Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SkillScan

v1.1.6

Security gate for skills. Every new skill MUST pass SkillScan before use. Activate on any install, load, add, evaluate, or safety question about a skill. On...

7 stars · 90.5k downloads · 0 current · 0 all-time
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included scanner implementation: it enumerates skill install paths, hashes packages, queries a remote lookup, and uploads packages for remote scanning. These capabilities are expected for a central/cloud-based scanning service. Notable: it enumerates an unusually large set of vendor-specific paths (many third-party agent folders), which is aggressive but explainable if the goal is to scan all installed skills.
Instruction Scope
SKILL.md instructs the agent to run on any install/load/add/mention or safety question and to scan all existing installed skills on first-run. That scope can cause scans (and remote uploads) to be triggered by casual mentions or on first load without explicit per-scan consent, which may result in unexpected disclosure of skill source code or embedded secrets.
Install Mechanism
There is no install spec (instruction-only) and the package supplies a scanner.py. That lowers installation risk. However the scanner implements an 'upgrade' flow and a silent auto-update check (daily) using a remote manifest URL; automatic retrieval of updates from an external host increases risk because it fetches remote content without explicit user action.
Credentials
The skill does not require credentials, but it optionally reads SKILL_SCANNER_UPDATE_URL. It also builds and persists a client_info record (UUID, OS, python version, and, when available, MAC address) and uses that as a Base64 X-Client-Info header when talking to the remote API. Collecting MAC and persistent client IDs is not strictly required to scan local files and is a privacy risk if you don't trust the remote service.
Persistence & Privilege
The skill writes marker files (.first_run_done, .client_info, .last_update_check) in its own directory and will run a first-run scan across all discovered skill directories. While not 'always:true', the policy to 'activate on any mention' combined with autonomous invocation and remote upload capability elevates its effective privilege and blast radius — a misbehaving or compromised scanner could exfiltrate many local skill files.
What to consider before installing
This skill appears to be a legitimate security scanner but includes several privacy- and safety-sensitive behaviors you should understand before enabling it: it enumerates many vendor/user skill directories, may read and package skill code, and uploads skill packages to https://skillscan.tokauth.com for remote analysis. It also generates a persistent client record (including a UUID and potentially your MAC address) and performs silent daily update checks.

Before installing:

  1. Verify the publisher and a trustworthy homepage/repo and privacy policy for the remote service.
  2. Inspect the scanner.py upload and upgrade code to confirm exactly what gets uploaded and whether secrets are excluded.
  3. Decide whether automatic first-run scanning and 'activate on any mention' behavior is acceptable; prefer explicit confirmation prompts before any upload.
  4. Consider running the scanner in an isolated environment (or with a read-only mount) so it cannot access unrelated sensitive directories.
  5. If you must use it, configure SKILL_SCANNER_UPDATE_URL to a vetted internal server or disable auto-updates, and avoid running first-run until you audit what will be scanned.

If you want higher assurance, request the full, untruncated scanner.py and any server-side docs or source so you can confirm upload semantics and data retention policies.


latest: vk979mcj4r9b7a9shxkzx92c7x1856dsn
90.5k downloads
7 stars
2 versions
Updated 3d ago
v1.1.6
MIT-0

SkillScan v1.1.6

Security check for skill packages. Every new skill must pass this scan before use.

Implemented in scripts/scanner.py. Supports Windows / macOS / Linux.

Do NOT generate report files inside the skill directory.


When to Activate

Run SkillScan whenever a skill is installed, loaded, added, evaluated, or questioned for safety — regardless of method or phrasing.

Trigger examples: install, load, add, use, set up, "is this safe", upload .zip/.skill, paste SKILL.md, mention unknown skill name, install from hub/store.


First Load

Check scripts/.first_run_done:

  • Not found → Tell user SkillScan is installed, ask to scan all existing skills:

    python <skill_scanner_dir>/scripts/scanner.py first-run

    .first_run_done is created automatically after completion.

  • Found → Skip, operate normally.


Commands

| Command                | Usage                                   |
|------------------------|-----------------------------------------|
| scanner.py scan <path> | Scan a single skill (.zip or directory) |
| scanner.py scan-all    | Scan all installed skills               |
| scanner.py first-run   | First-time full scan                    |
| scanner.py upgrade     | Manual upgrade                          |

Scan Rules

  • .zip files → Scan BEFORE installation. Block if fails.
  • Directory installs (cp, mv, git clone, ln -s, any method) → Scan AFTER files land on disk.
  • Remote installs (clawhub, skillhub, npx skills add, etc.) → Scan immediately after install.
  • Unknown skills → If user mentions a skill you haven't seen, scan it.

Exit Codes

| Code | Verdict         | Action                    |
|------|-----------------|---------------------------|
| 0    | UNKNOWN / SAFE  | Proceed                   |
| 1    | LOW / MEDIUM    | Warn user, ask to confirm |
| 2    | HIGH / CRITICAL | Block, show details       |
| 3    | Scan failed     | Explain, offer retry      |

Auto Update

Checks for updates every day automatically. Silent, no user action needed. Manual: scanner.py upgrade.


Environment Variables

| Variable                 | Description                     |
|--------------------------|---------------------------------|
| SKILL_SCANNER_UPDATE_URL | Custom update source (optional) |

API

Base URL: https://skillscan.tokauth.com

| Step           | Method | Path                                                                    |
|----------------|--------|-------------------------------------------------------------------------|
| ① Cache lookup | GET    | /oapi/v1/skill-scan/search?dir_sha256=<dir_sha256>                      |
| ② Upload       | POST   | /oapi/v1/skill-scan/upload                                              |
| ③ Poll result  | GET    | /oapi/v1/skill-scan/result?task_no=<task_no> (poll every 20s, max 180s) |
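The three-step flow above (cache lookup by directory hash, upload, then polling with the documented 20 s cadence and 180 s budget) mapped onto the exit-code table, as an added example; this is not the project's scanner.py. Only the methods, paths, query parameters, polling numbers and exit codes come from the page. The JSON response fields (`found`, `verdict`, `task_no`, `status`), the way `dir_sha256` is derived, and the `FakeService` transport that stands in for the remote host are assumptions so the flow can be run offline.

```python
# Added example of the SkillScan client flow; not the project's own code.
# Response field names and the dir_sha256 construction are ASSUMPTIONS.
import hashlib
import io
import zipfile
from typing import Callable, Optional

POLL_INTERVAL_S = 20   # page: "poll every 20s"
POLL_MAX_S = 180       # page: "max 180s"

# Exit-code table from the page; 3 also covers timeouts and malformed responses.
VERDICT_EXIT = {"UNKNOWN": 0, "SAFE": 0, "LOW": 1, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 2}
EXIT_SCAN_FAILED = 3


def dir_sha256(files: dict) -> str:
    """Digest of a skill directory given as {relative_path: bytes}.

    ASSUMPTION: the page does not define dir_sha256. Hashing sorted paths and
    contents with NUL separators keeps the value independent of listing order.
    """
    h = hashlib.sha256()
    for rel in sorted(files):
        h.update(rel.encode("utf-8") + b"\0" + files[rel] + b"\0")
    return h.hexdigest()


def package_zip(files: dict) -> bytes:
    """Build the .zip upload body in memory with fixed timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in sorted(files):
            zf.writestr(zipfile.ZipInfo(rel, date_time=(1980, 1, 1, 0, 0, 0)), files[rel])
    return buf.getvalue()


Transport = Callable[[str, str, Optional[bytes]], dict]


def scan_skill(files: dict, transport: Transport, sleep=lambda s: None) -> tuple:
    """Run lookup -> upload -> poll and return (verdict, exit_code).

    transport(method, path, body) returns the decoded JSON (assumed shape);
    sleep is injectable so the 20 s cadence can be simulated without waiting.
    """
    digest = dir_sha256(files)
    # Step 1: consult the cache before uploading anything.
    hit = transport("GET", f"/oapi/v1/skill-scan/search?dir_sha256={digest}", None)
    if hit.get("found"):
        return hit["verdict"], VERDICT_EXIT.get(hit["verdict"], EXIT_SCAN_FAILED)
    # Step 2: upload the package for remote analysis.
    task = transport("POST", "/oapi/v1/skill-scan/upload", package_zip(files))
    task_no = task.get("task_no")
    if not task_no:
        return "SCAN_FAILED", EXIT_SCAN_FAILED
    # Step 3: poll until done or the 180 s budget is exhausted.
    waited = 0
    while waited <= POLL_MAX_S:
        res = transport("GET", f"/oapi/v1/skill-scan/result?task_no={task_no}", None)
        if res.get("status") == "done":
            return res["verdict"], VERDICT_EXIT.get(res["verdict"], EXIT_SCAN_FAILED)
        sleep(POLL_INTERVAL_S)
        waited += POLL_INTERVAL_S
    return "SCAN_FAILED", EXIT_SCAN_FAILED


class FakeService:
    """Constructed stand-in for the remote API so the flow runs offline."""

    def __init__(self, cache: dict, polls_until_done: int, final_verdict: str):
        self.cache = cache                  # dir_sha256 -> cached verdict
        self.polls_until_done = polls_until_done
        self.final_verdict = final_verdict
        self.polls = 0
        self.uploads = []

    def __call__(self, method: str, path: str, body: Optional[bytes]) -> dict:
        if method == "GET" and path.startswith("/oapi/v1/skill-scan/search?dir_sha256="):
            digest = path.split("=", 1)[1]
            return {"found": digest in self.cache, "verdict": self.cache.get(digest)}
        if method == "POST" and path == "/oapi/v1/skill-scan/upload":
            self.uploads.append(body)
            return {"task_no": "task-constructed-001"}
        if method == "GET" and path.startswith("/oapi/v1/skill-scan/result?task_no="):
            self.polls += 1
            if self.polls >= self.polls_until_done:
                return {"status": "done", "verdict": self.final_verdict}
            return {"status": "pending"}
        raise ValueError(f"unexpected request {method} {path}")


# Constructed sample skill: a SKILL.md and one script.
SAMPLE_SKILL = {"SKILL.md": b"# demo skill\n", "scripts/run.py": b"print('hi')\n"}

if __name__ == "__main__":
    svc = FakeService(cache={}, polls_until_done=3, final_verdict="MEDIUM")
    print(scan_skill(SAMPLE_SKILL, svc))  # ('MEDIUM', 1) after three polls
```

Two properties of the flow worth checking against the real scanner.py: a cache hit must return before any upload happens (that is what limits disclosure of skill source to the remote service), and the poll loop must give up with exit code 3 rather than waiting indefinitely.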
