v0.1.0

Skill Security Scanner

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:32 AM.

Analysis

The scanner is mostly purpose-aligned, but its reports can preserve unredacted secrets and raw HTML-capable scan data, so it needs review before use on sensitive skills.

GuidanceUse this only on code you are comfortable scanning, prefer JSON/HTML reports that redact secrets, do not publish generated security_report.html files without reviewing them, and use a dedicated VirusTotal key if you enable that integration.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Cascading Failures

SeverityMediumConfidenceMediumStatusConcern

source/reporter.py

<title>🔒 Security Scan Report - {skill}</title> ... <span>📦 Skill: {skill}</span>

The HTML report template directly interpolates report fields into HTML. If scan result fields contain markup, they may be rendered rather than safely escaped.

User impactOpening an HTML report for an untrusted or attacker-controlled skill name/result could display misleading content or potentially execute browser-side script if other unescaped fields are similarly inserted.

RecommendationHTML-escape every value derived from scanned files, paths, messages, and snippets before rendering; consider a restrictive Content Security Policy for generated reports.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

install.sh

ln -s "${CLI_SCRIPT}" "${CLI_PATH}"
chmod +x "${CLI_SCRIPT}"

The install script creates a persistent CLI symlink in the user's ~/.local/bin and marks the script executable. This is normal for a CLI skill, but the registry also describes the package as having no install spec.

User impactRunning the installer changes the local command environment and may replace an existing command after backing it up.

RecommendationReview install.sh before running it, confirm ~/.local/bin is an intended install location, and remove the symlink if uninstalling.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

skill.json

"virustotal_api_key": ... "Optional VirusTotal API key for file reputation scanning"

The skill can use a third-party VirusTotal credential. This is disclosed and purpose-aligned, with no artifact evidence of hardcoding or unrelated credential use.

User impactIf enabled, the scanner may make VirusTotal reputation queries using the provided API key and consume that account's quota.

RecommendationUse a dedicated, least-privileged VirusTotal API key and avoid placing long-lived credentials in shared command histories or reports.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

source/scanner.py

message="Potential hardcoded secret detected",
                        snippet=line.strip()[:80]

Hardcoded-secret findings include the first 80 characters of the original matching line, which can copy actual API keys, passwords, or tokens into scan output instead of masking them.

User impactA report meant to warn about secrets could itself become a place where those secrets are stored, shared, archived, or accidentally published.

RecommendationRedact or hash secret values in snippets, store reports outside publishable source directories, and avoid sharing generated reports unless they have been sanitized.