ClawSkillGuard
Pass
Audited by ClawScan on May 1, 2026.
Overview
ClawSkillGuard appears to be a purpose-aligned local skill scanner, with only minor review notes about local file scanning and packaging/command clarity.
This appears safe to use as a local scanner. Before installing, note that it will read the skill files you point it at, and confirm the correct command path because the documentation mentions scripts/scan.py while the manifest includes scan.py at the root.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The scanner may read many installed skill files instead of only one target skill.
This directs the agent to inspect multiple local skill directories. That is aligned with a security-audit tool, but it broadens the local files being read.
If no path given, offer to scan all installed skills.
Provide an explicit skill path unless you intentionally want a full installed-skill audit.
The skill relies on local script execution to perform scans.
The skill instructs running a local Python script. This is expected for a scanner, but users should understand that installing and using it means executing bundled code locally.
python3 <skill_directory>/scripts/scan.py <path_to_skill> [--format text|json] [--severity low|medium|high|critical]
Run it only from the installed skill directory you intended to use, and review results before acting on any install recommendation.
The documented command may fail or cause confusion about which file should be executed.
The documented command references scripts/scan.py, while the supplied manifest lists scan.py at the root and the metadata declares no required binaries. This looks like a packaging/documentation mismatch rather than malicious behavior.
python3 <skill_directory>/scripts/scan.py <path_to_skill>
Verify the installed file path before running the scanner; the packaged file appears to be scan.py at the skill root.
