Low Risk — Risk Score 15/100
Last scan: 2 days ago
Security Scanner
Scans AI agent skills for security vulnerabilities, dangerous code patterns, and undeclared permissions via Claw0x Gateway API
This is a thin, legitimate API wrapper skill that calls an external Claw0x Gateway API for security scanning. No local code analysis, shell execution, filesystem access, or credential exfiltration occurs. The sole finding is a missing allowed-tools declaration in SKILL.md frontmatter, which is a documentation gap rather than a security violation.
Skill Name: Security Scanner
Duration: 46.0s
Engine: pi
Safe to install
Add a complete allowed-tools declaration to SKILL.md frontmatter (e.g., Read for filesystem:READ, WebFetch for network:READ, and env access for environment:READ) to align documentation with the inferred capability footprint. No blocking action needed.

Findings 3 items

Severity Finding Location
Low
Missing allowed-tools declaration in SKILL.md frontmatter
The SKILL.md YAML frontmatter lacks an allowed-tools field. While the handler.ts implementation is benign (only env:READ and network:READ are used), the absence of this declaration is a documentation gap. Users and agents cannot verify the actual permission footprint from the metadata alone.
---
name: Security Scanner
description: >
  Scan AI agent skills for security vulnerabilities...
metadata:
  requires:
    env:
      - CLAW0X_API_KEY
---
→ Add an allowed-tools declaration to the frontmatter, e.g.: allowed-tools: Read: filesystem:READ WebFetch: network:READ env: environment:READ
SKILL.md:1
Info
IOC flagged 'rm -rf /' is a benign documentation example
The pre-scan IOC flagged the string 'rm -rf /' at SKILL.md line 452. This is a text example in documentation showing what the Claw0x security scanning API would detect as a dangerous pattern. It is not executed code, poses no security risk, and is correctly used as a teaching example.
"code": "import os\nos.system('rm -rf /')",
→ No action needed. The IOC is a false positive from the pre-scan treating all text matches equally.
SKILL.md:452
Info
External URLs used for API and branding
The skill references claw0x.com URLs for the external API endpoint, signup, and documentation. These are declared in documentation and used for the intended API-based service. No unexpected or direct-IP network connections are present.
curl -X POST https://api.claw0x.com/v1/call
→ No action needed. This is the intended service architecture.
SKILL.md:45
Resource Declared Inferred Status Evidence
Filesystem NONE NONE No filesystem access found in handler.ts or SKILL.md
Network NONE READ ✓ Aligned handler.ts:64 - fetch('https://api.claw0x.com/v1/call', ...)
Shell NONE NONE No shell execution found
Environment READ READ ✓ Aligned SKILL.md frontmatter declares requires.env: [CLAW0X_API_KEY]; handler.ts:51 uses…
Skill Invoke NONE NONE No skill invocation found
Clipboard NONE NONE No clipboard access found
Browser NONE NONE No browser automation found
Database NONE NONE No database access found
1 Critical 5 findings
💀
Critical Dangerous Command (dangerous shell command)
rm -rf /
SKILL.md:452
🔗
Medium External URL
https://claw0x.com
SKILL.md:17
🔗
Medium External URL
https://api.claw0x.com/v1/call
SKILL.md:45
🔗
Medium External URL
https://claw0x.com/skills
SKILL.md:696
🔗
Medium External URL
https://claw0x.com\n
handler.ts:78

File Tree

2 files · 25.0 KB · 818 lines
Markdown 1f · 698L TypeScript 1f · 120L
├─ 📜 handler.ts TypeScript 120L · 3.0 KB
└─ 📝 SKILL.md Markdown 698L · 22.0 KB

Security Positives

✓ No shell execution or subprocess calls anywhere in the codebase
✓ No filesystem read/write operations — the handler is purely an HTTP client
✓ No credential harvesting or exfiltration — only reads the single required API key
✓ No base64 encoding/decoding, eval, or dynamic code execution patterns
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, or .env
✓ No curl|bash or wget|sh remote script installation patterns
✓ No hidden HTML comments or steganographic payloads
✓ Input validation enforces mutually exclusive input modes (repo_url, skill_slug, code)
✓ API key is read from environment variables only, not hardcoded
✓ All code paths are straightforward and auditable