Skill Trust Decision

skill-security-vet

Undeclared computer-wide filesystem scanning and auto-quarantine capabilities discovered - SKILL.md only mentions skill scanning but code includes full drive scanning mode.

Install decision first
Source: Manual upload
Scanned: Apr 3, 2026
Files 3
Artifacts 2
Violations 2
Findings 5
Most direct threat evidence

01
User installs skill-security-vet believing it only scans installed skills
Entry · SKILL.md

02
Attacker or compromised tool uses 'local' or 'full' mode to scan entire computer filesystem
reconnaissance · vet.ts

03
Tool iterates through directories searching for sensitive files and credential patterns
reconnaissance · vet.ts

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 2 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
User installs skill-security-vet believing it only scans installed skills

Entry · SKILL.md:1

02
Attacker or compromised tool uses 'local' or 'full' mode to scan entire computer filesystem

reconnaissance · vet.ts:219

03
Tool iterates through directories searching for sensitive files and credential patterns

reconnaissance · vet.ts:239

04
Files matching danger patterns are auto-quarantined or removed without user consent

Impact · vet.ts:160

What drove the risk score up

Undeclared filesystem scanning +25

SKILL.md describes only skill scanning, but vet.ts has 'local' and 'full' modes that scan entire computer drives

Undeclared auto-quarantine/removal +20

Automatic file quarantine and removal without explicit user consent per operation

Deep filesystem traversal +15

Scans all directories up to depth 5, examining all script file types across the entire system

No declared shell/network access needed +8

Skill-scanning should not require full computer filesystem access

Most important evidence

High

Undeclared local/full computer scanning mode

vet.ts contains 'local' and 'full' scanning modes that recursively scan entire system drives (C:, D:, E:, F: on Windows, / on Unix) up to depth 5, examining 10,000+ files. SKILL.md only describes scanning installed skills in ~/.opencode/skill.

vet.ts:219
Remove local/full modes or clearly document computer-wide scanning capability in SKILL.md
High

Automatic file quarantine without consent

The tool automatically quarantines (copies and deletes) or removes files identified as dangerous without prompting for user consent per operation. Configured via --auto flag.

vet.ts:160
Require explicit user confirmation before auto-quarantine, or document this behavior prominently
Medium

Undocumented VirusTotal API integration

Code integrates with VirusTotal API to submit file hashes for scanning. While the SKILL.md mentions VirusTotal, it doesn't detail the API endpoint or that file hashes are sent externally.

vet.ts:127
Document what data is sent to VirusTotal (file hashes only vs content)
Medium

Suspicious file pattern matching

Tool scans for credential-related patterns including decodeURIComponent with password/token, keyloggers, remote connection attempts (SSH/RDP). While legitimate for security scanning, combined with undeclared full drive access this could be used for credential harvesting.

vet.ts:50
Clarify intent - a skill security tool should not need to detect password theft patterns on user's computer
Low

Broad exclusion list suggests awareness of sensitive areas

The excludeSet includes AppData/Local/Temp, Windows, Program Files, etc. This suggests the tool is aware of and avoids Windows system areas while potentially targeting user data areas.

vet.ts:239
Review exclusion list - consider if this is protective or targeted

Declared capability vs actual capability

Capability   Verdict   Declared   Inferred     Evidence
Filesystem   Block     READ       READ+WRITE   vet.ts:219-263 (scanLocalComputer function scans entire drives)
Network      Block     NONE       READ         vet.ts:127-154 (VirusTotal API calls not mentioned in docs)
Shell        Pass      NONE       NONE         No shell execution found

Suspicious artifacts and egress

Medium External URL
https://virustotal.com

SKILL.md:46

Medium External URL
https://www.virustotal.com/api/v3/files/$

vet.ts:127

Dependencies and supply chain

Package   Version   Source   Known vuln   Notes
bun       bundled   system   No           Bun runtime required

File composition

3 files · 885 lines
TypeScript · 2 files · 768 lines
Markdown · 1 file · 117 lines
Files of concern · 2
vet.ts TypeScript · 484 lines
Undeclared local/full computer scanning mode · Automatic file quarantine without consent · Undocumented VirusTotal API integration · Suspicious file pattern matching · Broad exclusion list suggests awareness of sensitive areas · https://www.virustotal.com/api/v3/files/$
SKILL.md Markdown · 117 lines
https://virustotal.com
Other files · startup-scan.ts

Security positives

Security scanning patterns are well-defined and comprehensive
Uses VirusTotal for external threat intelligence (legitimate security tool feature)
No direct exfiltration of credentials observed - only pattern matching
No reverse shell, C2, or direct malicious code execution
API key stored locally in config directory, not hardcoded