Trusted — Risk Score 5/100
Last scan: 2 days ago
skill-security-scanner
Enterprise-Grade Skill Security Scanner - automatically detects security risks in ClawHub, GitHub and local Skills
Skill Security Scanner is a legitimate defensive security tool that scans AI skills for vulnerabilities. All capabilities are properly declared and necessary for its security scanning function.
Skill Name: skill-security-scanner
Duration: 28.9s
Engine: pi
Safe to install
This skill is safe to use. It's a security-focused tool with appropriate capabilities for static analysis of target skills.
Resource    | Declared | Inferred | Status    | Evidence
Filesystem  | READ     | READ     | ✓ Aligned | SKILL.md declares file scanning capability
Network     | READ     | READ     | ✓ Aligned | Downloads target skills for analysis - declared in the 'Usage' section
Shell       | WRITE    | WRITE    | ✓ Aligned | Uses subprocess for static pattern matching - declared under 'Core Capabilities'
Environment | NONE     | READ     | ✓ Aligned | Reads $HOME and $PATH to locate the skills directory - necessary for batch scanning
12 findings: 7 Critical, 5 Medium
💀 Critical · Dangerous Command (dangerous shell command)
   Pattern: rm -rf /   Location: references/dangerous-commands.md:7
💀 Critical · Dangerous Command (dangerous shell command)
   Pattern: rm -rf ~   Location: references/dangerous-commands.md:8
💀 Critical · Dangerous Command (dangerous shell command)
   Pattern: curl | bash   Location: references/dangerous-commands.md:10
💀 Critical · Dangerous Command (dangerous shell command)
   Pattern: wget -O- | sh   Location: references/dangerous-commands.md:11
💀 Critical · Dangerous Command (dangerous shell command)
   Pattern: curl https://... | sh   Location: references/dangerous-commands.md:12
💀 Critical · Dangerous Command (dangerous shell command)
   Pattern: wget https://... | bash   Location: references/dangerous-commands.md:13
💀 Critical · Dangerous Command (dangerous shell command)
   Pattern: wget | bash   Location: references/rules.md:125
🔗 Medium · External URL
   URL: https://clawhub.ai/AphobiaCat/aibtc   Location: SKILL.md:82
🔗 Medium · External URL
   URL: https://clawhub.ai/chrisochrisochriso-cmyk/clawsec   Location: SKILL.md:87
🔗 Medium · External URL
   URL: https://clawhub.ai/owner/skill-name   Location: SKILL.md:148
🔗 Medium · External URL
   URL: https://wry-manatee-359.convex.site/api/v1/download?slug=$(echo   Location: scripts/scan.sh:252
🔗 Medium · External URL
   URL: https://clawhub.ai/steipete/video-frames   Location: scripts/scan.sh:394

File Tree

11 files · 68.0 KB · 1844 lines
Markdown: 4 files, 1020 lines · Shell: 3 files, 591 lines · JavaScript: 3 files, 231 lines · Text: 1 file, 2 lines
├─ 📁 node
│ ├─ 📜 index.js JavaScript 22L · 576 B
│ └─ 📜 scanner.js JavaScript 196L · 8.3 KB
├─ 📁 references
│ ├─ 📝 dangerous-commands.md Markdown 185L · 4.6 KB
│ └─ 📝 rules.md Markdown 192L · 6.1 KB
├─ 📁 scripts
│ ├─ 🔧 run.sh Shell 3L · 83 B
│ ├─ 🔧 scan-all.sh Shell 116L · 4.2 KB
│ └─ 🔧 scan.sh Shell 472L · 21.9 KB
├─ 📜 index.js JavaScript 13L · 326 B
├─ 📝 SKILL_EN.md Markdown 183L · 4.9 KB
├─ 📝 SKILL.md Markdown 460L · 17.0 KB
└─ 📄 whitelist.txt Text 2L · 32 B

Security Positives

✓ Comprehensive documentation with clear capability declarations
✓ All shell/network operations are declared in SKILL.md
✓ Static analysis only - does not execute code from target skills
✓ Proper cleanup of temporary directories after scanning
✓ Includes whitelist mechanism for trusted skills
✓ Supports JSON/JSONL output for programmatic analysis
✓ Reference documentation clearly explains detection rules
✓ Legitimate security scanning use case