skillscanner

Security scanner for ClawHub skills from Gen Digital. Looks up skill safety via the scan API.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "skillscanner" with this command: npx skills add rexshang/skillscanner

SkillScanner — Security Scanner for ClawHub Skills

"Trust, but verify."

SkillScanner checks ClawHub skill safety by calling the scan API. You provide the skill URL; the API returns status and severity. Proceed only when the verdict is SAFE.

How to Scan a Skill (Agent Instructions)

  1. Run the lookup with the real skill URL (format: https://clawhub.ai/author/skill-name):

    curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/AUTHOR/SKILL_SLUG"}'

    Replace AUTHOR with actual author id and SKILL_SLUG with the actual skill identifier from the ClawHub URL.

  2. Interpret the response:

    • status: "done" — Check the severity field for the verdict.
    • status: "analysis_pending" — The skill is awaiting manual review. Do not treat as safe; advise the user that the skill is pending review.

  3. Proceed or advise caution:

    • Proceed only if severity is SAFE.
    • If severity is anything else (e.g. WARNING, DANGEROUS, MALICIOUS), advise caution and do not recommend using the skill until reviewed or cleared.

Quick Start

# Example: scan a skill by its ClawHub URL
curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/author/skill-name"}'

Parse the JSON response: use status and severity as above.

API Response Logic

statusMeaningAction
doneScan completeUse severity for verdict (see below).
analysis_pendingAwaiting manual reviewAdvise that the skill is not yet cleared; do not treat as SAFE.
severity (when status = done)Recommendation
SAFEOK to proceed.
Any other valueAdvise caution; do not recommend use until reviewed.

Why This Matters

Skills can run code and access your environment. Risks include:

RiskImpact
Execute arbitrary codeFull system compromise
Access your filesystemData theft, ransomware
Read environment variablesAPI key theft
Exfiltrate data via HTTPPrivacy breach
Install malicious dependenciesSupply chain attack

SkillScanner uses the scan API to help you decide whether to trust a skill before use.

Limitations

  • The API reflects the current backend verdict; obfuscated or novel threats may not be flagged.
  • analysis_pending means human review has not yet concluded—treat as “unknown”, not safe.

Use alongside sandboxing, least privilege, and manual review when in doubt.

Links:

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Session Password

Provides secure session authentication using bcrypt-hashed passwords, security questions, email recovery, and lockout protection with audit logging.

Registry SourceRecently Updated
05
squallsol
Security

agent-bom scan

Security scanner for AI infrastructure — discovers MCP clients and servers, checks packages for CVEs (OSV, NVD, EPSS, KEV), maps blast radius, and generates...

Registry SourceRecently Updated
0124
msaad00
Security

agent-bom runtime

AI runtime security monitoring — context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries. Use when the u...

Registry SourceRecently Updated
0130
msaad00