skill-safety-scanner

Run local safety scans on Agent Skills before publishing. Detects secrets, dangerous code patterns, and analyzes required permissions.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "skill-safety-scanner" with this command: npx skills add skillscatalog/registry/skillscatalog-registry-skill-safety-scanner

Instructions

Use this skill to run safety scans on any Agent Skill directory before publishing. The scanner detects:

  • Secrets - Hardcoded API keys, tokens, passwords, private keys
  • Dangerous Code - eval(), exec(), command injection, XSS patterns
  • Permissions - Required capabilities (filesystem, network, subprocess, etc.)

When to Use

  • Before submitting a skill for publication
  • To preview what the catalog safety scan will find
  • To identify and fix security issues early
  • As part of CI/CD pipelines

How to Use

Scan a skill directory:

Scan the skill at /path/to/my-skill for safety issues

Get detailed output:

python3 safety_scan.py /path/to/my-skill --verbose

Get JSON output for CI integration:

python3 safety_scan.py /path/to/my-skill --json

Output

Safety Scan Report
  Skill: my-skill
  Grade: B (85/100)

  Scores:
    Secrets: 100/100
    Dangerous Code: 70/100

  Permissions Detected:
    - filesystem
    - network

  Findings (1):
    [medium] Potential command injection
      File: scripts/main.py:42
      Code: subprocess.run(cmd, shell=True)

  Recommendation: Review the finding above before publishing.

Examples

Basic scan:

User: Scan my skill at ./document-tools for safety issues
Agent: Running safety scan on ./document-tools...

       Grade: A (95/100)
       No critical issues found.

Finding secrets:

User: Check ./my-api-client for security issues
Agent: Running safety scan...

       Grade: F (0/100)

       Findings:
         [critical] Hardcoded API key detected
           File: config.py:5
           Code: API_KEY = "sk-ant-..."

       You must remove this secret before publishing.

Limitations

  • Does not scan dependencies (use npm audit / pip-audit separately)
  • Pattern-based detection may have false positives
  • Cannot detect all security issues (not a replacement for security review)
  • Scans local files only (not GitHub URLs)

Dependencies

  • Python 3.9+
  • No external dependencies (uses Python stdlib)

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Skill Scanner

Scan OpenClaw skills for security vulnerabilities before installing them. Use when evaluating a new skill from ClawHub or any third-party source. Detects cre...

Registry SourceRecently Updated
0611
Profile unavailable
Security

Security Skill Scanner

Scans OpenClaw skills for security vulnerabilities and suspicious patterns before installation

Registry SourceRecently Updated
71.7K
Profile unavailable
Security

Safety Checks

Verify before you trust — model pinning, fallbacks, and runtime safety validation

Registry SourceRecently Updated
0456
Profile unavailable