skill-scanner

Scan installed agent components (MCP servers, skills, agent tools) for security vulnerabilities using snyk-agent-scan. Use only when running uvx snyk-agent-scan commands to scan skills for risks like prompt injection, malware, or credential leaks. This skill intentionally executes external code (snyk-agent-scan via uvx) for security auditing purposes.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "skill-scanner" with this command: npx skills add SwiftKing100/snyk-skill-scanner

Skill Scanner

Use snyk/agent-scan to detect security risks in agent components.

Quick Scan

# Scan all skills on the machine
uvx snyk-agent-scan@latest --skills

# Scan MCP servers (default behavior)
uvx snyk-agent-scan@latest

# Scan with verbose output
uvx snyk-agent-scan@latest --skills --verbose

# Output JSON for automation
uvx snyk-agent-scan@latest --skills --json

What It Detects

For Skills

  • Prompt Injection (E004) - Malicious instructions hidden in prompts
  • Malware Payloads (E006) - Harmful code disguised as content
  • Untrusted Content (W011) - Potentially unsafe external data
  • Credential Handling (W007) - Improper secrets management
  • Hardcoded Secrets (W008) - API keys or passwords in code

For MCP Servers

  • Prompt Injection (E001)
  • Tool Poisoning (E003)
  • Tool Shadowing (E002)
  • Toxic Flows (TF001)
  • Rug Pull (W005) - Malicious skill replacement

Workflow

  1. Before installing a new skill → Run a scan first
  2. After scanning → Review any E001/E003/E004/E006 issues (high severity)
  3. Low severity warnings (W005-W008) → Decide based on your risk tolerance

Interpreting Results

Prefix  Severity    Action
E       High        Fix or avoid the skill
W       Medium/Low  Review and decide
TF      High        Toxic flow detected
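
An added example (not part of the original skill or of snyk-agent-scan) that turns the workflow and prefix table above into a pre-install gate. It assumes the issue codes appear verbatim in the scanner's output; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage scanner output by issue-code prefix.
# Assumption: codes such as E004, W011 or TF001 appear verbatim in the output
# (text or --json); the output layout itself is not assumed.

# Print the unique issue codes found on stdin, one per line.
# -w rejects look-alikes embedded in longer tokens (e.g. "CODE200").
extract_codes() {
    { grep -owE '(TF|E|W)[0-9]{3}' || true; } | sort -u
}

# Print one verdict for the scan output on stdin:
#   block   - any E or TF code (high severity: fix or avoid the skill)
#   review  - only W codes (review and decide)
#   pass    - output present, no codes
#   unknown - empty output, e.g. the scan did not run; never treat as pass
verdict() {
    out=$(cat)
    [ -n "$out" ] || { echo unknown; return 0; }
    codes=$(printf '%s\n' "$out" | extract_codes)
    if printf '%s\n' "$codes" | grep -qE '^(E|TF)'; then
        echo block
    elif printf '%s\n' "$codes" | grep -q '^W'; then
        echo review
    else
        echo pass
    fi
}

# Constructed sample inputs (not real snyk-agent-scan output).
SAMPLE_HIGH='skills/notes/SKILL.md: E004 prompt injection
skills/notes/run.sh: W008 hardcoded secret'
SAMPLE_WARN='{"issues":[{"code":"W011"},{"code":"W007"}]}'
SAMPLE_CLEAN='scanned 3 skills, CODE200, no issues'

# Usage: uvx snyk-agent-scan@latest --skills --json | verdict
```

Treat `unknown` the same as `block` in automation: a scan that produced no output has not cleared the skill.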

Common Issues

If uvx is not found, install uv first:

# macOS
brew install uv

# Linux
curl -LsSf https://astral.sh/uv/install.sh | sh

OpenClaw Skills Location

OpenClaw skills are typically stored at:

  • Global: ~/.openclaw/skills/
  • Workspace: <project>/skills/

To scan a custom path, pass it directly:

uvx snyk-agent-scan@latest ~/.openclaw/skills/

Output Example

The scan will show:

  • File path of the issue
  • Risk type and description
  • Severity level (E/W/TF)
  • Recommended fix

For the full list of issue codes, see: https://github.com/snyk/agent-scan/blob/main/docs/issue-codes.md

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
