Downloads: 259 | Stars: 0 | Active Installs: 0 | Versions: 8
Install in OpenClaw: /install security-scanner-plus
Description
Scan AI agent skills for security vulnerabilities, dangerous code patterns, and undeclared permissions. Three-layer analysis: dependency CVE scanning, static...
Usage Guidance
This skill forwards provided repo URLs or code to the Claw0x Gateway (https://api.claw0x.com). That behavior matches its purpose but has privacy implications: do not send secrets, credentials, or private data you cannot share. Before installing, verify you trust Claw0x (review privacy/security docs), use a dedicated/limited API key, rotate the key if leaked, and prefer a local scanner for highly sensitive code. Review the included handler.ts (it only reads CLAW0X_API_KEY and POSTs the input) and consider network controls (allowlist api.claw0x.com) and logging to detect unexpected usage.
Capability Analysis
Type: OpenClaw Skill
Name: security-scanner-plus
Version: 1.0.7
The skill acts as a wrapper for an external third-party service, requiring a 'CLAW0X_API_KEY' and sending user-provided source code or repository URLs to a remote endpoint (api.claw0x.com) for processing, as seen in handler.ts. While this behavior is consistent with the stated purpose of a security scanner in SKILL.md, the exfiltration of potentially sensitive source code to a 'black box' API represents a high-risk data handling practice. There is no evidence of local malicious logic, but the reliance on an external service for code analysis poses significant privacy and security risks.
Capability Assessment
Purpose & Capability
Name/description state it will scan skills for vulnerabilities and undeclared permissions; the SKILL.md and handler.ts implement exactly that by calling the Claw0x Gateway API. Requested artifacts (repo_url, skill_slug, code) and the single required env var (CLAW0X_API_KEY) match the stated purpose.
Instruction Scope
Runtime instructions and examples consistently instruct the agent to POST skill data (repo URL or code) to https://api.claw0x.com/v1/call. There are no instructions to read unrelated local files or other environment variables. This is expected, but it does mean user code/metadata will be sent to a third-party service — a privacy-sensitive action that the user should be aware of.
Install Mechanism
Instruction-only skill with no install spec. The included handler.ts is a small network wrapper (uses fetch) and does not write to disk or download/extract remote archives. Low installation risk.
Credentials
Only CLAW0X_API_KEY is required (declared in SKILL.md metadata and enforced by handler.ts). That single credential is proportional to a remote service wrapper. Users should still treat the key as sensitive because it authorizes requests that may transmit code to the external API.
Persistence & Privilege
The `always` flag is false, and the skill does not request elevated privileges, nor does it modify other skills or global agent config. Model invocation is allowed (the platform default), which is appropriate for a callable scanner.
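As an added example (not the skill's own handler.ts, which this page does not reproduce), a TypeScript pre-flight guard that applies the controls recommended in the Usage Guidance, Instruction Scope and Credentials sections above: an egress allowlist for api.claw0x.com, exactly one of repo_url / skill_slug / code, the single CLAW0X_API_KEY credential, and a refusal to transmit an inline code payload that looks like it carries secrets. The function name `preflight` and the secret-matching patterns are assumptions constructed for this example.

```typescript
// Added example, not the skill's handler.ts: a guard to run before a scanner
// payload leaves the machine. The secret patterns are constructed heuristics.
export const SCAN_ENDPOINT = "https://api.claw0x.com/v1/call"; // endpoint named on the page
const ALLOWED_HOSTS = new Set(["api.claw0x.com"]);              // egress allowlist

const SECRET_PATTERNS: Array<[string, RegExp]> = [
  ["private key block", /-----BEGIN [A-Z ]*PRIVATE KEY-----/],
  ["AWS access key id", /\bAKIA[0-9A-Z]{16}\b/],
  ["GitHub token", /\bgh[pousr]_[A-Za-z0-9]{36,}\b/],
  ["hard-coded credential", /(?:api[_-]?key|secret|password|token)\s*[:=]\s*["'][^"']{8,}["']/i],
];

export interface ScanRequest { repo_url?: string; skill_slug?: string; code?: string; }
export interface Decision { ok: boolean; reasons: string[]; auditLine: string; }

export function preflight(
  req: ScanRequest,
  endpoint: string,
  env: Record<string, string | undefined>,
): Decision {
  const reasons: string[] = [];

  // The three input modes are mutually exclusive; exactly one must be present.
  const modes = (["repo_url", "skill_slug", "code"] as const).filter((k) => req[k] !== undefined);
  if (modes.length !== 1) reasons.push(`expected exactly one input mode, got ${modes.length}`);

  // Destination must use TLS and be on the egress allowlist.
  let host = "invalid-url";
  try {
    const u = new URL(endpoint);
    host = u.hostname;
    if (u.protocol !== "https:") reasons.push(`refusing non-TLS scheme ${u.protocol}`);
    if (!ALLOWED_HOSTS.has(host)) reasons.push(`host ${host} is not on the egress allowlist`);
  } catch {
    reasons.push("endpoint is not a valid URL");
  }

  // The only credential the skill declares; anything else is out of scope.
  if (!env.CLAW0X_API_KEY) reasons.push("CLAW0X_API_KEY is not set");

  // Inline code is the one mode that carries file contents; check it for credential material.
  for (const [name, re] of SECRET_PATTERNS) {
    if (req.code !== undefined && re.test(req.code)) reasons.push(`payload appears to contain a ${name}`);
  }

  // Local audit record for spotting unexpected usage; never includes the key or the payload.
  const auditLine = `outbound-scan host=${host} mode=${modes.join(",") || "none"} ` +
    `bytes=${req.code?.length ?? 0} allowed=${reasons.length === 0}`;
  return { ok: reasons.length === 0, reasons, auditLine };
}
```

Only when `ok` is true should the caller go on to POST the request; the `auditLine` is safe to write to a local log regardless of the outcome.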
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install security-scanner-plus
- After installation, invoke the skill by name or use /security-scanner-plus
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.7
No user-facing changes in this release.
- Version bumped to 1.0.7.
- No code or documentation changes detected.
v1.0.6
Security-scanner-plus v1.0.6 changelog:
- SKILL.md completely rewritten for clarity, conciseness, and practical usage guidance.
- Added "Quick Reference", "5-Minute Quickstart", "Real-World Use Cases", and "Integration Recipes" sections for faster onboarding.
- Removed mentions of GITHUB_TOKEN from required environment variables.
- Updated description, examples, and API usage to reflect latest scan flow and endpoint: https://api.claw0x.com/v1/call.
- Improved documentation on code, dependency, and permission scanning, with actionable example workflows for CI/CD, marketplaces, and pre-commit hooks.
- No changes to code logic; documentation update only.
v1.0.5
- Added GITHUB_TOKEN as a required environment variable in addition to CLAW0X_API_KEY.
- No other changes to features, usage, or output.
v1.0.4
v1.0.4 of security-scanner-plus
- No file changes detected in this version.
- Functionality, documentation, and metadata remain unchanged.
v1.0.3
- Clarified and reworded descriptions for static code analysis rules and input modes for improved readability.
- Enhanced explanations of mutually exclusive input options (repo_url, skill_slug, code) for accuracy and clarity.
- Updated example sections for input and output to use more concise, consistent formatting.
- Minor adjustments to permission auditing and when-to-use guidance to better reflect usage outside the Claw0x publishing context.
- No functional or logic changes; documentation only.
v1.0.2
- Internal code files (including analyzers and rule definitions) were removed.
- The skill now depends entirely on the remote API; local scanning logic is no longer included.
- No changes to user-facing API, input modes, or documentation.
- Functionality, usage, and output remain unchanged for users.
v1.0.1
**Major restructuring: Full rewrite with expanded documentation, new input/output structure, and internal modularization.**
- Complete internal refactor with new modular files for code analysis, dependency scanning, risk scoring, reporting, and permission auditing.
- Unified documentation now covers detailed scanning methodology, risk scoring, all detectors, example inputs/outputs, and precise API usage.
- Expanded input options: direct code, GitHub repo, or Claw0x skill slug.
- Output format enhanced: includes detailed scan findings, scoring breakdown, recommendation list, timing, and expanded permission audit.
- Tool is still free, but now clearer on prerequisites and API key handling.
v1.0.0
security-scanner 1.0.0
- Initial public release.
- Provides three-layer security scanning for AI agent skills: dependency CVE checks, code analysis for dangerous patterns, and permission audits.
- Generates a structured risk report with a 0–100 score.
- Supports scanning via direct code, GitHub repo URL, or registered skill slug.
- Free to use;
Frequently Asked Questions
What is security scanner?
It is an AI Agent Skill for Claude Code / OpenClaw that scans AI agent skills for security vulnerabilities, dangerous code patterns, and undeclared permissions, with 259 downloads so far.
How do I install security scanner?
Run "/install security-scanner-plus" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is security scanner free?
Yes, security scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does security scanner support?
security scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created security scanner?
It is built and maintained by claw0x (@kennyzir); the current version is v1.0.7.