Skill Scanner
by sudhindrat · v1.0.0 · MIT-0
Downloads: 206 · Stars: 0 · Active Installs: 2 · Versions: 1
Install in OpenClaw
/install skill-security-scan
Description
Security checks for installing skills, packages, or plugins. Use BEFORE any `npm install`, `openclaw plugins install`, `clawhub install`, or similar install...
Usage Guidance
This skill is a safe, instruction-only checklist you can use before installing packages. Before you rely on it: ensure the environment where checks run has npm/git if you want the automated commands to work; review any commands the agent would execute (it may run `npm info`, `npm audit`, or inspect package.json); treat the checklist as guidance — it doesn't auto-block installs; and continue to require explicit user approval before running or installing anything flagged as suspicious.
Capability Analysis
Type: OpenClaw Skill
Name: skill-security-scan
Version: 1.0.0
The skill bundle (skill-security-scan) is a defensive utility providing a comprehensive security checklist and heuristics for an AI agent to follow before installing third-party packages. It includes instructions to verify sources, audit dependencies, check for lifecycle scripts, and identify known attack patterns like 'ClawHavoc' or 'AuthTool' in SKILL.md. The instructions are aligned with the stated purpose of enhancing security and do not contain any malicious payloads or exfiltration logic.
Capability Assessment
Purpose & Capability
Name and description match the SKILL.md content: it is a pre-install security checklist for skills/packages. There are no unrelated environment variables, binaries, or installs requested that would be disproportionate to the stated purpose.
Instruction Scope
The runtime instructions are advisory (inspect package.json, run `npm info`, `npm audit`, check repos, look for downloads/lifecycle scripts, etc.). This is appropriate for a security checklist. One minor mismatch: the skill expects tools like `npm` and `git` to be available but the metadata does not declare required binaries — that is reasonable given it's instruction-only but worth noting so an operator knows these checks rely on external CLI tools.
Install Mechanism
No install spec and no code files — lowest-risk category. The skill does not download or execute third-party code itself.
Credentials
The skill requests no credentials, environment variables, or config paths. Its guidance to look for credential-access patterns (e.g., `.env`, `~/.ssh/`) is appropriate for its purpose rather than an attempt to access them.
Persistence & Privilege
`always` is false and the skill is user-invocable. Model invocation is allowed (default) but that is appropriate for a helper skill and not excessive given the skill has no install or credential requests.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install skill-security-scan`
- After installation, invoke the skill by name or use `/skill-security-scan`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Major update: Migrated from an automated shell audit tool to a comprehensive pre-install security checklist and manual review workflow.
- Removed all audit scripts and blocklist/allowlist files; the skill no longer performs automated scanning.
- Added detailed, actionable checklists for vetting sources, popularity, dependencies, lifecycle scripts, and post-install risks.
- Expanded instructions to cover npm and ClawHub skill/package/plugin installs, including dynamic content, core file protection, and reporting known attack campaigns.
- Focus is now on practical user guidance for risk assessment at install-time, rather than automated post-hoc scanning.
Frequently Asked Questions
What is Skill Scanner?
Security checks for installing skills, packages, or plugins. Use BEFORE any `npm install`, `openclaw plugins install`, `clawhub install`, or similar install... It is an AI Agent Skill for Claude Code / OpenClaw, with 206 downloads so far.
How do I install Skill Scanner?
Run "/install skill-security-scan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Scanner free?
Yes, Skill Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Scanner support?
Skill Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Scanner?
It is built and maintained by sudhindrat (@sudhindrat); the current version is v1.0.0.