nakedoshadow

Shadows Security Scanner

by NakedoShadow · GitHub ↗ · v1.1.0
Platforms: darwin · linux · win32 · ⚠ suspicious
446 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install shadows-security-scanner
Description
7-phase security audit pipeline — reconnaissance, dependency scan, application tests, API security, hardening check, OWASP verification, report. Use before p...
Usage Guidance
This skill appears coherent for running a repo-focused security audit. Before running it:
  1. Verify the skill source: registry metadata shows an external homepage in SKILL.md, but the package's declared homepage is missing, so confirm authenticity.
  2. Run scans only in the intended repository or an isolated clone, to avoid accidentally scanning unrelated files on the machine.
  3. Be aware that dependency auditors (npm audit, pip-audit, cargo-audit) make read-only network calls to vulnerability databases.
  4. Outputs (git history, grep results) can contain secrets; treat reports carefully and rotate any exposed secrets.
  5. If you are uncertain, run the suggested commands manually in a controlled environment first rather than giving the agent autonomous execution access.
Capability Analysis
Type: OpenClaw Skill · Name: shadows-security-scanner · Version: 1.1.0
The skill provides a comprehensive security audit pipeline using high-risk capabilities: broad file system access, shell command execution, and outbound network requests. It uses `grep` and `git log --all -p` to scan source code and history for secrets, and invokes external tools such as `npm audit` and `curl` for dependency and header checks. These actions are clearly aligned with the stated purpose of a security scanner, and no evidence of malicious intent or data exfiltration was found; nevertheless, the combination of shell access and network capabilities meets the threshold for a suspicious classification under the provided guidelines.
Capability Assessment
Purpose & Capability
Name and description are consistent with the instructions: git is required for history/secret scans; npm/pip/cargo are optional for dependency audits. No unrelated credentials, config paths, or strange binaries are requested.
Instruction Scope
Instructions explicitly run grep across source files, run dependency auditors (which perform network reads), and run `git log --all -p` to search history. These actions are appropriate for a security audit, but they will read repository content (including any secrets) and may make network requests to vulnerability databases. The SKILL.md instructs that curl is only ever run against user-provided URLs for header checks.
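The two practical caveats above (scan only inside the intended checkout, and keep raw secrets out of the report even though `git log --all -p` will surface them) are easy to get wrong when an agent pipes tool output straight into a findings file. The following is an added example, not code from the skill or its author, that shows one way to handle both: a path-containment check for the scan root and a parser over `git log --all -p` output that reports matches on both added and removed lines, redacting the matched value before it reaches the report. The detection rules (`SECRET_PATTERNS`) are deliberately narrow illustrations, not a production rule set, and the git log text is a constructed sample embedded inline so the example runs offline.

```python
"""Added example: scope check plus redacting secret scan over `git log --all -p` output."""
import re
from dataclasses import dataclass
from pathlib import Path

# Hypothetical, deliberately narrow rules; a real scanner carries a much larger set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


@dataclass(frozen=True)
class Finding:
    commit: str
    file: str
    rule: str
    redacted: str  # the only form of the value that may enter a report


def in_scope(path: str, repo_root: str) -> bool:
    """True only if `path` resolves to the repository root or something beneath it.

    Resolving both sides defeats `..` tricks and symlinks that point out of the clone."""
    root = Path(repo_root).resolve()
    target = Path(path).resolve()
    return target == root or root in target.parents


def redact(value: str) -> str:
    """Keep enough of a credential to identify it, never enough to use it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_git_log(log_text: str) -> list[Finding]:
    """Walk `git log --all -p` output, tracking the current commit and file.

    Both added (+) and removed (-) lines are checked: a secret deleted in a later
    commit is still recoverable from history, so it is still a finding."""
    findings: list[Finding] = []
    commit = file = "?"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+++ b/"):
            file = line[len("+++ b/"):]
        elif line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            for rule, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(line[1:]):
                    findings.append(Finding(commit, file, rule, redact(match.group(0))))
    return findings


def render_report(findings: list[Finding]) -> str:
    """One line per finding; raw values never appear because Finding only stores the redacted form."""
    return "\n".join(f"{f.commit} {f.file} {f.rule} {f.redacted}" for f in findings)


# Constructed sample of `git log --all -p` output (newest commit first). The AWS key is
# the documented AWS example value; the GitHub token is a made-up string of the right shape.
SAMPLE_GIT_LOG = """
commit 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b
Author: dev <dev@example.com>
Date:   Tue Jan 2 00:00:00 2024 +0000

    remove leaked key from deploy config

diff --git a/config/deploy.env b/config/deploy.env
--- a/config/deploy.env
+++ b/config/deploy.env
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
 DB_HOST=db.internal
commit 3f1c2a9b7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a
Author: dev <dev@example.com>
Date:   Mon Jan 1 00:00:00 2024 +0000

    add deploy config and API client

diff --git a/config/deploy.env b/config/deploy.env
--- /dev/null
+++ b/config/deploy.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_HOST=db.internal
diff --git a/src/client.js b/src/client.js
--- /dev/null
+++ b/src/client.js
@@ -0,0 +1,1 @@
+const token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789";
"""

if __name__ == "__main__":
    print(render_report(scan_git_log(SAMPLE_GIT_LOG)))
```

Running the block prints three findings: the AWS key once from the commit that added it and once from the commit that removed it, plus the token in `src/client.js`, each shown only in redacted form. Feeding real output in is a matter of `subprocess.run(["git", "log", "--all", "-p"], ...)` from a root that `in_scope` has approved; anything flagged should then be rotated, since redaction protects the report, not the credential.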
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer. Risk from installs is low because the skill assumes locally installed standard tools (git, npm, pip, cargo).
Credentials
No environment variables, credentials, or config paths are requested. Optional tools are proportionate to the dependency-audit features. The skill does not request unrelated secrets or keys.
Persistence & Privilege
`always: false` and the absence of an install spec mean no forced or persistent presence. The skill does not attempt to modify other skills or system-wide agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install shadows-security-scanner
  3. After installation, invoke the skill by name or use /shadows-security-scanner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
HIGH TRUST: full bins declaration, PREREQUISITES, SECURITY CONSIDERATIONS, LIMITATIONS, fixed Phase 5 URL handling
v1.0.0
Initial release of shadows-security-scanner 1.0.0
- Introduces a comprehensive 7-phase security audit pipeline (reconnaissance, dependency scan, application security tests, API security, hardening check, secrets verification, and structured reporting).
- Provides specific command-line examples and detailed checklists for Node.js, Python, and Rust projects.
- Designed for use before production deployments, after incidents, or as part of regular scheduled audits.
- Ensures findings are evidence-based, actionable, and categorized by severity.
- Offers an output format for clear, structured security audit reports.
Metadata
Slug shadows-security-scanner
Version 1.1.0
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Shadows Security Scanner?

7-phase security audit pipeline — reconnaissance, dependency scan, application tests, API security, hardening check, OWASP verification, report. Use before p... It is an AI Agent Skill for Claude Code / OpenClaw, with 446 downloads so far.

How do I install Shadows Security Scanner?

Run "/install shadows-security-scanner" in the OpenClaw or Claude Code chat to install it in one step. The skill itself has no install step, but it expects git to be available locally (and npm, pip or cargo if you want the optional dependency audits).

Is Shadows Security Scanner free?

Yes, Shadows Security Scanner is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Shadows Security Scanner support?

Shadows Security Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created Shadows Security Scanner?

It is built and maintained by NakedoShadow (@nakedoshadow); the current version is v1.1.0.
