samber

Snyk Agent Scan Compliance

by Samuel Berthe · GitHub ↗ · v1.0.0 · MIT-0
Platform: cross-platform · Marketplace flag: ⚠ suspicious
98 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install snyk-agent-scan-compliance
Description
Compliance expert for snyk-agent-scan — the agent skill file scanner — NOT for other Snyk CLI tools (snyk test, snyk code SAST, snyk iac, snyk container). Fi...
Usage Guidance
This skill appears to do what it says (help authors fix snyk-agent-scan alerts) and installs the snyk-agent-scan CLI, but there is an important inconsistency: the runtime examples require a SNYK_TOKEN secret yet the skill metadata declares no required env vars or primary credential. Before installing, confirm you trust the source of the snyk-agent-scan uv package and ask the publisher to (a) declare the SNYK_TOKEN in the manifest so you can review its scope, or (b) update docs to explain the token's required permissions and how it will be used. Treat the SNYK_TOKEN as sensitive — only provide it via CI secrets or a limited-scope token in a sandboxed environment. Finally, because this is an instruction-only skill (no code files), the SKILL.md is the full runtime surface: review the prose for any additional commands you would not want executed by an autonomous agent and test the skill in an isolated environment first.
Capability Analysis
Type: OpenClaw Skill
Name: snyk-agent-scan-compliance
Version: 1.0.0
The skill bundle is a compliance assistant designed to help developers fix alerts generated by the 'snyk-agent-scan' tool. It provides detailed instructions and reference patterns (W001, W011, W012) for restructuring OpenClaw skills to pass security heuristics, such as moving installation commands to frontmatter and using version pinning. The content promotes security best practices within the OpenClaw ecosystem and contains no evidence of malicious intent, data exfiltration, or unauthorized execution logic.
Capability Assessment
Purpose & Capability
The skill's stated purpose (helping authors remediate snyk-agent-scan alerts) aligns with the install of the snyk-agent-scan tool (uv package). Requiring the snyk-agent-scan binary is coherent. However, the SKILL.md explicitly shows running the scanner with SNYK_TOKEN=<token> (and recommends storing it as a CI secret), yet the skill metadata lists no required environment variables or primary credential. That omission is inconsistent and unexplained.
Instruction Scope
The SKILL.md instructs running snyk-agent-scan (examples: `SNYK_TOKEN=<token> snyk-agent-scan --skills ...`) and tells users to store SNYK_TOKEN as a CI secret. Because there are no code files, the prose is the runtime surface — and it explicitly requires a secret but the manifest doesn't declare it. Otherwise the instructions stay within the stated domain (rewriting skill bodies to avoid W001/W011/W012), and they do not instruct reading unrelated local files or exfiltrating arbitrary data.
Install Mechanism
Install uses a uv package entry for snyk-agent-scan (kind: uv, package: snyk-agent-scan), which is proportionate to the tool's purpose. A uv install is a network fetch of a package; that is expected for a CLI helper. No arbitrary direct-download or extract-from-untrusted-URL patterns are present in the install spec.
Credentials
The SKILL.md clearly requires a SNYK_TOKEN to run the scanner and gives examples using it, but the skill's declared requirements list no environment variables or primary credential. A scanner token is a sensitive secret; the skill should declare it (primaryEnv or requires.env) and justify scope. As written, there is a mismatch between declared and actual secret needs.
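The mismatch described under Instruction Scope and Credentials (a token used in the SKILL.md commands and prose but absent from the manifest) is mechanically checkable. The script below is an added example for this review, not code from the skill, from OpenClaw or from snyk-agent-scan: it splits a SKILL.md into frontmatter and body, collects the env vars the frontmatter declares, collects the env vars the body actually uses, and reports the difference, flagging secret-looking names. The frontmatter field names (primaryEnv, requires.env, requires.bins, install kind/package) are taken from the review text above; the exact OpenClaw manifest layout is an assumption, and the two SKILL.md samples are constructed.

```python
"""Cross-check env vars a SKILL.md uses against what its frontmatter declares.

Added example for this review; not part of the skill or of snyk-agent-scan.
The frontmatter keys follow the field names mentioned in the review; the real
OpenClaw manifest schema is assumed, not verified.
"""
import re
from typing import Dict, List, Set, Tuple

# Names that should never be undeclared: *_TOKEN, *_KEY, *_SECRET, ...
SECRET_HINT = re.compile(r"(?:^|_)(TOKEN|SECRET|KEY|PASSWORD|PASSWD|CREDENTIALS?)$")
# `NAME=value` prefix on a command, `$NAME` / `${NAME}`, or `export NAME`
ENV_USE = re.compile(
    r"(?<![\w$])([A-Z][A-Z0-9_]{2,})=(?!=)"   # SNYK_TOKEN=<token> cmd
    r"|\$\{?([A-Z][A-Z0-9_]{2,})\}?"          # $SNYK_TOKEN / ${SNYK_TOKEN}
    r"|\bexport\s+([A-Z][A-Z0-9_]{2,})\b"     # export SNYK_TOKEN
)


def split_frontmatter(text: str) -> Tuple[List[str], str]:
    """Return (frontmatter lines, body) for a '---'-delimited Markdown file."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return [], text
    for i in range(1, len(lines)):
        if lines[i].strip() == "---":
            return lines[1:i], "\n".join(lines[i + 1:])
    return [], text  # unterminated frontmatter: treat everything as body


def declared_env_vars(fm: List[str]) -> Set[str]:
    """Names from `primaryEnv: NAME` and the list under `requires:` -> `env:`.

    A small indentation-aware walk instead of a YAML library so the check
    needs only the standard library. Only the keys named above are read.
    """
    declared: Set[str] = set()
    in_requires = in_env = False
    env_indent = -1
    for raw in fm:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        m = re.match(r"primaryEnv:\s*(\S+)", line)
        if m and indent == 0:
            declared.add(m.group(1))
            continue
        if indent == 0:                      # new top-level key
            in_requires = line.startswith("requires:")
            in_env = False
            continue
        if in_requires and line.startswith("env:"):
            in_env, env_indent = True, indent
            inline = line[len("env:"):].strip()  # inline form: env: [A, B]
            if inline.startswith("["):
                declared.update(x.strip() for x in inline.strip("[]").split(",") if x.strip())
            continue
        if in_env:
            if indent > env_indent and line.startswith("- "):
                declared.add(line[2:].strip())
            else:
                in_env = False               # left the env list
    return declared


def referenced_env_vars(body: str) -> Set[str]:
    """Names used in commands plus secret-looking identifiers mentioned in prose
    (e.g. 'store SNYK_TOKEN as a CI secret')."""
    found: Set[str] = set()
    for m in ENV_USE.finditer(body):
        found.add(next(g for g in m.groups() if g))
    for word in re.findall(r"\b[A-Z][A-Z0-9_]{2,}\b", body):
        if SECRET_HINT.search(word):
            found.add(word)
    return found


def audit(skill_md: str) -> Dict[str, object]:
    """Report declared vs used env vars; 'undeclared_secrets' is the review finding."""
    fm, body = split_frontmatter(skill_md)
    declared, used = declared_env_vars(fm), referenced_env_vars(body)
    undeclared = sorted(used - declared)
    return {
        "declared": sorted(declared),
        "used": sorted(used),
        "undeclared": undeclared,
        "undeclared_secrets": [v for v in undeclared if SECRET_HINT.search(v)],
    }


FENCE = "`" * 3  # avoids literal triple backticks inside this example

# Constructed sample reproducing the mismatch in the review: the frontmatter
# declares a uv install and a required binary but no env vars, while the body
# runs the scanner with SNYK_TOKEN and asks for it as a CI secret.
UNDECLARED_SKILL = f"""---
name: snyk-agent-scan-compliance
version: 1.0.0
install:
  - kind: uv
    package: snyk-agent-scan
requires:
  bins:
    - snyk-agent-scan
---
# Snyk Agent Scan Compliance

Run the scanner against your skills:

{FENCE}bash
SNYK_TOKEN=<token> snyk-agent-scan --skills ./skills
{FENCE}

Store SNYK_TOKEN as a CI secret and never paste it into chat.
"""

# The same skill after the publisher declares the credential, so a reviewer
# sees its scope in the manifest instead of discovering it in the prose.
DECLARED_SKILL = UNDECLARED_SKILL.replace(
    "requires:\n  bins:",
    "primaryEnv: SNYK_TOKEN\nrequires:\n  env:\n    - SNYK_TOKEN\n  bins:",
)

if __name__ == "__main__":
    for label, text in (("as published", UNDECLARED_SKILL), ("with declaration", DECLARED_SKILL)):
        r = audit(text)
        print(f"{label}: undeclared={r['undeclared']} secrets={r['undeclared_secrets']}")
```

Run it against a real SKILL.md by reading the file into `audit()`; a non-empty `undeclared_secrets` list is exactly the condition the review raises, and it is the one to fail a marketplace or CI gate on.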
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system settings. Allowed-tools are broad but consistent with an authoring/compliance helper. There is no evidence the skill requests permanent elevated presence.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install snyk-agent-scan-compliance
  3. After installation, invoke the skill by name or use /snyk-agent-scan-compliance
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of skill-authoring compliance guidance for snyk-agent-scan.
- Provides comprehensive reference and best practices for resolving W011 (third-party content), W012 (malicious URLs), and W001 (prompt injection) alerts.
- Clarifies scope: applies to skill authoring and editing, not code/infrastructure findings.
- Details passive rewriting strategies; never suppress or delete information.
- Includes remediation order, typical false positive conditions, and a pre-authoring checklist to minimize scan failures.
- Usage and installation guidance specific to `snyk-agent-scan`, including how to triage scans in local and CI environments.
Metadata
Slug: snyk-agent-scan-compliance
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Snyk Agent Scan Compliance?

Compliance expert for snyk-agent-scan — the agent skill file scanner — NOT for other Snyk CLI tools (snyk test, snyk code SAST, snyk iac, snyk container). Fi... It is an AI Agent Skill for Claude Code / OpenClaw, with 98 downloads so far.

How do I install Snyk Agent Scan Compliance?

Run "/install snyk-agent-scan-compliance" in the OpenClaw or Claude Code chat to install it in one step. The install itself needs no extra setup, but the SKILL.md examples run the scanner with a SNYK_TOKEN, which you must supply yourself (see Usage Guidance above).

Is Snyk Agent Scan Compliance free?

Yes, Snyk Agent Scan Compliance is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Snyk Agent Scan Compliance support?

Snyk Agent Scan Compliance is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Snyk Agent Scan Compliance?

It is built and maintained by Samuel Berthe (@samber); the current version is v1.0.0.
