
      Safety Report

      Heimdall Security Scanner

      @h-mascot

      Scan AI agent skills for malware and risky patterns using context-aware, AI-driven analysis to ensure safe installation and operation.

      651 Downloads
      0 Installs
      0 Stars
      2 Versions
      Security & Compliance 4,334

      Security Analysis

      medium confidence
      Suspicious · 0.12 risk

      The skill's purpose (a security scanner) is plausible, but there are several inconsistencies and risky instructions (undeclared API key usage, prompt-injection examples in the docs, guidance to store secrets in plaintext and add shell aliases, and execution of arbitrary scans/cloned repos) that warrant careful review before installing or running.

      Feb 10, 2026 · 5 files · 5 concerns

      Purpose & Capability: note

      The name and SKILL.md describe a security scanner for skills, which matches the presence of a scanner script in the bundle. However the docs require an external LLM API key for '--analyze' (OPENROUTER_API_KEY) but the skill manifest declares no required env variables; the SKILL.md mentions Claude in one place and OpenRouter in another (minor inconsistency). The scanner's ability to clone remote repos (shown in examples) is reasonable for a scanner but increases risk and should be explicit in the manifest.

      Instruction Scope: concern

      Runtime instructions include cloning arbitrary GitHub repos and running the scanner against them, iterating over all installed skills, and recommend writing an alias to ~/.bashrc and storing API keys in plaintext files. The doc also contains explicit examples of dangerous prompt-injection payloads (e.g., 'ignore previous instructions') — while these are presented as detection examples, their presence is a prompt-injection signal and was flagged by the pre-scan. The instructions don't clearly limit what the scanner itself will execute; if the Python script executes or imports code from scanned repos, that could execute untrusted code.

      Install Mechanism: note

      There is no install spec (instruction-only), which avoids automatic downloads during install. That is lower-risk. However SKILL.md advises adding an alias to ~/.bashrc and saving API keys to ~/clawd/secrets/openrouter.key, which creates persistence and writes credentials to disk if the user follows the guide — a security consideration the user should be aware of.

      Credentials: concern

      The docs ask for an OpenRouter API key (or a file) to enable AI-powered analysis, which is proportionate to an optional analysis feature, but the manifest does not declare any required env vars or a primary credential. This mismatch is an incoherence that reduces transparency. Also recommending storing 'sk-or-...' in a plaintext file under the home directory is risky; prefer using a runtime environment variable or secret manager.

      Persistence & Privilege: note

      The skill does not set 'always' or other elevated registry flags, and model-invocation flags are left default. There is no built-in forced persistence. However the installation notes recommend creating a shell alias (modifying ~/.bashrc), which is a user-side persistence action; users should be aware this is optional and review what it does before applying.

      Guidance

      This skill looks like a legitimate security scanner, but there are a few red flags you should address before running or installing it:

      - Inspect the included Python script(s) (scripts/skill-scan.py and skill-scan.py) before executing. Search for any subprocess/os.system/exec calls, network requests (curl/wget/requests), or code that imports/executes files from scanned repos.
      - Do not blindly run scans against untrusted repositories on machines with secrets. Use an isolated environment (VM/container) for initial testing.
      - The SKILL.md asks you to provide an OpenRouter API key and suggests saving it in plaintext to ~/clawd/secrets/openrouter.key; instead, prefer using an environment variable for the key and avoid storing it in an unprotected file. Confirm the manifest is updated to declare required env vars.
      - Review any recommended shell modifications (the alias appended to ~/.bashrc) before applying. That step is optional and creates persistence in your shell environment.
      - Confirm the LLM provider and privacy model (the docs reference both Claude and OpenRouter inconsistently) and whether any scanned data or telemetry is sent to third parties.
      - If you are unsure, request the skill author/repository link and verify the source (maintainer identity, GitHub repo contents, recent commits). If the author or origin is unknown, treat the skill as higher-risk.

      Given the documented inconsistencies and the presence of prompt-injection examples in the docs, proceed cautiously and audit the code and network behavior before trusting this skill with sensitive environments.

      Latest Release

      v1.0.1

      Added description and improved docs


      Published by @h-mascot on ClawHub
