security scanner

Name/description state it will scan skills for vulnerabilities and undeclared permissions; the SKILL.md and handler.ts implement exactly that by calling the Claw0x Gateway API. Requested artifacts (repo_url, skill_slug, code) and the single required env var (CLAW0X_API_KEY) match the stated purpose.

Runtime instructions and examples consistently instruct the agent to POST skill data (repo URL or code) to https://api.claw0x.com/v1/call. There are no instructions to read unrelated local files or other environment variables. This is expected, but it does mean user code/metadata will be sent to a third-party service — a privacy-sensitive action that the user should be aware of.

Instruction-only skill with no install spec. The included handler.ts is a small network wrapper (uses fetch) and does not write to disk or download/extract remote archives. Low installation risk.

Only CLAW0X_API_KEY is required (declared in SKILL.md metadata and enforced by handler.ts). That single credential is proportional to a remote service wrapper. Users should still treat the key as sensitive because it authorizes requests that may transmit code to the external API.

always is false and the skill does not request elevated privileges, nor does it modify other skills or global agent config. Model invocation is allowed (the platform default), which is appropriate for a callable scanner.