← Back to AI & LLMs
AI & LLMs by @rexshang

skillscanner

Security scanner for ClawHub skills from Gen Digital

0
Source Code

SkillScanner — Security Scanner for ClawHub Skills

"Trust, but verify."

SkillScanner checks ClawHub skill safety by calling the scan API. You provide the skill URL; the API returns status and severity. Proceed only when the verdict is SAFE.

How to Scan a Skill (Agent Instructions)

  1. Run the lookup with the real skill URL (format: https://clawhub.ai/author/skill-name):

    curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/AUTHOR/SKILL_SLUG"}'

    Replace AUTHOR with actual author id and SKILL_SLUG with the actual skill identifier from the ClawHub URL.

  2. Interpret the response:

    • status: "done" — Check the severity field for the verdict.
    • status: "analysis_pending" — The skill is awaiting manual review. Do not treat as safe; advise the user that the skill is pending review.

  3. Proceed or advise caution:

    • Proceed only if severity is SAFE.
    • If severity is anything else (e.g. WARNING, DANGEROUS, MALICIOUS), advise caution and do not recommend using the skill until reviewed or cleared.

Quick Start

# Example: scan a skill by its ClawHub URL
curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/author/skill-name"}'

Parse the JSON response: use status and severity as above.

API Response Logic

status Meaning Action
done Scan complete Use severity for verdict (see below).
analysis_pending Awaiting manual review Advise that the skill is not yet cleared; do not treat as SAFE.
severity (when status = done) Recommendation
SAFE OK to proceed.
Any other value Advise caution; do not recommend use until reviewed.

Why This Matters

Skills can run code and access your environment. Risks include:

Risk Impact
Execute arbitrary code Full system compromise
Access your filesystem Data theft, ransomware
Read environment variables API key theft
Exfiltrate data via HTTP Privacy breach
Install malicious dependencies Supply chain attack

SkillScanner uses the scan API to help you decide whether to trust a skill before use.

Limitations

  • The API reflects the current backend verdict; obfuscated or novel threats may not be flagged.
  • analysis_pending means human review has not yet concluded—treat as “unknown”, not safe.

Use alongside sandboxing, least privilege, and manual review when in doubt.

Links: