SkillScanner — Security Scanner for ClawHub Skills

"Trust, but verify."

SkillScanner checks ClawHub skill safety by calling the scan API. You provide the skill URL; the API returns status and severity. Proceed only when the verdict is SAFE.

How to Scan a Skill (Agent Instructions)

Run the lookup with the real skill URL (format:

https://clawhub.ai/author/skill-name

curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/AUTHOR/SKILL_SLUG"}'

Replace

AUTHOR

with actual author id and

SKILL_SLUG

with the actual skill identifier from the ClawHub URL.

Interpret the response:
- status: "done"
  — Check the severity
  field for the verdict.
- status: "analysis_pending"
  — The skill is awaiting manual review. Do not treat as safe; advise the user that the skill is pending review.
Proceed or advise caution:
- Proceed only if severity
  is
  SAFE
  .
- If severity is anything else (e.g.
```
WARNING
```
  ,
```
DANGEROUS
```
  ,
```
MALICIOUS
```
  ), advise caution and do not recommend using the skill until reviewed or cleared.

Quick Start

# Example: scan a skill by its ClawHub URL
curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/author/skill-name"}'

Parse the JSON response: use

status

and

severity

as above.

API Response Logic

`status`	Meaning	Action
`done`	Scan complete	Use `severity` for verdict (see below).
`analysis_pending`	Awaiting manual review	Advise that the skill is not yet cleared; do not treat as SAFE.

severity

(when

status

done

)

Recommendation

SAFE OK to proceed.

Any other value Advise caution; do not recommend use until reviewed.

Why This Matters

Skills can run code and access your environment. Risks include:

Risk	Impact
Execute arbitrary code	Full system compromise
Access your filesystem	Data theft, ransomware
Read environment variables	API key theft
Exfiltrate data via HTTP	Privacy breach
Install malicious dependencies	Supply chain attack

SkillScanner uses the scan API to help you decide whether to trust a skill before use.

Limitations

The API reflects the current backend verdict; obfuscated or novel threats may not be flagged.
```
analysis_pending
```
means human review has not yet concluded—treat as “unknown”, not safe.

Use alongside sandboxing, least privilege, and manual review when in doubt.

Links:

Agent Trust Hub

Skillscanner

AI Skill Market Insights

Be Part of the 0+ Developer Community

SkillScanner — Security Scanner for ClawHub Skills

How to Scan a Skill (Agent Instructions)

Quick Start

API Response Logic

Why This Matters

Limitations

Quick Start

Manual Installation

TEAR & SHARE

Tags

Check Security

Check Privacy

Check Aws Security

Skill Vetter

ClawDefender - OpenClaw Security - Prompt injection, rogue skills etc

Channels

Learn

Compare

Company