clawsec-scanner
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a secure manual installation process that uses OpenSSL to verify the cryptographic signature of the downloaded components against a pinned public key, ensuring code integrity.
- [COMMAND_EXECUTION]: Security tools such as Semgrep, Bandit, and npm-audit are executed via the spawn API with argument arrays, which prevents shell injection by avoiding shell interpolation of inputs.
- [EXTERNAL_DOWNLOADS]: The skill queries trusted vulnerability databases, including Google's OSV and the NIST NVD. Installation assets are retrieved from the author's verified GitHub repository, consistent with the identified author context.
- [DATA_EXFILTRATION]: Access to sensitive environment variables (e.g., NVD API keys, GitHub tokens) is limited to legitimate authentication for vulnerability queries; there is no evidence of secret exposure or unauthorized external data transmission.
- [SAFE]: The skill includes its own testing framework (DAST) specifically designed to validate hook handler safety by simulating common attack vectors like path traversal and command injection in a controlled environment.
Audit Metadata