Is itsnishi/scan-skill safe?
https://github.com/openclaw/skills/tree/main/skills/itsnishi/scan-skill
scan-skill is a legitimate defensive security tool that scans other Claude Code skills for injection, exfiltration, and obfuscation patterns before installation. The code is clean Python using only standard library, the SKILL.md is transparent about its operation, and canary integrity was confirmed intact with no credential exfiltration. The only notable concern is that Bash is pre-approved in the frontmatter, but this is adequately mitigated by disable-model-invocation: true and the skill's explicit, read-only purpose.
Findings (3)
MEDIUM: Bash tool pre-approved in frontmatter (-20)
The allowed-tools frontmatter field includes Bash, meaning when a user invokes this skill the agent may execute shell commands without per-command consent prompts. This is adequately mitigated by disable-model-invocation: true (user must consciously trigger the skill) and context: fork (isolated execution context). The Bash invocation is necessary and transparent — the SKILL.md shows exactly what command will run.
LOW: Sensitive credential files accessed during audit window (-10)
Auditd PATH records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. Pre-install accesses at timestamp 1771909119 predate the skill clone (1771909136) and are definitively from openclaw infrastructure. Post-install accesses at 1771909141 are consistent with audit monitoring cycles. The skill Python code contains no logic to read these paths. Canary integrity confirmed intact.
INFO: Supporting Python scripts present and analyzed (-10)
scan_skill.py (main scanner) and patterns.py (pattern library) are well-structured, pure-function Python using only standard library. No dangerous calls, no network I/O, no dynamic code execution. Pattern library covers known attack categories comprehensively and correctly.