Category: Security and Compliance (no API key required)

Skillscanner

A ClawHub skill security scanner from Gen Digital that checks skill safety by querying the scan API.

Author: rexshanghubclawhub

SkillScanner — Security Scanner for ClawHub Skills

"Trust, but verify."

SkillScanner checks ClawHub skill safety by calling the scan API. You provide the skill URL; the API returns status and severity. Proceed only when the verdict is SAFE.


How to Scan a Skill (Agent Instructions)

  1. Run the lookup with the real skill URL (format: https://clawhub.ai/author/skill-name):

    curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
      --header "Content-Type: application/json" \
      --data '{"skillUrl":"https://clawhub.ai/AUTHOR/SKILL_SLUG"}'
    

    Replace AUTHOR with the actual author ID and SKILL_SLUG with the actual skill identifier from the ClawHub URL.

  2. Interpret the response:

    • status: "done" — Check the severity field for the verdict.
    • status: "analysis_pending" — The skill is awaiting manual review. Do not treat as safe; advise the user that the skill is pending review.

  3. Proceed or advise caution:

    • Proceed only if severity is SAFE.
    • If severity is anything else (e.g. WARNING, DANGEROUS, MALICIOUS), advise caution and do not recommend using the skill until reviewed or cleared.

Quick Start

# Example: scan a skill by its ClawHub URL
curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/author/skill-name"}'

Parse the JSON response: use status and severity as above.


API Response Logic

| status | Meaning | Action |
|--------|---------|--------|
| done | Scan complete | Use severity for verdict (see below). |
| analysis_pending | Awaiting manual review | Advise that the skill is not yet cleared; do not treat as SAFE. |

| severity (when status = done) | Recommendation |
|-------------------------------|----------------|
| SAFE | OK to proceed. |
| Any other value | Advise caution; do not recommend use until reviewed. |
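
The decision logic in the tables above, written as a fail-closed check (an added example, not SkillScanner's own code). It assumes `status` and `severity` are top-level string fields of the JSON response and that author and slug use only letters, digits, `.`, `_` and `-`; the function names are hypothetical.

```python
import json
import re
import urllib.request

SCAN_ENDPOINT = "https://ai.gendigital.com/api/scan/lookup"  # from the page
# Assumption: author and slug are limited to letters, digits, '.', '_' and '-'.
SKILL_URL_RE = re.compile(r"https://clawhub\.ai/[A-Za-z0-9._-]+/[A-Za-z0-9._-]+")


def build_payload(skill_url: str) -> bytes:
    """Validate the skill URL shape before sending it to the scan API."""
    if not SKILL_URL_RE.fullmatch(skill_url):
        raise ValueError(f"not a ClawHub skill URL: {skill_url!r}")
    return json.dumps({"skillUrl": skill_url}).encode()


def decide(body: str) -> tuple[bool, str]:
    """Return (proceed, reason). Anything other than done + SAFE is a refusal."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False, "unparseable response"
    if not isinstance(data, dict):
        return False, "unexpected response shape"
    status, severity = data.get("status"), data.get("severity")
    if status == "analysis_pending":
        return False, "pending manual review; not cleared"
    if status != "done":
        return False, f"unknown status {status!r}"
    if severity == "SAFE":  # exact match: "safe", None, lists etc. all fail
        return True, "SAFE"
    return False, f"severity {severity!r}; advise caution"


def scan(skill_url: str, timeout: float = 10.0) -> tuple[bool, str]:
    """POST the lookup and fail closed on any transport or HTTP error."""
    req = urllib.request.Request(
        SCAN_ENDPOINT, data=build_payload(skill_url),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return decide(resp.read().decode("utf-8", "replace"))
    except OSError as exc:  # URLError and HTTPError are OSError subclasses
        return False, f"lookup failed: {exc}"
```

A missing field, an unknown status, an error page in place of JSON, and a network failure all end in the same refusal as a non-SAFE severity.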


Why This Matters

Skills can run code and access your environment. Risks include:

| Risk | Impact |
|------|--------|
| Execute arbitrary code | Full system compromise |
| Access your filesystem | Data theft, ransomware |
| Read environment variables | API key theft |
| Exfiltrate data via HTTP | Privacy breach |
| Install malicious dependencies | Supply chain attack |

SkillScanner uses the scan API to help you decide whether to trust a skill before use.


Limitations

  • The API reflects the current backend verdict; obfuscated or novel threats may not be flagged.
  • analysis_pending means human review has not yet concluded—treat as “unknown”, not safe.

Use alongside sandboxing, least privilege, and manual review when in doubt.

