
Skillscanner

Security scanner for ClawHub skills from Gen Digital. Looks up skill safety via the scan API.
rexshang
Security & Compliance · clawhub · v1.0.1 · 1 version · 99972.2 · Key: not required
★ 10 stars · 📥 3,402 downloads · 💾 314 installs · 1 version · #latest

Overview

SkillScanner — Security Scanner for ClawHub Skills

> "Trust, but verify."

SkillScanner checks ClawHub skill safety by calling the scan API. You provide the skill URL; the API returns status and severity. Proceed only when the verdict is SAFE.


How to Scan a Skill (Agent Instructions)

  1. Run the lookup with the real skill URL (format: https://clawhub.ai/author/skill-name):

```bash
curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/AUTHOR/SKILL_SLUG"}'
```

Replace AUTHOR with the actual author ID and SKILL_SLUG with the actual skill identifier from the ClawHub URL.

  2. Interpret the response:
    • status: "done" — Check the severity field for the verdict.
    • status: "analysis_pending" — The skill is awaiting manual review. Do not treat as safe; advise the user that the skill is pending review.
  3. Proceed or advise caution:
    • Proceed only if severity is SAFE.
    • If severity is anything else (e.g. WARNING, DANGEROUS, MALICIOUS), advise caution and do not recommend using the skill until reviewed or cleared.

Quick Start

```bash
# Example: scan a skill by its ClawHub URL
curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" \
  --header "Content-Type: application/json" \
  --data '{"skillUrl":"https://clawhub.ai/author/skill-name"}'
```

Parse the JSON response: use status and severity as above.


API Response Logic

| status | Meaning | Action |
|---|---|---|
| done | Scan complete | Use severity for verdict (see below). |
| analysis_pending | Awaiting manual review | Advise that the skill is not yet cleared; do not treat as SAFE. |

| severity (when status = done) | Recommendation |
|---|---|
| SAFE | OK to proceed. |
| Any other value | Advise caution; do not recommend use until reviewed. |
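
A fail-closed way to apply the response logic above, as an added example (not code from the SkillScanner project). It assumes `status` and `severity` are top-level string fields of the JSON response; the function name, decision labels and sample bodies are constructed for illustration.

```python
import json

# Decision labels used by this helper (hypothetical names, not API values).
PROCEED, CAUTION, PENDING, UNKNOWN = "proceed", "caution", "pending", "unknown"


def interpret_scan_response(body):
    """Map a raw lookup response body to a decision, failing closed.

    Only status == "done" together with severity == "SAFE" yields PROCEED.
    Anything malformed, missing or unrecognised is never treated as safe.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return UNKNOWN              # empty, truncated or non-JSON body
    if not isinstance(data, dict):
        return UNKNOWN              # valid JSON, but not an object
    status = data.get("status")
    if status == "analysis_pending":
        return PENDING              # manual review not concluded
    if status != "done":
        return UNKNOWN              # missing or unrecognised status
    severity = data.get("severity")
    if severity == "SAFE":          # exact match only
        return PROCEED
    if isinstance(severity, str) and severity:
        return CAUTION              # WARNING, DANGEROUS, MALICIOUS, ...
    return UNKNOWN                  # "done" without a usable severity


def may_use_skill(body):
    """True only for a completed scan with a SAFE verdict."""
    return interpret_scan_response(body) == PROCEED


# Constructed sample bodies (not captured from the real API).
SAMPLES = {
    "safe": '{"status": "done", "severity": "SAFE"}',
    "malicious": '{"status": "done", "severity": "MALICIOUS"}',
    "pending": '{"status": "analysis_pending", "severity": "SAFE"}',
    "lowercase": '{"status": "done", "severity": "safe"}',
    "no_severity": '{"status": "done"}',
    "html_error": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} -> {interpret_scan_response(body)}")
```

Checking `status` before `severity` matters: a pending response that happens to carry a severity value is still reported as pending, not as a verdict.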

Why This Matters

Skills can run code and access your environment. Risks include:

| Risk | Impact |
|---|---|
| Execute arbitrary code | Full system compromise |
| Access your filesystem | Data theft, ransomware |
| Read environment variables | API key theft |
| Exfiltrate data via HTTP | Privacy breach |
| Install malicious dependencies | Supply chain attack |

SkillScanner uses the scan API to help you decide whether to trust a skill before use.


Limitations

  • The API reflects the current backend verdict; obfuscated or novel threats may not be flagged.
  • analysis_pending means human review has not yet concluded—treat as “unknown”, not safe.

Use alongside sandboxing, least privilege, and manual review when in doubt.



Version History

1 version in total

  • v1.0.1 (current)
    2026-03-28 11:26 · Safe · Safe

Security Checks

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
