🛠️ 開発・MCP コミュニティ 🔴 エンジニア向け
👤 エンジニア・AI開発者
🛠️ セキュリティScanner
Security Scanner
AIエージェントのスキルをセキュリティ脆弱性、危険なコードパターン、未申告の権限についてスキャンし、構造化されたJSON形式のリスクレポートを返すためのSkillです。
⚡
⏱ RAG構築 1週間 → 1日
📜 元の英語説明(参考)
Scan AI agent skills for security vulnerabilities, dangerous code patterns, and undeclared permissions. Three-layer analysis: dependency CVE scanning, static code analysis, and permission auditing. Returns structured JSON risk report. Use when the user asks to scan a skill for security issues, check for vulnerabilities, audit permissions, or assess skill safety.
🇯🇵 日本人クリエイター向け解説
一言でいうと
AIエージェントのスキルをセキュリティ脆弱性、危険なコードパターン、未申告の権限についてスキャンし、構造化されたJSON形式のリスクレポートを返すためのSkillです。
※ jpskill.com 編集部が日本のビジネス現場向けに補足した解説です。Skill本体の挙動とは独立した参考情報です。
⚡ おすすめ: コマンド1行でインストール(60秒)
下記のコマンドをコピーしてターミナル(Mac/Linux)または PowerShell(Windows)に貼り付けてください。 ダウンロード → 解凍 → 配置まで全自動。
🍎 Mac / 🐧 Linux
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o security-scanner.zip https://jpskill.com/download/5340.zip && unzip -o security-scanner.zip && rm security-scanner.zip
🪟 Windows (PowerShell)
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/5340.zip -OutFile "$d\security-scanner.zip"; Expand-Archive "$d\security-scanner.zip" -DestinationPath $d -Force; ri "$d\security-scanner.zip"完了後、Claude Code を再起動 → 普通に「動画プロンプト作って」のように話しかけるだけで自動発動します。
💾 手動でダウンロードしたい(コマンドが難しい人向け)
- 1. 下の青いボタンを押して
security-scanner.zipをダウンロード - 2. ZIPファイルをダブルクリックで解凍 →
security-scannerフォルダができる - 3. そのフォルダを
C:\Users\あなたの名前\.claude\skills\(Win)または~/.claude/skills/(Mac)へ移動 - 4. Claude Code を再起動
⚠️ ダウンロード・利用は自己責任でお願いします。当サイトは内容・動作・安全性について責任を負いません。
🎯 このSkillでできること
下記の説明文を読むと、このSkillがあなたに何をしてくれるかが分かります。Claudeにこの分野の依頼をすると、自動で発動します。
📦 インストール方法 (3ステップ)
- 1. 上の「ダウンロード」ボタンを押して .skill ファイルを取得
- 2. ファイル名の拡張子を .skill から .zip に変えて展開(macは自動展開可)
- 3. 展開してできたフォルダを、ホームフォルダの
.claude/skills/に置く- · macOS / Linux:
~/.claude/skills/ - · Windows:
%USERPROFILE%\.claude\skills\
- · macOS / Linux:
Claude Code を再起動すれば完了。「このSkillを使って…」と話しかけなくても、関連する依頼で自動的に呼び出されます。
詳しい使い方ガイドを見る →- 最終更新
- 2026-05-17
- 取得日時
- 2026-05-18
- 同梱ファイル
- 1
💬 こう話しかけるだけ — サンプルプロンプト
- › Security Scanner を使って、最小構成のサンプルコードを示して
- › Security Scanner の主な使い方と注意点を教えて
- › Security Scanner を既存プロジェクトに組み込む方法を教えて
これをClaude Code に貼るだけで、このSkillが自動発動します。
📖 Skill本文(日本語訳)
※ 原文(英語/中国語)を Gemini で日本語化したものです。Claude 自身は原文を読みます。誤訳がある場合は原文をご確認ください。
Security Scanner
Claw0x による無料スキル — Claw0x Gateway API を利用しています。
AI エージェントスキルを、依存関係の CVE、危険なコードパターン、未申告のパーミッションという3つのレイヤーにわたるセキュリティ脆弱性についてスキャンします。全体的なスコア(0~100)を含む構造化された JSON 形式のリスクレポートを返します。
無料で利用できます。 このスキルは費用がかかりません。claw0x.com でサインアップし、API キーを作成して呼び出しを開始するだけです。クレジットカードやウォレットへのチャージは不要です。
クイックリファレンス
| このような場合 | スキャン対象 | 得られるもの |
|---|---|---|
| サードパーティースキルのインストール時 | すべての脆弱性 | リスクスコア + CVE リスト |
| スキル公開前 | コードパターン + パーミッション | セキュリティ監査レポート |
| 依存関係の更新時 | 新しい CVE | 更新された脆弱性リスト |
| ユーザーが不審な動作を報告した場合 | 未申告のパーミッション | パーミッション監査 |
| CI/CD パイプライン | 自動セキュリティチェック | 合格/不合格 + 推奨事項 |
| スキルマーケットプレイスのレビュー | 信頼スコアの計算 | 承認決定データ |
なぜ API ベースなのか? 一元化された CVE データベース(OSV.dev)、一貫したスキャンルール、ローカルセットアップ不要という利点があります。
5分で始めるクイックスタート
ステップ1:API キーの取得(30秒)
claw0x.com でサインアップ → ダッシュボード → API キーを作成
ステップ2:最初のスキルをスキャン(1分)
curl -X POST https://api.claw0x.com/v1/call \
-H "Authorization: Bearer ck_live_..." \
-H "Content-Type: application/json" \
-d '{
"skill": "security-scanner",
"input": {
"repo_url": "https://github.com/owner/repo"
}
}'ステップ3:リスクレポートの確認(即時)
{
"overall_risk": "medium",
"risk_score": 35,
"dependency_scan": {
"vulnerabilities": [
{
"id": "GHSA-jf85-cpcp-j695",
"severity": "high",
"package_name": "lodash",
"summary": "Prototype Pollution"
}
]
},
"code_scan": {
"findings": [
{
"rule_id": "SHELL_INJECT",
"severity": "critical",
"file": "handler.ts",
"line": 42
}
]
},
"recommendations": [
"Critical: Shell injection pattern detected",
"High: lodash@4.17.20 has known vulnerabilities"
]
}ステップ4:問題を修正(2分)
# Update vulnerable dependency
npm update lodash
# Fix shell injection
# Replace: exec(userInput)
# With: execFile('command', [userInput])完了です。 これでスキルがより安全になりました。
実世界のユースケース
シナリオ1:スキルマーケットプレイスの審査
問題点: スキルマーケットプレイスを運営しており、承認前に提出物を審査する必要があります。
解決策:
- 出品者が GitHub URL 経由でスキルを提出します。
- 提出時に自動スキャンが実行されます。
- リスクスコアが承認ワークフローを決定します。
- 高リスクのスキルは手動レビューを受けます。
- 低リスクのスキルは自動承認されます。
例:
async function reviewSkillSubmission(repoUrl) {
const response = await fetch('https://api.claw0x.com/v1/call', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.CLAW0X_API_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
skill: 'security-scanner',
input: { repo_url: repoUrl }
})
});
const scan = await response.json();
if (scan.risk_score > 50) {
await queue.add('manual-review', { repoUrl, scan });
} else if (scan.risk_score < 20) {
await approveSkill(repoUrl);
} else {
await requestSellerFixes(repoUrl, scan.recommendations);
}
}
// 結果: 提出物の80%が自動処理され、セキュリティインシデントが95%減少しました。シナリオ2:CI/CD セキュリティゲート
問題点: 開発者が脆弱性のあるコードをプッシュし、それが本番環境に到達してしまいます。
解決策:
- CI/CD パイプラインにセキュリティスキャンを追加します。
- リスクスコアがしきい値を超えた場合、マージをブロックします。
- デプロイ前に修正を要求します。
- セキュリティメトリクスを時系列で追跡します。
例:
# .github/workflows/security.yml
- name: Security Scan
run: |
RESULT=$(curl -X POST https://api.claw0x.com/v1/call \
-H "Authorization: Bearer $CLAW0X_API_KEY" \
-d '{"skill":"security-scanner","input":{"repo_url":"${{ github.repository }}"}}')
RISK_SCORE=$(echo $RESULT | jq -r '.risk_score')
if [ $RISK_SCORE -gt 50 ]; then
echo "Security scan failed: risk score $RISK_SCORE"
exit 1
fi
# 結果: 本番環境でのセキュリティ問題が90%削減されました。シナリオ3:依存関係の監視
問題点: スキルが使用する依存関係に、時間の経過とともに新しい CVE が発生します。
解決策:
- 公開されているすべてのスキルを毎週スキャンするようスケジュールします。
- 新しい脆弱性が現れたときにアラートを発します。
- 依存関係の更新を含む PR を自動作成します。
- 修正にかかる時間を追跡します。
例:
// Cron job: every Monday
async function weeklySecurityAudit() {
const skills = await db.skills.findMany({ status: 'published' });
for (const skill of skills) {
const response = await fetch('https://api.claw0x.com/v1/call', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.CLAW0X_API_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
skill: 'security-scanner',
input: { repo_url: skill.repo_url }
})
});
const scan = await response.json();
// Check if risk increased
if (scan.risk_score > skill.last_risk_score) {
await notifyMaintainer(skill, scan);
await createUpdatePR(skill, scan.recommendations);
}
await db.skills.update({
where: { id: skill.id },
data: { last_risk_score: scan.risk_score }
});
}
}
// 結果: 平均 CVE 修正時間: 2日(業界平均: 30日)シナリオ4:Pre-Commit フック
問題点: 開発者が誤ってシークレットや危険なパターンをコミットしてしまいます。
解決策:
- pr を追加
(原文がここで切り詰められています)
📜 原文 SKILL.md(Claudeが読む英語/中国語)を展開
Security Scanner
Free skill by Claw0x — powered by Claw0x Gateway API.
Scan AI agent skills for security vulnerabilities across three layers: dependency CVEs, dangerous code patterns, and undeclared permissions. Returns a structured JSON risk report with an overall score (0–100).
Free to use. This skill costs nothing. Just sign up at claw0x.com, create an API key, and start calling. No credit card, no wallet top-up required.
Quick Reference
| When This Happens | Scan For | What You Get |
|---|---|---|
| Installing third-party skill | All vulnerabilities | Risk score + CVE list |
| Before publishing skill | Code patterns + permissions | Security audit report |
| Dependency update | New CVEs | Updated vulnerability list |
| User reports suspicious behavior | Undeclared permissions | Permission audit |
| CI/CD pipeline | Automated security check | Pass/fail + recommendations |
| Skill marketplace review | Trust score calculation | Approval decision data |
Why API-based? Centralized CVE database (OSV.dev), consistent scanning rules, no local setup required.
5-Minute Quickstart
Step 1: Get API Key (30 seconds)
Sign up at claw0x.com → Dashboard → Create API Key
Step 2: Scan Your First Skill (1 minute)
curl -X POST https://api.claw0x.com/v1/call \
-H "Authorization: Bearer ck_live_..." \
-H "Content-Type: application/json" \
-d '{
"skill": "security-scanner",
"input": {
"repo_url": "https://github.com/owner/repo"
}
}'Step 3: Review Risk Report (instant)
{
"overall_risk": "medium",
"risk_score": 35,
"dependency_scan": {
"vulnerabilities": [
{
"id": "GHSA-jf85-cpcp-j695",
"severity": "high",
"package_name": "lodash",
"summary": "Prototype Pollution"
}
]
},
"code_scan": {
"findings": [
{
"rule_id": "SHELL_INJECT",
"severity": "critical",
"file": "handler.ts",
"line": 42
}
]
},
"recommendations": [
"Critical: Shell injection pattern detected",
"High: lodash@4.17.20 has known vulnerabilities"
]
}Step 4: Fix Issues (2 minutes)
# Update vulnerable dependency
npm update lodash
# Fix shell injection
# Replace: exec(userInput)
# With: execFile('command', [userInput])Done. Your skill is now more secure.
Real-World Use Cases
Scenario 1: Skill Marketplace Vetting
Problem: You run a skill marketplace and need to vet submissions before approval
Solution:
- Seller submits skill via GitHub URL
- Automated scan runs on submission
- Risk score determines approval workflow
- High-risk skills get manual review
- Low-risk skills auto-approve
Example:
async function reviewSkillSubmission(repoUrl) {
const response = await fetch('https://api.claw0x.com/v1/call', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.CLAW0X_API_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
skill: 'security-scanner',
input: { repo_url: repoUrl }
})
});
const scan = await response.json();
if (scan.risk_score > 50) {
await queue.add('manual-review', { repoUrl, scan });
} else if (scan.risk_score < 20) {
await approveSkill(repoUrl);
} else {
await requestSellerFixes(repoUrl, scan.recommendations);
}
}
// Result: 80% of submissions auto-processed, 95% fewer security incidentsScenario 2: CI/CD Security Gate
Problem: Developers push code with vulnerabilities that reach production
Solution:
- Add security scan to CI/CD pipeline
- Block merges if risk score > threshold
- Require fixes before deployment
- Track security metrics over time
Example:
# .github/workflows/security.yml
- name: Security Scan
run: |
RESULT=$(curl -X POST https://api.claw0x.com/v1/call \
-H "Authorization: Bearer $CLAW0X_API_KEY" \
-d '{"skill":"security-scanner","input":{"repo_url":"${{ github.repository }}"}}')
RISK_SCORE=$(echo $RESULT | jq -r '.risk_score')
if [ $RISK_SCORE -gt 50 ]; then
echo "Security scan failed: risk score $RISK_SCORE"
exit 1
fi
# Result: 90% reduction in production security issuesScenario 3: Dependency Monitoring
Problem: Your skills use dependencies that get new CVEs over time
Solution:
- Schedule weekly scans of all published skills
- Alert when new vulnerabilities appear
- Auto-create PRs with dependency updates
- Track remediation time
Example:
// Cron job: every Monday
async function weeklySecurityAudit() {
const skills = await db.skills.findMany({ status: 'published' });
for (const skill of skills) {
const response = await fetch('https://api.claw0x.com/v1/call', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.CLAW0X_API_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
skill: 'security-scanner',
input: { repo_url: skill.repo_url }
})
});
const scan = await response.json();
// Check if risk increased
if (scan.risk_score > skill.last_risk_score) {
await notifyMaintainer(skill, scan);
await createUpdatePR(skill, scan.recommendations);
}
await db.skills.update({
where: { id: skill.id },
data: { last_risk_score: scan.risk_score }
});
}
}
// Result: Average CVE remediation time: 2 days (industry avg: 30 days)Scenario 4: Pre-Commit Hooks
Problem: Developers accidentally commit secrets or dangerous patterns
Solution:
- Add pre-commit hook that scans changed files
- Block commits with critical findings
- Provide immediate feedback
- Prevent secrets from reaching Git history
Example:
#!/bin/bash
# .git/hooks/pre-commit
# Get staged files
FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.(ts|js|py)$')
if [ -z "$FILES" ]; then
exit 0
fi
# Scan staged code
CODE=$(cat $FILES)
RESULT=$(curl -s -X POST https://api.claw0x.com/v1/call \
-H "Authorization: Bearer $CLAW0X_API_KEY" \
-d "{\"skill\":\"security-scanner\",\"input\":{\"code\":\"$CODE\"}}")
CRITICAL=$(echo $RESULT | jq -r '.code_scan.finding_counts.critical')
if [ "$CRITICAL" -gt 0 ]; then
echo "❌ Commit blocked: critical security issues found"
echo $RESULT | jq -r '.recommendations[]'
exit 1
fi
echo "✅ Security scan passed"
exit 0
# Result: Zero secrets committed to Git in 6 monthsIntegration Recipes
OpenClaw Agent
// Scan before installing skill
agent.onSkillInstall(async (skillUrl) => {
const response = await fetch('https://api.claw0x.com/v1/call', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.CLAW0X_API_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
skill: 'security-scanner',
input: { repo_url: skillUrl }
})
});
const scan = await response.json();
if (scan.risk_score > 50) {
throw new Error(`Skill failed security scan: ${scan.recommendations.join(', ')}`);
}
console.log(`✓ Security scan passed (risk score: ${scan.risk_score})`);
return scan;
});LangChain Agent
import os
import requests
def vet_skill(repo_url):
response = requests.post(
'https://api.claw0x.com/v1/call',
headers={
'Authorization': f'Bearer {os.getenv("CLAW0X_API_KEY")}',
'Content-Type': 'application/json'
},
json={
'skill': 'security-scanner',
'input': {'repo_url': repo_url}
}
)
result = response.json()
if result["risk_score"] > 50:
raise SecurityError(f"High risk: {result['recommendations']}")
return result
# Use in skill installation
try:
scan = vet_skill("https://github.com/owner/repo")
install_skill(repo_url)
except SecurityError as e:
print(f"Installation blocked: {e}")CI/CD Pipeline (GitHub Actions)
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan for vulnerabilities
run: |
RESULT=$(curl -X POST https://api.claw0x.com/v1/call \
-H "Authorization: Bearer ${{ secrets.CLAW0X_API_KEY }}" \
-H "Content-Type: application/json" \
-d "{\"skill\":\"security-scanner\",\"input\":{\"repo_url\":\"https://github.com/${{ github.repository }}\"}}")
echo "$RESULT" | jq '.'
RISK_SCORE=$(echo "$RESULT" | jq -r '.risk_score')
if [ "$RISK_SCORE" -gt 50 ]; then
echo "::error::Security scan failed with risk score $RISK_SCORE"
exit 1
fi
echo "::notice::Security scan passed with risk score $RISK_SCORE"Batch Scanning
// Scan all skills in marketplace
const skills = await db.skills.findMany();
const scans = await Promise.all(
skills.map(async skill => {
const response = await fetch('https://api.claw0x.com/v1/call', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.CLAW0X_API_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
skill: 'security-scanner',
input: { skill_slug: skill.slug }
})
});
return response.json();
})
);
// Update trust scores
for (let i = 0; i < skills.length; i++) {
const trustScore = calculateTrustScore(scans[i]);
await db.skills.update({
where: { id: skills[i].id },
data: {
trust_score: trustScore,
last_scan: new Date(),
security_scan_status: scans[i].overall_risk
}
});
}How It Works — Under the Hood
This skill runs a three-layer security analysis pipeline. No LLM involved — pure deterministic scanning logic.
Layer 1: Dependency CVE Scanning
Dependencies are extracted from package.json (npm) or requirements.txt (PyPI) and queried against the OSV.dev batch vulnerability database.
- Fetches dependency manifests from the target repository
- Queries all packages in a single batch request to OSV.dev
- Classifies each vulnerability by severity: critical, high, medium, low
- Score contribution: critical +25, high +15, medium +8, low +3 (capped at 50)
Layer 2: Static Code Analysis
Source files (.ts, .js, .py) are scanned line-by-line against 8 pre-compiled regex rules covering: dynamic execution, shell injection, env leaks, data exfiltration, hardcoded credentials, unsafe imports, filesystem overreach, and insecure network requests.
- Score contribution: critical +20, high +12, medium +5, low +2 (capped at 40)
Layer 3: Permission Auditing
The SKILL.md frontmatter allowed-tools field is cross-referenced against actual code behavior detected by the static analyzer.
- Parses declared permissions from SKILL.md YAML frontmatter
- Maps code findings to permission categories
- Reports any permissions detected in code but not declared in frontmatter
- Score contribution: +5 per undeclared permission (capped at 10)
Risk Score
The three layer scores are summed into a total risk score (0–100):
| Score Range | Risk Level |
|---|---|
| 0–20 | Low |
| 21–50 | Medium |
| 51–100 | High |
Three Input Modes
You can scan a skill using any of these three modes (mutually exclusive — provide exactly one):
Mode 1: GitHub Repo URL
Provide a public GitHub repository URL. The scanner fetches dependency files, source code, and SKILL.md automatically.
{ "repo_url": "https://github.com/owner/repo" }Mode 2: Claw0x Skill Slug
Provide a skill slug from the Claw0x platform. The scanner looks up the associated repo URL and proceeds with the standard scan.
{ "skill_slug": "validate-email" }Mode 3: Direct Code Submission
Submit code directly along with optional dependency and SKILL.md data. No GitHub fetching needed.
{
"code": "import os\nos.system('rm -rf /')",
"dependencies": { "requests": "2.28.0" },
"skill_md": "---\nname: my-skill\nallowed-tools: Bash(curl *)\n---"
}Prerequisites
- Sign up at claw0x.com
- Create API key in Dashboard
- Set environment variable:
# Add to ~/.openclaw/.env or your agent's environment CLAW0X_API_KEY=ck_live_...
Security note: Never embed API keys in prompts, source code, or version-controlled files. Use environment variables or secret managers.
No credit card or wallet balance needed. This skill is free to use.
When to Use
- Agent pipeline needs to vet a third-party skill before installing
- Developer wants to self-check a skill before publishing
- Platform review pipeline needs automated security assessment
- User asks "is this skill safe?", "scan for vulnerabilities", "check skill security"
API Call
curl -s -X POST https://api.claw0x.com/v1/call \
-H "Authorization: Bearer $CLAW0X_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"skill": "security-scanner",
"input": {
"repo_url": "https://github.com/owner/repo"
}
}'Input
Provide exactly one of the three input modes:
| Field | Type | Required | Description |
|---|---|---|---|
repo_url |
string | one of three | GitHub repo URL. Mutually exclusive with skill_slug and code |
skill_slug |
string | one of three | Claw0x skill slug (1–100 chars). Mutually exclusive with repo_url and code |
code |
string | one of three | Source code to scan directly (max 500KB). Mutually exclusive with repo_url and skill_slug |
dependencies |
object | no | Package name to version map for dependency scanning (used with code mode) |
skill_md |
string | no | SKILL.md content for permission auditing (used with code mode) |
Output Fields
| Field | Type | Description |
|---|---|---|
overall_risk |
string | Risk level: low, medium, or high |
risk_score |
number | Numeric risk score (0–100) |
input_mode |
string | Which input mode was used |
repo_url |
string or null | Repository URL if applicable |
dependency_scan.packages_scanned |
number | Number of packages checked |
dependency_scan.vulnerabilities |
array | Found CVEs (max 20) |
dependency_scan.vulnerability_counts |
object | Count by severity level |
code_scan.findings |
array | Dangerous code patterns found (max 50) |
code_scan.finding_counts |
object | Count by severity level |
code_scan.rules_checked |
number | Number of rules applied |
permission_audit.declared_permissions |
array | Permissions from SKILL.md |
permission_audit.detected_permissions |
array | Permissions found in code |
permission_audit.undeclared_risks |
array | Detected but not declared |
recommendations |
array | Actionable fix suggestions |
scanned_at |
string | ISO 8601 scan timestamp |
scan_duration_ms |
number | Total scan time in milliseconds |
Example
Input:
{
"skill": "security-scanner",
"input": {
"code": "const { exec } = require('child_process');\nexec(userInput);",
"dependencies": { "lodash": "4.17.20" }
}
}Output:
{
"overall_risk": "high",
"risk_score": 62,
"input_mode": "direct",
"repo_url": null,
"dependency_scan": {
"packages_scanned": 1,
"vulnerabilities": [
{
"id": "GHSA-jf85-cpcp-j695",
"summary": "Prototype Pollution in lodash",
"severity": "high",
"package_name": "lodash",
"package_version": "4.17.20"
}
],
"vulnerability_counts": { "critical": 0, "high": 1, "medium": 0, "low": 0 }
},
"code_scan": {
"findings": [
{
"rule_id": "SHELL_INJECT",
"name": "Shell injection",
"severity": "critical",
"file": "input.ts",
"line": 1,
"match": "require('child_process')",
"description": "Shell command execution detected"
}
],
"finding_counts": { "critical": 1, "high": 0, "medium": 0, "low": 0 },
"rules_checked": 8
},
"permission_audit": {
"declared_permissions": [],
"detected_permissions": ["Bash(*)"],
"undeclared_risks": ["Bash(*)"]
},
"recommendations": [
"Critical: Shell injection pattern detected",
"High: lodash@4.17.20 has known vulnerabilities",
"Undeclared permission: Bash(*) detected but not declared"
],
"scanned_at": "2025-01-15T10:30:00.000Z",
"scan_duration_ms": 1250
}Pricing
Free. This skill costs nothing to use. Just sign up at claw0x.com and create an API key.
- No credit card required
- No wallet top-up needed
- Unlimited scans
- Free forever
Why free? Security scanning is a critical need for the agent ecosystem. We provide it free to help build trust and attract users to the Claw0x platform.
API vs Local Scanning: Which is Right for You?
| Feature | Local Tools (npm audit, Snyk) | Claw0x (API-Based) |
|---|---|---|
| Setup Time | 10-30 min (install, configure) | 2 minutes (get API key) |
| CVE Database | npm registry only | OSV.dev (all ecosystems) |
| Code Analysis | Basic (npm audit) | 8 rule categories |
| Permission Audit | ❌ Not available | ✅ SKILL.md cross-check |
| Multi-Language | Separate tools per language | Unified API |
| CI/CD Integration | Complex (multiple tools) | Single API call |
| Cost | Free (local) | Free (API) |
| Maintenance | Tool updates required | Zero maintenance |
When to Use Local Tools
- Offline scanning required
- Already integrated into workflow
- Need language-specific deep analysis
- Processing proprietary code that can't leave network
When to Use Claw0x (API-Based)
- Multi-language projects (npm + PyPI)
- Need permission auditing
- Building skill marketplaces
- CI/CD automation
- Centralized security dashboard
- No local tool maintenance
How It Fits Into Your Development Workflow
┌─────────────────────────────────────────────────────────────┐
│ Skill Development Lifecycle │
└─────────────────────────────────────────────────────────────┘
│
├─ Development
│ • Write code
│ • Add dependencies
│
├─ Pre-Commit Scan
│ POST /v1/call
│ {code: staged_files}
│ → Block if critical
│
├─ CI/CD Scan
│ POST /v1/call
│ {repo_url: github_url}
│ → Fail build if risk > 50
│
├─ Pre-Publish Scan
│ POST /v1/call
│ {skill_slug: slug}
│ → Calculate trust score
│
└─ Continuous Monitoring
Weekly scans for new CVEs
Alert on risk increaseIntegration Points
- Pre-Commit Hooks — Catch issues before Git commit
- CI/CD Pipeline — Block merges with vulnerabilities
- Skill Submission — Vet marketplace submissions
- Continuous Monitoring — Track CVEs over time
- Trust Score Calculation — Update marketplace rankings
Why Use This Via Claw0x?
Unified Infrastructure
- One API key for all skills — no per-provider auth
- Free to use — no credit card, no wallet balance required
- Security scanned — OSV.dev integration for all skills
Security-Optimized
- Three-layer analysis — dependencies, code, permissions
- OSV.dev integration — comprehensive CVE database
- Structured output — JSON format, easy to parse
- Actionable recommendations — specific fixes, not generic advice
Production-Ready
- 99.9% uptime — reliable infrastructure
- Fast scanning — 1-3 seconds per skill
- Scales to millions — handle marketplace-scale scanning
- Cloud-native — works in Lambda, Cloud Run, containers
About Claw0x
Claw0x is the native skills layer for AI agents — providing unified API access, atomic billing, and quality control.
Explore more skills: claw0x.com/skills