🧪 Skills

Snyk Skill Scanner

Scan installed agent components (MCP servers, skills, agent tools) for security vulnerabilities using snyk-agent-scan. Use only when running uvx snyk-agent-s...

v1.0.0
❤️ 0
⬇️ 117
👁 1
Save📁 Collect
Share

Description

name: skill-scanner description: "Scan installed agent components (MCP servers, skills, agent tools) for security vulnerabilities using snyk-agent-scan. Use only when running uvx snyk-agent-scan commands to scan skills for risks like prompt injection, malware, or credential leaks. This skill intentionally executes external code (snyk-agent-scan via uvx) for security auditing purposes."

Skill Scanner

Use snyk/agent-scan to detect security risks in agent components.

Quick Scan

# Scan all skills on the machine
uvx snyk-agent-scan@latest --skills

# Scan MCP servers (default behavior)
uvx snyk-agent-scan@latest

# Scan with verbose output
uvx snyk-agent-scan@latest --skills --verbose

# Output JSON for automation
uvx snyk-agent-scan@latest --skills --json

What It Detects

For Skills

  • Prompt Injection (E004) - Malicious instructions hidden in prompts
  • Malware Payloads (E006) - Harmful code disguised as content
  • Untrusted Content (W011) - Potentially unsafe external data
  • Credential Handling (W007) - Improper secrets management
  • Hardcoded Secrets (W008) - API keys or passwords in code

For MCP Servers

  • Prompt Injection (E001)
  • Tool Poisoning (E003)
  • Tool Shadowing (E002)
  • Toxic Flows (TF001)
  • Rug Pull (W005) - Malicious skill replacement

Workflow

  1. Before installing a new skill → Run a scan first
  2. After scanning → Review any E001/E003/E004/E006 issues (high severity)
  3. Low severity warnings (W005-W008) → Decide based on your risk tolerance

Interpreting Results

Prefix Severity Action
E High Fix or avoid the skill
W Medium/Low Review and decide
TF High Toxic flow detected

Common Issues

If uvx is not found, install uv first:

# macOS
brew install uv

# Linux
curl -LsSf https://astral.sh/uv/install.sh | sh

OpenClaw Skills Location

OpenClaw skills are typically stored at:

  • Global: ~/.openclaw/skills/
  • Workspace: <project>/skills/

To scan a custom path, pass it directly:

uvx snyk-agent-scan@latest ~/.openclaw/skills/

Output Example

The scan will show:

  • File path of the issue
  • Risk type and description
  • Severity level (E/W/TF)
  • Recommended fix

Review the full report at: https://github.com/snyk/agent-scan/blob/main/docs/issue-codes.md

Reviews (0)

Sign in to write a review.

No reviews yet. Be the first to review!

Comments (0)

Sign in to join the discussion.

No comments yet. Be the first to share your thoughts!

Compatible Platforms

Links

📂 Source Code

Pricing

Free

Related Configs

🧪 Skill

self-improving-agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

❤️ 2.0k ⬇️ 218k
🧪 Skill

Self Improving Agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. And also 50+ models for image generation, video generation, text-to-speech, spe...

❤️ 2.0k ⬇️ 206k
🧪 Skill

Find Skills

Free

Search, discover, and install skills from the open agent skills ecosystem to extend agent capabilities for specific tasks or domains.

❤️ 814 ⬇️ 199k
🧪 Skill

Summarize

Free

--- name: summarize description: Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube). homepage: https://summarize.sh metadata: {"clawdbot":{"emoji":"🧾","requires":{"b

❤️ 609 ⬇️ 160k