2.5k
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
3 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill snyk-skill-scanner- _meta.json294 B
- SKILL.md2.4 KB
Overview
This skill scans installed agent components—MCP servers, skills, and agent tools—for security vulnerabilities using snyk-agent-scan via the uvx CLI. It intentionally runs external audit code to detect prompt injection, malware payloads, credential leaks, and other risky patterns. Use it as a lightweight, automated gate before installing or running third-party skills.
How this skill works
The skill invokes uvx snyk-agent-scan to analyze files and metadata under specified paths or default skill locations. It classifies findings with codes (E = high, W = medium/low, TF = toxic flow) and returns file paths, risk types, severity, and remediation hints. You can run scans with flags for verbose output or JSON for automation.
When to use it
- Before installing or enabling a new skill or tool
- After pulling or updating skills from a public archive
- As part of CI/CD or pre-deploy checks for agent components
- When you suspect credential leaks, prompt injection, or malicious code
- When auditing MCP servers or workspace/global skill folders
Best practices
- Scan the default OpenClaw skill locations (~/.openclaw/skills/ and <project>/skills/) and any custom paths before use
- Treat E-prefixed issues as high priority and fix or avoid the component
- Integrate JSON output into automated pipelines for blocking deployments on high-severity findings
- Run scans regularly and after every third-party update to catch regressions
- Combine findings with manual review for context-sensitive issues like untrusted content
Example use cases
- Pre-install scan of a downloaded skill bundle to detect hardcoded secrets or malware payloads
- Automated CI step that runs uvx snyk-agent-scan@latest --skills --json and fails on E-level issues
- Periodic inventory scan of all installed MCP servers to detect tool shadowing or tool poisoning
- Ad-hoc scan of a workspace skill folder after pulling community contributions
- Verbose scan to produce an audit-ready report for security reviews
FAQ
Use uvx snyk-agent-scan@latest with flags like --skills, --verbose, or --json. You can also pass a path to scan a custom directory.
How should I handle different severities?
Treat E (error) and TF (toxic flow) findings as high severity—fix or avoid. Review W-level warnings and decide based on your risk tolerance and context.