snyk-skill-scanner_skill

This skill scans installed agent components for security risks using snyk-agent-scan to detect prompt injection, malware, and credential leaks.
  • Python

2.5k

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

3 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill snyk-skill-scanner

  • _meta.json294 B
  • SKILL.md2.4 KB

Overview

This skill scans installed agent components—MCP servers, skills, and agent tools—for security vulnerabilities using snyk-agent-scan via the uvx CLI. It intentionally runs external audit code to detect prompt injection, malware payloads, credential leaks, and other risky patterns. Use it as a lightweight, automated gate before installing or running third-party skills.

How this skill works

The skill invokes uvx snyk-agent-scan to analyze files and metadata under specified paths or default skill locations. It classifies findings with codes (E = high, W = medium/low, TF = toxic flow) and returns file paths, risk types, severity, and remediation hints. You can run scans with flags for verbose output or JSON for automation.

When to use it

  • Before installing or enabling a new skill or tool
  • After pulling or updating skills from a public archive
  • As part of CI/CD or pre-deploy checks for agent components
  • When you suspect credential leaks, prompt injection, or malicious code
  • When auditing MCP servers or workspace/global skill folders

Best practices

  • Scan the default OpenClaw skill locations (~/.openclaw/skills/ and <project>/skills/) and any custom paths before use
  • Treat E-prefixed issues as high priority and fix or avoid the component
  • Integrate JSON output into automated pipelines for blocking deployments on high-severity findings
  • Run scans regularly and after every third-party update to catch regressions
  • Combine findings with manual review for context-sensitive issues like untrusted content

Example use cases

  • Pre-install scan of a downloaded skill bundle to detect hardcoded secrets or malware payloads
  • Automated CI step that runs uvx snyk-agent-scan@latest --skills --json and fails on E-level issues
  • Periodic inventory scan of all installed MCP servers to detect tool shadowing or tool poisoning
  • Ad-hoc scan of a workspace skill folder after pulling community contributions
  • Verbose scan to produce an audit-ready report for security reviews

FAQ

Use uvx snyk-agent-scan@latest with flags like --skills, --verbose, or --json. You can also pass a path to scan a custom directory.

How should I handle different severities?

Treat E (error) and TF (toxic flow) findings as high severity—fix or avoid. Review W-level warnings and decide based on your risk tolerance and context.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational