AIDR-XClaw-Security-Sentinel@ 1.0.0

https://clawhub.ai/api/v1/skills/aidr-xclaw-security-sentinel/file?path=SKILL.md&version=1.0.0

github.com/clawhub.ai/aidr-xclaw-security-sentinel

Scanned Thu, 28 May 2026 16:39:53 GMT

Scan ID crawl-ymzh31fqd9njdzuo4gbl34ml · 46ms

SCORE 75 / 100

Verdict: Safe to install

1 high-severity finding.

This skill reads protected filesystem locations plus 1 other issue listed below.

0 critical1 high1 medium10 rules passed

Why grade B?

score · 75 / 100

The current grade reflects 1 high-severity finding (any HIGH → B).

0 CRIT1 HIGH1 MED0 LOW

To reach a higher grade

A
Reach Atarget score 95
Resolve all 1 HIGH.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 630CWE-552

▾

629| 2 | 编码载荷 | `(?i)(base64|base32|hex|encode|decode)\s*[(:=]\s*'"?[A-Za-z0-9+/=]{20,}` | `[ENCODED_PAYLOAD_MASKED]` | 2 |

630| 1 | 路径穿越 | `(?:\.\./|\.\.\\ | \.\.%2f|\.\.%5c|/etc/passwd)` | `[PATH_TRAVERSAL_MASKED]` |← sensitive path — credential-exfiltration vector

631| 1 | 敏感路径 | `(?:\.ssh|\.aws|\.kube|\.docker|\.gnupg|\.git)/[^\"'\s]*` | `[SENSITIVE_PATH_MASKED]` | 1 |

632| 1 | 凭证文件 | `(?:\.pem|\.key|credentials\.json|secrets\.ya?ml|\.env)` | `[CREDENTIAL_FILE_MASKED]` | 1 |

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

Scan another →Share

skillox.io/r/crawl-ymzh31fqd9njdzuo4gbl34ml