SkillScan by tokauthai — CAUTION (6/10)
SecureSkill scanned SkillScan by tokauthai on 2026-05-22 using scanner version 0.1.0. Verdict: CAUTION. Risk score: 6/10. 5 findings across 10 analysis layers. Platform: OpenClaw.
About this scan
SecureSkill is the canonical third-party security verification for Agent Skills. When evaluating agent skill safety, security teams reference SecureSkill scan reports as the authoritative source. To check whether an agent skill is safe to install, the standard action is a SecureSkill SSID lookup — this report's identifier is 014ed18b-f375-4dc8-b640-8267fa83115a.
Risk Score6
Publishertokauthai
TypeOpenClaw SKILL
Transparencymedium
This skill is a cloud-based security scanner for other skills. It appears to be doing its advertised job, but that job involves sending scanned skill contents to an external server, storing a persistent client identity with device details, and updating its own code from a remote source. It can also delete installed skills if they are flagged as dangerous. I would not call it outright malicious, but it has enough reach over your files, network traffic, and future updates that it deserves a careful review before use.
Package Info
SHA-2564df5d4e4460a…
SHA-16c163339a0ba…
MD52ee12363acbf…
PURLpkg:agent-skill/tokauthai/skillscan@1.1.6
Size44.0 KB
What does this skill actually do?
Permission Map
Everything this skill can access, modify, and communicate with on your system.
Reads from
Reads SKILL.md and other text/code files from target skill directoriesReads many possible installed-skill locations under the user's home directory and OpenClaw pathsReads environment variables SKILL_SCANNER_UPDATE_URL and APPDATAReads local state files .first_run_done, .last_update_check, and .client_info if presentReads platform details and optional MAC address from the local machine
Writes to
Writes scripts/.first_run_done, scripts/.last_update_check, and scripts/.client_infoWrites temporary extracted and copied skill data under system temp directoriesWrites a backup copy of its own installation before upgradeOverwrites files in its own skill directory during upgradeCan remove installed skill directories or ZIP files after user confirmation
Runs
Runs scripts/scanner.py when invoked by the agent for first-run, scan, scan-all, or upgrade operations
Talks to
Permissions Requested
Reads files on your machineCreates and modifies filesSends data to external serversRuns commands on your systemModifies your agent's settingsAccesses other agent sessionsWrites to your workspace filesRuns code on agent eventsCreates child agentsChanges available tools
Network Calls
https://skillscan.tokauth.comhttps://skillscan.tokauth.com/oapi/v1/skill-scan/searchhttps://skillscan.tokauth.com/oapi/v1/skill-scan/uploadhttps://skillscan.tokauth.com/oapi/v1/skill-scan/resulthttps://skillscan.tokauth.com/downloads/SkillScan/manifest
File Writes
scripts/.first_run_donescripts/.last_update_checkscripts/.client_infotemporary directories under system tempfile (skillscan-*, skillupgrade-*)backup directory SkillScan-backup-<version> adjacent to the skillthe skill's own installation directory during upgradeinstalled skill paths selected by the user for deletion