Security Guardian

Pass. Audited by ClawScan on May 1, 2026.

Overview

This security auditing skill appears coherent and purpose-aligned, but it can read project files and guide credential remediation, so users should keep scans and fixes scoped to intended repositories.

This skill looks safe for its stated use: scanning project code for hardcoded secrets and checking container images with Trivy. Before installing, make sure you trust Trivy and have it installed, review the separate mema-vault dependency, scan only intended repositories, and manually approve any credential vaulting or source-code changes.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If pointed at a broad directory, the scanner may read many local files while looking for possible secrets, although it only reports finding type, file, and line number.

Why it was flagged

The scanner can recursively inspect a user-selected path and includes a force override for blocked system roots. This is central to the skill's purpose, but it should be used only on intended targets.

Skill content

```python
parser.add_argument("path", help="Target directory or file to scan")
...
for root, dirs, files in os.walk(args.path):
...
parser.add_argument("--force", action="store_true", help="Force scan even if path is considered dangerous")
```

Recommendation

Run scans only on intended project workspaces and avoid --force or system paths unless deliberately performing that audit.

What this means

The agent may help move discovered secrets into a vault and edit source code to use environment variables or vault lookups.

Why it was flagged

The documented remediation flow can involve credential handling and source-code modification. This is appropriate for a security remediation skill, but it affects sensitive credentials and should remain user-directed.

Skill content

- **Transition**: Move the secret to a secure vault (e.g., using the `mema-vault` skill).
- ...
- **Redact**: Replace the plaintext secret in the source code with an environment variable or a vault lookup call.

Recommendation

Review and approve vault writes and code edits, rotate any exposed secrets, and verify the resulting application configuration before deployment.

What this means

Container scanning will not work without Trivy, and using an additional vault skill adds another component to trust.

Why it was flagged

The skill discloses reliance on an external skill and the Trivy binary, while the registry requirements list no required binaries and there is no install spec. This is not hidden, but users must manage dependency provenance themselves.

Skill content

```json
{"openclaw":{"requires":{"skills":["mema-vault"]}}}
```

... Container scanning requires `trivy` to be installed on the host system.

Recommendation

Install Trivy from its official source, keep it updated, and review the mema-vault skill separately before using credential remediation.