Secure Code Guardian

v0.1.0

Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is an instruction-only secure-coding specialist that provides guidance and example code for authentication, input validation, OWASP Top 10 mitigations, security headers, XSS/CSRF prevention, rate limiting, and similar topics. It neither declares nor requires unrelated binaries or credentials, which matches the stated purpose.
Instruction Scope
SKILL.md and the reference files are focused on implementation guidance and code templates. They do not instruct the agent to read local files or exfiltrate data. However, the example code references runtime items (process.env.JWT_SECRET, redis, db, file-system calls) for illustration; the skill does not explicitly instruct the agent to access system environment variables or secrets, but careless use of the templates could lead a person or an agent to read or rely on local secrets.
Install Mechanism
No install spec and no code files to execute; this is low-risk from an installation perspective (nothing is downloaded or written to disk by the skill).
Credentials
The skill declares no required environment variables, but the reference snippets use process.env (e.g., JWT_SECRET, SESSION_SECRET) and external services (redis, db/prisma). This is typical for sample backend code, but there is a mismatch between the declared requirements (none) and the example code, which implicitly needs secrets and configuration to run.
Persistence & Privilege
The always flag is false and the skill is user-invocable; it requests no persistent presence and no cross-skill or system configuration. It does not request elevated privileges.
Assessment
This is a coherent, instruction-only secure-coding skill that provides useful patterns and example code. Before using it:
(1) Review the example snippets. They reference environment variables and services (JWT_SECRET, SESSION_SECRET, Redis, DB, file I/O) that the skill does not declare; supply and protect any secrets via your secret manager rather than pasting them into code or logs.
(2) Vet and test the provided templates in a safe environment before deploying to production.
(3) Verify any third-party libraries you install (bcrypt, jsonwebtoken, helmet, DOMPurify, etc.) for licensing and known vulnerabilities, and run dependency scans.
(4) Note that the skill author/source is unknown; if you need stronger assurance, prefer guidance from a known maintainer or audit the content line by line before automating it.
Overall the skill appears consistent with its stated purpose, but exercise normal caution around secrets and operational configuration.


latest: vk97f3w327g0f7r3gd83qjcbheh809znv
