Senior Secops
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: senior-secops
Version: 2.1.1

The 'senior-secops' skill bundle is a comprehensive and legitimate security operations toolkit designed for local auditing and compliance verification. It includes Python scripts (security_scanner.py, vulnerability_assessor.py, and compliance_checker.py) that use regular expressions to flag common vulnerability patterns such as hardcoded secrets, SQL injection, and XSS, and that check dependencies against a local CVE database. The code is well-documented, follows secure coding practices itself, and contains no evidence of data exfiltration, malicious execution, or harmful prompt injection instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on the wrong directory, the scanner may inspect more local source/configuration files than intended.
The skill directs use of local Python scanners over project paths, including the current directory. This is coherent with the security-audit purpose, but it gives the tool broad read access to the selected project.
python scripts/security_scanner.py /path/to/project
...
python scripts/compliance_checker.py . --framework all
Run the scripts only against intended repositories or CI workspaces, and avoid pointing them at a home directory or unrelated sensitive folders.
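One way to enforce that recommendation before invoking the scanners, as an added example written for this review rather than code from the skill itself: a small wrapper that refuses a target unless it sits inside an allowed root (the repository checkout or CI workspace) and is not the home directory or any ancestor of it. The allowed root defaults to GITHUB_WORKSPACE or the current directory; the home override parameter and the sample paths used in the usage call are assumptions for illustration.

```python
import os
import subprocess
import sys
from typing import Optional, Tuple


def check_scan_target(target: str, allowed_root: str, home: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether `target` is a safe directory to hand to the scanners.

    Returns (ok, resolved_path_or_reason). A target is accepted only if it
    lies inside `allowed_root` (the repository or CI workspace) and is not
    the user's home directory or any ancestor of it such as "/" or "/home".
    `home` is an override used for tests; by default the real home directory is used.
    """
    home_dir = os.path.realpath(home or os.path.expanduser("~"))
    root = os.path.realpath(allowed_root)
    tgt = os.path.realpath(target)

    # "/", "/home" and "/home/alice" all contain the home directory; scanning
    # any of them would sweep up ~/.ssh, ~/.aws and similar into the report.
    if tgt == home_dir or home_dir.startswith(tgt.rstrip(os.sep) + os.sep):
        return False, f"refusing to scan {tgt}: it contains the home directory"

    # commonpath() works on normalised paths, so "workspace/../secrets" is caught.
    if os.path.commonpath([root, tgt]) != root:
        return False, f"refusing to scan {tgt}: outside allowed root {root}"

    return True, tgt


def run_scanner(script: str, target: str, allowed_root: str) -> int:
    """Run one of the skill's scripts only after the target passes the check.

    Assumes the skill's scripts/ directory is reachable from the current
    working directory, as in the usage shown on this page.
    """
    ok, result = check_scan_target(target, allowed_root)
    if not ok:
        print(result, file=sys.stderr)
        return 2
    return subprocess.run([sys.executable, script, result], check=False).returncode


if __name__ == "__main__":
    # Usage: python guard.py /path/to/project
    # GITHUB_WORKSPACE is set by GitHub Actions; locally the cwd is the boundary.
    root = os.environ.get("GITHUB_WORKSPACE", os.getcwd())
    sys.exit(run_scanner("scripts/security_scanner.py", sys.argv[1] if len(sys.argv) > 1 else ".", root))
```

The check is deliberately path-based and cheap; it does not replace file permissions, but it stops the common mistake of running `compliance_checker.py .` from a home directory.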
A changed or compromised third-party CI action could run in your pipeline and access the Snyk token used for scanning.
A reference CI template uses a moving third-party GitHub Action branch and passes a service token to it. This is an example, not automatic skill behavior, but copying it as-is would create supply-chain exposure.
uses: snyk/actions/node@master
...
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

If adopting the CI example, pin GitHub Actions to a full-length commit SHA rather than a branch or tag (tags can be moved, a SHA cannot), and scope any tokens narrowly.
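A static check for this pattern, added here as an example and not part of the skill: it walks a workflow file line by line, flags every `uses:` reference that is not a 40-hex commit SHA, and records which `secrets.*` values the same step passes along, so the reviewer sees exactly the exposure described above. The two workflow texts are constructed for the example; the SHAs in the pinned version are placeholders, not real commits of the actions named.

```python
import re
from typing import Dict, List, Optional

HEX40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"']+)")
SECRET_RE = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
STEP_START_RE = re.compile(r"^\s*-\s")


def classify_ref(uses: str) -> Optional[str]:
    """Return None if the reference is acceptably pinned, else a short reason."""
    if uses.startswith("./"):
        return None  # local action from the same repo: nothing external to pin
    if uses.startswith("docker://"):
        return None if "@sha256:" in uses else "docker image without digest"
    _action, sep, ref = uses.rpartition("@")
    if not sep:
        return "no ref given (resolves to the default branch)"
    if HEX40.match(ref):
        return None
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "mutable tag"
    return "moving branch"


def audit_workflow(text: str) -> List[Dict]:
    """Flag unpinned `uses:` steps and the secrets each such step receives."""
    findings: List[Dict] = []
    current = None  # finding for the step being read, if it is unpinned
    for lineno, line in enumerate(text.splitlines(), 1):
        if STEP_START_RE.match(line):
            current = None  # a new list item starts a new step
        m = USES_RE.match(line)
        if m:
            reason = classify_ref(m.group(1))
            if reason:
                current = {"line": lineno, "uses": m.group(1), "reason": reason, "secrets": []}
                findings.append(current)
            continue
        if current is not None:
            current["secrets"].extend(SECRET_RE.findall(line))
    return findings


# Constructed workflow mirroring the reference template quoted above.
UNPINNED_WORKFLOW = """\
name: snyk
on: [push]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
"""

# Same workflow pinned to commit SHAs. These SHAs are placeholders for the
# example; look up the real commit of each action before copying this.
PINNED_WORKFLOW = """\
name: snyk
on: [push]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Run Snyk
        uses: snyk/actions/node@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
"""

if __name__ == "__main__":
    for f in audit_workflow(UNPINNED_WORKFLOW):
        print(f"line {f['line']}: {f['uses']} ({f['reason']}), secrets passed: {f['secrets'] or 'none'}")
```

Tags are reported separately from branches because a moving branch changes without anyone retagging, while a tag at least requires a deliberate (if still silent) force-move; both fail the SHA rule.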
Security reports may reveal real API keys, passwords, or proprietary source snippets if shared broadly.
The scanner intentionally detects secrets and stores a code snippet with each finding, so generated reports or console output may contain sensitive material from the scanned codebase.
SECRET_PATTERNS = [ ... 'Hardcoded API key detected' ... 'AWS Secret Key' ... ]
...
code_snippet: str
Treat generated reports as confidential, redact secrets before sharing, and rotate any real credentials the scanner discovers.
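How a scanner of this shape can keep the snippet useful without reproducing the secret, as an added example that is not the skill's own security_scanner.py: each finding stores a code_snippet in which the matched value is masked down to a short prefix, and the raw value is never kept, so the report can be shared without first being redacted by hand. The rule names echo the ones quoted above; the patterns, the Finding fields and the sample source are assumptions for the example (the AWS values are the documented example credentials, not live ones).

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# (rule name, pattern); group(1) of every pattern is the secret value itself.
SECRET_PATTERNS = [
    ("AWS Access Key ID", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("AWS Secret Key", re.compile(r"(?i)aws.{0,25}?['\"]([A-Za-z0-9/+=]{40})['\"]")),
    ("Hardcoded API key/password",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding can be identified, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


@dataclass
class Finding:
    rule: str
    line_no: int
    code_snippet: str  # stored already redacted; the raw value is never kept


def scan_text(text: str) -> List[Finding]:
    """Run every secret pattern over each line and return redacted findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                secret = m.group(1)
                snippet = line.replace(secret, redact(secret))
                findings.append(Finding(rule, line_no, snippet.strip()))
    return findings


def render_report(findings: List[Finding], path: str = "<memory>") -> str:
    """Plain-text report safe to paste into a ticket: no full secret appears."""
    lines = [f"{path}: {len(findings)} secret finding(s)"]
    for f in findings:
        lines.append(f"  line {f.line_no}: {f.rule}: {f.code_snippet}")
    lines.append("  action: rotate every credential listed above; it is exposed in the codebase")
    return "\n".join(lines)


# Constructed sample source for the example; the AWS pair is Amazon's public
# documentation example and the api_key value is made up.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_key = "sk_live_0123456789abcdef0123456789"
def handler(event):
    return event
"""

if __name__ == "__main__":
    # Usage: python scan.py <file>   (no argument scans the built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(render_report(scan_text(fh.read()), sys.argv[1]))
    else:
        print(render_report(scan_text(SAMPLE_SOURCE), "sample.py"))
```

Masking at capture time rather than at print time matters: any serialised finding (JSON output, a CI artifact, a log line) inherits the redacted snippet, and the prefix is still enough to locate and rotate the credential.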
