Senior Security
v2.1.1
Security engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guida...
⭐ 7 · 2.9k · 22 current · 22 all-time
by Alireza Rezvani (@alirezarezvani)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
The name and description (threat modeling, vulnerability analysis, secret scanning) align with the included files: threat_modeler.py and secret_scanner.py plus comprehensive reference docs. There are no unrelated environment variables, binaries, or external services required that would be unexpected for this purpose.
Instruction Scope
SKILL.md defines workflows and triggers for security reviews and references local tools. The included secret_scanner.py is designed to scan local project files for secrets — this is expected for a secret-scanning tool, but it means the agent will need read access to any directories it is asked to scan. There is no instruction in the visible SKILL.md to transmit scan results to external endpoints, but you should verify the truncated portions of the docs for any steps that post results externally before running.
Install Mechanism
No install spec is provided (instruction-only), which is low risk. Two Python scripts are bundled with the skill and will be available to run locally if the agent executes them; that is consistent with the skill description and not unexpected.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The secret-scanner contains regexes that match many cloud/provider keys (expected for a scanner) but the skill does not request those credentials itself.
Persistence & Privilege
always is false and model invocation is permitted by default. The skill does not request permanent agent-level privileges or modify other skills' configs in the provided files. Bundled scripts operate locally and do not request elevated system privileges in the visible code.
Assessment
This package is internally consistent with its stated purpose. Before installing/using it: (1) review the remainder of SKILL.md (truncated parts) to confirm it does not instruct uploading scan results or contacting external endpoints; (2) be aware that the secret scanner will read files you point it at — avoid scanning sensitive system directories or credential stores unless you intend to; (3) run the scripts in an isolated environment (local checkout or sandbox) and review their output before taking remediation actions; and (4) if you need the agent to run these tools autonomously, consider limiting its available filesystem scope to prevent broad scans.

Like a lobster shell, security has layers — review code before you run it.
latest: vk9725ycg0k5sayh0q2xh5z2zdh82jnjt
