SecureVibes Scanner

v0.5.3

Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for sec...

by Anshuman Bhartiya (@anshumanbh)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description claim an AI-based security scanner that uses Claude/Anthropic and supports full and incremental scans. The bundled wrapper scripts and an incremental scanner are exactly what you'd expect for that functionality. The skill does not request unrelated system credentials or binaries beyond git and the 'securevibes' CLI, which are appropriate for scanning and git-based incremental checks.
Instruction Scope
SKILL.md instructs running local scans, scheduling cron jobs, using the scripts/scan.sh wrapper, and having the incremental scanner update and read state files under the target repo's .securevibes/ directory — all consistent with the stated function. It also instructs the agent/subagent to 'cd' into the repo and run git pull, which is normal for incremental scanning but gives the skill access to repository contents (including any sensitive files in the repo). The SKILL.md references ANTHROPIC_API_KEY (optional) and OAuth; these are expected because analysis uses Claude. Overall scope stays within scanning behavior, but users should note that scans will cause code to be processed (and, via the securevibes CLI, likely sent to Anthropic) so do not point it at repos you cannot disclose.
Install Mechanism
No install spec in the registry bundle — the skill is instruction+scripts which call an external 'securevibes' CLI. The README recommends pipx install securevibes (a reasonable distribution method) and the scripts check for the binary. There are no remote downloads or archives embedded in the install spec, which reduces installer risk. The only external software required is the third-party 'securevibes' package, which should be reviewed separately.
Credentials
The registry metadata declares no required env vars, and the skill itself does not demand unrelated credentials. SKILL.md and scripts reference ANTHROPIC_API_KEY (optional) or OAuth for Anthropic/Claude access — proportionate because the scanner uses Claude. Users should be aware that leaving ANTHROPIC_API_KEY unset will rely on OAuth sessions, which in some environments may or may not exist; the securevibes CLI and Anthropic access are the only external auth surfaces mentioned.
Persistence & Privilege
Registry metadata sets always:false, i.e. normal autonomous invocation rather than an always-on skill. The skill writes state and logs into the target repository under .securevibes/ (expected for incremental scans). It does not request persistent, cross-skill privileges or modify other skills' configuration. Cron scheduling is suggested in SKILL.md but not enforced by the registry metadata.
Assessment
This skill appears to be what it says: a wrapper around a third-party 'securevibes' CLI that runs scans (using Anthropic/Claude). Before installing or scheduling it, do the following:
1) Review the full ops/incremental_scan.py source (the provided listing was truncated in places) to confirm there are no unexpected network calls or obfuscated logic.
2) Inspect and vet the 'securevibes' CLI (pipx/PyPI package), because that binary performs the actual scanning and will likely send code to Anthropic; verify its privacy/data-retention policy.
3) Only point scans at repositories you own or are allowed to test; scanning will read repository contents and may transmit code to Anthropic.
4) Prefer running an initial full scan manually to validate behavior and outputs before enabling cron/automation.
5) Keep Anthropic credentials under your control (use service accounts or scoped keys where possible) and understand whether OAuth or API keys are used in your environment.
If you want higher assurance, run the securevibes CLI in an isolated environment and inspect network traffic to confirm where scan data is sent.


