Java Security Audit - AI-driven Java Code Audit

v1.0.1

An AI-driven Java code security audit skill that performs systematic, high-coverage vulnerability discovery. Use cases: (1) auditing Java/Kotlin projects for security vulnerabilities (0-day hunting, code audit, security assessment); (2) security audits of enterprise codebases (large projects supported); (3) producing high-quality, low-hallucination security audit reports; (4) early vulnerability discovery as part of CI/CD integration. Trigger keywords: Ja...

MIT-0
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign (report available)
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included artifacts: Python and shell audit scripts, Semgrep rule sets, and documentation implement a Java/Kotlin code-audit workflow. Required tools (rg, grep, semgrep optional) and reading pom.xml/build.gradle are consistent with auditing tasks.
Instruction Scope
SKILL.md and the scripts instruct the agent to scan the target repository, read files (source, pom/build files, configs), run local shell/Python scripts, and optionally perform web searches to check dependency CVEs. Reading the project tree and creating local audit output files is expected. Network lookups for CVE information are allowed by the spec and are expected behavior, but they cause external network access whenever the agent uses them.
Install Mechanism
No install spec; this is instruction-plus-code packaged with the skill. All code is present in the repository and no remote downloads or extract steps are required. Optional dependencies (semgrep, tree-sitter) are declared in requirements but not forcibly installed.
Credentials
The skill does not declare or require environment variables, credentials, or config paths beyond standard filesystem access to the project being audited. Scripts search for secrets in target files but do not request external tokens/keys.
Persistence & Privilege
Declared as always:false and user-invocable. The skill writes audit results to local output files (audit-output/ etc.), which is normal for a scanner. It does not request permanent platform-wide privileges or modify other skills' configs.
Assessment
This skill appears to be what it claims: a Java/Kotlin code-audit framework. Before installing or running it: (1) Review the included scripts (scripts/*.sh, scripts/java_audit.py) yourself or run them in a disposable container/VM, since they will read all files under the target repo and write audit outputs; (2) Expect optional network access if you enable dependency CVE lookups or the 'web_search' steps in the SKILL.md; (3) No credentials are required by the skill, but audit output can include sensitive strings from the codebase—keep outputs private and review them before sharing; (4) If you plan to run it in CI, pin/verify any optional external tools (semgrep) and run in an isolated runner; (5) The skill's owner and homepage are not provided—if provenance matters, prefer code from a known source or audit the code first.


