Security Audit Toolkit

v1.0.0

Audit codebases and infrastructure for security issues. Use when scanning dependencies for vulnerabilities, detecting hardcoded secrets, checking OWASP top 10 issues, verifying SSL/TLS, auditing file permissions, or reviewing code for injection and auth flaws.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (security audit) align with the contents of SKILL.md: commands and patterns target dependency scanning, secret detection, OWASP patterns, TLS checks, and file-permission audits. The declared required binaries (npm, pip, git, openssl, curl) are reasonable for these tasks.
Instruction Scope
SKILL.md contains concrete shell commands, grep patterns, and workflows that read source files, git history, and may install small CLI tools (pip/cargo/go installs, npx). Those actions are expected for this purpose, but they grant the agent broad read access to the repository (including history) and the ability to run install commands — review before executing. The instructions do not request unrelated system credentials or access.
Install Mechanism
No formal install spec (instruction-only), which is low-risk. However the instructions recommend using pip/cargo/go installs and npx which will download and execute packages from public registries at runtime; that is normal for an audit workflow but carries the usual supply-chain risk if you run them without verification or version pins.
Credentials
The skill declares no environment variables or credentials and does not ask for unrelated secrets. The grep patterns are designed to discover secrets in code, which is appropriate; they do not attempt to exfiltrate or request external credentials.
Persistence & Privilege
always:false and no required config paths. The only persistence-like instruction is an optional pre-commit hook that writes to .git/hooks (local to a repo) — this is expected for a secrets-blocking hook. The skill does not request global agent config changes or elevated system privileges.
Assessment
This skill appears to be what it claims: a set of manual commands and patterns for doing security reviews. Before you run anything: (1) review and understand each command (the SKILL.md runs grep/git and may install tools like pip/cargo/go/npx which will download code from public registries); (2) consider running installs and scans in an isolated environment (container or CI job) to avoid modifying your system or pulling untrusted packages; (3) be aware the secret-detection steps search repository history and staged files — they will read potentially sensitive content but do not exfiltrate it by themselves; (4) if you accept the pre-commit hook, it will modify .git/hooks in that repo and can block commits until you resolve findings; (5) prefer pinned package versions or verify upstream project URLs before installing recommended tools (e.g., trivy, pip-audit, cargo-audit).

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🔒 Clawdis
OS: Linux · macOS · Windows
Any bin: npm, pip, git, openssl, curl
