Security Audit Toolkit
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only security auditing checklist; the main caution is that some suggested commands can reveal secrets or change project files.
This skill appears appropriate for security auditing. Before installing or using it, be aware that secret scans can reveal real credentials, automatic fix commands can alter dependencies, external audit tools should be trusted before installation, and the optional pre-commit hook persists until removed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the secret scans may reveal sensitive credentials from source files or git history.
The skill explicitly searches for credentials and secrets, which is expected for a security audit but can expose live tokens or passwords in command output or chat logs.
Excerpt: "Detecting hardcoded secrets, API keys, or credentials in source code"
Run these checks only in trusted workspaces, redact secret values before sharing results, and rotate any real credential that is found. Treat a credential found in git history as compromised too: deleting it from the working tree does not remove it from past commits, and rotation is the only reliable fix.
Automatic fixes could change dependency versions or project behavior.
The skill recommends automatic dependency remediation commands that can modify project dependency files; this is purpose-aligned but should be user-approved.
Excerpt:
    # Fix automatically where possible
    npm audit fix
Review proposed changes, run tests, and inspect the lockfile diff before committing dependency fixes. Start with npm audit fix --dry-run to see what would change, and avoid --force, which permits semver-major upgrades that can break the project.
External tools may introduce their own supply-chain risk if installed from untrusted or changing sources.
The documentation suggests installing or running third-party audit tools from external package registries. One Go install is pinned only to @latest, which resolves to whatever version the module proxy serves at install time, so the code that runs can change between two installs of the same instruction.
Excerpt:
    npx audit-ci --high
    pip install pip-audit
    go install golang.org/x/vuln/cmd/govulncheck@latest
    cargo install cargo-audit
Prefer trusted package sources, pin exact versions where practical, and verify tools (against the checksums or signatures the project publishes, where available) before running them in sensitive repositories.
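A check for this finding, added here as an example and not code from the skill or the ClawScan report: it reads a file of install commands (an install spec, or the command lines copied out of SKILL.md) and flags every command that fetches a tool at a floating version. The rules are illustrative assumptions covering only the four tools named above, and the version numbers in the usage are placeholders, not real releases.

```sh
#!/bin/sh
# Added example; not code from the Security Audit Toolkit skill or the ClawScan
# report. Flags install commands whose version is resolved at install time.
# Rules are illustrative assumptions for go, pip, npx and cargo only; version
# numbers used in the usage at the bottom are placeholders.

# check_pinned LINE: prints a verdict and returns 0 if the command pins an exact
# version (or is not an install command at all), 1 if the version floats.
check_pinned() {
  # Drop indentation and a "$ " prompt so lines copied from docs still match.
  cmd=$(printf '%s' "$1" | sed 's/^[[:space:]$]*//')
  case "$cmd" in
    # go install: @vX.Y.Z pins; @latest, @main, @master or no @ at all is
    # resolved from the module proxy at install time.
    "go install "*@latest*|"go install "*@main*|"go install "*@master*) verdict=UNPINNED ;;
    "go install "*@v[0-9]*) verdict=pinned ;;
    "go install "*) verdict=UNPINNED ;;
    # pip: --require-hashes pins by content; -r defers to a requirements file
    # that must be inspected; only pkg==X.Y.Z is an exact pin (>=, ~= and bare
    # names float).
    "pip install "*--require-hashes*|"pip3 install "*--require-hashes*) verdict=pinned ;;
    "pip install "*"-r "*|"pip3 install "*"-r "*) verdict=REVIEW ;;
    "pip install "*"--requirement "*|"pip3 install "*"--requirement "*) verdict=REVIEW ;;
    "pip install "*==*|"pip3 install "*==*) verdict=pinned ;;
    "pip install "*|"pip3 install "*) verdict=UNPINNED ;;
    # npx: pkg@X.Y.Z pins; a bare name pulls the registry's current "latest" tag.
    "npx "*@[0-9]*) verdict=pinned ;;
    "npx "*) verdict=UNPINNED ;;
    # cargo install: --version X.Y.Z pins the crate (add --locked to build it
    # with its own Cargo.lock instead of freshly resolved dependencies).
    "cargo install "*"--version "*) verdict=pinned ;;
    "cargo install "*) verdict=UNPINNED ;;
    *) return 0 ;;   # not an install command; nothing to check
  esac
  printf '%-9s %s\n' "$verdict" "$cmd"
  [ "$verdict" = UNPINNED ] && return 1
  return 0
}

# audit_install_specs FILE: checks every line of FILE; the return value is the
# number of unpinned commands, so 0 means every install pins a version.
audit_install_specs() {
  unpinned=0
  while IFS= read -r line || [ -n "$line" ]; do
    check_pinned "$line" || unpinned=$((unpinned + 1))
  done < "$1"
  return "$unpinned"
}

# Usage: sh check-pins.sh INSTALL_SPEC_FILE   (script name is an assumption)
# A pinned rewrite of the excerpt above would look like (placeholder versions):
#   npx audit-ci@7.0.0 --high
#   pip install pip-audit==2.7.0
#   go install golang.org/x/vuln/cmd/govulncheck@v1.2.3
#   cargo install cargo-audit --version 0.20.0
if [ "$#" -gt 0 ]; then
  audit_install_specs "$1"
fi
```

The exit status makes the check usable as a gate: run it over the install spec before installing, and stop if it returns non-zero. A REVIEW verdict for pip -r lines is deliberate; whether those installs are pinned depends on the requirements file, which the command line alone cannot show.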
If installed, the hook can continue blocking commits after the audit task is finished.
The skill includes a persistent pre-commit hook example. It is disclosed and purpose-aligned, but it changes repository behavior until removed or bypassed.
Excerpt:
    # .git/hooks/pre-commit - Block commits containing potential secrets
Install the hook only if you want persistent commit checks, inspect it first, and remove it from .git/hooks when no longer needed. The hook lives only in the local clone (.git/hooks is not versioned), and git commit --no-verify skips it, so it is a convenience check, not a control that others on the project inherit.
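The secret-scan finding above asks for redaction before results are shared, and this finding describes a hook that blocks commits containing potential secrets. One script can serve both; the following is an added example and not code from the skill or the ClawScan report. It scans files on demand and, when copied to .git/hooks/pre-commit, scans the lines added by the staged diff, printing every match with the value cut to its first four characters plus asterisks. The script name and the pattern list are assumptions: the patterns are simplified shapes, not a complete ruleset, and are matched case-insensitively.

```sh
#!/bin/sh
# Added example; not code from the Security Audit Toolkit skill or the ClawScan
# report. Secret scanner that redacts what it finds before printing, usable on
# files ("sh scan-secrets.sh scan FILE...") or as .git/hooks/pre-commit.
# The pattern list is an assumption: simplified shapes of AWS access key IDs,
# GitHub tokens, PEM private-key headers and "name = value" assignments for
# secret-like names, written in lowercase because matching is done on a
# lowercased copy of each line.
SECRET_PATTERNS='akia[0-9a-z]+|ghp_[a-z0-9]+|-----begin [a-z ]*private key-----|(password|passwd|secret|api[_-]?key|token)[ \t]*[=:][ \t]*["'"'"']?[^"'"'"' \t]+'

# scan_secrets [FILE...]: scans the files (or stdin), prints "file:line: text"
# with each secret value reduced to its first four characters plus asterisks,
# and returns 1 if anything matched, 0 otherwise.
scan_secrets() {
  awk -v pat="$SECRET_PATTERNS" -v sq="'" '
    # redact(m): keep any "name =" prefix and opening quote, keep the first
    # four characters of the value, replace the rest with asterisks.
    function redact(m,    p, q, pfx, val, r, i) {
      p = index(m, "="); q = index(m, ":")
      if (p == 0 || (q > 0 && q < p)) p = q
      pfx = ""; val = m
      if (p > 0) { pfx = substr(m, 1, p); val = substr(m, p + 1) }
      while (val != "" && index(" \t\"" sq, substr(val, 1, 1)) > 0) {
        pfx = pfx substr(val, 1, 1); val = substr(val, 2)
      }
      r = substr(val, 1, 4)
      for (i = 5; i <= length(val); i++) r = r "*"
      return pfx r
    }
    {
      rest = $0; out = ""; hit = 0
      # Match on the lowercased copy; offsets are identical in the original.
      while (match(tolower(rest), pat)) {
        hit = 1
        out = out substr(rest, 1, RSTART - 1) redact(substr(rest, RSTART, RLENGTH))
        rest = substr(rest, RSTART + RLENGTH)
      }
      if (hit) {
        fn = (FILENAME == "" || FILENAME == "-") ? "stdin" : FILENAME
        print fn ":" FNR ": " out rest
        hits++
      }
    }
    END { if (hits > 0) exit 1 }
  ' "$@"
}

# scan_staged: pre-commit mode. Only lines added by the staged diff are
# scanned, so a pre-existing secret elsewhere in a file does not block an
# unrelated commit (it still needs rotating, as the secret-scan finding says).
scan_staged() {
  if git diff --cached -U0 --diff-filter=ACM | grep '^+' | grep -v '^+++ ' | scan_secrets; then
    return 0
  fi
  echo "pre-commit: potential secret in staged changes (redacted above); remove it or commit with --no-verify" >&2
  return 1
}

if [ "${1:-}" = "scan" ]; then
  shift
  scan_secrets "$@"
elif [ "${0##*/}" = "pre-commit" ]; then
  scan_staged
fi
```

Because the value is redacted before it reaches stdout, the output can be pasted into a ticket or chat log without repeating the credential; the file and line number are enough to locate it. The hook scans only the staged diff, which keeps it fast and keeps it from blocking commits for secrets that were already in the repository; those are a job for the full scan and for rotation, not for the hook.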
