Self-Improving Security
v1.2.0Captures vulnerabilities, misconfigurations, access control violations, compliance gaps, incident response patterns, and threat intelligence to enable contin...
⭐ 0· 56·0 current·0 all-time
byJosé I. O.@jose-compu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (capture security learnings, incidents, and promote patterns to runbooks) matches the shipped files and scripts: markdown templates, log scaffolding, a small activator reminder, an error-detection pattern-checker, and helpers to scaffold extracted skills. No unrelated credentials, binaries, or install steps are required.
Instruction Scope
Runtime instructions create/read .learnings/ files and optionally inject a reminder into OpenClaw workspaces; the activator only prints a reminder. The error-detector reads CLAUDE_TOOL_OUTPUT (user-provided command output) and scans it for security keywords — it does not forward raw output but will emit a detection marker. User must follow the redaction guidance: the skill relies on the operator to avoid recording secrets. Consider reviewing the scripts before enabling PostToolUse hooks because they operate on potentially sensitive tool output.
Install Mechanism
No automatic install spec is provided (instruction-only), so nothing is downloaded or extracted by the platform. The SKILL.md suggests manual git clone or clawdhub install; manual cloning is explicit and under user control. As with any manual clone, treat the referenced GitHub repo as a supply-chain source and review code before executing scripts.
Credentials
The skill declares no required environment variables, credentials, or config paths. The only environment value the scripts read is CLAUDE_TOOL_OUTPUT (for the optional error-detector hook) — which is proportional to the stated optional feature and documented with a caution about sensitive content.
Persistence & Privilege
always is false and the skill does not request permanent platform privileges. Hooks add a virtual reminder file on agent bootstrap (handler mutates event.context.bootstrapFiles), which is consistent with an opt-in reminder hook. The skill does not modify other skills or system-wide configs beyond instructions to copy hook files into the user's hooks directory if the user opts in.
Assessment
This skill appears to do what it says: create/append security learning and incident logs and inject bootstrap reminders. Before installing or enabling hooks: 1) Review the scripts (scripts/*.sh) and hook handlers for yourself — they will run with your agent's permissions. 2) Prefer the activator-only (UserPromptSubmit) setup; be cautious enabling PostToolUse/error-detector because it reads tool output (CLAUDE_TOOL_OUTPUT) that may contain secrets — ensure you trust the environment and that the detector won't forward sensitive content. 3) If using the manual git clone URL, verify the repository source and contents before running any scripts. 4) Ensure file permissions are correct (chmod +x scripts/*.sh) and prefer dry-run options (extract-skill.sh --dry-run) when available. 5) Follow the skill's redaction guidance strictly: never store unredacted secrets or PII in .learnings/.Like a lobster shell, security has layers — review code before you run it.
latestvk97avjfcz5apt5w9d4jss6bv1584v2bc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.