Security Review
v1.0.0Run a world-class security assessment before installing any external package, CLI, npm module, Python library, or third-party integration. Produces a GO/NO-G...
⭐ 0· 211·5 current·5 all-time
by@mpbshhx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (security review) match the instructions: the SKILL.md requires web_search and web_fetch and instructs source-code and CVE review. Asking to spawn a review sub-agent is reasonable for an in-depth assessment.
Instruction Scope
Instructions are explicit and narrowly scoped to security review tasks (legitimacy checks, web searches, raw source fetch, dependency analysis, data flow). However the skill mandates writing the review to a specific absolute Windows path and updating MEMORY.md, which is platform-specific and implies filesystem writes and persistent agent memory updates—things you should confirm are acceptable.
Install Mechanism
Instruction-only skill with no install steps or third-party downloads. Lowest install risk.
Credentials
No environment variables, credentials, or config paths are requested by the skill. The review process explicitly says to check for packages accessing env vars/API keys, which is appropriate for a security review.
Persistence & Privilege
always:false (good). The skill instructs spawning a sub-agent (sessions_spawn) and writing logs into the agent workspace and updating MEMORY.md — this requires file-write privileges and allows the review agent to act and persist findings. Confirm you are comfortable granting these capabilities to the agent and that the sub-agent is not given any install/autonomy beyond the review task.
Assessment
This skill appears to do what it says, but check a few things before installing/using it: (1) The SKILL.md writes results to a hard-coded Windows path (C:\Users\hhx-sandbox2\.openclaw\...) — replace that with a cross-platform workspace variable or confirm the path is correct and private. (2) It spawns a sub-agent (sessions_spawn) and requests use of web_search/web_fetch; ensure your agent policies limit what that sub-agent can do (it should not be allowed to auto-install packages or exfiltrate data). (3) The skill asks you to update MEMORY.md — verify whether persistent memory writes are acceptable in your environment. (4) The template forces a specific model (anthropic/claude-sonnet-4-6); confirm that model is available or adjust to a supported model. If you accept those caveats and restrict the sub-agent's permissions and storage location, the skill is coherent and appropriate for pre-install reviews. If you cannot limit file writes or sub-agent capabilities, treat it with caution.Like a lobster shell, security has layers — review code before you run it.
latestvk974gwpd70n8h7e4fbnf7bjsxd8351as
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔐 Clawdis