ClawHub

Code Security Checks

v1.0.0

Perform security reviews of code to detect secrets exposure, auth issues, injection risks, unsafe dependencies, and improper execution paths.

0· 22·0 current·0 all-time
byMauricio Z. Filho@mzfshark

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mzfshark/axodus-security-checks.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Code Security Checks" (mzfshark/axodus-security-checks) from ClawHub.
Skill page: https://clawhub.ai/mzfshark/axodus-security-checks
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install mzfshark/axodus-security-checks

ClawHub CLI

Package manager switcher

npx clawhub@latest install axodus-security-checks
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description describe reviewing code for secrets, auth, injection, dependencies and unsafe execution; the SKILL.md contains step-by-step checks that map directly to that purpose and does not request unrelated capabilities.
Instruction Scope
Instructions are focused on reviewing a supplied 'scope' (files/diff) and list concrete checks. They do not direct the agent to call external endpoints or read unrelated system files. However, the guidance is somewhat high-level (expects the agent to determine how to scan the scope) and therefore relies on the agent having access to the repository or code artifacts provided by the user; that operational requirement is implied but not declared.
Install Mechanism
There is no install spec and no code files to execute; this is instruction-only, so nothing is written to disk or downloaded at install time.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. Be aware that to perform real reviews the agent (or caller) must supply the code/diff; the skill does not request repo tokens but practical usage may require the environment that hosts the agent to already have access to the codebase — that access is external to the skill and should be controlled by you.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify other skills. Autonomous invocation is allowed (platform default) but there are no other elevated privileges requested.
Assessment
This instruction-only skill appears coherent and low-risk, but check these before installing: (1) provenance — the metadata shows 'RedHat Dev' inside files but the registry owner differs; verify the author/owner you trust. (2) Access scope — the skill expects a 'scope' (files/diff); ensure you only supply the code you want analyzed and that the agent does not have unintended filesystem or repo access. (3) Secrets handling — the SKILL.md says to redact secrets, but confirm how the agent/platform enforces redaction and where reports are stored/logged. (4) Operational needs — if you want the skill to scan a private repo, you'll need to provide the diff or repository access separately; the skill itself does not request credentials. If you need stronger assurance, ask the publisher for provenance (signed metadata) or run the guidance manually or in a sandboxed agent with limited access.

Like a lobster shell, security has layers — review code before you run it.

latestvk972p70f8fymk9ps8s1t5xfkks85f7q2
22downloads
0stars
1versions
Updated 4h ago
v1.0.0
MIT-0
Mauricio Z. Filho@mzfshark
latest
Download

SKILL: security-check

Purpose

Perform a security-focused review of code changes or a subsystem: secrets exposure, auth issues, injection risks, unsafe dependencies, and unsafe execution paths.

When to Use

  • Before deployment of a feature handling user input, money, or credentials.
  • When introducing new dependencies or external integrations.
  • After any authentication/authorization changes.

Inputs

  • scope (required, string): files/modules/diff to inspect.
  • threat_model (optional, string): assets at risk and attacker capabilities.
  • languages (optional, string[]): e.g., ["ts","py","solidity"]
  • constraints (optional, string[]): compliance rules or governance boundaries.

Steps

  1. Secrets & config:
    • ensure no tokens/keys are committed
    • ensure .env.example does not contain real secrets
  2. Input handling:
    • validate and sanitize untrusted inputs
    • enforce schema validation at boundaries
  3. Auth/authz:
    • verify authorization checks at every privileged action
    • avoid insecure defaults
  4. Injection and unsafe execution:
    • command injection
    • SQL/NoSQL injection
    • XSS/CSRF (frontend)
    • dynamic code execution without validation
  5. Dependencies:
    • flag risky packages
    • ensure versions are pinned when required
  6. Observability:
    • logs do not leak secrets/PII
    • audit trail exists for sensitive actions

Validation

  • Findings are evidence-based and include remediation.
  • Risk severity is calibrated (critical/high/medium/low).
  • Safety constraints are explicitly enforced (not “recommended”).

Output

Security report (example schema):

summary: "<top risks>"
findings:
  - id: "SEC-001"
    severity: "high|medium|low"
    issue: "<what>"
    location: ["..."]
    remediation: "<how>"

Safety Rules

  • Do not disclose secrets that appear in logs/config; redact.
  • Do not recommend disabling security controls to “unblock”.
  • Escalate when the change touches money movement or governance.

Example

Scope: “new webhook handler” Output: flags missing signature verification and recommends replay protection + audit logs.

Comments

Loading comments...