Neckr0ik Security Fixer

v1.0.0

Auto-fix security vulnerabilities in OpenClaw skills. Works with neckr0ik-security-scanner to automatically remediate hardcoded secrets, shell injection risk...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included code: fixer.py generates and applies fixes for secrets, shell injection, prompt injection, path traversal, and pinned deps. However, fixer.py imports an 'audit' module (audit_skill, Vulnerability, Severity) that is not included in the package and no dependency or install step declares the required scanner package. The SKILL.md references 'neckr0ik-security-scanner' but the registry metadata does not declare it as a required dependency — verify the scanner is installed separately or this will fail.
Instruction Scope
Runtime instructions and the script intentionally read, modify, and write files under the target skill path (create backups, write .env.example, update .gitignore). This is expected for a fixer, but it means the agent or user must trust the tool to modify code. The SKILL.md provides dry-run and backup options, and the script prints review messages for manual items — that's good. The fixer inserts code snippets (imports, helpers) directly into files which may break code or duplicate imports; expect some manual review.
Install Mechanism
No install spec is provided (instruction-only plus included fixer.py). That reduces supply-chain risk since nothing is downloaded at install time. But because the scanner dependency is not declared, the runtime may fail unless the user has the scanner/audit module installed from elsewhere.
Credentials
The skill requests no environment variables or credentials. The templates it generates include common API key names (OPENAI_API_KEY, ANTHROPIC_API_KEY, GITHUB_TOKEN, DB_PASSWORD) which is consistent with its purpose (moving hardcoded secrets to env vars). There is no evidence the skill itself attempts to read arbitrary environment variables beyond creating a .env.example.
Persistence & Privilege
The 'always' flag is false (not force-included) and it doesn't request system-level persistence. It does modify files under the given skill path (expected). The default behavior allowing autonomous invocation is standard for skills; combine that with file-modifying behavior only if you plan to allow autonomous runs.
What to consider before installing
This fixer appears to implement the advertised remediations, but take these precautions before running it on real code:
1) Verify you have the required scanner/audit module (neckr0ik-security-scanner or an audit.py) installed — the fixer imports 'audit' but the package does not declare or include it.
2) Always run with --dry-run first and keep backups (or use the backup option) to inspect changes before applying.
3) Review generated .env.example and .gitignore to ensure no sensitive data is leaked.
4) Expect the tool to insert imports and helper functions; check for duplicate imports or broken indentation.
5) Do not run with --auto on system-critical directories or repos you can't restore from backup.
6) If you will allow autonomous agent invocation of this skill, restrict its scope (target paths) and require human confirmation for applying fixes to production code.
