Neckr0ik Security Fixer
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a security auto-fixer, but its execution dependencies are unclear, while the tool is given authority to rewrite skill files automatically.
Review the full source and verify the exact scanner/fixer executable before installing or running it. Start with dry-run mode, keep backups or version control, avoid `--auto` until you trust the diffs, and treat any reports as potentially containing real secrets.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The tool may fail, or it may resolve and run an unreviewed local or installed module/command before changing skill code.
The main fixer depends on an `audit` module, but the provided manifest does not include `audit.py` and the metadata/install information declares no dependency or required scanner binary. For a tool that rewrites skill source files, this missing dependency/provenance path is material.
from audit import audit_skill, Vulnerability, Severity
Only run the fixer if the scanner/fixer dependency is included or pinned in a clear install spec. Prefer invoking reviewed source directly, and verify which executable/module is actually being used.
Running automatic mode can change or break a skill's code if the generated fix is wrong or too broad.
The documented workflow supports automatic application of fixes without prompting. This is purpose-aligned and disclosed, but it is still high-impact because it can rewrite source files.
neckr0ik-security-fixer fix /path/to/skill --auto
Use `--dry-run`, keep backups/version control, and review diffs before using `--auto` on important skills.
A local report or shared output could expose secrets that were present in the original code.
Because the skill targets hardcoded secrets, reports or console output containing original vulnerable code may include real tokens or passwords from the scanned project.
Outputs a detailed fix report with:
- Original vulnerable code
Do not share generated reports without redacting secrets, and rotate any credentials that were hardcoded in source files.
