ClawHub

Security Best Practices

Review code with secure-by-default standards, prioritize exploitable risks, and deliver minimal-diff fixes with evidence and regression checks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 419 · 10 current installs · 10 all-time installs
byIván@ivangdavila
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description (security reviews, prioritized findings, minimal diffs) align with the actual content: review playbook, severity model, remediation patterns, and templates. The only required artifact is a local config path (~/security-best-practices/) which is coherent for a review memory store.
Instruction Scope
SKILL.md limits actions to asking consent, creating/using local memory files, loading the minimum necessary files, and following a documented review workflow. There are no instructions to read unrelated system files, exfiltrate data, or call external endpoints. The skill explicitly states to ask before persisting data.
Install Mechanism
No install spec or code files are present; this is instruction-only which minimizes disk-write risk. There is no download/extract/install behavior to evaluate.
Credentials
No environment variables, binaries, or credentials are requested. The only resource required is a local directory for optional memory and logs; that is proportionate for a review workflow. Note: the files stored there could contain sensitive code snippets or findings, so disk access protections matter.
Persistence & Privilege
The skill may create and reuse local memory in ~/security-best-practices/ after explicit consent (always:false). Autonomous model invocation is allowed (platform default), but the skill does not request elevated system privileges or modify other skills. Consider the persistence trade-off: local files will remain until removed and may contain sensitive findings.
Assessment
This skill appears coherent and safe as an instruction-only security review helper. Before installing or enabling it: 1) Confirm you are comfortable with it creating ~/security-best-practices/ and store sensitive findings there; require explicit consent to create that directory. 2) Ensure that directory has appropriate file-system protections (permissions, disk encryption, backups) because it may hold code snippets or vulnerability evidence. 3) Be cautious before using any offered 'clawhub install' related skills — they are optional third-party installs. 4) If you need networked reviews or CI integration, verify any follow-up steps explicitly (the skill itself declares no external exfiltration). If you want extra assurance, request the author/source or a signed provenance for the skill before wide deployment.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97862fzjwrmtz7stbbxqs5rzn81z297

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
OSLinux · macOS · Windows
Config~/security-best-practices/

SKILL.md

Setup

On first use, read setup.md for integration guidelines. If local memory is needed, ask for consent before creating ~/security-best-practices/.

When to Use

Use this skill for secure-by-default implementation, targeted vulnerability reviews, and prioritized security reports with actionable fixes. Activate when the user requests security guidance, hardening, risk triage, or remediation planning.

Architecture

Memory lives in ~/security-best-practices/. See memory-template.md for setup.

~/security-best-practices/
|- memory.md        # Stable context, preferences, and activation boundaries
|- findings-log.md  # Findings registry with severity and status
`- exceptions.md    # Approved security exceptions and review dates

Quick Reference

Load only the minimum file needed for the current request.

TopicFile
Setup processsetup.md
Memory templatememory-template.md
Full review workflowreview-playbook.md
Severity model and scoringseverity-model.md
Safe remediation patternsremediation-patterns.md
Risk exception logexceptions.md

Core Rules

1. Establish Scope and Evidence First

Before any conclusions, confirm:

  • System boundary (service, module, endpoint, or workflow)
  • Stack evidence (language, framework, deployment context)
  • Threat assumptions (external attacker, internal misuse, privilege level)

No evidence, no finding.

2. Map Risks to a Repeatable Baseline

Evaluate every review against a consistent baseline:

  • Authn/authz boundaries
  • Input validation and output encoding
  • Secrets handling and configuration safety
  • Dependency and supply chain posture
  • Logging, error handling, and data exposure controls

Use review-playbook.md to keep scans systematic instead of ad hoc.

3. Produce Findings That Are Verifiable

Each finding must include:

  • Severity from severity-model.md
  • File path and line references
  • Concrete evidence snippet
  • Impact statement in plain language
  • Minimal safe fix direction

Avoid speculative findings without repository evidence.

4. Prioritize Exploitability Over Theory

Rank by practical risk, not by checklist volume:

  • Reachability from untrusted inputs
  • Privilege required by attacker
  • Blast radius if exploited
  • Ease of abuse and repeatability

High confidence, exploitable issues come first.

5. Remediate With Minimal Product Risk

Fix one finding at a time:

  • Prefer small diffs that preserve existing behavior
  • Add tests when security fixes alter code paths
  • Flag expected behavior changes before implementing
  • Re-run project validation after each fix batch

Use remediation-patterns.md for safe rollouts.

6. Respect Explicit Exceptions and Ownership

If the user accepts a known risk:

  • Record rationale in exceptions.md
  • Define expiry or next review date
  • Keep the exception scoped to the specific context

Never apply broad silent overrides.

Security Review Traps

  • Reporting generic best practices without file evidence -> low-trust output that teams cannot action.
  • Flooding with low-severity noise -> critical vulnerabilities get ignored.
  • Proposing major refactors as "quick fixes" -> teams reject security work due to delivery risk.
  • Ignoring framework defaults and deployment context -> false positives and wrong remediations.
  • Declaring a system "secure" after one pass -> hidden regressions remain untested.

Security & Privacy

Data that leaves your machine:

  • None by default from this skill itself.

Data that stays local:

  • Review preferences and finding history in ~/security-best-practices/.
  • Exception rationale in local memory files only.

This skill does NOT:

  • Exfiltrate source code to undeclared third-party endpoints.
  • Mark unresolved risks as fixed.
  • Perform hidden destructive changes.

Related Skills

Install with clawhub install <slug> if user confirms:

  • auth - Authentication design and hardening.
  • authorization - Access control and permission boundaries.
  • encryption - Key management and cryptographic hygiene.
  • firewall - Network exposure review and policy controls.
  • devops - Secure delivery, CI checks, and operational safeguards.

Feedback

  • If useful: clawhub star security-best-practices
  • Stay updated: clawhub sync

Files

7 total
Select a file
Select a file to preview.

Comments

Loading comments…