Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Security Guardian

Automated security auditing for OpenClaw projects. Scans for hardcoded secrets (API keys, tokens) and container vulnerabilities (CVEs) using Trivy. Provides...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 736 · 3 current installs · 3 all-time installs
by azzar budiyanto @1999AZZAR
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (secret scanning + Trivy container scans) matches the included files and runtime instructions. The repository contains a secrets scanner and a Trivy wrapper. The SKILL.md references mema-vault for remediation, which is coherent with the stated purpose.
Instruction Scope
SKILL.md instructs only local scans and Trivy usage. The provided scripts scan files or images only and do not reference external endpoints or collect/transmit secrets. The Python scanner explicitly blocks scanning system roots unless --force is used, and the container script delegates to the host's Trivy.
Install Mechanism
No install spec (instruction-only) and two small scripts are included. The only external requirement is the user-installed trivy binary for container scanning, which is documented in the SKILL.md.
Credentials
The skill does not request environment variables, credentials, or config paths. The scripts do not read secrets from environment variables or attempt to persist/authenticate to external services. Use of a vault (mema-vault) is suggested for remediation, but that integration is advisory rather than automatic.
Persistence & Privilege
The skill is not force-included (always:false), does not request persistent system-wide changes, and does not modify other skills' configs. Autonomous invocation is allowed by default (platform behavior) but is not combined with other concerning privileges here.
Assessment
What to consider before installing:

  • Code review: The packaged scripts are small and readable; review them yourself before running. The skill has no homepage or provenance, which lowers trust; prefer skills with verified sources.
  • Run scope: Use the tool only on intended project workspace paths. The secret scanner blocks system roots by default; avoid using --force unless you explicitly intend to scan system directories.
  • Handling findings: Treat any reported secrets as sensitive. Do not paste findings (secret values) into public channels. Use a vetted credential manager (review the mema-vault skill) to rotate and vault secrets rather than storing them in plain text.
  • Environment: Trivy may download vulnerability DB updates during scans; run it in an environment where network access and telemetry are acceptable. Consider running scans in an isolated environment if you have high security requirements.
  • False positives & limitations: The regex patterns can generate false positives and may miss obfuscated secrets; use findings as actionable leads, not absolute truth.
  • If you need higher assurance: ask the skill author for provenance (repo/homepage, signed release) or reimplement equivalent checks from known tools. If you will integrate with an external vault, validate that integration code and do not give vault credentials to untrusted skills.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.1.0
Tags: audit, devops, latest, scanner, secrets, security, trivy

SKILL.md

Security Guardian

System for automated security auditing and credential protection.

Core Workflows

1. Secret Scanning

Scan specific project directories for hardcoded credentials.

  • Tool: scripts/scan_secrets.py
  • Usage: python3 $WORKSPACE/skills/security-guardian/scripts/scan_secrets.py <path_to_project>
  • Workflow:
    1. Execute scan on a specific project or directory.
    2. If findings are reported (exit code 1):
      • Review the file and line number.
      • Transition: Move the secret to a secure vault (e.g., using the mema-vault skill).
      • Redact: Replace the plaintext secret in the source code with an environment variable or a vault lookup call.
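
A minimal sketch of the scan contract described above: regex matching, file and line reporting, exit code 1 on findings, and refusal of system roots without --force. It is an added example, not the skill's scripts/scan_secrets.py; the two patterns, the system-root list and the masking of matched values are assumptions.

```python
import os
import re
import sys

# Assumed rules for illustration; the skill's own pattern list is not shown on the page.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "quoted_credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}
# Assumed deny-list; scanning these needs force=True, mirroring the --force flag.
SYSTEM_ROOTS = {"/", "/etc", "/usr", "/var", "/bin", "/sbin", "/lib", "/boot", "/proc", "/sys", "/dev"}

def redact(value):
    # Keep four leading characters: enough to identify the key, not enough to reuse it.
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text, source="<memory>"):
    """Return (source, line number, rule, redacted match) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append((source, lineno, rule, redact(m.group(m.lastindex or 0))))
    return findings

def scan_path(root, force=False):
    """Walk root and scan each readable file; refuse system roots unless forced."""
    real = os.path.realpath(root)  # resolve symlinks before checking the deny-list
    if real in SYSTEM_ROOTS and not force:
        raise PermissionError(f"refusing to scan system directory {real} without --force")
    findings = []
    for dirpath, _dirnames, filenames in os.walk(real):
        for name in filenames:
            try:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="ignore") as fh:
                    findings += scan_text(fh.read(), fh.name)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return findings

def main(argv):
    paths = [a for a in argv if a != "--force"] or ["."]
    findings = scan_path(paths[0], force="--force" in argv)
    for src, lineno, rule, masked in findings:
        print(f"{src}:{lineno}: {rule}: {masked}")
    return 1 if findings else 0  # non-zero exit lets a CI job fail on findings

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because matches are masked before printing, the report can be attached to a ticket without exposing the credential itself.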

2. Container Vulnerability Scan

Analyze Docker images for vulnerabilities prior to deployment.

  • Tool: scripts/scan_container.sh
  • Usage: bash $WORKSPACE/skills/security-guardian/scripts/scan_container.sh <image_name>
  • Logic: Identify HIGH and CRITICAL severities. Recommend base image updates or security patches.

Security Guardrails

  • Scope Limitation: Avoid scanning system-level directories. Focus only on relevant project workspaces.
  • Credential Isolation: Hardcoded secrets are considered a high-severity finding.
  • Dependencies: Container scanning requires trivy to be installed on the host system.

Integration

  • Vaulting: This skill identifies leaks. Remediation should be performed using a dedicated credential manager like mema-vault.

Files

3 total