Agentic Security Audit
v1.0.0
Audit codebases, infrastructure, AND agentic AI systems for security issues. Covers traditional security (dependencies, secrets, OWASP web top 10, SSL/TLS, f...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The requested binaries (npm, pip, git, openssl, curl) and the included audit commands are appropriate for a general code/infrastructure security audit. However the skill's metadata (_meta.json) has a different ownerId and slug than the registry metadata, and the SKILL.md repeatedly claims coverage of 'agentic' AI systems (prompt injection, memory poisoning, multi-agent audits) while the visible instructions mostly show traditional codebase checks. Those discrepancies are unexpected and worth verifying with the publisher.
Instruction Scope
The SKILL.md gives concrete audit commands (npm audit, pip-audit, trivy, grep patterns, git-history scans, pre-commit hook, .gitignore checks) that are within the stated scope of a security audit. These instructions will read repository files and git history (git log -p --all), which is expected for secret discovery but can surface sensitive secrets — this is normal for an audit but important to be aware of. The document also claims agentic-specific audits but provides few or no concrete, scoped steps for those agentic checks in the provided excerpt, making that portion vague.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. It expects existing system tooling; nothing is downloaded or written by the skill itself.
Credentials
No environment variables or credentials are required. The absence of requested secrets is proportionate for the stated auditing tasks. Note: many of the grep patterns and git-history commands look for secrets in code; that's appropriate for this purpose, but users should avoid running these scans on systems they don't control.
Persistence & Privilege
always is false and there is no install; the skill does not request persistent presence or elevated platform privileges. Autonomous invocation is permitted by default but is not combined with other high-risk flags here.
What to consider before installing
This instruction-only skill appears to contain valid, useful audit commands for repositories and infrastructure. Before installing or using it: (1) verify the publisher/owner — the registry metadata and the embedded _meta.json disagree, which could indicate a repackaging or copy; (2) read the entire SKILL.md to confirm the agentic-AI audit steps are present and sensible (the excerpt focuses on traditional checks); (3) run scans in an isolated environment or on a copy of the repository because git-history scans and grep secret-detection will read and may display secrets; (4) do not provide credentials to the skill — it doesn’t need them; (5) if you plan to allow autonomous invocation, restrict the agent's filesystem scope and review logs, since the skill's commands will access file contents and git history. If you need strong assurance about the agentic-audit capabilities, ask the publisher for concrete, reproducible steps for prompt-injection, identity spoofing, and memory-poisoning checks and for a consistent package/owner identity.
Like a lobster shell, security has layers — review code before you run it.
Tags: agentic, latest, owasp, security
Runtime requirements
🔒 Clawdis
OS: Linux · macOS · Windows
Any bin: npm, pip, git, openssl, curl
