ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

configsafe

v1.0.2

Infrastructure configuration auditor — scans Dockerfiles, K8s manifests, Terraform, and CI/CD pipelines for security misconfigurations

0· 66·0 current·0 all-time
by@suhteevah

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suhteevah/configsafe.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "configsafe" (suhteevah/configsafe) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/configsafe
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash, python3, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install configsafe

ClawHub CLI

Package manager switcher

npx clawhub@latest install configsafe
Security Scan
Capability signals
CryptoRequires walletRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binaries (git, bash, python3, jq), CLI surface, and files (bash scripts + pattern definitions) align with an offline configuration scanner that offers scans, reports, and git-hook integration. Requested primary credential CONFIGSAFE_LICENSE_KEY is appropriate for Pro/Team features.
Instruction Scope
Runtime instructions and scripts are local and focused on scanning configs and installing lefthook pre-commit hooks. Hooks will run the skill's shell scripts from the skill directory on each commit (expected for a pre-commit scanner) — remember that any pre-commit hook executes arbitrary code during commits, which is normal but worth noting.
Install Mechanism
Install spec only installs the well-known 'lefthook' brew formula, which is a reasonable, low-risk choice for hook management. No archived downloads or unusual external installers are used.
!
Credentials
The single declared credential (CONFIGSAFE_LICENSE_KEY) is appropriate, but the code reads ~/.openclaw/openclaw.json and will attempt to parse it (SKILL.md lists that config path). The registry metadata above listed 'Required config paths: none', which is inconsistent with the SKILL.md. More importantly, license.sh embeds decoded JWT JSON directly into inline python/node -c commands (and into jq expressions) without safe escaping; a malicious or crafted license value or a tampered ~/.openclaw/openclaw.json could cause command execution or syntax injection during license validation.
Persistence & Privilege
always:false and user-invocable:true. The skill installs lefthook config into repositories when requested and sources its own scripts; it does not request permanent system-wide privileges or modify other skills' configs. Pre-commit hooks will run on commit, which is expected for this functionality.
What to consider before installing
ConfigSafe otherwise looks coherent for an offline config scanner, but exercise caution before installing: 1) The license-validation code embeds JWT payloads directly into shell-invoked python/node commands — if an attacker can supply or modify your license key or ~/.openclaw/openclaw.json this could allow code injection during license checks. 2) Hooks install will run the skill's shell scripts on every commit (normal for linters/scanners but remember hooks execute code locally). Recommended actions before installing or enabling hooks: inspect ~/.openclaw/openclaw.json and any license keys you provide; run the skill in an isolated environment (e.g., VM or disposable container) first; consider patching license.sh to parse JSON safely (e.g., pass the payload on stdin to python or use jq with a filename, avoid inlining unescaped JSON into -c strings). If you cannot verify the license source or config file integrity, treat the skill as potentially hazardous and avoid enabling automated hooks on sensitive repos.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🐳 Clawdis
OSmacOS · Linux · Windows
Binsgit, bash, python3, jq
Primary envCONFIGSAFE_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
latestvk97djy2b4n6et9rmwpy263sh4s84vs0t
66downloads
0stars
1versions
Updated 1w ago
v1.0.2
MIT-0
macOS, Linux, Windows
@suhteevah
latest
Download

ConfigSafe — Infrastructure Configuration Auditor

ConfigSafe scans infrastructure configuration files for security misconfigurations across Dockerfiles, docker-compose, Kubernetes manifests, Terraform, CI/CD pipelines, and web server configs. It uses regex-based pattern matching against 80+ misconfiguration patterns, lefthook for git hook integration, and produces markdown security reports with CIS benchmark mapping.

Commands

Free Tier (No license required)

configsafe scan [file|directory]

One-shot configuration security scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/configsafe.sh" scan [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Auto-detects configuration types (Dockerfile, docker-compose, Kubernetes, Terraform, CI/CD, Nginx/Apache)
  3. Finds all config files matching known patterns
  4. Runs 80+ misconfiguration patterns against each file
  5. Calculates a security score (0-100) per file and overall
  6. Outputs findings with: file, line number, check ID, severity, description, recommendation
  7. Exit code 0 if secure (score >= 70), exit code 1 if issues found
  8. Free tier limited to 5 config files per scan

Example usage scenarios:

  • "Scan my infrastructure configs for security issues" -> runs configsafe scan .
  • "Check this Dockerfile for misconfigurations" -> runs configsafe scan Dockerfile
  • "Audit my Kubernetes manifests" -> runs configsafe scan k8s/
  • "Is my Terraform config secure?" -> runs configsafe scan terraform/

Pro Tier ($19/user/month -- requires CONFIGSAFE_LICENSE_KEY)

configsafe hooks install

Install git pre-commit hooks that scan staged config files before every commit.

How to execute:

bash "<SKILL_DIR>/scripts/configsafe.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Copies lefthook config to project root
  3. Installs lefthook pre-commit hook
  4. On every commit: scans all staged config files for misconfigurations, blocks commit if critical/high findings, shows remediation advice

configsafe hooks uninstall

Remove ConfigSafe git hooks.

bash "<SKILL_DIR>/scripts/configsafe.sh" hooks uninstall

configsafe report [directory]

Generate a markdown security report with findings, severity breakdown, and remediation steps.

bash "<SKILL_DIR>/scripts/configsafe.sh" report [directory]

What it does:

  1. Validates Pro+ license
  2. Runs full scan of the directory
  3. Generates a formatted markdown report from template
  4. Includes per-file breakdowns, security scores, CIS benchmark references
  5. Output suitable for security reviews and compliance audits

configsafe benchmark [directory]

Run CIS benchmark checks against infrastructure configurations.

bash "<SKILL_DIR>/scripts/configsafe.sh" benchmark [directory]

What it does:

  1. Validates Pro+ license
  2. Maps findings to CIS Docker Benchmark, CIS Kubernetes Benchmark, and CIS AWS Foundations
  3. Reports pass/fail status for each benchmark check
  4. Outputs overall compliance percentage

Team Tier ($39/user/month -- requires CONFIGSAFE_LICENSE_KEY with team tier)

configsafe policy [directory]

Enforce organization-specific security policies on infrastructure configurations.

bash "<SKILL_DIR>/scripts/configsafe.sh" policy [directory]

What it does:

  1. Validates Team+ license
  2. Loads custom policies from ~/.openclaw/openclaw.json (configsafe.config.customPolicies)
  3. Enforces organization-specific rules (e.g., required labels, forbidden images, mandatory resource limits)
  4. Combines custom policies with built-in patterns for comprehensive scanning
  5. Outputs SARIF-compatible results

configsafe compliance [directory]

Generate a full compliance report covering CIS and NIST frameworks.

bash "<SKILL_DIR>/scripts/configsafe.sh" compliance [directory]

What it does:

  1. Validates Team+ license
  2. Runs full scan with all patterns
  3. Maps findings to CIS Docker Benchmark, CIS Kubernetes Benchmark, CIS AWS Foundations, and NIST 800-190
  4. Generates comprehensive compliance report with pass/fail per control
  5. Includes executive summary, detailed findings, and remediation roadmap

configsafe status

Show license and configuration information.

bash "<SKILL_DIR>/scripts/configsafe.sh" status

Detected Misconfigurations

ConfigSafe detects 80+ misconfiguration patterns across 6 config types:

CategoryExamplesSeverity
DockerfileRunning as root, latest tag, ADD vs COPY, exposed sensitive ports, missing health checks, secrets in ENV, curl pipe bash, chmod 777, missing multi-stage buildsCritical/High
docker-composeprivileged: true, host network, Docker socket mount, missing resource limits, plaintext secrets, unbound ports, missing restart policyCritical/High
KubernetesRunning as root, privileged containers, missing security context, missing resource limits, hostPath volumes, default namespace, missing probes, allowPrivilegeEscalationCritical/High
TerraformHardcoded credentials, missing encryption, public S3 buckets, open security groups (0.0.0.0/0), missing logging, overly permissive IAM, default VPCCritical/High
CI/CD PipelinesPlaintext secrets, PR trigger with write perms, unpinned actions, missing timeout, unrestricted self-hosted runners, artifact upload without expiryHigh/Medium
Nginx/ApacheMissing security headers, server tokens enabled, SSL/TLS misconfig, open proxy, missing rate limiting, directory listing enabledMedium/High

Configuration

Users can configure ConfigSafe in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "configsafe": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "high",
          "customPolicies": [],
          "excludePatterns": ["**/test/**", "**/examples/**"],
          "reportFormat": "markdown"
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration
  • All scanning happens locally -- no code or configs are sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Pattern matching only -- no AST parsing, no external dependencies
  • Supports scanning multiple config types in a single pass
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = secure (score >= 70), 1 = issues found (for CI/CD integration)

Error Handling

  • If lefthook is not installed and user tries hooks install, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://configsafe.pages.dev/renew
  • If a file is binary, skip it automatically with no warning
  • If no config files found in target, report clean scan with info message
  • If config type cannot be determined, skip the file gracefully

When to Use ConfigSafe

The user might say things like:

  • "Scan my Dockerfile for security issues"
  • "Check my Kubernetes manifests for misconfigurations"
  • "Audit my Terraform configs"
  • "Is my docker-compose file secure?"
  • "Check my CI/CD pipeline for security problems"
  • "Generate a security report for my infrastructure"
  • "Run CIS benchmark checks"
  • "Set up pre-commit hooks for config scanning"
  • "Check if my containers are running as root"
  • "Scan for open security groups in Terraform"
  • "Are there any hardcoded secrets in my configs?"
  • "Check my nginx config for security headers"

Comments

Loading comments...