Elixir Security Review

Reviews Elixir code for security vulnerabilities including code injection, atom exhaustion, and secret handling. Use when reviewing code handling user input,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Kevin Anderson (@anderskev)

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included checklists and reference documents; nothing in the manifest or SKILL.md requests unrelated credentials, binaries, or system access. The references cover the issues the skill claims to review (code injection, atom exhaustion, secrets, process exposure).
Instruction Scope
SKILL.md provides targeted, code-review-focused instructions and a concrete checklist. Minor inconsistency: it tells the reviewer to 'Load and follow [review-verification-protocol](../review-verification-protocol/SKILL.md)', but that referenced file is not present in the provided file manifest. This is an operational gap (a missing document) rather than evidence of malicious behavior.
Install Mechanism
No install spec and no bundled code; instruction-only skills write nothing to disk and have minimal install risk.
Credentials
No environment variables, credentials, or config paths are required. Reference documents discuss environment use in Elixir apps (e.g., System.fetch_env!), which is appropriate context for reviewers but does not indicate the skill needs secrets or keys.
Persistence & Privilege
The always flag is false, and the skill does not request persistence or elevated platform privileges. It does not modify other skills or system-wide settings.
Assessment
This is an instruction-only security-review checklist for Elixir and appears internally consistent and low-risk. Before using: (1) note the missing referenced 'review-verification-protocol' document and ask the skill author or registry for it if you depend on that step; (2) remember that 'benign' means the skill is coherent, not that it will find every vulnerability, so still validate findings manually; and (3) if the skill is later extended to include code that executes or downloads artifacts, re-evaluate it for install and credential risks. If you need stricter guarantees, request that the author add the missing protocol file and an explicit provenance/homepage.


Current version: v1.2.0 (latest: vk97b6bd2pqq5s59g5pdqrq56vd83bn6q)


SKILL.md

Elixir Security Review

Quick Reference

| Issue Type | Reference |
|---|---|
| Code.eval_string, binary_to_term | references/code-injection.md |
| String.to_atom dangers | references/atom-exhaustion.md |
| Config, environment variables | references/secrets.md |
| ETS visibility, process dictionary | references/process-exposure.md |

Review Checklist

Critical (Block Merge)

  • No Code.eval_string/1 (or Code.eval_quoted/1, Code.compile_string/1) on user input
  • No :erlang.binary_to_term/1 on untrusted data; untrusted terms must be decoded with :erlang.binary_to_term/2 and the [:safe] option (or an equivalent such as Plug.Crypto.non_executable_binary_to_term/2)
  • No String.to_atom/1 (or List.to_atom/1) on external input; convert against a known set with String.to_existing_atom/1 instead
  • No hardcoded secrets in source code
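The following module is an added illustration for this checklist, not one of the skill's own files: each Critical finding is shown in its vulnerable form next to the hardened form a reviewer should expect to see. Module and function names (Review.CriticalExamples, calc_safe, decode_safe, status_safe) and the 64 KiB payload limit are illustrative assumptions.

```elixir
# Added example (not part of the skill). Names and limits are illustrative.
defmodule Review.CriticalExamples do
  # ---- 1. Code injection via Code.eval_string/1 ---------------------------

  # FLAG: the caller controls an arbitrary Elixir expression.
  def calc_vulnerable(expr) when is_binary(expr) do
    {result, _binding} = Code.eval_string(expr)
    result
  end

  # PREFER: parse input into data, never into code. A tiny allow-list
  # evaluator for "a <op> b" is enough for this hypothetical feature.
  @ops %{"+" => &Kernel.+/2, "-" => &Kernel.-/2, "*" => &Kernel.*/2}
  def calc_safe(expr) when is_binary(expr) do
    with [a, op, b] <- String.split(expr, " ", trim: true),
         {x, ""} <- Integer.parse(a),
         {y, ""} <- Integer.parse(b),
         {:ok, fun} <- Map.fetch(@ops, op) do
      {:ok, fun.(x, y)}
    else
      _ -> {:error, :invalid_expression}
    end
  end

  # ---- 2. Deserialising untrusted binaries --------------------------------

  # FLAG: a crafted term can create new atoms (atom-table exhaustion) and
  # can carry anonymous functions or external function references.
  def decode_vulnerable(bin), do: :erlang.binary_to_term(bin)

  # PREFER: [:safe] raises ArgumentError for terms that would create new
  # atoms, funs or external refs. It does NOT bound term size, so cap the
  # payload before decoding (64 KiB here is an assumed application limit).
  @max_payload 64 * 1024
  def decode_safe(bin) when is_binary(bin) and byte_size(bin) <= @max_payload do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_or_malformed_term}
  end

  def decode_safe(_bin), do: {:error, :payload_too_large}

  # ---- 3. Atom creation from external input --------------------------------

  # FLAG: every distinct value adds an atom that is never garbage collected;
  # :erlang.system_info(:atom_count) climbs until the VM crashes.
  def status_vulnerable(str), do: String.to_atom(str)

  # PREFER: only atoms that already exist can be produced. Listing the
  # allowed values in a module attribute creates them at compile time, so
  # String.to_existing_atom/1 can never fail for a legitimate input.
  @statuses [:active, :suspended, :closed]
  def status_safe(str) when is_binary(str) do
    atom = String.to_existing_atom(str)
    if atom in @statuses, do: {:ok, atom}, else: {:error, :unknown_status}
  rescue
    ArgumentError -> {:error, :unknown_status}
  end
end
```

A reviewer verifying the third finding in IEx can compare :erlang.system_info(:atom_count) before and after feeding a few thousand distinct strings to status_vulnerable/1 and to status_safe/1: only the former moves the counter.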

Major

  • ETS tables use appropriate access controls
  • No sensitive data in process dictionary
  • No dynamic module creation from user input
  • Path traversal prevented in file operations
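The module below is an added example for the Major items on ETS visibility, the process dictionary and path traversal; it is not one of the skill's reference files. The module name, the :sessions table name, the /var/app/uploads directory and the function names are assumptions, and Path.safe_relative/1 requires Elixir 1.14 or later.

```elixir
# Added example (not part of the skill). Names and paths are illustrative.
defmodule Review.MajorExamples do
  # ---- ETS visibility ------------------------------------------------------

  # FLAG (only if the contents are sensitive): a :public table can be read
  # and written by any process in the VM, including code loaded later.
  def start_session_table_public do
    :ets.new(:sessions, [:set, :public, :named_table])
  end

  # PREFER: :protected (the default) allows reads from any process but
  # writes only by the owner; :private restricts both to the owner, so
  # access goes through the owning process (typically a GenServer).
  def start_session_table_private do
    :ets.new(:sessions, [:set, :private, :named_table, read_concurrency: true])
  end

  # ---- Process dictionary --------------------------------------------------

  # FLAG: the dictionary is returned by Process.info(pid, :dictionary) and
  # appears in crash reports and observer, so a token stored here is exposed.
  def store_token_vulnerable(token), do: Process.put(:api_token, token)

  # PREFER: keep the token in GenServer state or a :private ETS table; the
  # state is shown here only to illustrate what a reviewer should expect.
  defmodule TokenHolder do
    use GenServer

    def start_link(token), do: GenServer.start_link(__MODULE__, token)

    @impl true
    def init(token), do: {:ok, %{token: token}}

    @impl true
    def handle_call(:token, _from, state), do: {:reply, state.token, state}
  end

  # ---- Path traversal ------------------------------------------------------

  @uploads_dir "/var/app/uploads"

  # FLAG: Path.join/2 does not strip "..", so "../../etc/passwd" escapes
  # the uploads directory.
  def read_upload_vulnerable(name), do: File.read(Path.join(@uploads_dir, name))

  # PREFER: Path.safe_relative/1 returns :error for absolute paths and for
  # any path that would resolve above its starting directory.
  def read_upload_safe(name) when is_binary(name) do
    case Path.safe_relative(name) do
      {:ok, rel} -> File.read(Path.join(@uploads_dir, rel))
      :error -> {:error, :invalid_path}
    end
  end
end
```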

Configuration

  • Secrets loaded from environment
  • No secrets in config/*.exs committed to git
  • Runtime config used for deployment secrets
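As an added example of the three Configuration items (not a file shipped with the skill), a config/runtime.exs that loads deployment secrets from the environment at boot. The application name my_app and the module names MyApp.Repo and MyAppWeb.Endpoint are assumptions; System.fetch_env!/1 is the same call the skill's reference documents mention.

```elixir
# config/runtime.exs (added example, not part of the skill).
# Evaluated at boot, so nothing here is baked into the release or committed.
import Config

if config_env() == :prod do
  # FLAG in config/prod.exs:  secret_key_base: "literal-secret-in-git"
  # PREFER: System.fetch_env!/1 raises at startup if the variable is missing,
  # which is better than a nil secret discovered at the first request.
  config :my_app, MyApp.Repo,
    url: System.fetch_env!("DATABASE_URL"),
    pool_size: String.to_integer(System.get_env("POOL_SIZE", "10"))

  config :my_app, MyAppWeb.Endpoint,
    secret_key_base: System.fetch_env!("SECRET_KEY_BASE")
end
```

A reviewer should also confirm that config/prod.secret.exs or similar files are listed in .gitignore and that no git history entry ever contained the literal values.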

Valid Patterns (Do NOT Flag)

  • String.to_atom on compile-time constants: atoms created at compile time form a fixed, bounded set and are safe
  • Code.eval_string in dev/test: may be needed for tooling, provided the call is not reachable from the production code path
  • ETS :public tables: valid when intentionally shared and the contents are not sensitive
  • binary_to_term with [:safe]: the option refuses terms that would create new atoms, anonymous functions or external function references; it does not bound term size, so very large or deeply nested payloads still need a size limit before decoding

Context-Sensitive Rules

| Issue | Flag ONLY IF |
|---|---|
| String.to_atom | Input comes from an external source (user, API, file) |
| binary_to_term | Data comes from an untrusted source |
| ETS :public | The table contains sensitive data |

Before Submitting Findings

Use the issue format: [FILE:LINE] ISSUE_TITLE for each finding.

Load and follow review-verification-protocol before reporting any issue.

Files: 5 total