Skill flagged — review recommended

ClawHub Security found sensitive or high-impact capabilities. Review the scan results before using.

Neckr0ik Security Fixer

v1.0.0

Auto-fix security vulnerabilities in OpenClaw skills. Works with neckr0ik-security-scanner to automatically remediate hardcoded secrets, shell injection risk...

1 version · Updated 5h ago · License: MIT-0

Install

openclaw skills install neckr0ik-security-fixer

Security Fixer

Automatically fixes security vulnerabilities found by neckr0ik-security-scanner.

Quick Start

# Scan and fix in one command
neckr0ik-security-fixer fix /path/to/skill --auto

# Interactive fix (confirm each change)
neckr0ik-security-fixer fix /path/to/skill

# Generate .env.example only
neckr0ik-security-fixer env /path/to/skill

What This Fixes

Critical Issues (Auto-fixable)

Issue              Fix Applied
Hardcoded Secrets  Replaces with os.environ.get() + generates .env.example
Shell Injection    Converts to subprocess.run() with shell=False
eval/exec          Wraps with safe alternatives or flags for review

High Issues (Auto-fixable)

Issue             Fix Applied
Prompt Injection  Adds sanitization wrapper
Path Traversal    Adds pathlib validation

How It Works

  1. Runs security scan on target skill
  2. For each vulnerability, generates fix
  3. Applies fix automatically (with --auto) or prompts for confirmation
  4. Creates .env.example with detected secret placeholders
  5. Updates .gitignore to exclude .env

Example Fixes

Hardcoded API Key

Before:

api_key = "sk-abc123def456..."

After:

import os
api_key = os.environ.get("OPENAI_API_KEY")
if not api_key:
    raise ValueError("OPENAI_API_KEY environment variable required")

Generated .env.example:

OPENAI_API_KEY=your-key-here
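The rewrite shown above, together with steps 2 and 4 of "How It Works", as an added illustration that is not the skill's own scripts/fixer.py: a small Python pass that finds string literals assigned to credential-looking names, replaces them with the same os.environ.get() pattern, and collects the placeholders for .env.example. The name heuristic and the rule that derives the environment variable from the variable name (API_KEY rather than the page's OPENAI_API_KEY) are simplifications assumed here.

```python
import re

# Hypothetical heuristic, not the scanner's own rule set: an assignment whose
# target name suggests a credential and whose value is a string literal.
SECRET_ASSIGNMENT = re.compile(
    r'^(?P<indent>\s*)(?P<name>\w*(?:key|secret|token|password)\w*)\s*=\s*'
    r'(?P<quote>["\'])(?P<value>[^"\']{8,})(?P=quote)\s*$',
    re.IGNORECASE,
)


def fix_hardcoded_secrets(source: str) -> tuple[str, dict[str, str]]:
    """Rewrite matching assignments to os.environ.get() lookups.

    Returns the rewritten source plus a mapping of environment variable
    name -> placeholder, which render_env_example() turns into .env.example.
    """
    out: list[str] = []
    env_vars: dict[str, str] = {}
    for line in source.splitlines():
        m = SECRET_ASSIGNMENT.match(line)
        if m is None:
            out.append(line)
            continue
        indent, name = m.group("indent"), m.group("name")
        env_name = name.upper()  # simplification: env var derived from the name
        env_vars[env_name] = "your-key-here"
        # Same shape as the "After" snippet above: look up, then fail loudly.
        out.append(f'{indent}{name} = os.environ.get("{env_name}")')
        out.append(f"{indent}if not {name}:")
        out.append(f'{indent}    raise ValueError("{env_name} environment variable required")')
    fixed = "\n".join(out) + "\n"
    # Add the import the rewritten lookups need, unless it is already present.
    if env_vars and not re.search(r"^import os\b", fixed, re.MULTILINE):
        fixed = "import os\n" + fixed
    return fixed, env_vars


def render_env_example(env_vars: dict[str, str]) -> str:
    """One KEY=placeholder line per detected secret, sorted for stable diffs."""
    return "".join(f"{k}={v}\n" for k, v in sorted(env_vars.items()))


# Constructed sample skill source (not a real skill) with one hardcoded key.
SAMPLE = 'api_key = "sk-abc123def456abcdef"\nprint(api_key)\n'

if __name__ == "__main__":
    fixed_src, found = fix_hardcoded_secrets(SAMPLE)
    print(fixed_src)
    print(render_env_example(found))
```

Removing the literal from the source does not revoke it: a key that was ever committed stays in the repository history and has to be rotated.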

Shell Injection

Before:

os.system(f"convert {filename} output.png")

After:

import subprocess
result = subprocess.run(
    ["convert", filename, "output.png"],
    capture_output=True,
    check=True
)

Prompt Injection

Before:

prompt = f"User says: {user_input}"

After:

import re
def sanitize_for_prompt(text: str) -> str:
    return re.sub(r'[<>\{\}\[\]\\]', '', text[:1000])

prompt = f"User says: {sanitize_for_prompt(user_input)}"

Commands

fix

neckr0ik-security-fixer fix <skill-path> [options]

Options:
  --auto        Apply all fixes without prompting
  --dry-run     Show what would be fixed without making changes
  --backup      Create .bak files before modifying

env

neckr0ik-security-fixer env <skill-path>

Generates:
  - .env.example (template with placeholders)
  - Updates .gitignore to exclude .env

report

neckr0ik-security-fixer report <skill-path> --format json

Outputs a detailed fix report with:
  - Original vulnerable code
  - Fixed code
  - Files modified
  - Manual review items

Safety Features

  • Backup files created by default (can disable with --no-backup)
  • Dry-run mode shows changes without applying
  • Manual review flagging for complex issues that need human judgment
  • Git integration - shows diff before applying

See Also

  • neckr0ik-security-scanner - Scan for vulnerabilities first
  • references/fix-templates.md - Complete fix template library
  • scripts/fixer.py - Main fixer script

Version tags

latest: vk97brtck4p59mchf1qepfqstms82dm2x