OpenClaw Security Scanner
v1.0.0Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice.
⭐ 0· 9·0 current·0 all-time
MIT-0
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the provided code and SKILL.md: the bundle includes a Python scanner (scripts/main.py) that implements scanning, dependency guidance, and secret detection. The requested resources (none) are proportional to a local scanner.
Instruction Scope
SKILL.md tells the agent to run the included Python script to scan files/directories and to integrate in CI. The instructions and script operate on local files (rglob over project files) which is expected for this purpose, but will enumerate/print secrets found to stdout. Minor mismatch: the CI example references skills/security/scripts/main.py while the distributed file path is scripts/main.py — this may be a packaging/path inconsistency to verify before use.
Install Mechanism
No install spec is provided and the skill is instruction-only with a bundled script. Nothing is downloaded or written by an installer; the only code executed is the included Python file.
Credentials
The skill requires no environment variables, credentials, or config paths. The scanner searches files for credentials (which is its purpose) but does not attempt to read unrelated environment variables or request external credentials.
Persistence & Privilege
The skill does not set always:true, does not claim to persist or modify other skills, and has no install-time hooks. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges.
Assessment
This skill appears to be a local security scanner and is internally consistent, but note the following before running it:
- Running the bundled script executes arbitrary Python included in the skill. If you do not fully trust the author, review scripts/main.py line-by-line (it was provided) before execution.
- The scanner will read and enumerate files in the target directory (rglob('*')), which is expected for secret detection but means it will touch many repository files and print findings to stdout. Do not run it in a context where printing secrets to logs is unsafe; prefer a sandbox or run locally in a controlled environment.
- The CI example path in SKILL.md (skills/security/scripts/main.py) doesn't match the provided file layout (scripts/main.py). Confirm paths if you integrate this into CI to avoid accidental execution of a different script.
- The tool itself does not make network calls or request credentials, but it suggests using external tools (safety, pip-audit). Use those tools from trusted sources if you follow that guidance.
If you want higher assurance: run the script in an isolated container, inspect the full main.py (and any referenced modules/rules) for unexpected behavior, and test on a non-sensitive repository first.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Security - Security Analysis
安全分析工具,扫描代码漏洞、检查依赖、提供修复建议。
Version: 1.0
Features: 漏洞扫描、依赖检查、密钥检测、安全建议
Quick Start
1. 扫描代码
# 扫描单个文件
python3 scripts/main.py scan --file src/main.py
# 扫描整个项目
python3 scripts/main.py scan --dir src/
2. 检查依赖
# 检查依赖漏洞
python3 scripts/main.py deps --requirements requirements.txt
# 检查 package.json
python3 scripts/main.py deps --package-json package.json
3. 检测密钥泄露
# 扫描密钥泄露
python3 scripts/main.py secrets --dir .
Commands
| 命令 | 说明 | 示例 |
|---|---|---|
scan | 安全扫描 | scan --file src.py |
deps | 依赖检查 | deps --requirements req.txt |
secrets | 密钥检测 | secrets --dir . |
安全扫描
$ python3 scripts/main.py scan --file src/auth.py
🔒 Security Scan Results
=========================
File: src/auth.py
Issues found: 2
🔴 Critical:
Line 34: Hardcoded password
password = "admin123" # ← Move to environment variable
CWE-798: Use of Hard-coded Credentials
🟡 Medium:
Line 67: SQL injection risk
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
CWE-89: SQL Injection
Fix: Use parameterized queries
✅ No secrets detected
依赖检查
$ python3 scripts/main.py deps --requirements requirements.txt
📦 Dependency Check
===================
Checked: 15 packages
Issues: 2
🔴 CVE-2023-1234: requests < 2.31.0
Severity: High
Fix: pip install requests>=2.31.0
🟡 CVE-2023-5678: flask < 2.3.0
Severity: Medium
Fix: pip install flask>=2.3.0
✅ All other dependencies up to date
密钥检测
$ python3 scripts/main.py secrets --dir .
🔑 Secret Detection
===================
Scanned: 45 files
Secrets found: 1
🔴 .env (line 3):
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Type: AWS Secret Access Key
Action: Move to secrets manager or environment variable
⚠️ Remember to rotate exposed credentials!
检测规则
代码漏洞
| 规则 | 严重度 | CWE |
|---|---|---|
| Hardcoded credentials | 🔴 Critical | CWE-798 |
| SQL injection | 🔴 Critical | CWE-89 |
| Command injection | 🔴 Critical | CWE-78 |
| Path traversal | 🔴 Critical | CWE-22 |
| Insecure crypto | 🟡 Medium | CWE-327 |
| Weak random | 🟡 Medium | CWE-338 |
| Debug mode enabled | 🟡 Medium | CWE-489 |
密钥模式
| 类型 | 检测 |
|---|---|
| API Keys | ✅ |
| AWS Credentials | ✅ |
| Database URLs | ✅ |
| Private Keys | ✅ |
| JWT Secrets | ✅ |
| Passwords in code | ✅ |
Configuration
.security.json:
{
"severity_threshold": "medium",
"ignore_paths": [
"tests/**",
"vendor/**"
],
"ignore_rules": [
"debug-mode-in-production"
],
"custom_patterns": {
"company_api_key": "COMPANY_[A-Z0-9]{32}"
}
}
CI/CD 集成
# .github/workflows/security.yml
name: Security Scan
on: [pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan Code
run: python3 skills/security/scripts/main.py scan --dir src/
- name: Check Dependencies
run: python3 skills/security/scripts/main.py deps --requirements requirements.txt
- name: Detect Secrets
run: python3 skills/security/scripts/main.py secrets --dir .
Files
skills/security/
├── SKILL.md # 本文件
└── scripts/
├── main.py # ⭐ 统一入口
├── scanner.py # 漏洞扫描器
└── rules/ # 检测规则
├── python.yml
└── javascript.yml
Roadmap
- Basic vulnerability detection
- Secret detection
- Dependency checking
- SAST integration
- DAST support
Files
2 totalSelect a file
Select a file to preview.
Comments
Loading comments…