Sec Audit Cn

v1.0.0

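Use when performing code security audits, secure coding, and code review in regions such as China: covers the OWASP Top 10, authentication and authorization, secrets and configuration, CORS/CSP, input validation and injection prevention, XSS/CSRF, dependency vulnerabilities, and logging and error handling; outputs graded findings and actionable remediation recommendations. Suitable for Web/API services, mobile backends, mini-program server sides, and business flows involving personal information and payment callbacks.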

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description describe an application security audit guide for China-region use, and the SKILL.md contains OWASP-aligned checklists, code examples, and remediation guidance, all consistent with that purpose. There are no unrelated requirements (no cloud keys, no platform-specific creds).
Instruction Scope
Runtime instructions are prose, checklists, and code snippets for auditing code/config/architecture. They do not instruct the agent to read arbitrary system files, access environment variables, or send data to external endpoints. Examples using child_process or execFile are illustrative and aligned with injection-check guidance.
Install Mechanism
No install spec and no bundled code; this is instruction-only so nothing will be written to disk or downloaded during install.
Credentials
The skill declares no required env vars, credentials, or config paths. The checks and remediation items reference best-practice handling of secrets but do not request access to them.
Persistence & Privilege
Flags show default behavior (not always:true) and the skill is user-invocable; it does not request elevated/always-on privileges or modify other skills' configuration.
Assessment
This skill is coherent with its stated purpose (a localized OWASP-style audit guide). Before installing: review the full SKILL.md yourself (the provided preview was truncated), confirm you trust the skill's provenance (source/homepage unknown), and avoid giving the agent sensitive secrets or production-only credentials when asking it to perform audits. If you plan to run automated checks against live systems, do so in a controlled environment and coordinate with ops/compliance as needed.
