Security Review Workflow
v1.0.0
Use when the current branch or PR needs a focused security review that minimizes false positives and only reports concrete, exploit-relevant issues.
MIT-0
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The name and description (focused security review of a branch or PR) match the instructions (collect diffs, inspect newly introduced attack surfaces, report concrete findings). The actions requested are what you would expect for a diff-based security review.
Instruction Scope
Runtime instructions ask for git status, changed files, diffs, and an analysis of the codebase for existing security patterns, all consistent with the stated purpose. The instructions do not direct reading unrelated system paths, accessing external endpoints, or exfiltrating data.
Install Mechanism
No install spec and no code files; the skill is instruction-only so nothing is written to disk or fetched at install time.
Credentials
The skill declares no required environment variables, credentials, or config paths. It only expects repository diffs and related context, which is proportional to its purpose.
Persistence & Privilege
The always flag is false, and there is no request to modify agent or global config or to persist credentials. Autonomous invocation is allowed (the default), but that is expected for skills and is not combined with other concerning privileges.
Assessment
This skill appears coherent and safe in scope, but follow these precautions before enabling it:
(1) Provide only the minimal diff, changed files and needed context; do not feed secrets or large private blobs to a third-party model.
(2) Prefer running reviews locally or within your trusted environment if the code contains sensitive data.
(3) Verify the provenance and source before using it in sensitive projects (the registry metadata shows an unknown owner and no homepage).
(4) Test on a non-sensitive branch or PR to confirm that the agent's behavior and outputs match your expectations (it is aggressive about suppressing low-confidence findings).
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Security Review Workflow
Use this skill for focused security review of branch or PR changes.
Workflow
- Collect git status, changed files, commit list, and full diff against the target base.
- Research the codebase's existing security patterns.
- Inspect only newly introduced attack surfaces in the diff.
- Filter out speculative, low-signal, or excluded finding classes.
- Report only concrete, actionable findings with file, severity, exploit path, and recommendation.
Guardrails
- Minimize false positives aggressively.
- Ignore general code review comments that are not security issues.
- Prefer fewer high-confidence findings over noisy coverage.
Example Requests
- Review this branch only for concrete security bugs.
- Find high-confidence vulnerabilities in the current diff and ignore noise.
Inputs
- Diff against base
- Changed files
- Relevant security context
Outputs
- High-signal security findings
- Severity and exploit path
- Fix recommendations
Success Criteria
- Only concrete issues are reported.
- False positives are aggressively filtered.
- Each finding is actionable.
Non-Goals
- General style review
- Speculative low-confidence security commentary
Source Provenance
Derived from src/commands/security-review.ts.
Files
3 total