Sovereign Security Auditor
v1.0.0
Comprehensive code security audit covering OWASP Top 10, secrets detection, dependency vulnerabilities, and language-specific attack patterns. Built by Taylo...
⭐ 0· 450·1 current·1 all-time
by @ryudi84
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (security audit) aligns with the instructions: the SKILL.md explicitly directs the agent to inspect repositories, dependency manifests (package.json, requirements.txt, go.mod, Cargo.toml, pom.xml), config files and .env files, and produce structured findings. All of these are legitimate needs for a code security auditor.
Instruction Scope
Instructions correctly require reading repository files and configuration to find vulnerabilities and secrets. This is expected, but it means the agent will examine highly sensitive files (e.g., .env, CI configs, hardcoded credentials) and may include secrets in its findings unless the consumer filters or redacts them.
Install Mechanism
Instruction-only skill with no install spec and no code files to write to disk. This minimizes supply-chain risk.
Credentials
The skill declares no required environment variables, credentials, or config paths. Its recommended checks look for sensitive data inside the target codebase (which is appropriate). There are no unrelated external credentials requested.
Persistence & Privilege
No always:true flag, no install scripts, and no modifications to other skills or global agent settings. Autonomous invocation is allowed by default but that is standard and not, by itself, concerning here.
Assessment
This skill appears coherent for performing security audits, but remember it will scan and report sensitive secrets found in the target codebase. Before using it: (1) limit the agent's access to only the repositories you want audited (avoid letting it scan wide filesystem locations), (2) run audits in a secure environment or on copies of repos if you are concerned about extracted secrets appearing in logs or outputs, (3) treat any secrets exposed in findings as compromised and rotate credentials immediately, and (4) verify the upstream project (GitHub homepage) and owner if you plan to rely on or share the skill broadly. If you need tighter control, request that the skill redact or hash detected secrets in reports, or run the audit tooling offline under your own supervision.
Like a lobster shell, security has layers: review code before you run it.
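The scan above flags one concrete risk: a secrets-detection skill will, by design, read .env files and hardcoded credentials, and whatever it finds can end up verbatim in its report, logs, or chat transcript. The following is an added example, not code from the Sovereign Security Auditor skill or from its author, showing the "redact or hash detected secrets" mitigation the assessment recommends. It scans a constructed, hypothetical set of in-memory files (the paths, variable names and credential values are made up; the AWS key uses Amazon's documented example format), records each finding by file, line, rule, a SHA-256 fingerprint and a masked prefix, and then double-checks that no raw secret value survived into the serialized report before it is emitted.

```python
import hashlib
import json
import re
from typing import Dict, List

# Constructed sample repository contents (hypothetical, not from any real project).
SAMPLE_FILES: Dict[str, str] = {
    ".env": "DB_PASSWORD=SuperSecret123!\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDEBUG=true\n",
    "src/config.py": 'API_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"\nTIMEOUT = 30\n',
    "README.md": "Set DB_PASSWORD in your environment.\n",
}

# Detection rules: value-shape patterns for well-known credential formats, plus a
# generic rule for assignments to sensitive-looking variable names. Group 1 is
# always the secret value itself so the reporting code can treat rules uniformly.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "sensitive_assignment": re.compile(
        r"(?i)\w*(?:password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"]?([^\s'\"]+)"
    ),
}


def fingerprint(secret: str) -> str:
    """Non-reversible reference for a secret: first 12 hex chars of its SHA-256.
    Lets findings be correlated across runs, and lets the repo owner confirm a
    match locally, without the report ever containing the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def redact(secret: str) -> str:
    """Keep a short prefix (enough to recognise the credential type) and mask the rest."""
    return secret[:4] + "..." + "*" * max(0, len(secret) - 4)


def scan(files: Dict[str, str]) -> List[dict]:
    """Run every rule over every line; emit one finding per distinct secret per line."""
    findings: List[dict] = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            seen = set()
            for rule, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    secret = m.group(1)
                    if secret in seen:  # same value caught by two rules: report once
                        continue
                    seen.add(secret)
                    findings.append({
                        "rule": rule,
                        "file": path,
                        "line": lineno,
                        "fingerprint": fingerprint(secret),
                        "redacted": redact(secret),
                    })
    return findings


def report_leaks(findings: List[dict], files: Dict[str, str]) -> List[str]:
    """Gate before emitting a report: recompute every raw match and confirm none of
    them appears verbatim in the serialized findings. Returns the leaked values
    (empty list means the report is safe to write to logs or chat output)."""
    serialized = json.dumps(findings)
    leaked = []
    for content in files.values():
        for pattern in PATTERNS.values():
            for m in pattern.finditer(content):
                if m.group(1) in serialized:
                    leaked.append(m.group(1))
    return leaked


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    assert report_leaks(results, SAMPLE_FILES) == [], "refusing to emit a report containing raw secrets"
    print(json.dumps(results, indent=2))
```

The fingerprint is what you hand to the credential owner ("rotate the value whose SHA-256 starts with ..."), and the leak gate is the check that matters operationally: if anyone later adds a "context" or "matched text" field to the finding, `report_leaks` fails before the secret reaches a log line.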
latest: vk97cb72xmndwj21q85f9hy7ayd81p9ah
Runtime requirements
🛡️ Clawdis
