ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

S³ Security Audit

Run security audits on codebases using static analysis, dependency scanning, and manual code review patterns. Covers OWASP Top 10, secrets detection, depende...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 65 · 0 current installs · 0 all-time installs
bySolomon Neas@solomonneas
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a security-audit tool that performs local static checks and dependency scans, which matches the name/description. However the registry metadata declares no required binaries or env vars while the instructions assume common CLI tools (find, grep, sed), language toolchains (npm, pip) and optional scanners (pip-audit, npm audit). This mismatch between declared requirements and actual runtime expectations is an incoherence a user should be aware of.
!
Instruction Scope
Instructions perform broad local repository scans (searching for .env, *.pem, keys, and secret-like patterns) which is expected for auditing, but they also include commands that will attempt to install tooling at runtime (e.g., 'pip install pip-audit'). Installing packages and running network-backed audits (npm audit, pip-audit) are side effects with network/supply-chain implications. The guidance otherwise stays within the audit scope and does not instruct exfiltration or posting results externally.
!
Install Mechanism
There is no formal install spec in the registry (instruction-only), yet the SKILL.md contains an implicit install step ('pip install pip-audit') and expects npm/pip to be present. Implicit runtime installs are higher risk than an explicit vetted install spec because they pull code from package registries at execution time and may alter the agent environment.
Credentials
The skill requests no environment variables or credentials in metadata. The audit scripts search for secret patterns (AWS-like tokens, private keys) within the repository which is appropriate for a security audit and does not itself request unrelated external credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system/service configuration changes. It does not attempt to modify other skills or global agent settings in the provided instructions.
What to consider before installing
This instruction-only skill mostly does what it claims (local static checks and dependency scans), but note two important caveats: (1) the registry metadata omits required binaries (grep/find/sed, npm, pip), so ensure the executing environment has those tools before use; (2) the SKILL.md will try to install tooling at runtime (e.g., 'pip install pip-audit') and run network queries (npm audit/pip-audit), which introduces supply-chain and network exposure risks. Before installing or running: run the commands manually or inside an isolated container/VM, review and pin any packages that would be installed, avoid running against repositories with live secrets unless in a controlled environment, and consider using curated, signed scanner binaries or your organization's approved security tools instead of allowing implicit installs.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
auditvk9771v54wxh5xm51dxcxmp9egx836cymcode-reviewvk9771v54wxh5xm51dxcxmp9egx836cymlatestvk9771v54wxh5xm51dxcxmp9egx836cymowaspvk9771v54wxh5xm51dxcxmp9egx836cymsecurityvk9771v54wxh5xm51dxcxmp9egx836cymvulnerabilitiesvk9771v54wxh5xm51dxcxmp9egx836cym

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Security Audit Skill

Perform security audits on codebases. Adapted from Trail of Bits security research methodology.

When to Use

  • Security review before deployment
  • Code audit for vulnerabilities
  • Dependency vulnerability check
  • Infrastructure/config security review
  • Portfolio project security hardening

Audit Phases

Phase 1: Reconnaissance

Understand the codebase before scanning:

# Language detection
find . -type f | sed 's/.*\.//' | sort | uniq -c | sort -rn | head -20

# Framework detection
ls package.json pyproject.toml Gemfile go.mod Cargo.toml requirements.txt 2>/dev/null

# Entry points
grep -r "app.listen\|createServer\|Flask(\|FastAPI(\|func main" --include="*.py" --include="*.js" --include="*.ts" --include="*.go" -l

# Environment and secrets files
find . -name ".env*" -o -name "*.pem" -o -name "*.key" -o -name "*secret*" -o -name "*credential*" | grep -v node_modules | grep -v .git

Phase 2: Automated Scanning

Secrets Detection:

# Grep for common secret patterns
grep -rn "API_KEY\|SECRET\|PASSWORD\|TOKEN\|PRIVATE_KEY\|aws_access\|ssh-rsa" --include="*.py" --include="*.js" --include="*.ts" --include="*.env" --include="*.yaml" --include="*.yml" --include="*.json" . | grep -v node_modules | grep -v .git | grep -v "*.example"

Dependency Vulnerabilities:

# Node.js
npm audit --json 2>/dev/null | head -100

# Python
pip-audit 2>/dev/null || pip install pip-audit && pip-audit

# Check for outdated deps
npm outdated 2>/dev/null
pip list --outdated 2>/dev/null

Common Vulnerability Patterns (grep-based):

# SQL Injection (string concatenation in queries)
grep -rn "execute.*+\|execute.*%\|execute.*f'" --include="*.py" .
grep -rn "query.*+\|query.*\`" --include="*.js" --include="*.ts" .

# XSS (innerHTML, dangerouslySetInnerHTML)
grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html\|\$sce.trustAsHtml" --include="*.js" --include="*.ts" --include="*.jsx" --include="*.tsx" --include="*.vue" .

# Command Injection
grep -rn "exec(\|system(\|popen(\|subprocess.call\|child_process" --include="*.py" --include="*.js" --include="*.ts" .

# Path Traversal
grep -rn "\.\./" --include="*.py" --include="*.js" --include="*.ts" . | grep -v node_modules | grep -v test

# Hardcoded credentials
grep -rn "password.*=.*['\"].\+['\"]" --include="*.py" --include="*.js" --include="*.ts" --include="*.yaml" . | grep -v node_modules | grep -v test | grep -v example

Phase 3: Infrastructure Review

# Dockerfile issues
grep -n "FROM.*latest\|--no-check-certificate\|curl.*\|.*http:" Dockerfile* 2>/dev/null

# CORS configuration
grep -rn "Access-Control-Allow-Origin.*\*\|cors({.*origin.*true\|CORS(.*allow_all" --include="*.py" --include="*.js" --include="*.ts" .

# TLS/SSL
grep -rn "verify.*False\|rejectUnauthorized.*false\|NODE_TLS_REJECT_UNAUTHORIZED" --include="*.py" --include="*.js" --include="*.ts" .

# Rate limiting (absence is a finding)
grep -rn "rateLimit\|rate.limit\|throttle\|slowDown" --include="*.py" --include="*.js" --include="*.ts" . || echo "WARNING: No rate limiting detected"

Phase 4: Manual Review Focus Areas

Based on OWASP Top 10 (2021):

  1. A01 Broken Access Control — Check auth middleware, route protection, IDOR patterns
  2. A02 Cryptographic Failures — Weak hashing (MD5/SHA1 for passwords), missing encryption
  3. A03 Injection — SQL, NoSQL, OS command, LDAP injection
  4. A04 Insecure Design — Missing input validation, trust boundary violations
  5. A05 Security Misconfiguration — Debug mode, default credentials, verbose errors
  6. A06 Vulnerable Components — Outdated dependencies with known CVEs
  7. A07 Auth Failures — Weak password policy, missing MFA, session fixation
  8. A08 Data Integrity Failures — Unsigned updates, insecure deserialization
  9. A09 Logging Failures — Missing audit logs, logging sensitive data
  10. A10 SSRF — Unvalidated URL inputs, internal service access

Report Format

# Security Audit Report
**Project:** [name]
**Date:** [date]
**Scope:** [files/components audited]

## Executive Summary
[1-2 sentences: overall security posture]

## Critical Findings
### [CRITICAL-001] [Title]
- **Severity:** Critical/High/Medium/Low/Info
- **Category:** OWASP A0X
- **Location:** file:line
- **Description:** What's wrong
- **Impact:** What an attacker could do
- **Remediation:** How to fix it
- **Code:** [before/after snippets]

## Summary Table
| ID | Severity | Category | Title | Status |
|----|----------|----------|-------|--------|
| C-001 | Critical | A03 | SQL Injection in user search | Open |

## Recommendations
[Prioritized list of security improvements]

Limitations

  • Grep-based scanning has high false positive rate; manual verification required
  • Cannot detect logic flaws or business logic vulnerabilities
  • Does not replace professional penetration testing
  • No runtime analysis (DAST); static only

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…