ClawHub

Security Review

Review code changes for security vulnerabilities. Checks for OWASP Top 10, secrets exposure, injection flaws, auth issues, and insecure defaults. Use when re...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 77 · 0 current installs · 0 all-time installs
bySolomon Neas@solomonneas
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description describe a security code review and the SKILL.md contains checks and output format consistent with that purpose. There are no unrelated required binaries, env vars, or config paths.
Instruction Scope
Runtime instructions focus on reviewing code for OWASP Top 10, secrets, injections, auth/authorization, and configuration issues. The document does not instruct the agent to read unrelated system files, access environment variables, or transmit data to external endpoints. It does not give broad, open-ended permissions beyond reviewing provided code diffs/PRs.
Install Mechanism
There is no install spec and no shipped code — the skill is instruction-only, so nothing will be written to disk or downloaded during install.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for a checklist-style review tool.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent/system-wide privileges or modifications to other skills.
Assessment
This skill is coherent and lightweight, but keep these practical points in mind before using it with real projects: (1) It will analyze whatever code you give it — do not supply secrets or private tokens in plain text. If findings include secrets, treat those as sensitive and rotate credentials as needed. (2) The skill produces suggested fixes and code examples but cannot safely apply changes; always review and test suggestions before merging. (3) If you plan to let the agent run autonomously on private repos, restrict its access and monitor outputs (the skill could surface sensitive snippets from code). (4) This checklist doesn't replace manual review of business-logic issues; note any areas requiring human assessment. If you want stronger guarantees, require the skill only be run interactively and avoid granting repository credentials or automated access to production systems.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97aq81qv0483yrs65hez1rp8h83bhrj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Security Code Review

Review code changes for security vulnerabilities, following OWASP Top 10 and secure coding best practices.

What to Check

Injection (SQL, Command, LDAP, XSS)

  • User input used in queries without parameterization
  • Template literals in SQL strings
  • eval(), exec(), os.system() with user input
  • Unescaped output in HTML templates

Authentication & Session

  • Hardcoded credentials or API keys
  • Weak password requirements
  • Missing rate limiting on auth endpoints
  • Session fixation or missing regeneration
  • JWT without expiration or with weak signing

Authorization

  • Missing access control checks on endpoints
  • IDOR (direct object reference without ownership check)
  • Role checks that can be bypassed
  • Privilege escalation paths

Secrets & Data Exposure

  • API keys, tokens, passwords in code or configs
  • Sensitive data in logs
  • PII without encryption
  • .env files or secrets committed to git

Configuration

  • Debug mode enabled in production
  • CORS set to wildcard (*)
  • Missing security headers
  • Default credentials unchanged
  • Verbose error messages exposing internals

Output Format

For each finding:

**FINDING:** [Title]
**Severity:** CRITICAL | HIGH | MEDIUM | LOW
**File:** [path:line]
**Code:** [the problematic code]
**Issue:** [what's wrong]
**Fix:** [how to fix it, with code example]
**OWASP:** [category reference]

Rules

  • Focus on HIGH and CRITICAL findings first
  • Provide working fix code, not just descriptions
  • If no security issues found, say so clearly
  • Note any areas that need manual review (business logic, auth flows)

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…