Security Audit Tianjin Review
Audited by ClawScan on May 10, 2026.
Overview
It appears to be a local security audit tool, but it deliberately inspects sensitive Clawdbot files and its optional auto-fix mode can change configuration files.
This skill looks coherent for local Clawdbot security auditing. Install and run it only if you are comfortable with it reading deployment configuration and credential files under /root/clawd. Start with a read-only audit, keep generated reports private, and use --fix only after reviewing what it may change.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the audit may reveal where secrets or weak credentials exist on the host, and any generated report should be treated as sensitive.
The audit reads local Clawdbot .env/config files to search for credential patterns. This is expected for a credential audit, but it is sensitive local access.
const CONFIG_DIR = '/root/clawd/skills/.env'; ... const content = fs.readFileSync(filePath, 'utf8');
Run it only on the intended Clawdbot deployment and avoid sharing audit output unless secrets and sensitive paths have been reviewed.
The audit may run system tools and inspect process/port state on the machine where it is executed.
The script executes local shell commands to inspect open ports. The visible command is fixed and purpose-aligned, but it is still local command execution.
const ssResult = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null || echo "not available"',
Run it from a trusted account on the intended host, and review command behavior before using it in automation.
Auto-fix could change deployment behavior or file access permissions, which may break workflows if applied unexpectedly.
The documented auto-fix mode can change permissions and configuration files. This is purpose-aligned and user-invoked, but it is not read-only.
The `--fix` option automatically:
- Sets restrictive file permissions (600 on .env)
- Secures sensitive configuration files
- Creates .gitignore if missing
- Enables basic security headers
Run a read-only audit first, back up important configuration files, and use --fix only when you intend to apply changes.
It may be harder to verify who published the exact artifact and whether it matches the registry entry.
The owner/version in the packaged _meta.json differ from the owner/version shown in the registry metadata, and the source/homepage are unknown. This is a provenance ambiguity, not evidence of malicious behavior by itself.
{ "ownerId": "kn72ce44tqw8bnnnewrn1s5x3s7yz7sq", "slug": "security-audit-tianjin", "version": "1.0.0"
Confirm the package origin and version before installing, especially because the skill inspects sensitive files and can modify configuration in --fix mode.
