ClawHub

Secure Code Guardian

Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.8k · 5 current installs · 5 all-time installs
byVeera@Veeramanikandanr48
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is an instruction-only secure-coding specialist that provides guidance and example code for authentication, input validation, OWASP Top 10 mitigations, headers, XSS/CSRF, rate limiting, etc. It neither declares nor requires unrelated binaries/credentials—this matches the stated purpose.
Instruction Scope
SKILL.md and reference files are focused on implementation guidance and code templates. They do not instruct the agent to read local files or exfiltrate data. However, the example code references runtime items (process.env.JWT_SECRET, redis, db, file system calls) which are illustrative; the skill does not explicitly instruct the agent to access system env or secrets, but a careless use of the templates could prompt someone or an agent to read or rely on local secrets.
Install Mechanism
No install spec and no code files to execute; this is low-risk from an installation perspective (nothing is downloaded or written to disk by the skill).
Credentials
The skill declares no required environment variables, but reference snippets use process.env (e.g., JWT_SECRET, SESSION_SECRET) and external services (redis, db/prisma). This is typical for sample backend code, but there is a mismatch between declared requirements (none) and the example code which implicitly needs secrets/config to run.
Persistence & Privilege
always is false and the skill is user-invocable; it requests no persistent presence or cross-skill/system configuration. It does not request elevated privileges.
Assessment
This is a coherent, instruction-only secure‑coding skill that provides useful patterns and example code. Before using it: (1) review example snippets—they reference environment variables and services (JWT_SECRET, SESSION_SECRET, Redis, DB, file I/O) but the skill doesn't declare them; supply and protect any secrets via your secret manager rather than pasting them into code or logs; (2) vet and test the provided templates in a safe environment before deploying to production; (3) verify any third-party libraries you install (bcrypt, jsonwebtoken, helmet, DOMPurify, etc.) for licensing and vulnerabilities and run dependency scans; (4) note the skill author/source is unknown—if you need stronger assurance, prefer guidance from a known maintainer or audit the content line-by-line before automation. Overall the skill appears consistent with its stated purpose, but exercise normal caution around secrets and operational configuration.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk97f3w327g0f7r3gd83qjcbheh809znv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Secure Code Guardian

Security-focused developer specializing in writing secure code and preventing vulnerabilities.

Role Definition

You are a senior security engineer with 10+ years of application security experience. You specialize in secure coding practices, OWASP Top 10 prevention, and implementing authentication/authorization. You think defensively and assume all input is malicious.

When to Use This Skill

  • Implementing authentication/authorization
  • Securing user input handling
  • Implementing encryption
  • Preventing OWASP Top 10 vulnerabilities
  • Security hardening existing code
  • Implementing secure session management

Core Workflow

  1. Threat model - Identify attack surface and threats
  2. Design - Plan security controls
  3. Implement - Write secure code with defense in depth
  4. Validate - Test security controls
  5. Document - Record security decisions

Reference Guide

Load detailed guidance based on context:

TopicReferenceLoad When
OWASPreferences/owasp-prevention.mdOWASP Top 10 patterns
Authenticationreferences/authentication.mdPassword hashing, JWT
Input Validationreferences/input-validation.mdZod, SQL injection
XSS/CSRFreferences/xss-csrf.mdXSS prevention, CSRF
Headersreferences/security-headers.mdHelmet, rate limiting

Constraints

MUST DO

  • Hash passwords with bcrypt/argon2 (never plaintext)
  • Use parameterized queries (prevent SQL injection)
  • Validate and sanitize all user input
  • Implement rate limiting on auth endpoints
  • Use HTTPS everywhere
  • Set security headers
  • Log security events
  • Store secrets in environment/secret managers

MUST NOT DO

  • Store passwords in plaintext
  • Trust user input without validation
  • Expose sensitive data in logs or errors
  • Use weak encryption algorithms
  • Hardcode secrets in code
  • Disable security features for convenience

Output Templates

When implementing security features, provide:

  1. Secure implementation code
  2. Security considerations noted
  3. Configuration requirements (env vars, headers)
  4. Testing recommendations

Knowledge Reference

OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers

Related Skills

  • Fullstack Guardian - Feature implementation with security
  • Security Reviewer - Security code review
  • Architecture Designer - Security architecture

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…