Yaf PHP Audit

v1.1.0

Audit legacy PHP projects, especially Yaf-based PHP 7.3 codebases, for architecture issues, security risks, performance problems, compatibility risks, and ma...

by Xavier Mary (@xaviermary56)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the packaged checklist and two shell scanners. No unrelated environment variables, binaries, or install steps are requested. The provided scripts implement the advertised first‑pass static scan and batch workspace scanning.
Instruction Scope
SKILL.md instructs the agent to inspect project directories, use the checklist, and run the included scan scripts. The scripts read files under the target project/workspace, search for risky patterns, and write textual reports. They do not call external endpoints or read unrelated system configs. Note: the scanner will read any path you point it at (including config files that may contain secrets), so choose targets carefully.
Install Mechanism
No install spec — instruction-only with bundled shell scripts. No downloads, external package installs, or archive extraction. Low install surface.
Credentials
No required environment variables, credentials, or config paths declared. The scripts use only CLI args and local filesystem I/O. There is no disproportionate credential access requested.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system presence or modify other skills. It writes report files to locations you pass in (or default output dirs) but does not change global agent configuration.
Assessment
This skill appears to do what it says: a first‑pass static auditor for PHP/Yaf projects implemented as shell scripts and a checklist. Before running: (1) review the scripts yourself if you don't trust the source (they are short, readable bash scripts); (2) run scans only against intended project directories (don't point it at system roots or vaults containing secrets — reports may include config contents); (3) treat results as a quick triage, not definitive vulnerability proofs; (4) run in a sandbox or with limited filesystem permissions if you want to reduce risk. If you need deeper dataflow or binary analysis, use a dedicated static analysis tool or manual audit.


latest: vk973f81pqdj8npd0xambv5k331833y76
