Zero2ai Security Audit

v1.0.0

Security auditing for git commits, repos, and skills before publishing. Run automatically before any `git commit`, `git push`, or `clawhub publish`. Detects...

by Zero2Ai (@zero2ai-hub)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description describe a pre-publish/pre-commit security scanner, and the repository contains a single audit script (scripts/audit.py) plus a SKILL.md that explains how to run it. The skill declares no binaries, env vars, or installs — consistent with a local scanner.
Instruction Scope
SKILL.md confines runtime behavior to running the local Python scanner on staged, last-commit, or arbitrary paths. It references a concrete {skill_dir} path (/home/aladdin/...) and tells users to report findings to 'Aladdin' — these are documentation/template details to update to the deployer's environment but do not expand the scanner's scope. The instructions do not direct the agent to read unrelated system secrets or send results externally.
Install Mechanism
No install spec — instruction-only skill with a local Python script. This is the lowest-risk install model and matches the stated purpose.
Credentials
The skill requests no environment variables, credentials, or config paths. The scanner reads repository files and may call 'git' via subprocess (to enumerate staged/last-commit files), which is appropriate for a pre-commit scanner.
Persistence & Privilege
`always: false` is set and no special system modifications are requested. The skill does not try to persist itself or modify other skills. Autonomous invocation by the agent is allowed by default on the platform, but combined with this skill's limited scope it does not raise additional concerns.
Assessment
This skill appears to be what it says: a local pre-publish/pre-commit scanner implemented in Python. Before installing or using it:

1) Review scripts/audit.py yourself to confirm you agree with its patterns and exclusions (it intentionally excludes certain directories and has a whitelist of 'safe' placeholders).
2) Update SKILL.md paths and the 'Report to Aladdin' text to match your environment so the doc doesn't leak a template user.
3) Note that the scanner calls 'git' and reads repository files (normal for this use) and only prints or emits JSON — there are no network calls or credential requirements in the included code.
4) If you plan to let an autonomous agent run this skill automatically, ensure you trust the agent to run arbitrary local scans; the script does not exfiltrate data but will read repository contents.

If you want extra assurance, run the script manually on a test copy of your repo to validate results and behavior.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97asjc1bdwfp5eaxhxw0shae9820944
