Install
openclaw skills install @zero2ai-hub/zero2ai-security-auditSecurity auditing for git commits, repos, and skills before publishing. Run automatically before any git commit, git push, or clawhub publish. Detects hardcoded secrets, API keys, tokens, absolute paths, committed node_modules, .env files, and other sensitive patterns. Use when reviewing code for security issues, pre-publishing skills, or investigating a potential secret exposure.
openclaw skills install @zero2ai-hub/zero2ai-security-auditRun scripts/audit.py before every commit, push, or skill publish. No exceptions.
| Trigger | Command |
|---|---|
Before git commit | python3 {skill_dir}/scripts/audit.py --staged |
Before git push | python3 {skill_dir}/scripts/audit.py --last-commit |
Before clawhub publish <path> | python3 {skill_dir}/scripts/audit.py <skill_path> |
| Ad-hoc scan any path | python3 {skill_dir}/scripts/audit.py <path> |
{skill_dir} = /home/aladdin/.openclaw/workspace/skills/skill-security-audit
0 = clean1 = HIGH or MEDIUM findings (block publish/push)2 = usage error| Severity | Pattern |
|---|---|
| 🔴 HIGH | API keys, secrets, passwords, JWT tokens, WooCommerce keys, AWS keys, private key blocks, bearer tokens, .env files |
| 🟡 MEDIUM | Absolute /home/<user>/ paths, /root/ paths, refresh tokens, node_modules/ committed |
| 🔵 LOW | Hardcoded IPs, long base64 strings |
node_modules/.process.env.SECRET_NAME or read from a local config file outside the repo..gitignore.Before clawhub publish:
audit.py <skill_path> returns 0 (clean)node_modules/ not present in skill folderpackage.json name matches skill folder name