Elixir Security Review
/install elixir-security-review
Quick Reference
| Issue Type | Reference |
|---|---|
| Code.eval_string, binary_to_term | references/code-injection.md |
| String.to_atom dangers | references/atom-exhaustion.md |
| Config, environment variables | references/secrets.md |
| ETS visibility, process dictionary | references/process-exposure.md |
Review Checklist
Critical (Block Merge)
- No Code.eval_string/1 on user input
- No :erlang.binary_to_term/1 without :safe on untrusted data
- No String.to_atom/1 on external input
- No hardcoded secrets in source code
Major
- ETS tables use appropriate access controls
- No sensitive data in process dictionary
- No dynamic module creation from user input
- Path traversal prevented in file operations
Configuration
- Secrets loaded from environment
- No secrets in config/*.exs committed to git
- Runtime config used for deployment secrets
Valid Patterns (Do NOT Flag)
- String.to_atom on compile-time constants - Atoms created at compile time are safe
- Code.eval_string in dev/test - May be needed for tooling
- ETS :public tables - Valid when intentionally shared
- binary_to_term with :safe - Explicitly safe option used
Context-Sensitive Rules
| Issue | Flag ONLY IF |
|---|---|
| String.to_atom | Input comes from external source (user, API, file) |
| binary_to_term | Data comes from untrusted source |
| ETS :public | Contains sensitive data |
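The three Critical sinks beside the forms the Valid Patterns and Context-Sensitive Rules accept, as an added Elixir example written for this page (not the skill's own code or reference files); the `ReviewExamples` module, the status allowlist and the arithmetic-only evaluator are assumed illustrations.

```elixir
defmodule ReviewExamples do
  @moduledoc "Added illustration of the three Critical sinks; not the skill's code."

  # --- Code.eval_string: FLAG when the string reaches here from a request.
  def compute_unsafe(expr), do: Code.eval_string(expr)

  # Accepted form: parse only, then interpret a tiny allowlisted AST. Only the
  # three arithmetic operators ever run, so the input cannot call modules,
  # spawn processes or touch the file system.
  def compute_safe(expr) do
    case Code.string_to_quoted(expr) do
      {:ok, ast} -> eval_ast(ast)
      {:error, _reason} -> {:error, :parse}
    end
  end

  defp eval_ast(n) when is_number(n), do: {:ok, n}

  defp eval_ast({op, _meta, [l, r]}) when op in [:+, :-, :*] do
    with {:ok, a} <- eval_ast(l), {:ok, b} <- eval_ast(r) do
      {:ok, apply(Kernel, op, [a, b])}
    end
  end

  # Anything else (remote calls, variables, unary ops) is refused, not evaluated.
  defp eval_ast(_other), do: {:error, :disallowed}

  # --- String.to_atom: FLAG because the ingress is external (conn.params here).
  # Atoms are never garbage collected and the atom table is finite, so
  # attacker-chosen strings exhaust it and crash the VM.
  def status_unsafe(params), do: String.to_atom(params["status"])

  # Accepted form: a compile-time allowlist; unknown input becomes :error.
  @statuses %{"active" => :active, "archived" => :archived}
  def status_safe(params), do: Map.fetch(@statuses, params["status"])

  # --- :erlang.binary_to_term: FLAG without :safe on data from outside the node.
  # Decoding creates atoms and the term may embed funs.
  def decode_unsafe(payload), do: :erlang.binary_to_term(payload)

  # Accepted form: :safe refuses terms that would create new atoms or external
  # function references; the refusal is an ArgumentError the caller must turn
  # into an error value rather than let escape. Plug.Crypto's
  # non_executable_binary_to_term/2 goes further and also rejects funs.
  def decode_safe(payload) do
    {:ok, :erlang.binary_to_term(payload, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end
end
```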
Hard gates (before reporting)
Complete in order for each finding you intend to report. Do not advance until the pass condition is satisfied.
- Location artifact — The finding includes [FILE:LINE] (or a line range) that you copied from the current file contents; the path resolves in this repo.
- Scope read — You read the full surrounding function or module section that contains the flagged code, not only a diff hunk or summary.
- External-data claim (only if the finding depends on "user/untrusted input") — You can name one concrete ingress (for example conn.params, a Jason.decode!/1 result, an uploaded file path, a message from another node) or you drop the finding because the value is compile-time, test-only, or internal per Context-Sensitive Rules.
- Protocol — Pre-report steps in beagle-elixir:review-verification-protocol (skill) are satisfied for this item (no finding if they are not).
Before Submitting Findings
Use the issue format: [FILE:LINE] ISSUE_TITLE for each finding.
Hard gate 4 requires beagle-elixir:review-verification-protocol (skill); use it as the full pre-report checklist and issue-type verification (it extends beyond this skill’s summary).
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install elixir-security-review
- After installation, invoke the skill by name or use /elixir-security-review
- Provide required inputs per the skill's parameter spec and get structured output
What is Elixir Security Review?
Reviews Elixir code for security vulnerabilities including code injection, atom exhaustion, and secret handling. Use when reviewing code handling user input,... It is an AI Agent Skill for Claude Code / OpenClaw, with 183 downloads so far.
How do I install Elixir Security Review?
Run "/install elixir-security-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Elixir Security Review free?
Yes, Elixir Security Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Elixir Security Review support?
Elixir Security Review is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Elixir Security Review?
It is built and maintained by Kevin Anderson (@anderskev); the current version is v1.2.1.