Deterministic security fixes for infrastructure code via Gomboc.ai Community Edition

by Gomboc AI · GitHub ↗ · v0.2.0 · MIT-0
Description
Automatically scan and deterministically fix security issues in Terraform, CloudFormation, and IaC with merge-ready pull requests and CI/CD integration.
README (SKILL.md)

Gomboc Code Remediation Skill

Deterministic, merge-ready code fixes for any codebase.

Gomboc.ai Community Edition automatically scans and fixes code issues across your entire codebase — infrastructure, applications, configurations, and more — using deterministic AI (no hallucinations). This skill wraps Gomboc's power into agent workflows, CLI tools, and CI/CD pipelines, making it the perfect complement to agentic coding.

What It Does

  • Scan any codebase for issues (infrastructure, application code, configs)
  • Generate deterministic, merge-ready pull requests with fixes
  • Remediate continuously via GitHub Actions or interactive CLI/MCP
  • Trust 94%+ fix acceptance rate with zero hallucinations (ORL Engine)
  • Pair with agents — deterministic remediation that works perfectly alongside agentic coding systems

Supported Languages & Frameworks

  • Infrastructure as Code — Terraform, CloudFormation, Kubernetes YAML
  • Configuration Files — JSON, YAML, HCL
  • Security Issues — Across any codebase (IaC, applications, configs)
  • Expanding — More languages and frameworks added regularly

Quick Start

1. Get a Token

# Sign up at https://app.gomboc.ai (free, Community Edition)
# Generate Personal Access Token in Settings
export GOMBOC_PAT="gpt_your_token"

2. Scan Code

python scripts/cli-wrapper.py scan --path ./src

3. Generate Fixes

python scripts/cli-wrapper.py fix --path ./src

4. Apply Fixes (Optional)

python scripts/cli-wrapper.py remediate --path ./src --commit

Key Features

  • ✅ Deterministic AI — Same fix every time, no hallucinations
  • ✅ 94%+ Accuracy — Merge-ready fixes users actually accept
  • ✅ Free Forever — Community Edition of Gomboc.ai
  • ✅ Production-Ready — Battle-tested implementation
  • ✅ Secure by Design — No token leaking, proper error handling
  • ✅ Agent-Friendly — Perfect for autonomous code improvement loops

CLI Commands

scan

Detect issues in your codebase

gomboc scan path:./terraform
gomboc scan path:./src policy:aws-cis format:markdown

fix

Generate merge-ready fixes

gomboc fix path:./terraform format:pull_request
gomboc fix path:./src format:json

remediate

Apply fixes directly to code

gomboc remediate path:./src commit:true
gomboc remediate path:./terraform commit:true push:true

config

Manage authentication

gomboc config --show-token

For Agents

This skill is designed as the ideal complement to agentic coding:

  • Deterministic — Reliable, repeatable remediation
  • Trustworthy — 94%+ of fixes are merged as-is
  • Autonomous — Agents can scan, generate, and apply fixes without human intervention
  • Continuous — Perfect for ongoing code improvement loops

Integration Methods

1. MCP Server (Agents)

Run the MCP server for interactive agent integration:

docker-compose -f scripts/docker-compose.yml up
# Server runs on http://localhost:3100

See references/mcp-integration.md for details.

2. CLI Tool (Developers)

Use the Python CLI for local scanning and fixing:

export GOMBOC_PAT="your_token"
python scripts/cli-wrapper.py scan --path ./src

See references/setup.md for detailed instructions.

3. GitHub Actions (CI/CD)

Automate continuous remediation in your CI/CD pipeline:

- uses: gomboc-action@v1
  with:
    path: ./terraform
    auto-fix: true

See references/github-action.md for configuration.

Configuration

All configuration is via environment variables:

Variable        Purpose                Required  Example
GOMBOC_PAT      Personal Access Token  Yes       gpt_abc123...
GOMBOC_MCP_URL  MCP server URL         No        http://localhost:3100
GOMBOC_POLICY   Remediation policy     No        default or aws-cis

Security & Audit

This skill has been:

  • ✅ Security-audited for token handling
  • ✅ Verified against live Gomboc API
  • ✅ Tested with real vulnerabilities
  • ✅ Confirmed production-ready

See SECURITY.md for complete audit details.
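The audit bullets above and the configuration table rest on two properties a user can check locally: the GOMBOC_* variables are set sensibly, and nothing the scripts print contains the token. The Python below is an added example, not part of the skill's own scripts/cli-wrapper.py or scripts/verify-setup.sh; it validates the three variables from the table and runs a command while watching its combined output for the token. The "gpt_" token shape is taken from the table's example value; the exact character set and the loopback-only rule for plain-http MCP URLs are assumptions.

```python
import os
import re
import subprocess
from urllib.parse import urlparse

# Added example, not code from the gomboc-security skill. The token shape is an
# assumption based on the README's "gpt_abc123..." sample value.
TOKEN_RE = re.compile(r"gpt_[A-Za-z0-9_-]{4,}")
POLICIES = {"default", "aws-cis"}                  # policy names from the README table
DEFAULT_MCP_URL = "http://localhost:3100"          # default MCP URL from the README table
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def mask_token(token: str) -> str:
    """Render a token for logs: keep the prefix and the last 4 characters only."""
    return token[:4] + "****" + token[-4:] if len(token) > 8 else "****"

def validate_config(env: dict) -> list[str]:
    """Return the problems found in GOMBOC_PAT / GOMBOC_POLICY / GOMBOC_MCP_URL (empty = usable)."""
    problems = []
    if not TOKEN_RE.fullmatch(env.get("GOMBOC_PAT", "")):
        problems.append("GOMBOC_PAT is missing or is not a gpt_ token")
    policy = env.get("GOMBOC_POLICY", "default")
    if policy not in POLICIES:
        problems.append(f"GOMBOC_POLICY {policy!r} is not one of {sorted(POLICIES)}")
    url = urlparse(env.get("GOMBOC_MCP_URL", DEFAULT_MCP_URL))
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append(f"GOMBOC_MCP_URL {url.geturl()!r} is not an http(s) URL")
    elif url.scheme == "http" and url.hostname not in LOOPBACK:
        # The MCP server receives the bearer token, so a remote one must use https (assumed policy).
        problems.append("GOMBOC_MCP_URL must use https unless it points at loopback")
    return problems

def find_token_leaks(output: str, token: str) -> list[str]:
    """Lines of output that contain the configured token or any other gpt_-shaped token."""
    return [ln.strip() for ln in output.splitlines() if token in ln or TOKEN_RE.search(ln)]

def run_and_check(cmd: list[str], overrides: dict) -> tuple[int, list[str]]:
    """Run cmd with GOMBOC_* overrides on top of the current env; return (exit code, leaking lines)."""
    env = {**os.environ, **overrides}
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    return proc.returncode, find_token_leaks(proc.stdout + proc.stderr, env["GOMBOC_PAT"])

if __name__ == "__main__":
    cfg = {"GOMBOC_PAT": "gpt_abc123def456"}       # constructed sample token, not a real credential
    print("using token", mask_token(cfg["GOMBOC_PAT"]), "problems:", validate_config(cfg))
    rc, leaks = run_and_check(["python3", "scripts/cli-wrapper.py", "scan", "--path", "./src"], cfg)
    print("exit", rc, "lines leaking the token:", len(leaks))
```

Run it from the skill's directory after installation; a non-empty leak count means the wrapper printed the token somewhere in stdout or stderr.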

Support & Documentation

License

MIT License — See LICENSE file

Ready to remediate? Start with the Quick Start section above, then explore integration methods that fit your workflow.

Usage Guidance
This skill generally does what it says: it uses a Gomboc.ai bearer token (GOMBOC_PAT) to call an API that scans and can generate or apply fixes. Before installing:

  1. Fix the metadata mismatch — the top-level registry info claiming "no env vars" is wrong; the skill requires GOMBOC_PAT.
  2. Only provide a token with least privilege (create a token scoped narrowly to the repos you want to remediate; avoid a broad org-level deploy token).
  3. Treat auto-remediation (remediate --commit/--push and CI steps) as high privilege: enable branch protection/required PR reviews or run in scan-only mode until you’ve audited fixes.
  4. Verify the API endpoint and vendor: confirm https://api.app.gomboc.ai and the referenced GitHub repo/homepage exist and are maintained by trusted parties.
  5. Run scripts/verify-setup.sh in an isolated environment to confirm behavior and that tokens are not printed.
  6. If you allow autonomous agent invocation, monitor actions and restrict the skill’s runtime scope (e.g., limit agent permissions, require human approval for pushes).

If you want, provide me the upstream repository URL or the Gomboc docs link so I can check whether the published claims (audit, 94% acceptance rate, security audit) are externally verifiable — that would raise confidence to high.
Capability Analysis
Type: OpenClaw Skill
Name: gomboc-security
Version: 0.2.0

The Gomboc Code Remediation Skill is a legitimate integration for the Gomboc.ai security platform, designed to scan and fix infrastructure and application code. The bundle includes a Python CLI wrapper (scripts/cli-wrapper.py) and a bash verification script (scripts/verify-setup.sh) that interact with the official Gomboc GraphQL API (api.app.gomboc.ai) using a Personal Access Token. The code follows security best practices, such as masking sensitive tokens in output, using read-only Docker mounts for the MCP server, and avoiding dangerous functions like eval or shell execution. The documentation (SKILL.md, SECURITY.md) clearly defines the tool's purpose and provides a transparent audit of its security posture.
Capability Assessment
Purpose & Capability
The skill claims deterministic remediation for IaC and the included CLI and MCP instructions call a Gomboc GraphQL API with a bearer token — that capability aligns with the stated purpose. However, the registry header at the top of the submission says "Required env vars: none / Primary credential: none" while .clawhub.yml, SKILL.md, and the scripts require GOMBOC_PAT. This metadata mismatch is an incoherence that should be fixed.
Instruction Scope
SKILL.md instructs agents to run local CLI, start an MCP server (docker-compose), and wire GitHub Actions. The runtime scripts only operate on a user-specified path and call the external API; they do not attempt to read arbitrary system files. However, the remediate command and GitHub Actions examples describe auto-commit and push behavior (server-side apply/push or CI runs that call remediate with commit/push), which grants the skill the ability to modify repositories if given credentials — that is expected for a remediation tool but must be considered a privileged capability.
Install Mechanism
No installer downloads or external package installs are present; this is an instruction + script bundle relying on Python and optional Docker. No remote arbitrary code downloads or URL-shortened installs were found.
Credentials
The only sensitive credential used is a single bearer token (GOMBOC_PAT) which is appropriate for an API-based remediation service. But the package metadata in the top summary incorrectly lists no required env vars whereas .clawhub.yml and the SKILL.md require GOMBOC_PAT. That inconsistency can mislead users. Also, because the token may be used in CI (GitHub Actions) or MCP server contexts to perform commits/pushes, users should ensure the token has least privilege (e.g., limited repo scope) and is stored as a secret.
Persistence & Privilege
always:false (no forced presence). Model invocation is allowed (default), so agents can autonomously call this skill. Autonomy plus the ability to request remediation/commit operations increases blast radius if misused — a legitimate design choice for remediation tools but something to monitor (use branch protections, require PR reviews). The skill does not attempt to modify other skills or global agent config.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install gomboc-security
  3. After installation, invoke the skill by name or use /gomboc-security
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
- Major documentation update with simplified, streamlined instructions and integration paths.
- Added new files: .clawhub.yml, CHANGELOG.md, LICENSE, and a code example (examples/vulnerable.tf).
- Removed deprecated/renamed files: .clayhub.yml, LICENSE.md, and obsolete example.
- Updated "Quick Start", features, and CLI command documentation for clarity and ease of use.
- Enhanced description of agent and CI/CD integration, configuration, and security practices.
v0.1.1
Version 0.1.1 (gomboc-security)
- Refactored project structure: added 4 files (.clayhub.yml, LICENSE, SECURITY.md, examples/vulnerable.tf); removed 8 old and test-related files.
- Updated documentation to broaden from "security remediation" to "code remediation" for any codebase, not just infrastructure.
- Simplified and streamlined docs, improving quickstart and integration instructions.
- Expanded integration options: CLI, GitHub Actions, and agent workflows now highlighted equally.
- Updated support, troubleshooting, and references to cover more general use cases and improve clarity.
v0.1.0
Gomboc Security Remediation Skill v1.0.0
- Initial release of the Gomboc skill for deterministic security fixes on infrastructure code.
- Supports scanning and automatic remediation for Terraform, CloudFormation, Kubernetes YAML, and general IaC files.
- Integrates with CI/CD (GitHub Actions), local CLI, and agent workflows via MCP server.
- Provides merge-ready pull requests for detected issues, with a >94% fix acceptance rate.
- Includes setup guides, example workflows, and configuration via `.gomboc.yml` file.
- Free community edition available for individuals and small teams.
Metadata
Slug gomboc-security
Version 0.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3