matthewsweeney

Clawhub Gomboc Security Main V0.2.0

by matthewsweeney · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 105
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install clawhub-gomboc-security-main-v0-2-0
Description
Automatically scan any codebase for security issues and generate deterministic, merge-ready fixes for continuous remediation via CLI, CI/CD, or agents.
README (SKILL.md)

Gomboc Code Remediation Skill

Deterministic, merge-ready code fixes for any codebase.

Gomboc.ai Community Edition automatically scans and fixes code issues across your entire codebase — infrastructure, applications, configurations, and more — using deterministic AI (no hallucinations). This skill wraps Gomboc's power into agent workflows, CLI tools, and CI/CD pipelines, making it the perfect complement to agentic coding.

What It Does

  • Scan any codebase for issues (infrastructure, application code, configs)
  • Generate deterministic, merge-ready pull requests with fixes
  • Remediate continuously via GitHub Actions or interactive CLI/MCP
  • Trust a 94%+ fix acceptance rate with zero hallucinations (ORL Engine)
  • Pair with agents — deterministic remediation that works perfectly alongside agentic coding systems

Supported Languages & Frameworks

  • Infrastructure as Code — Terraform, CloudFormation, Kubernetes YAML
  • Configuration Files — JSON, YAML, HCL
  • Security Issues — Across any codebase (IaC, applications, configs)
  • Expanding — More languages and frameworks added regularly

Quick Start

1. Get a Token

# Sign up at https://app.gomboc.ai (free, Community Edition)
# Generate Personal Access Token in Settings
export GOMBOC_PAT="gpt_your_token"

2. Scan Code

python scripts/cli-wrapper.py scan --path ./src

3. Generate Fixes

python scripts/cli-wrapper.py fix --path ./src

4. Apply Fixes (Optional)

python scripts/cli-wrapper.py remediate --path ./src --commit

Key Features

Deterministic AI — Same fix every time, no hallucinations
94%+ Accuracy — Merge-ready fixes users actually accept
Free Forever — Community Edition of Gomboc.ai
Production-Ready — Battle-tested implementation
Secure by Design — No token leaking, proper error handling
Agent-Friendly — Perfect for autonomous code improvement loops

CLI Commands

scan

Detect issues in your codebase

gomboc scan path:./terraform
gomboc scan path:./src policy:aws-cis format:markdown

fix

Generate merge-ready fixes

gomboc fix path:./terraform format:pull_request
gomboc fix path:./src format:json

remediate

Apply fixes directly to code

gomboc remediate path:./src commit:true
gomboc remediate path:./terraform commit:true push:true

config

Manage authentication

gomboc config --show-token

For Agents

This skill is designed as the ideal complement to agentic coding:

  • Deterministic — Reliable, repeatable remediation
  • Trustworthy — 94%+ of fixes are merged as-is
  • Autonomous — Agents can scan, generate, and apply fixes without human intervention
  • Continuous — Perfect for ongoing code improvement loops

Integration Methods

1. MCP Server (Agents)

Run the MCP server for interactive agent integration:

docker-compose -f scripts/docker-compose.yml up
# Server runs on http://localhost:3100

See references/mcp-integration.md for details.

2. CLI Tool (Developers)

Use the Python CLI for local scanning and fixing:

export GOMBOC_PAT="your_token"
python scripts/cli-wrapper.py scan --path ./src

See references/setup.md for detailed instructions.

3. GitHub Actions (CI/CD)

Automate continuous remediation in your CI/CD pipeline:

- uses: gomboc-action@v1
  with:
    path: ./terraform
    auto-fix: true

See references/github-action.md for configuration.

Configuration

All configuration is via environment variables:

Variable        Purpose                Required  Example
GOMBOC_PAT      Personal Access Token  Yes       gpt_abc123...
GOMBOC_MCP_URL  MCP server URL         No        http://localhost:3100
GOMBOC_POLICY   Remediation policy     No        default or aws-cis
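The listing says the CLI wrapper reads the token from GOMBOC_PAT and masks it in its output. The block below is an added illustration of that handling pattern, not code from the skill's own scripts/cli-wrapper.py: the token is loaded fail-closed from the environment, an authenticated GraphQL request is built but not sent, and any error text or log line is passed through a redactor so the raw token never reaches stdout or a CI log. The function names, the gpt_ prefix check (based only on the README's example values) and the /graphql path on api.app.gomboc.ai are assumptions; the token value is a constructed placeholder.

```python
import json
import os
import urllib.request

# Constructed example token for the demo; NOT a real credential.
EXAMPLE_TOKEN = "gpt_exampleSecret1234567890"


def load_token(env=None):
    """Read GOMBOC_PAT and fail closed if it is missing or malformed.

    `env` is a mapping (defaults to os.environ) so the check can be exercised
    without touching the real environment.
    """
    env = os.environ if env is None else env
    token = env.get("GOMBOC_PAT", "").strip()
    if not token:
        raise RuntimeError("GOMBOC_PAT is not set; refusing to call the API without a token")
    # Assumption: tokens look like the README's examples (gpt_...); adjust if the real format differs.
    if not token.startswith("gpt_") or len(token) < 12:
        raise RuntimeError("GOMBOC_PAT does not look like a Gomboc personal access token")
    return token


def mask(token):
    """Masked form for display: prefix and last four characters only."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "..." + token[-4:]


def redact(text, secrets):
    """Replace every occurrence of each secret in `text` with its masked form.

    Apply this to exception messages, HTTP error bodies and log lines before
    printing them, so a token that leaks into an error never reaches a CI log.
    """
    for secret in secrets:
        if secret:
            text = text.replace(secret, mask(secret))
    return text


def build_request(token, query, variables, url="https://api.app.gomboc.ai/graphql"):
    """Build (without sending) an authenticated GraphQL POST.

    Only the host api.app.gomboc.ai appears in the listing; the /graphql path
    and the bearer scheme are assumptions of this example.
    """
    body = json.dumps({"query": query, "variables": variables}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def try_load(env):
    """Return (ok, message) where message is safe to print: masked on success,
    redacted on failure."""
    try:
        token = load_token(env)
        return True, f"using token {mask(token)}"
    except RuntimeError as exc:
        return False, redact(str(exc), [env.get("GOMBOC_PAT", "")])


if __name__ == "__main__":
    ok, message = try_load(os.environ)
    print(message)
    if ok:
        req = build_request(load_token(), "query { __typename }", {})
        # Print the request shape with the Authorization header redacted.
        print(redact(json.dumps(dict(req.header_items())), [load_token()]))
```

Running the block with GOMBOC_PAT unset prints the fail-closed error; with a token set it prints only the masked form, and the header dump shows `Bearer gpt_...` rather than the secret. The same `redact` step belongs in front of every print or log call in a wrapper like this, because the API's own error responses may echo request headers.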

Security & Audit

This skill has been:

  • ✅ Security-audited for token handling
  • ✅ Verified against live Gomboc API
  • ✅ Tested with real vulnerabilities
  • ✅ Confirmed production-ready

See SECURITY.md for complete audit details.

Support & Documentation

License

MIT License — See LICENSE file


Ready to remediate? Start with the Quick Start section above, then explore integration methods that fit your workflow.

Usage Guidance
Before installing or giving this skill a token:

- Verify the GOMBOC_PAT requirement is intentionally missing from the registry metadata and ask the publisher to correct it. Treat the token as sensitive.
- Understand where 'remediate' commits/pushes happen: the CLI calls applyFixes on the remote API, so ask the vendor how that mutation obtains repo push permissions (does Gomboc need a separate GitHub/GitLab token, or does it operate inside your CI runner?). Do not provide any repository write tokens until you confirm their usage model.
- Run this skill in a safe, isolated repository first. Use 'scan' and 'fix' (inspect generated fixes) before enabling any auto-remediate or auto-push workflows.
- Prefer scan-only CI runs or create PRs rather than allowing automatic pushes to protected branches; keep branch protection and mandatory PR review enabled.
- Inspect the MCP Docker image (gombocai/mcp:latest) and the applyFixes server behavior if you plan to run it locally or on your network; ensure it cannot access secrets or write to workspaces unless you explicitly permit it.
- If you need higher assurance, request the developer to: (1) declare GOMBOC_PAT in the package manifest, (2) document exactly where applyFixes writes commits and what credentials it uses, and (3) provide reproducible security audit artifacts or a source repository you can review.

Confidence in this assessment is medium because the implementation is coherent with a legitimate remote remediation service, but the metadata omission and unclear commit/push semantics are non-trivial and should be resolved before trusting the skill with production repositories or credentials.
Capability Analysis
Type: OpenClaw Skill
Name: clawhub-gomboc-security-main-v0-2-0
Version: 1.0.0

The Gomboc Code Remediation Skill is a legitimate integration for the Gomboc.ai security platform, providing tools for automated code scanning and remediation. The core logic in `scripts/cli-wrapper.py` and `scripts/verify-setup.sh` interacts with a verified GraphQL API (api.app.gomboc.ai) using standard Python libraries and follows security best practices by handling sensitive tokens via environment variables and masking them in outputs. The documentation, including `SKILL.md` and `SECURITY.md`, accurately describes the tool's capabilities without any evidence of malicious intent, data exfiltration, or prompt injection.
Capability Assessment
Purpose & Capability
The code and SKILL.md align with the stated purpose: a wrapper around a Gomboc GraphQL API to scan code and produce fixes. However, the registry metadata claims 'Required env vars: none' while the documentation and CLI require a sensitive env var (GOMBOC_PAT). That metadata omission is an incoherence that could mislead users or automated approvals.
Instruction Scope
SKILL.md and the CLI instruct the agent to scan, generate, and optionally 'remediate' (commit/push) code. The CLI itself does not run local git operations — remediate calls an API mutation (applyFixes) and prints commit hashes returned from the server. It's unclear where commits/pushes actually happen (server-side using the token, or via the user's environment). The docs instruct running in CI (where runner git credentials exist) and also running an MCP server in Docker with the workspace mounted read-only — these behaviors conflict and should be clarified because they affect where code modifications occur and what credentials are needed.
Install Mechanism
No install spec; code is instruction-only plus small scripts that only use Python stdlib and Docker Compose. No external downloads or archive extraction are present in the package itself, which is low risk for local installation.
Credentials
The skill requires a sensitive bearer token (GOMBOC_PAT) for the API — that is expected for a remote scanning service. But the package metadata declares no required env vars (misleading). Additionally, remediation/auto-push semantics imply write access to repositories somewhere, but no repository credentials or details are requested or documented for where writes occur. This gap (missing declaration + unclear scope of where commit/push happen) is disproportionate and requires clarification.
Persistence & Privilege
The skill is not set to always:true and does not attempt to modify other skills or global agent config. It runs on-demand and is not persistently injected by metadata, which is appropriate.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawhub-gomboc-security-main-v0-2-0
  3. After installation, invoke the skill by name or use /clawhub-gomboc-security-main-v0-2-0
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the Gomboc Code Remediation Skill.
- Provides deterministic, merge-ready code fixes for infrastructure, application, and configuration codebases.
- Features scanning, fix generation, and automated remediation via CLI, MCP server, or GitHub Actions.
- Supports Terraform, CloudFormation, Kubernetes YAML, JSON, YAML, and HCL files; more languages coming soon.
- Integrates seamlessly with agentic coding workflows and ensures secure, audited token handling.
- Includes detailed documentation and setup guides for quick onboarding.
Metadata
Slug: clawhub-gomboc-security-main-v0-2-0
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Clawhub Gomboc Security Main V0.2.0?

Automatically scan any codebase for security issues and generate deterministic, merge-ready fixes for continuous remediation via CLI, CI/CD, or agents. It is an AI Agent Skill for Claude Code / OpenClaw, with 105 downloads so far.

How do I install Clawhub Gomboc Security Main V0.2.0?

Run "/install clawhub-gomboc-security-main-v0-2-0" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clawhub Gomboc Security Main V0.2.0 free?

Yes, Clawhub Gomboc Security Main V0.2.0 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Clawhub Gomboc Security Main V0.2.0 support?

Clawhub Gomboc Security Main V0.2.0 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Clawhub Gomboc Security Main V0.2.0?

It is built and maintained by matthewsweeney (@matthewsweeney); the current version is v1.0.0.
