← Back to Skills Marketplace
OpenClaw Security Scanner
by
michealxie001
· GitHub ↗
· v1.0.0
· MIT-0
128
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-secscan
Description
Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice.
README (SKILL.md)
Security - Security Analysis
安全分析工具,扫描代码漏洞、检查依赖、提供修复建议。
Version: 1.0
Features: 漏洞扫描、依赖检查、密钥检测、安全建议
Quick Start
1. 扫描代码
# 扫描单个文件
python3 scripts/main.py scan --file src/main.py
# 扫描整个项目
python3 scripts/main.py scan --dir src/
2. 检查依赖
# 检查依赖漏洞
python3 scripts/main.py deps --requirements requirements.txt
# 检查 package.json
python3 scripts/main.py deps --package-json package.json
3. 检测密钥泄露
# 扫描密钥泄露
python3 scripts/main.py secrets --dir .
Commands
| 命令 | 说明 | 示例 |
|---|---|---|
scan |
安全扫描 | scan --file src.py |
deps |
依赖检查 | deps --requirements req.txt |
secrets |
密钥检测 | secrets --dir . |
安全扫描
$ python3 scripts/main.py scan --file src/auth.py
🔒 Security Scan Results
=========================
File: src/auth.py
Issues found: 2
🔴 Critical:
Line 34: Hardcoded password
password = "admin123" # ← Move to environment variable
CWE-798: Use of Hard-coded Credentials
🟡 Medium:
Line 67: SQL injection risk
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
CWE-89: SQL Injection
Fix: Use parameterized queries
✅ No secrets detected
依赖检查
$ python3 scripts/main.py deps --requirements requirements.txt
📦 Dependency Check
===================
Checked: 15 packages
Issues: 2
🔴 CVE-2023-1234: requests \x3C 2.31.0
Severity: High
Fix: pip install requests>=2.31.0
🟡 CVE-2023-5678: flask \x3C 2.3.0
Severity: Medium
Fix: pip install flask>=2.3.0
✅ All other dependencies up to date
密钥检测
$ python3 scripts/main.py secrets --dir .
🔑 Secret Detection
===================
Scanned: 45 files
Secrets found: 1
🔴 .env (line 3):
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Type: AWS Secret Access Key
Action: Move to secrets manager or environment variable
⚠️ Remember to rotate exposed credentials!
检测规则
代码漏洞
| 规则 | 严重度 | CWE |
|---|---|---|
| Hardcoded credentials | 🔴 Critical | CWE-798 |
| SQL injection | 🔴 Critical | CWE-89 |
| Command injection | 🔴 Critical | CWE-78 |
| Path traversal | 🔴 Critical | CWE-22 |
| Insecure crypto | 🟡 Medium | CWE-327 |
| Weak random | 🟡 Medium | CWE-338 |
| Debug mode enabled | 🟡 Medium | CWE-489 |
密钥模式
| 类型 | 检测 |
|---|---|
| API Keys | ✅ |
| AWS Credentials | ✅ |
| Database URLs | ✅ |
| Private Keys | ✅ |
| JWT Secrets | ✅ |
| Passwords in code | ✅ |
Configuration
.security.json:
{
"severity_threshold": "medium",
"ignore_paths": [
"tests/**",
"vendor/**"
],
"ignore_rules": [
"debug-mode-in-production"
],
"custom_patterns": {
"company_api_key": "COMPANY_[A-Z0-9]{32}"
}
}
CI/CD 集成
# .github/workflows/security.yml
name: Security Scan
on: [pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan Code
run: python3 skills/security/scripts/main.py scan --dir src/
- name: Check Dependencies
run: python3 skills/security/scripts/main.py deps --requirements requirements.txt
- name: Detect Secrets
run: python3 skills/security/scripts/main.py secrets --dir .
Files
skills/security/
├── SKILL.md # 本文件
└── scripts/
├── main.py # ⭐ 统一入口
├── scanner.py # 漏洞扫描器
└── rules/ # 检测规则
├── python.yml
└── javascript.yml
Roadmap
- Basic vulnerability detection
- Secret detection
- Dependency checking
- SAST integration
- DAST support
Usage Guidance
This skill appears to be a local security scanner and is internally consistent, but note the following before running it:
- Running the bundled script executes arbitrary Python included in the skill. If you do not fully trust the author, review scripts/main.py line-by-line (it was provided) before execution.
- The scanner will read and enumerate files in the target directory (rglob('*')), which is expected for secret detection but means it will touch many repository files and print findings to stdout. Do not run it in a context where printing secrets to logs is unsafe; prefer a sandbox or run locally in a controlled environment.
- The CI example path in SKILL.md (skills/security/scripts/main.py) doesn't match the provided file layout (scripts/main.py). Confirm paths if you integrate this into CI to avoid accidental execution of a different script.
- The tool itself does not make network calls or request credentials, but it suggests using external tools (safety, pip-audit). Use those tools from trusted sources if you follow that guidance.
If you want higher assurance: run the script in an isolated container, inspect the full main.py (and any referenced modules/rules) for unexpected behavior, and test on a non-sensitive repository first.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-secscan
Version: 1.0.0
The skill bundle is a legitimate security analysis tool designed to perform static analysis on code for vulnerabilities and secrets. The primary logic in `scripts/main.py` uses the Python `ast` module and regular expressions to detect hardcoded credentials, SQL injection patterns, and dangerous function calls without executing the target code or exfiltrating data.
Capability Assessment
Purpose & Capability
The name/description match the provided code and SKILL.md: the bundle includes a Python scanner (scripts/main.py) that implements scanning, dependency guidance, and secret detection. The requested resources (none) are proportional to a local scanner.
Instruction Scope
SKILL.md tells the agent to run the included Python script to scan files/directories and to integrate in CI. The instructions and script operate on local files (rglob over project files) which is expected for this purpose, but will enumerate/print secrets found to stdout. Minor mismatch: the CI example references skills/security/scripts/main.py while the distributed file path is scripts/main.py — this may be a packaging/path inconsistency to verify before use.
Install Mechanism
No install spec is provided and the skill is instruction-only with a bundled script. Nothing is downloaded or written by an installer; the only code executed is the included Python file.
Credentials
The skill requires no environment variables, credentials, or config paths. The scanner searches files for credentials (which is its purpose) but does not attempt to read unrelated environment variables or request external credentials.
Persistence & Privilege
The skill does not set always:true, does not claim to persist or modify other skills, and has no install-time hooks. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-secscan - After installation, invoke the skill by name or use
/openclaw-secscan - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Security scanner for vulnerability detection and secret detection
Metadata
Frequently Asked Questions
What is OpenClaw Security Scanner?
Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice. It is an AI Agent Skill for Claude Code / OpenClaw, with 128 downloads so far.
How do I install OpenClaw Security Scanner?
Run "/install openclaw-secscan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw Security Scanner free?
Yes, OpenClaw Security Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does OpenClaw Security Scanner support?
OpenClaw Security Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw Security Scanner?
It is built and maintained by michealxie001 (@michealxie001); the current version is v1.0.0.
More Skills