← Back to Skills Marketplace
xfire Security PR Review
by
Harish Kolla
· GitHub ↗
· v0.1.2
357
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install xfire-security-review
Description
Multi-agent adversarial security review — 3 AI agents debate every finding, only real vulnerabilities survive
Usage Guidance
Before installing or running this skill: 1) Be comfortable providing multiple LLM API keys and a GitHub token — if you only want one agent, confirm whether non-used keys can be omitted. 2) Use least-privilege credentials: restrict the GitHub token scope (e.g., repo:status/read or read-only) unless you intend to allow posting comments. 3) Verify the 'xfire' package on PyPI and its GitHub repo (review code, releases, and maintainers) before pip installing. 4) Run initial scans with dry-run and --debug in an isolated environment (or CI runner) and inspect any files written to XFIRE_CONFIG_PATH/XFIRE_AUTH_PATH. 5) If you need higher assurance, ask the publisher to make installing optional or to support running with a single provider key and to document exact token scopes and where auth is stored. These steps reduce risk from installation and credential exposure.
Capability Analysis
Type: OpenClaw Skill
Name: xfire-security-review
Version: 0.1.2
The skill bundle describes the usage of 'xfire', a multi-agent adversarial security review tool. The `skill.md` file, which serves as instructions for an AI agent, clearly defines when and how to invoke the `xfire` CLI tool with various arguments. While the `xfire` tool itself requires broad permissions (e.g., GitHub token, multiple AI API keys, access to codebases) and interacts with external services, these capabilities are explicitly stated and necessary for its legitimate purpose of performing security reviews. There is no evidence of prompt injection against the OpenClaw agent, intentional harmful behavior, unauthorized data exfiltration, or instructions to perform actions beyond the stated purpose of using the `xfire` tool for security analysis.
Capability Assessment
Purpose & Capability
The skill claims to run adversarial reviews across Claude, Codex, and Gemini and to analyze GitHub PRs — requesting Anthropic, OpenAI, Google API keys and a GitHub token is coherent with that stated purpose. The XFIRE_* env vars for config/cache/auth are consistent with a CLI tool that persists state.
Instruction Scope
SKILL.md instructs use of a CLI ('xfire analyze-pr', 'xfire init', 'xfire auth login') and to read repository contents, create debug traces, and optionally post GitHub comments — these are within the expected scope. However, the skill metadata declares no required binaries and provides no automated install spec while the instructions assume you can 'pip install xfire' or have an 'xfire' CLI available; that mismatch is an operational/incoherence concern (agent/runtime must have that CLI or the user must install it).
Install Mechanism
There is no install spec in the skill bundle (instruction-only), which limits automated risk. The README/skill instructs users to 'pip install xfire' — installing a third-party package from PyPI is a normal step but has moderate risk and should be verified (check PyPI package name, version, and upstream repo). Because installation is user-driven and not performed automatically by the skill, the surface for silent remote code execution from the skill bundle itself is low.
Credentials
The skill requires multiple high-sensitivity credentials: ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, and GITHUB_TOKEN. Requiring all three LLM provider keys as mandatory is potentially excessive — a user might want to run only one or two agents. XFIRE_CONFIG_PATH/XFIRE_AUTH_PATH/XFIRE_CACHE_DIR are plausible for a CLI, but XFIRE_AUTH_PATH may contain long-lived credentials. The demand for full sets of provider keys and a GitHub token should be justified or made optional; also consider least-privilege scopes (e.g., read-only GitHub token if posting comments isn't needed).
Persistence & Privilege
The skill is not set to always:true and does not declare modifications to other skills or system-wide settings. Runtime instructions include writing debug traces and cache/config files under XFIRE paths or the repo (expected for a CLI tool). No unusual persistence or privilege escalation is requested by the skill metadata or SKILL.md.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xfire-security-review - After installation, invoke the skill by name or use
/xfire-security-review - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
Initial release — OpenClaw skill file with full command reference, config docs, and CI/CD examples for the xfire multi-agent adversarial security review tool.
Metadata
Frequently Asked Questions
What is xfire Security PR Review?
Multi-agent adversarial security review — 3 AI agents debate every finding, only real vulnerabilities survive. It is an AI Agent Skill for Claude Code / OpenClaw, with 357 downloads so far.
How do I install xfire Security PR Review?
Run "/install xfire-security-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xfire Security PR Review free?
Yes, xfire Security PR Review is completely free (open-source). You can download, install and use it at no cost.
Which platforms does xfire Security PR Review support?
xfire Security PR Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created xfire Security PR Review?
It is built and maintained by Harish Kolla (@har1sh-k); the current version is v0.1.2.
More Skills