← Back to Skills Marketplace
mpbshhx

Security Review

by mpbshhx · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
363
Downloads
0
Stars
7
Active Installs
1
Versions
Install in OpenClaw
/install security-review
Description
Run a world-class security assessment before installing any external package, CLI, npm module, Python library, or third-party integration. Produces a GO/NO-G...
README (SKILL.md)

\r \r

Security Review Skill\r

\r

Trigger\r

Run this skill BEFORE installing ANY external package, tool, CLI, npm module, Python library, browser extension, or third-party integration.\r \r No exceptions. "Open source" is not a security clearance.\r \r

What This Skill Does\r

Spawns a security review sub-agent that performs a world-class, current-intelligence security assessment and produces a GO / NO-GO / CONDITIONAL verdict.\r \r

How to Use\r

\r

1. Spawn the review agent\r

sessions_spawn with model: anthropic/claude-sonnet-4-6, task: [security review prompt below]\r
```\r
\r
### 2. Standard Review Prompt Template\r
Fill in [PACKAGE NAME], [INSTALL COMMAND], [DESCRIPTION], [SOURCE URL]:\r
\r
```\r
You are a world-class security analyst. Perform a comprehensive security review before installation.\r
\r
PACKAGE: [PACKAGE NAME]\r
Source: [GitHub URL or npm/pypi link]\r
Install: [INSTALL COMMAND]\r
Description: [what it claims to do]\r
\r
Cover ALL 7 sections:\r
\r
1. LEGITIMACY & TRUST SIGNALS\r
   - Author/maintainer: GitHub profile, history, reputation\r
   - Stars, forks, contributors, last commit\r
   - Red flags: new account, copied code, suspicious activity\r
\r
2. LATEST SECURITY INTELLIGENCE (USE web_search)\r
   Search: "[name] security vulnerability", "[name] malware", "[name] CVE",\r
   "[name] data exfiltration", "[author] security issues", HackerNews/Reddit discussions\r
\r
3. SOURCE CODE ANALYSIS (USE web_fetch on raw GitHub files)\r
   - What does the entry point actually do?\r
   - Network calls — to where?\r
   - File system access beyond documented scope?\r
   - Obfuscated code?\r
   - npm/pip dependencies — any known-bad?\r
\r
4. DATA FLOW ANALYSIS\r
   - What data does it access? (conversations, files, env vars, API keys)\r
   - Where does data go? Local only or external?\r
   - Telemetry/analytics present?\r
   - Exfiltration risk for workspace content?\r
\r
5. PERMISSION SCOPE\r
   - System access required\r
   - Network access?\r
   - Touches env vars or config files?\r
   - Can it interfere with other processes?\r
\r
6. DEPENDENCY RISK\r
   - Full dependency list\r
   - Any known-vulnerable deps?\r
   - Recent supply chain attacks on dependencies?\r
\r
7. VERDICT\r
   GO / NO-GO / CONDITIONAL\r
   - Confidence: High/Medium/Low\r
   - Top 3 specific risks\r
   - If CONDITIONAL: exact conditions required before install\r
\r
Write complete review to:\r
C:\Users\hhx-sandbox2\.openclaw\workspace\logs\security-review-[package-name]-[YYYY-MM-DD].md\r
\r
Verify file exists and is complete before reporting done.\r
```\r
\r
### 3. Read the output\r
After the sub-agent completes, read the file and surface the verdict to Marcus.\r
\r
### 4. Marcus decides\r
Present the verdict clearly. Never install without explicit Marcus approval after a GREEN or CONDITIONAL review.\r
\r
## Standing Rules\r
\r
- **NO install without a completed security review** — not even "quick" ones\r
- **Web search is mandatory** — latest CVEs and community reports must be checked\r
- **Source code must be read** — not just the README\r
- **All reviews logged** to `logs/security-review-[package]-[date].md`\r
- **MEMORY.md updated** with verdict after each review\r
\r
## Review Log Index\r
| Date | Package | Verdict | File |\r
|------|---------|---------|------|\r
| 2026-03-04 | claude-subconscious | Pending | logs/security-review-claude-subconscious-2026-03-04.md |\r
Usage Guidance
This skill appears to do what it says, but check a few things before installing/using it: (1) The SKILL.md writes results to a hard-coded Windows path (C:\Users\hhx-sandbox2\.openclaw\...) — replace that with a cross-platform workspace variable or confirm the path is correct and private. (2) It spawns a sub-agent (sessions_spawn) and requests use of web_search/web_fetch; ensure your agent policies limit what that sub-agent can do (it should not be allowed to auto-install packages or exfiltrate data). (3) The skill asks you to update MEMORY.md — verify whether persistent memory writes are acceptable in your environment. (4) The template forces a specific model (anthropic/claude-sonnet-4-6); confirm that model is available or adjust to a supported model. If you accept those caveats and restrict the sub-agent's permissions and storage location, the skill is coherent and appropriate for pre-install reviews. If you cannot limit file writes or sub-agent capabilities, treat it with caution.
Capability Analysis
Type: OpenClaw Skill Name: security-review Version: 1.0.0 The 'security-review' skill is a defensive utility designed to automate security assessments of third-party packages before installation. It uses standard tools (web_search, web_fetch, sessions_spawn) to analyze source code, check for CVEs, and evaluate maintainer reputation. While it contains a hardcoded file path (C:\Users\hhx-sandbox2\...) specific to a particular environment in SKILL.md, there is no evidence of malicious intent, data exfiltration, or unauthorized execution.
Capability Assessment
Purpose & Capability
Name/description (security review) match the instructions: the SKILL.md requires web_search and web_fetch and instructs source-code and CVE review. Asking to spawn a review sub-agent is reasonable for an in-depth assessment.
Instruction Scope
Instructions are explicit and narrowly scoped to security review tasks (legitimacy checks, web searches, raw source fetch, dependency analysis, data flow). However the skill mandates writing the review to a specific absolute Windows path and updating MEMORY.md, which is platform-specific and implies filesystem writes and persistent agent memory updates—things you should confirm are acceptable.
Install Mechanism
Instruction-only skill with no install steps or third-party downloads. Lowest install risk.
Credentials
No environment variables, credentials, or config paths are requested by the skill. The review process explicitly says to check for packages accessing env vars/API keys, which is appropriate for a security review.
Persistence & Privilege
always:false (good). The skill instructs spawning a sub-agent (sessions_spawn) and writing logs into the agent workspace and updating MEMORY.md — this requires file-write privileges and allows the review agent to act and persist findings. Confirm you are comfortable granting these capabilities to the agent and that the sub-agent is not given any install/autonomy beyond the review task.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install security-review
  3. After installation, invoke the skill by name or use /security-review
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
World-class security assessment before any install. Source code analysis, CVE search, data flow review. GO/NO-GO/CONDITIONAL verdict.
Metadata
Slug security-review
Version 1.0.0
License MIT-0
All-time Installs 7
Active Installs 7
Total Versions 1
Frequently Asked Questions

What is Security Review?

Run a world-class security assessment before installing any external package, CLI, npm module, Python library, or third-party integration. Produces a GO/NO-G... It is an AI Agent Skill for Claude Code / OpenClaw, with 363 downloads so far.

How do I install Security Review?

Run "/install security-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Security Review free?

Yes, Security Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Security Review support?

Security Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Security Review?

It is built and maintained by mpbshhx (@mpbshhx); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments