308 Downloads, 0 Stars, 1 Active Installs, 1 Versions
Install in OpenClaw: /install zero2ai-security-audit
Description
Security auditing for git commits, repos, and skills before publishing. Run automatically before any `git commit`, `git push`, or `clawhub publish`. Detects...
Usage Guidance
This skill appears to be what it says: a local pre-publish/pre-commit scanner implemented in Python. Before installing or using it:
1) Review scripts/audit.py yourself to confirm you agree with its patterns and exclusions (it intentionally excludes certain directories and has a whitelist of 'safe' placeholders).
2) Update SKILL.md paths and the 'Report to Aladdin' text to match your environment so the doc doesn't leak a template user.
3) Note that the scanner calls 'git' and reads repository files (normal for this use) and only prints or emits JSON — there are no network calls or credential requirements in the included code.
4) If you plan to let an autonomous agent run this skill automatically, ensure you trust the agent to run arbitrary local scans; the script does not exfiltrate data but will read repository contents.
If you want extra assurance, run the script manually on a test copy of your repo to validate results and behavior.
Capability Analysis
Type: OpenClaw Skill
Name: zero2ai-security-audit
Version: 1.0.0
The OpenClaw AgentSkills bundle 'zero2ai-security-audit' is a benign security auditing tool. Its `SKILL.md` provides clear, non-malicious instructions for an AI agent to run `scripts/audit.py` for detecting hardcoded secrets, API keys, and sensitive patterns in code. The `audit.py` script uses standard Python libraries, defines comprehensive regex patterns for various secrets and risky configurations, and includes heuristics like entropy checks and safe value lists to reduce false positives. There is no evidence of data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts designed to harm the agent or system. The use of `subprocess` for `git diff` is appropriate for its stated purpose.
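To make the heuristics in the analysis above concrete (a regex pattern table, a Shannon-entropy check, a safe-placeholder whitelist, directory exclusions and HIGH/MEDIUM blocking), here is a small pre-commit scanner written for this page. It is example code, not the skill's own scripts/audit.py: the pattern table, placeholder list, entropy threshold, severities and the sample files are all constructed assumptions chosen to show the technique, and the AWS key value is the documented example key, not a live credential.

```python
"""Added example: minimal pre-commit secret scanner (not the skill's audit.py)."""
import math
import re
from dataclasses import dataclass

# Findings at these severities block the commit (assumption: LOW is informational only).
BLOCKING = {"HIGH", "MEDIUM"}

# Constructed pattern table (assumption, not the skill's list).
# Fields: rule name, regex (group 1 = matched value), severity,
# whether the value must pass the entropy/placeholder filter before it counts.
PATTERNS = [
    ("aws_access_key_id", r"\b(AKIA[0-9A-Z]{16})\b", "HIGH", False),
    ("private_key_block", r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)", "HIGH", False),
    ("generic_secret_assignment",
     r"(?i)(?:api[_-]?key|secret(?:[_-]?key)?|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{8,})",
     "MEDIUM", True),
    ("absolute_home_path", r"(/(?:home|Users)/[A-Za-z0-9_.-]+/)", "LOW", False),
]
COMPILED = [(name, re.compile(rx), sev, check) for name, rx, sev, check in PATTERNS]

# Whitelist of values that look like secrets but are documentation placeholders (assumption).
SAFE_PLACEHOLDERS = {"changeme", "your_api_key_here", "example", "placeholder", "redacted"}
ENTROPY_THRESHOLD = 3.0  # bits per character; assumption, tune for your repo


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 0 means the finding is about the path itself, not a line
    rule: str
    severity: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values mean repetitive filler, not a key."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_safe_placeholder(value: str) -> bool:
    """True for whitelisted placeholders or pure filler such as xxxx / **** / 0000."""
    v = value.strip().strip("'\"").lower()
    return v in SAFE_PLACEHOLDERS or set(v) <= set("x*0")


def scan_line(path: str, lineno: int, line: str) -> list:
    out = []
    for name, rx, sev, needs_check in COMPILED:
        m = rx.search(line)
        if not m:
            continue
        if needs_check:
            value = m.group(1)
            # Two false-positive filters: known placeholders and low-entropy filler.
            if is_safe_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
        out.append(Finding(path, lineno, name, sev))
    return out


def scan_files(files: dict) -> list:
    """files maps repo-relative path -> text content (what `git diff --cached` would give)."""
    findings = []
    for path, content in files.items():
        if path == ".env" or path.endswith("/.env"):
            findings.append(Finding(path, 0, "committed_dotenv_file", "HIGH"))
        if "node_modules/" in path:
            # Exclusion: report the vendored tree once, do not scan its contents line by line.
            findings.append(Finding(path, 0, "committed_node_modules", "MEDIUM"))
            continue
        for i, line in enumerate(content.splitlines(), 1):
            findings.extend(scan_line(path, i, line))
    return findings


def should_block(findings: list) -> bool:
    return any(f.severity in BLOCKING for f in findings)


# Constructed sample "staged files" exercising each rule and each false-positive filter.
SAMPLE_FILES = {
    "config.py": 'API_KEY = "changeme"\n'                      # placeholder -> ignored
                 'DB_PASSWORD = "q7Zp3xL9mW2kR5vT"\n'          # high entropy -> MEDIUM
                 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',  # AWS doc example key -> HIGH
    "README.md": "Example: export TOKEN=xxxxxxxxxxxxxxxx\n"    # filler -> ignored
                 "Logs live in /home/alice/build/\n",          # absolute path -> LOW
    ".env": "SECRET_KEY=aaaaaaaaaaaa\n",                        # file itself -> HIGH; value low entropy
    "node_modules/lodash/index.js": 'var token = "q7Zp3xL9mW2kR5vT";\n',  # excluded tree -> MEDIUM
    "keys.pem": "-----BEGIN RSA PRIVATE KEY-----\n(constructed; body omitted)\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity:6} {f.path}:{f.line} {f.rule}")
    raise SystemExit(1 if should_block(results) else 0)
```

Running the block prints six findings for the constructed files and exits non-zero because HIGH and MEDIUM findings are present; the placeholder `changeme`, the `xxxx…` filler and the low-entropy `.env` value are deliberately not reported, which is the false-positive reduction the analysis describes.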
Capability Assessment
Purpose & Capability
Name and description describe a pre-publish/pre-commit security scanner and the repository contains a single audit script (scripts/audit.py) plus SKILL.md that instructs how to run it. The skill declares no binaries, env vars, or installs — consistent with a local scanner.
Instruction Scope
SKILL.md confines runtime behavior to running the local Python scanner on staged, last-commit, or arbitrary paths. It references a concrete {skill_dir} path (/home/aladdin/...) and tells users to report findings to 'Aladdin' — these are documentation/template details to update to the deployer's environment but do not expand the scanner's scope. The instructions do not direct the agent to read unrelated system secrets or send results externally.
Install Mechanism
No install spec — instruction-only skill with a local Python script. This is the lowest-risk install model and matches the stated purpose.
Credentials
The skill requests no environment variables, credentials, or config paths. The scanner reads repository files and may call 'git' via subprocess (to enumerate staged/last-commit files), which is appropriate for a pre-commit scanner.
Persistence & Privilege
The manifest sets `always: false` and requests no special system modifications. The skill does not try to persist itself or modify other skills. Autonomous invocation by the agent is allowed by default on the platform, but combined with this skill's limited scope it does not raise additional concerns.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install zero2ai-security-audit
- After installation, invoke the skill by name or use /zero2ai-security-audit
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of zero2ai-security-audit for automated security checks.
- Automatically audits git commits, pushes, and skill publishing for sensitive info and patterns.
- Detects secrets, API keys, tokens, private key blocks, committed node_modules, .env files, absolute paths, and more.
- Enforces blocking rules for HIGH and MEDIUM severity findings to prevent accidental exposure.
- Provides clear instructions, severity definitions, and remediation steps.
- Includes a publish checklist to ensure best security practices before release.
Frequently Asked Questions
What is Zero2ai Security Audit?
Security auditing for git commits, repos, and skills before publishing. Run automatically before any `git commit`, `git push`, or `clawhub publish`. Detects... It is an AI Agent Skill for Claude Code / OpenClaw, with 308 downloads so far.
How do I install Zero2ai Security Audit?
Run "/install zero2ai-security-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zero2ai Security Audit free?
Yes, Zero2ai Security Audit is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Zero2ai Security Audit support?
Zero2ai Security Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Zero2ai Security Audit?
It is built and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.0.