← Back to Skills Marketplace
OpenClaw Security Analysis
by
michealxie001
· GitHub ↗
· v1.1.0
· MIT-0
123
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install oc-security
Description
Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice.
README (SKILL.md)
Security - Security Analysis
安全分析工具,扫描代码漏洞、检查依赖、提供修复建议。
Version: 1.1
Features: 漏洞扫描、依赖检查、密钥检测、安全建议、C/C++ 支持 (NEW)
Quick Start
1. 扫描代码
# 扫描单个文件
python3 scripts/main.py scan --file src/main.py
# 扫描整个项目
python3 scripts/main.py scan --dir src/
2. 检查依赖
# 检查依赖漏洞
python3 scripts/main.py deps --requirements requirements.txt
# 检查 package.json
python3 scripts/main.py deps --package-json package.json
3. 检测密钥泄露
# 扫描密钥泄露
python3 scripts/main.py secrets --dir .
Commands
| 命令 | 说明 | 示例 |
|---|---|---|
scan |
安全扫描 | scan --file src.py |
deps |
依赖检查 | deps --requirements req.txt |
secrets |
密钥检测 | secrets --dir . |
安全扫描
$ python3 scripts/main.py scan --file src/auth.py
🔒 Security Scan Results
=========================
File: src/auth.py
Issues found: 2
🔴 Critical:
Line 34: Hardcoded password
password = "admin123" # ← Move to environment variable
CWE-798: Use of Hard-coded Credentials
🟡 Medium:
Line 67: SQL injection risk
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
CWE-89: SQL Injection
Fix: Use parameterized queries
✅ No secrets detected
依赖检查
$ python3 scripts/main.py deps --requirements requirements.txt
📦 Dependency Check
===================
Checked: 15 packages
Issues: 2
🔴 CVE-2023-1234: requests \x3C 2.31.0
Severity: High
Fix: pip install requests>=2.31.0
🟡 CVE-2023-5678: flask \x3C 2.3.0
Severity: Medium
Fix: pip install flask>=2.3.0
✅ All other dependencies up to date
密钥检测
$ python3 scripts/main.py secrets --dir .
🔑 Secret Detection
===================
Scanned: 45 files
Secrets found: 1
🔴 .env (line 3):
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Type: AWS Secret Access Key
Action: Move to secrets manager or environment variable
⚠️ Remember to rotate exposed credentials!
检测规则
代码漏洞
| 规则 | 严重度 | CWE |
|---|---|---|
| Hardcoded credentials | 🔴 Critical | CWE-798 |
| SQL injection | 🔴 Critical | CWE-89 |
| Command injection | 🔴 Critical | CWE-78 |
| Path traversal | 🔴 Critical | CWE-22 |
| Insecure crypto | 🟡 Medium | CWE-327 |
| Weak random | 🟡 Medium | CWE-338 |
| Debug mode enabled | 🟡 Medium | CWE-489 |
密钥模式
| 类型 | 检测 |
|---|---|
| API Keys | ✅ |
| AWS Credentials | ✅ |
| Database URLs | ✅ |
| Private Keys | ✅ |
| JWT Secrets | ✅ |
| Passwords in code | ✅ |
Configuration
.security.json:
{
"severity_threshold": "medium",
"ignore_paths": [
"tests/**",
"vendor/**"
],
"ignore_rules": [
"debug-mode-in-production"
],
"custom_patterns": {
"company_api_key": "COMPANY_[A-Z0-9]{32}"
}
}
CI/CD 集成
# .github/workflows/security.yml
name: Security Scan
on: [pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan Code
run: python3 skills/security/scripts/main.py scan --dir src/
- name: Check Dependencies
run: python3 skills/security/scripts/main.py deps --requirements requirements.txt
- name: Detect Secrets
run: python3 skills/security/scripts/main.py secrets --dir .
Files
skills/security/
├── SKILL.md # 本文件
└── scripts/
├── main.py # ⭐ 统一入口
├── scanner.py # 漏洞扫描器
└── rules/ # 检测规则
├── python.yml
└── javascript.yml
Roadmap
- Basic vulnerability detection
- Secret detection
- Dependency checking
- SAST integration
- DAST support
Usage Guidance
This skill appears to do what it says: local static scans, dependency checks, and secret detection. Before installing or running it on sensitive repositories: 1) Review the full scripts/main.py (the provided snippet was truncated) to confirm there are no network calls or exfiltration paths. 2) Note the tool will read project files (including .env) to find secrets—run it in a safe/test environment if you are worried about exposing keys. 3) The code will optionally import a 'c-support' library from a relative parent path if present; ensure you trust any c-support/ code in your repo because it would be executed. 4) The SKILL.md references other files (scanner.py, rules/) that are not bundled—confirm you have the intended rule set if you expect C/C++ scanning. If you want higher assurance, run the script in an isolated environment and inspect the remainder of the code for network or subprocess usage before granting it broad autonomous access.
Capability Analysis
Type: OpenClaw Skill
Name: oc-security
Version: 1.1.0
The skill bundle provides a legitimate security analysis tool for Python and C/C++ code, performing static analysis to detect vulnerabilities (SQL injection, command injection), hardcoded secrets, and insecure configurations. The implementation in `scripts/main.py` uses standard Python libraries like `ast` and `re` for scanning and does not contain any evidence of data exfiltration, malicious execution, or prompt injection.
Capability Assessment
Purpose & Capability
The SKILL.md description (vulnerability scanning, dependency checks, secret detection) aligns with the included scripts/main.py functionality. The README mentions additional files (scanner.py, rules/) that are not present in the bundle—this is a documentation mismatch but not evidence of malicious intent. The code also attempts to import an optional 'c-support' library from a relative parent path to add C/C++ scanning; this is plausible for C support but means the tool may execute code from a repo-level c-support/ directory if present.
Instruction Scope
Runtime instructions are narrowly scoped to scanning files, directories, and dependency manifests (requirements.txt, package.json) and to CI integration steps. The SKILL.md explicitly instructs scanning project files and .env files for secrets, which is appropriate for a secret-detection tool. There are no instructions to read or transmit unrelated system state or credentials beyond the target codebase.
Install Mechanism
No install spec is provided; this is an instruction-only skill with an included Python script. Nothing in the package downloads or extracts external code by default.
Credentials
The skill declares no required environment variables or credentials. The code contains regexes to detect many secret types (AWS keys, OpenAI keys, GitHub tokens) but does not itself require those credentials to run. No unrelated credential access is requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request elevated privileges or attempt to modify other skills or global agent configuration in the provided files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install oc-security - After installation, invoke the skill by name or use
/oc-security - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Added C/C++ support: CWE detection, unsafe functions, buffer overflow, format string vulnerabilities
Metadata
Frequently Asked Questions
What is OpenClaw Security Analysis?
Security analysis and vulnerability detection. Scans code for security issues, checks dependencies, and provides remediation advice. It is an AI Agent Skill for Claude Code / OpenClaw, with 123 downloads so far.
How do I install OpenClaw Security Analysis?
Run "/install oc-security" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw Security Analysis free?
Yes, OpenClaw Security Analysis is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does OpenClaw Security Analysis support?
OpenClaw Security Analysis is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw Security Analysis?
It is built and maintained by michealxie001 (@michealxie001); the current version is v1.1.0.
More Skills