
Securitysuite

by mirni · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 80
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install gh-securitysuite
Description
Comprehensive agent security platform with 7 endpoints. Scan text for injection, audit SKILL.md files for malware and scope issues, generate detailed securit...
README (SKILL.md)

SecuritySuite

Full security platform for AI agents. Seven endpoints, one server.

Start the server

uvicorn securitysuite.app:app --port 8010

Endpoints

Scan text for prompt injection

curl -s -X POST http://localhost:8010/v1/scan-text \
  -H "Content-Type: application/json" \
  -d '{"text": "What is the weather?"}' | jq

Audit a SKILL.md (full check)

curl -s -X POST http://localhost:8010/v1/audit \
  -H "Content-Type: application/json" \
  -d "{\"skill_content\": $(jq -Rs . SKILL.md)}" | jq

Generate a security report with recommendations

curl -s -X POST http://localhost:8010/v1/report \
  -H "Content-Type: application/json" \
  -d "{\"skill_content\": $(jq -Rs . SKILL.md)}" | jq

Returns overall_rating, risk_level (LOW/MEDIUM/HIGH/CRITICAL), summary, findings_by_severity, recommendations, and details (each finding with category, severity, description, and fix).

List all known attack patterns

curl -s http://localhost:8010/v1/patterns | jq -r '.patterns[] | "\(.severity): \(.name) — \(.description)"'

Batch audit multiple skills

curl -s -X POST http://localhost:8010/v1/batch \
  -H "Content-Type: application/json" \
  -d "{\"skills\": [$(jq -Rs . skill1.md), $(jq -Rs . skill2.md)]}" | jq

Returns results (verdict per skill), safe_count, and flagged_count.

Usage Guidance
This package appears to implement a local FastAPI-based security scanner, which matches its description, but the bundle is incomplete: the code imports products.promptguard, products.skillscan, and products.scopecheck, none of which is included in the package or listed in the install metadata. Before installing or running it, verify that (a) the missing products.* dependencies are provided (or the package author publishes them), (b) the install metadata is corrected to list every required PyPI package, and (c) the service runs in a sandboxed environment, because pip installs can execute arbitrary code. Also review the source files yourself (or ask the author for a verified source/homepage). SKILL.md contains a prompt-injection test string; this is expected for an auditor, but treat any input to the running server as untrusted data. If these checks pass and you proceed, run the code in an isolated container and verify that the pip packages come from trusted registries.
Capability Analysis
Type: OpenClaw Skill
Name: gh-securitysuite
Version: 1.0.0
The gh-securitysuite skill is a security auditing platform for AI agents, providing a FastAPI-based server with endpoints for static analysis of skill files and text. It includes logic for detecting prompt injection, undeclared environment variables, and malicious patterns (e.g., credential harvesting, data exfiltration) based on a defined pattern catalog in securitysuite/reporter.py. While the core detection modules (products.*) are referenced but not provided in the file list, the available code in securitysuite/app.py and securitysuite/models.py is well-structured, transparent, and aligns with the stated purpose of providing security reports and risk assessments.
Capability Assessment
Purpose & Capability
Name, description, SKILL.md examples, and the FastAPI endpoints in the code are consistent with a local security/audit service. However, the Python code imports modules under products.* (products.promptguard, products.skillscan, products.scopecheck) that are not provided in the file manifest or declared in the install metadata, which means the bundle as published is incomplete or mis-declared.
Instruction Scope
SKILL.md instructions are limited to starting a local uvicorn server and sending SKILL.md or text to the server for scanning/audit/batch operations. The examples explicitly read local SKILL.md/skill files and send them to the local server (expected for an auditor). No instructions ask the agent to read unrelated system files or exfiltrate secrets, though the SKILL.md does contain text that matched a prompt-injection detector (see scan_findings_in_context).
Install Mechanism
Install metadata indicates pip-installable dependencies (fastapi, uvicorn, pydantic, pyyaml) which is reasonable. But the code depends on additional modules under products.* that are not declared or included; runtime will fail unless those packages are present. The registry's single install entry shows an id/kind 'uv' which is unusual and may be a packaging/metadata error. No external downloads or obfuscated install URLs are present.
Credentials
The skill declares no required environment variables or credentials, and SKILL.md doesn't request secrets. The reporter code warns about env access when it is detected in audited skills, which is appropriate. No disproportionate credential requests are present in the bundle itself.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It runs as a local server when started and does not modify other skills or system configs in the provided code.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install gh-securitysuite
  3. After installation, invoke the skill by name or use /gh-securitysuite
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Updated description for greater clarity on endpoints and features.
- Improved metadata and installation instructions; added emoji and standardized package management.
- Condensed usage examples and enhanced curl command syntax using jq for better readability.
- Clarified endpoint outputs, especially for security reports and batch operations.
- Streamlined document structure for faster onboarding and reference.
v0.1.0
Initial release of gh-securitysuite — a comprehensive security platform for AI agent skills.
- Provides 7 API endpoints: text scan, skill scan, scope analysis, auditing, detailed reporting, pattern catalog, and batch operations.
- Scans text and SKILL.md files for common security risks and prompt injection patterns.
- Offers security scope checks and full audits with actionable recommendations.
- Batch capability to audit multiple skills at once.
- Report endpoint generates structured, severity-grouped security findings for easy review.
- Easy installation and server start instructions included.
Metadata
Slug: gh-securitysuite
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is Securitysuite?

Comprehensive agent security platform with 7 endpoints. Scan text for injection, audit SKILL.md files for malware and scope issues, generate detailed securit... It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.

How do I install Securitysuite?

Run "/install gh-securitysuite" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Securitysuite free?

Yes, Securitysuite is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Securitysuite support?

Securitysuite is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Securitysuite?

It is built and maintained by mirni (@mirni); the current version is v1.0.0.
