
Security Audit Pro

by ai-gaoqian · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · ✓ Security Clean
Downloads: 36 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install security-audit-pro
Description
Enterprise-grade, all-round security audit skill covering static code analysis, dependency vulnerability scanning, container image security, cloud configuration compliance, secret leak detection, network port auditing and permission review. Supports OWASP Top 10 / CIS Benchmark / SOC2 / ISO27001 compliance checks and automatically generates a remediation-priority report.
README (SKILL.md)

Security Audit Pro

An enterprise-grade, all-round security audit skill covering seven security dimensions: code, dependencies, containers, cloud configuration, secrets, network and permissions. It supports multiple compliance standards and automatically generates a remediation-priority report sorted by risk level.

Trigger conditions

  • "Security-audit this project"
  • "Scan dependencies for vulnerabilities"
  • "Check AWS/Azure/GCP configuration compliance"
  • "Detect leaked secrets in the code"
  • "Container image security scan"
  • "Does this meet SOC2 compliance requirements?"
  • "Port security check"

Audit dimensions

Dimension | Checks | Standards covered
--- | --- | ---
Code security | SQL injection, XSS, SSRF, path traversal, hard-coded secrets, unsafe functions | OWASP Top 10
Dependency security | npm audit / pip audit / gem audit vulnerability scanning, supply-chain attack detection | CVE / NVD
Container security | image-layer vulnerabilities, non-root execution, privileged mode, sensitive mounts | CIS Docker Benchmark
Cloud configuration | IAM over-privilege, public S3 buckets, security groups open to 0.0.0.0/0, key rotation | CIS AWS/Azure/GCP
Secret detection | regex + entropy detection of API keys/tokens/private keys/certificates, Git history scanning | custom rules
Network audit | open ports, listening services, firewall rules, DNS leaks, TLS versions | NIST SP 800-53
Permission review | file permissions, SUID/SGID, sudo configuration, SSH authorized_keys | CIS Benchmark
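
The secret-detection row above combines format-specific regexes with Shannon entropy, and the notes further down say false positives are marked "possible" for manual confirmation. The following is an added example of that approach, written for this page and not taken from the skill itself: the rule names, threshold, `Finding` class and sample lines are all assumptions constructed for illustration, and the only key-like value is Amazon's published example access key ID.

```python
"""Regex + entropy secret detector (added example, not the skill's own code).

Hypothetical rule set and constructed sample lines; no real credentials appear here.
"""
import math
import re
from dataclasses import dataclass

# Format-specific rules: these match a known credential shape regardless of entropy.
# AKIA... is the documented prefix of AWS access key IDs (the sample value below is
# Amazon's published example key, not a live credential).
FORMAT_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Keyword assignment: a secret-like name followed by a value of 16+ token characters.
KEYWORD_ASSIGN = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

# Any run of 20+ base64/hex-ish characters is an entropy candidate.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

# Bits per character above which a candidate is treated as random-looking (assumed value).
# Random base64 of length 32 scores about 4.5-5.0; English identifiers score about 3-3.7.
ENTROPY_THRESHOLD = 4.0


@dataclass
class Finding:
    line_no: int
    rule: str
    confidence: str   # "high" or "possible" (possible => flag for manual confirmation)
    preview: str      # masked value so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep only a short prefix and the length, never the full secret."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_line(line_no: int, line: str) -> list:
    findings = []
    seen = set()  # values already reported on this line, to avoid duplicate findings

    # 1. Known formats: high confidence even when entropy is low (e.g. the AKIA sample).
    for name, rx in FORMAT_RULES.items():
        for m in rx.finditer(line):
            findings.append(Finding(line_no, name, "high", mask(m.group(0))))
            seen.add(m.group(0))

    # 2. Secret-like variable names: confidence depends on the value's entropy.
    for m in KEYWORD_ASSIGN.finditer(line):
        value = m.group(1)
        if value in seen:
            continue
        seen.add(value)
        conf = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "possible"
        findings.append(Finding(line_no, "keyword_assignment", conf, mask(value)))

    # 3. Bare high-entropy strings with no keyword context: always "possible" only.
    for m in CANDIDATE.finditer(line):
        value = m.group(0)
        if value in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue
        seen.add(value)
        findings.append(Finding(line_no, "high_entropy_string", "possible", mask(value)))

    return findings


def scan_text(text: str) -> list:
    out = []
    for i, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(i, line))
    return out


# Constructed sample input: every value is fake or a documented example value.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
API_KEY="Q7mK2pXv9LzA4nB8cR0sT5wE1yU3iO6g"
password = changeme_please_now
-----BEGIN RSA PRIVATE KEY-----
session_blob = 9aZ3kQ1mW7pL2xV5nB8cR0sT4yE6uI
deployment_environment_prod = true
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule} [{f.confidence}] {f.preview}")
```

On the sample, lines 1, 2 and 4 are reported as high confidence, line 3 (a keyword with a dictionary-like value) and line 5 (a random-looking string with no keyword) as "possible", and line 6 is not reported at all because `deployment_environment_prod` is long but low-entropy. Format rules matter because the example AWS key scores well below the entropy threshold and would otherwise be missed.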

Compliance standards

  • OWASP Top 10 (2021): injection / broken authentication / sensitive data exposure / XXE / broken access control / security misconfiguration / XSS / insecure deserialization / known vulnerabilities / insufficient logging and monitoring
  • CIS Benchmark: Level 1 (basic security) and Level 2 (defense in depth)
  • SOC2: security / availability / processing integrity / confidentiality / privacy
  • ISO 27001: information security management system (ISMS)

Output format

🔒 Security Audit Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Audit target: [project/directory/API endpoint]
Audit time: [timestamp] | Dimensions covered: [N]/7
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🔴 Critical (0-day exploitable): [N]
   - [vulnerability details + CVE number + remediation advice]

🟠 High (fix within <=24h): [N]
   - [vulnerability details + remediation advice]

🟡 Medium (fix within <=7 days): [N]

🟢 Low / recommendations: [N]

📊 Compliance score: [0-100] | Passed: [list of standards] | Failed: [list of standards]
📋 Remediation priority: [ordered by timeline]

Notes

  • Scan results are based on static analysis; no real attacks are simulated
  • False positives are marked as "possible"; manual confirmation is recommended
  • Compliance checks provide only a technical-level assessment and do not replace a formal audit
  • When a leaked secret is detected, rotate it immediately and revoke the old credential
Usage Guidance
Install only if you intend to let an agent review security-sensitive project, dependency, container, or cloud configuration context. Provide scoped targets and avoid sharing production credentials unless the audit task truly requires them.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The stated purpose is security auditing across code, dependencies, containers, cloud configuration, secrets, networking, and permissions; the disclosed required tools and sensitive-credential tag fit that purpose.
Instruction Scope
The trigger examples are broad security-audit requests, but they are plainly related to the skill’s purpose and do not instruct automatic scanning outside a user-requested target.
Install Mechanism
The artifact contains only SKILL.md with no install scripts, executable components, hidden files, or package hooks.
Credentials
Broad local and cloud review can expose sensitive code, secrets, and configuration, but that access is expected for the advertised audit workflow and is disclosed.
Persistence & Privilege
No persistence, background worker, privilege escalation, credential storage, destructive action, or exfiltration behavior is present in the artifact.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install security-audit-pro
  3. After installation, invoke the skill by name or use /security-audit-pro
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug security-audit-pro
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Security Audit Pro?

Enterprise-grade, all-round security audit skill covering static code analysis, dependency vulnerability scanning, container image security, cloud configuration compliance, secret leak detection, network port auditing and permission review. Supports OWASP Top 10 / CIS Benchmark / SOC2 / ISO27001 compliance checks and automatically generates a remediation-priority report. It is an AI Agent Skill for Claude Code / OpenClaw, with 36 downloads so far.

How do I install Security Audit Pro?

Run "/install security-audit-pro" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Security Audit Pro free?

Yes, Security Audit Pro is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Security Audit Pro support?

Security Audit Pro is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Security Audit Pro?

It is built and maintained by ai-gaoqian (@ai-gaoqian); the current version is v1.0.0.
