SecureVibes Scanner

by Anshuman Bhartiya · GitHub ↗ · v0.5.3
cross-platform · Security: Clean · 710 downloads · 0 stars · 0 active installs · 8 versions
Install in OpenClaw
/install securevibes-scanner
Description
Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for sec...
Usage Guidance
This skill appears to be what it says: a wrapper around a third-party 'securevibes' CLI that runs scans (using Anthropic/Claude). Before installing or scheduling it, do the following:
  1. Review the full ops/incremental_scan.py source (the provided listing was truncated in places) to confirm there are no unexpected network calls or obfuscated logic.
  2. Inspect and vet the 'securevibes' CLI (pipx/pypi package), because that binary performs the actual scanning and will likely send code to Anthropic; verify its privacy/data-retention policy.
  3. Only point scans at repositories you own or are allowed to test — scanning will read repository contents and may transmit code to Anthropic.
  4. Prefer running an initial full scan manually to validate behavior and outputs before enabling cron/automation.
  5. Keep ANTHROPIC credentials under your control (use service accounts or scoped keys where possible) and understand whether OAuth or API keys are used in your environment.
If you want higher assurance, run the securevibes CLI in an isolated environment and inspect network traffic to confirm where scan data is sent.
Capability Analysis
Type: OpenClaw Skill
Name: securevibes-scanner
Version: 0.5.3
The OpenClaw skill 'securevibes-scanner' is benign. The `SKILL.md` explicitly addresses prompt injection risks, advising against unsanitized user input and stating that the `scripts/scan.sh` wrapper validates paths. The `scripts/scan.sh` file implements robust input validation using a regex to reject shell metacharacters from the `PROJECT_PATH` argument, effectively preventing shell injection. The `ops/incremental_scan.py` script uses `subprocess.run` with argument lists, which is the secure method for executing external commands in Python. There is no evidence of data exfiltration, unauthorized persistence, or other malicious intent; all actions align with its stated purpose as an AI-powered security scanner.
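To make the path-validation pattern described above concrete, here is an added example of a POSIX sh helper in the same spirit: an allow-list check that rejects shell metacharacters, canonicalisation with `realpath`, and an existence check on the resolved directory. It is not the skill's own `scripts/scan.sh`; the function name, the allow-list and the `realpath` dependency are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the skill's scripts/scan.sh: validate a scan target path
# before handing it to an external CLI. Assumes GNU/BusyBox `realpath`.

# validate_project_path PATH
#   Prints the canonical directory path and returns 0 when PATH is safe to use
#   as a scan target; returns 1 (printing nothing) otherwise.
validate_project_path() {
    p="$1"

    # 1. Reject empty input outright.
    [ -n "$p" ] || return 1

    # 2. Allow-list the characters a repository path may contain. Anything
    #    else (spaces, ';', '|', '$', backticks, newlines, ...) is rejected.
    #    A `case` pattern is used rather than a line-oriented grep so that an
    #    embedded newline cannot split the value into "clean" lines.
    case "$p" in
        *[!A-Za-z0-9/._-]*) return 1 ;;
    esac

    # 3. Resolve symlinks and '..' components to one canonical path; realpath
    #    fails if the path cannot be resolved, which we treat as a rejection.
    resolved=$(realpath -- "$p" 2>/dev/null) || return 1

    # 4. The canonical target must be an existing directory.
    [ -d "$resolved" ] || return 1

    printf '%s\n' "$resolved"
    return 0
}

# Stand-alone usage: ./validate.sh /path/to/repo
if [ $# -gt 0 ]; then
    if target=$(validate_project_path "$1"); then
        # Pass the validated path as a single argument; never interpolate it
        # into a string that is re-parsed by the shell.
        printf 'would scan: %s\n' "$target"
    else
        printf 'rejected path: %s\n' "$1" >&2
        exit 2
    fi
fi
```

Keeping the allow-list narrow is the important choice: a deny-list of known metacharacters is easy to get wrong, while an allow-list fails closed on anything unexpected. The canonical path is then passed to the scanner as one argument, which is the shell-side counterpart of the `subprocess.run` argument-list discipline mentioned above.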
Capability Assessment
Purpose & Capability
Name/description claim an AI-based security scanner that uses Claude/Anthropic and supports full and incremental scans. The bundled wrapper scripts and an incremental scanner are exactly what you'd expect for that functionality. The skill does not request unrelated system credentials or binaries beyond git and the 'securevibes' CLI, which are appropriate for scanning and git-based incremental checks.
Instruction Scope
SKILL.md instructs running local scans, scheduling cron jobs, using the scripts/scan.sh wrapper, and having the incremental scanner update and read state files under the target repo's .securevibes/ directory — all consistent with the stated function. It also instructs the agent/subagent to 'cd' into the repo and run git pull, which is normal for incremental scanning but gives the skill access to repository contents (including any sensitive files in the repo). The SKILL.md references ANTHROPIC_API_KEY (optional) and OAuth; these are expected because analysis uses Claude. Overall scope stays within scanning behavior, but users should note that scans will cause code to be processed (and, via the securevibes CLI, likely sent to Anthropic) so do not point it at repos you cannot disclose.
Install Mechanism
No install spec in the registry bundle — the skill is instruction+scripts which call an external 'securevibes' CLI. The README recommends pipx install securevibes (a reasonable distribution method) and the scripts check for the binary. There are no remote downloads or archives embedded in the install spec, which reduces installer risk. The only external software required is the third-party 'securevibes' package, which should be reviewed separately.
Credentials
The registry metadata declares no required env vars, and the skill itself does not demand unrelated credentials. SKILL.md and scripts reference ANTHROPIC_API_KEY (optional) or OAuth for Anthropic/Claude access — proportionate because the scanner uses Claude. Users should be aware that leaving ANTHROPIC_API_KEY unset will rely on OAuth sessions, which in some environments may or may not exist; the securevibes CLI and Anthropic access are the only external auth surfaces mentioned.
Persistence & Privilege
The registry metadata sets `always: false` and the skill uses normal autonomous invocation. The skill writes state and logs into the target repository under .securevibes/ (expected for incremental scans). It does not request persistent, cross-skill privileges or modify other skills' configuration. Cron scheduling is suggested but not enforced by the registry metadata.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install securevibes-scanner
  3. After installation, invoke the skill by name or use /securevibes-scanner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.5.3
Fix: add minimum version check to scan.sh to catch stale shims from dual pip installs. Update install instructions to recommend pipx/uv tool instead of pip.
v0.5.2
ANTHROPIC_API_KEY no longer required for Max/Pro subscribers. Claude Agent SDK picks up OAuth automatically. scan.sh now warns instead of hard-failing when key is unset.
v0.5.1
Updated auth docs — ANTHROPIC_API_KEY is no longer required for Anthropic Max/Pro subscribers. The Claude Agent SDK picks up OAuth automatically. Updated scan.sh wrapper to warn instead of hard-fail when key is unset.
v0.5.0
**Adds incremental scanning and continuous monitoring support.**
  - Added `ops/incremental_scan.py` and `ops/incremental_scan.sh` for incremental security scans.
  - Now supports continuous security monitoring via cron: scan only new commits since last run.
  - Updated documentation to include incremental scan setup, usage, and operational details.
  - No breaking changes to full (one-shot) scan workflow.
v0.4.0
Declare ANTHROPIC_API_KEY in frontmatter env. Add dependencies block with pip package provenance. Add author/links to metadata. Remove agent-specific memory paths. Improved wrapper script.
v0.3.0
Security hardening: scan.sh wrapper validates paths (rejects shell metacharacters, resolves via realpath, verifies directory exists). SKILL.md uses concrete path examples instead of template variables. Added Security Notes section.
v0.2.0
Updated execution model: 45-minute timeout, full cron payload template with weekly diffing, results storage docs, fixed rate-limit install issue.
v0.1.0
Initial release — AI-powered security scanner wrapping securevibes pip package. Runs assessment, threat modeling, code review, and report generation.
Metadata
Slug securevibes-scanner
Version 0.5.3
License
All-time Installs 0
Active Installs 0
Total Versions 8
Frequently Asked Questions

What is SecureVibes Scanner?

Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for sec... It is an AI Agent Skill for Claude Code / OpenClaw, with 710 downloads so far.

How do I install SecureVibes Scanner?

Run "/install securevibes-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SecureVibes Scanner free?

Yes, SecureVibes Scanner is completely free (open-source). You can download, install and use it at no cost.

Which platforms does SecureVibes Scanner support?

SecureVibes Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created SecureVibes Scanner?

It is built and maintained by Anshuman Bhartiya (@anshumanbh); the current version is v0.5.3.
