← Back to Skills Marketplace

Code Security Checks

Name: Code Security Checks
Author: mzfshark

by Mauricio Z. · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ✓ Security Clean

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install axodus-security-checks

Description

Perform security reviews of code to detect secrets exposure, auth issues, injection risks, unsafe dependencies, and improper execution paths.

README (SKILL.md)

SKILL: security-check

Purpose

Perform a security-focused review of code changes or a subsystem: secrets exposure, auth issues, injection risks, unsafe dependencies, and unsafe execution paths.

When to Use

Before deployment of a feature handling user input, money, or credentials.
When introducing new dependencies or external integrations.
After any authentication/authorization changes.

Inputs

scope (required, string): files/modules/diff to inspect.
threat_model (optional, string): assets at risk and attacker capabilities.
languages (optional, string[]): e.g., ["ts","py","solidity"]
constraints (optional, string[]): compliance rules or governance boundaries.

Steps

Secrets & config:
- ensure no tokens/keys are committed
- ensure .env.example does not contain real secrets
Input handling:
- validate and sanitize untrusted inputs
- enforce schema validation at boundaries
Auth/authz:
- verify authorization checks at every privileged action
- avoid insecure defaults
Injection and unsafe execution:
- command injection
- SQL/NoSQL injection
- XSS/CSRF (frontend)
- dynamic code execution without validation
Dependencies:
- flag risky packages
- ensure versions are pinned when required
Observability:
- logs do not leak secrets/PII
- audit trail exists for sensitive actions

Validation

Findings are evidence-based and include remediation.
Risk severity is calibrated (critical/high/medium/low).
Safety constraints are explicitly enforced (not â€œrecommendedâ€).

Output

Security report (example schema):

summary: "\x3Ctop risks>"
findings:
  - id: "SEC-001"
    severity: "high|medium|low"
    issue: "\x3Cwhat>"
    location: ["..."]
    remediation: "\x3Chow>"

Safety Rules

Do not disclose secrets that appear in logs/config; redact.
Do not recommend disabling security controls to â€œunblockâ€.
Escalate when the change touches money movement or governance.

Example

Scope: â€œnew webhook handlerâ€ Output: flags missing signature verification and recommends replay protection + audit logs.

Usage Guidance

This instruction-only skill appears coherent and low-risk, but check these before installing: (1) provenance — the metadata shows 'RedHat Dev' inside files but the registry owner differs; verify the author/owner you trust. (2) Access scope — the skill expects a 'scope' (files/diff); ensure you only supply the code you want analyzed and that the agent does not have unintended filesystem or repo access. (3) Secrets handling — the SKILL.md says to redact secrets, but confirm how the agent/platform enforces redaction and where reports are stored/logged. (4) Operational needs — if you want the skill to scan a private repo, you'll need to provide the diff or repository access separately; the skill itself does not request credentials. If you need stronger assurance, ask the publisher for provenance (signed metadata) or run the guidance manually or in a sandboxed agent with limited access.

Capability Analysis

Type: OpenClaw Skill Name: axodus-security-checks Version: 1.0.0 The skill bundle defines a 'security-check' tool designed to guide an AI agent through standard security auditing procedures, such as identifying hardcoded secrets, injection risks, and authentication flaws. The instructions in SKILL.md and security-check.md are aligned with defensive security best practices and contain no executable code, data exfiltration logic, or malicious prompt injections.

Capability Assessment

✓ Purpose & Capability

The name/description describe reviewing code for secrets, auth, injection, dependencies and unsafe execution; the SKILL.md contains step-by-step checks that map directly to that purpose and does not request unrelated capabilities.

ℹ Instruction Scope

Instructions are focused on reviewing a supplied 'scope' (files/diff) and list concrete checks. They do not direct the agent to call external endpoints or read unrelated system files. However, the guidance is somewhat high-level (expects the agent to determine how to scan the scope) and therefore relies on the agent having access to the repository or code artifacts provided by the user; that operational requirement is implied but not declared.

✓ Install Mechanism

There is no install spec and no code files to execute; this is instruction-only, so nothing is written to disk or downloaded at install time.

ℹ Credentials

The skill declares no required environment variables or credentials, which is proportionate. Be aware that to perform real reviews the agent (or caller) must supply the code/diff; the skill does not request repo tokens but practical usage may require the environment that hosts the agent to already have access to the codebase — that access is external to the skill and should be controlled by you.

✓ Persistence & Privilege

always is false and the skill does not request persistent presence or modify other skills. Autonomous invocation is allowed (platform default) but there are no other elevated privileges requested.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install axodus-security-checks
After installation, invoke the skill by name or use /axodus-security-checks
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release for axodus-security-checks. - Adds skill to perform structured security reviews focused on secrets exposure, auth/authz weaknesses, injection risks, dependency safety, and unsafe execution paths. - Accepts customizable input scopes, threat models, languages, and constraints. - Delivers a YAML-formatted, evidence-based findings report with severity and remediation. - Includes strict rules for secret handling and escalation on sensitive changes. - Intended for use before deployment or after significant security-relevant changes.

Metadata

Slug axodus-security-checks

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Code Security Checks?

Perform security reviews of code to detect secrets exposure, auth issues, injection risks, unsafe dependencies, and improper execution paths. It is an AI Agent Skill for Claude Code / OpenClaw, with 58 downloads so far.

How do I install Code Security Checks?

Run "/install axodus-security-checks" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Code Security Checks free?

Yes, Code Security Checks is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Code Security Checks support?

Code Security Checks is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Code Security Checks?

It is built and maintained by Mauricio Z. (@mzfshark); the current version is v1.0.0.

More Skills