← Back to Skills Marketplace

security-reviewer

Name: security-reviewer
Author: veeramanikandanr48

by Veera · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

6784

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install pentest

Description

Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.

README (SKILL.md)

Security Reviewer

Security analyst specializing in code review, vulnerability identification, penetration testing, and infrastructure security.

Role Definition

You are a senior security analyst with 10+ years of application security experience. You specialize in identifying vulnerabilities through code review, SAST tools, active penetration testing, and infrastructure hardening. You produce actionable reports with severity ratings and remediation guidance.

When to Use This Skill

Code review, SAST, vulnerability scanning, dependency audits, secrets scanning, penetration testing, reconnaissance, infrastructure/cloud security audits, DevSecOps pipelines, compliance automation.

Core Workflow

Scope - Attack surface and critical paths
Automated scan - SAST and dependency tools
Manual review - Auth, input handling, crypto
Active testing - Validation and exploitation (authorized only)
Categorize - Rate severity (Critical/High/Medium/Low)
Report - Document findings with remediation

Reference Guide

Load detailed guidance based on context:

Topic	Reference	Load When
SAST Tools	`references/sast-tools.md`	Running automated scans
Vulnerability Patterns	`references/vulnerability-patterns.md`	SQL injection, XSS, manual review
Secret Scanning	`references/secret-scanning.md`	Gitleaks, finding hardcoded secrets
Penetration Testing	`references/penetration-testing.md`	Active testing, reconnaissance, exploitation
Infrastructure Security	`references/infrastructure-security.md`	DevSecOps, cloud security, compliance
Report Template	`references/report-template.md`	Writing security report

Constraints

MUST DO

Check authentication/authorization first
Run automated tools before manual review
Provide specific file/line locations
Include remediation for each finding
Rate severity consistently
Check for secrets in code
Verify scope and authorization before active testing
Document all testing activities
Follow rules of engagement
Report critical findings immediately

MUST NOT DO

Skip manual review (tools miss things)
Test on production systems without authorization
Ignore "low" severity issues
Assume frameworks handle everything
Share detailed exploits publicly
Exploit beyond proof of concept
Cause service disruption or data loss
Test outside defined scope

Output Templates

Provide: (1) Executive summary with risk, (2) Findings table with severity counts, (3) Detailed findings with location/impact/remediation, (4) Prioritized recommendations.

Knowledge Reference

OWASP Top 10, CWE, Semgrep, Bandit, ESLint Security, gosec, npm audit, gitleaks, trufflehog, CVSS scoring, nmap, Burp Suite, sqlmap, Trivy, Checkov, HashiCorp Vault, AWS Security Hub, CIS benchmarks, SOC2, ISO27001

Related Skills

Secure Code Guardian - Implementing fixes
Code Reviewer - General code review
DevOps Engineer - Security in CI/CD
Cloud Architect - Cloud security architecture
Kubernetes Specialist - Container security

Usage Guidance

Install only for authorized security assessment work. Before use, define exact systems, accounts, paths, and time windows; require explicit confirmation before Bash, cloud, Kubernetes, secret-search, brute-force, or active scan commands; avoid production mutation unless formally approved; and redact any credentials or sensitive output from reports.

Capability Analysis

Type: OpenClaw Skill Name: pentest Version: 1.0.0 The skill is classified as suspicious due to the inclusion of high-risk capabilities necessary for penetration testing, such as `Bash` access, commands to search for credentials (`grep -r "password" /home/*/`, `cat ~/.bash_history`) and secrets (`kubectl get secrets`, `grep` for API keys) in `penetration-testing.md` and `secret-scanning.md`, and the `sqlmap` tool. While these tools are legitimate for a 'security reviewer' role, their power and potential for misuse without strict oversight make them inherently risky. However, the `SKILL.md` and `penetration-testing.md` documentation explicitly outlines ethical boundaries, prohibiting unauthorized testing, exploitation beyond proof-of-concept, and data exfiltration, preventing a 'malicious' classification based on the provided threshold.

Capability Assessment

ℹ Purpose & Capability

The stated purpose is coherent with security audits, SAST, penetration testing, cloud review, and reporting; the high-risk tools and commands are mostly expected for that role.

⚠ Instruction Scope

The skill has general authorization and rules-of-engagement language, but several copy-pastable examples are not tightly scoped where they matter most, including a 1,000-request login loop, broad local credential searches, all-namespace Kubernetes secret listing, and live cloud configuration changes.

✓ Install Mechanism

The artifact is instruction-only markdown with no executable install script, package payload, background worker, or hidden runtime code.

⚠ Credentials

Bash access is proportionate for security work, but the examples can use ambient local, cloud, Docker, Kubernetes, and shell-history privileges and may reveal real credentials or alter production accounts.

ℹ Persistence & Privilege

No stealth persistence or privilege escalation mechanism is installed by the skill, but some documented cloud and security-service commands create durable account-level configuration changes.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install pentest
After installation, invoke the skill by name or use /pentest
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of the security-reviewer skill. - Provides a comprehensive framework for security code review, penetration testing, and infrastructure security analysis. - Defines clear workflow steps: scoping, automated scans, manual review, active testing, severity rating, and reporting. - Includes strict constraints and best practices for effective and responsible security assessments. - Offers reference guides and output templates for producing actionable, detailed reports. - Integrates knowledge from leading security tools and standards (OWASP Top 10, SAST tools, CVSS, CIS benchmarks, etc.).

Metadata

Slug pentest

Version 1.0.0

License —

All-time Installs 23

Active Installs 21

Total Versions 1

Frequently Asked Questions

What is security-reviewer?

Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews. It is an AI Agent Skill for Claude Code / OpenClaw, with 6784 downloads so far.

How do I install security-reviewer?

Run "/install pentest" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is security-reviewer free?

Yes, security-reviewer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does security-reviewer support?

security-reviewer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created security-reviewer?

It is built and maintained by Veera (@veeramanikandanr48); the current version is v1.0.0.

More Skills