S³ Security Audit
by Solomon Neas · GitHub ↗ · v1.0.0 · MIT-0
242 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install s3-security-audit
Description
Run security audits on codebases using static analysis, dependency scanning, and manual code review patterns. Covers OWASP Top 10, secrets detection, depende...
Usage Guidance
This instruction-only skill mostly does what it claims (local static checks and dependency scans), but note two important caveats: (1) the registry metadata omits required binaries (grep/find/sed, npm, pip), so ensure the executing environment has those tools before use; (2) the SKILL.md will try to install tooling at runtime (e.g., 'pip install pip-audit') and run network queries (npm audit/pip-audit), which introduces supply-chain and network exposure risks. Before installing or running: run the commands manually or inside an isolated container/VM, review and pin any packages that would be installed, avoid running against repositories with live secrets unless in a controlled environment, and consider using curated, signed scanner binaries or your organization's approved security tools instead of allowing implicit installs.
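A preflight wrapper that enforces the two caveats above, added here as an example and not part of the skill or its SKILL.md. It assumes POSIX sh with awk and grep, and a requirements file in the pinned-and-hashed layout that pip-compile --generate-hashes produces; the sample files it writes are constructed, with a zero-filled placeholder digest rather than a real pip-audit hash, and the function names are the example's own.

```shell
#!/bin/sh
# Added preflight for an instruction-only audit skill (example, not the skill's code).
# Enforces the two caveats: the tools the SKILL.md assumes must already be on PATH,
# and nothing is installed at run time unless it comes from a requirements file
# pinned to exact versions with sha256 hashes, so pip can run with --require-hashes.

# Print any required tools missing from PATH; return 1 if one or more are missing.
check_required_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# Every non-comment entry must pin an exact version (==) and carry a --hash=sha256:
# option; the first violation is reported and the function returns 1. Backslash
# continuation lines (the pip-compile --generate-hashes layout) are joined first.
check_pinned_requirements() {
    req="$1"
    [ -r "$req" ] || { echo "unreadable: $req"; return 1; }
    awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$req" \
        | grep -Ev '^[[:space:]]*(#|$)' \
        | while IFS= read -r entry; do
            case "$entry" in
                *==*--hash=sha256:*) ;;
                *) echo "unpinned or unhashed: $entry"; exit 1 ;;  # exits the pipeline subshell only
            esac
        done
}

# Install scanners only from a validated file, into a throwaway venv, with pip
# refusing any distribution whose hash is missing or mismatched. Not run by the demo.
install_pinned() {
    req="$1"; venv="${2:-.audit-venv}"
    check_pinned_requirements "$req" || return 1
    python3 -m venv "$venv" \
        && "$venv/bin/python" -m pip install --require-hashes --no-deps -r "$req"
}

# Constructed sample requirements files for the demo (the digest is a zero-filled
# placeholder, not a real pip-audit hash). "good" passes the check, "bad" fails it.
make_sample_requirements() {
    kind="$1"; out="$2"
    if [ "$kind" = good ]; then
        cat >"$out" <<'EOF'
# constructed: pinned and hashed, in the layout pip-compile --generate-hashes emits
pip-audit==2.7.3 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
    else
        cat >"$out" <<'EOF'
# constructed: a bare name, which is what an implicit "pip install pip-audit" resolves at run time
pip-audit
EOF
    fi
}

# Stand-alone demo: report which of the tools the SKILL.md assumes are absent here.
check_required_tools grep find sed npm pip pip-audit || true
```

Run check_required_tools before the skill is invoked and fail closed if anything is missing; feed install_pinned a reviewed, hash-pinned file instead of letting the SKILL.md's bare pip install fetch whatever PyPI resolves that day. The whole thing still belongs inside the isolated container or VM the guidance calls for, since npm audit and pip-audit reach the network regardless of how their binaries arrived.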
Capability Analysis
Type: OpenClaw Skill
Name: s3-security-audit
Version: 1.0.0
The skill bundle provides a comprehensive set of instructions and shell commands for performing static security audits on codebases, including secrets detection, dependency scanning, and vulnerability pattern matching using grep. The logic is transparent, uses standard security tools (pip-audit and npm audit), and stays within its stated purpose; the reviewed instructions show no signs of data exfiltration, unexpected execution, or prompt injection. The one incoherence, declared requirements that do not match what the commands assume, is covered under Purpose & Capability below.
Capability Assessment
Purpose & Capability
The SKILL.md describes a security-audit tool that performs local static checks and dependency scans, which matches the name/description. However the registry metadata declares no required binaries or env vars while the instructions assume common CLI tools (find, grep, sed), language toolchains (npm, pip) and optional scanners (pip-audit, npm audit). This mismatch between declared requirements and actual runtime expectations is an incoherence a user should be aware of.
Instruction Scope
Instructions perform broad local repository scans (searching for .env, *.pem, keys, and secret-like patterns) which is expected for auditing, but they also include commands that will attempt to install tooling at runtime (e.g., 'pip install pip-audit'). Installing packages and running network-backed audits (npm audit, pip-audit) are side effects with network/supply-chain implications. The guidance otherwise stays within the audit scope and does not instruct exfiltration or posting results externally.
Install Mechanism
There is no formal install spec in the registry (instruction-only), yet the SKILL.md contains an implicit install step ('pip install pip-audit') and expects npm/pip to be present. Implicit runtime installs are higher risk than an explicit vetted install spec because they pull code from package registries at execution time and may alter the agent environment.
Credentials
The skill requests no environment variables or credentials in metadata. The audit scripts search for secret patterns (AWS-like tokens, private keys) within the repository which is appropriate for a security audit and does not itself request unrelated external credentials.
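The kind of repository secret sweep described above, as an added example rather than the skill's own grep commands: a POSIX sh scan over a constructed sample tree that prunes VCS and dependency directories and applies a deliberately narrow pattern set. The sample files are constructed for the demo, including the placeholder key ID AKIAIOSFODNN7EXAMPLE used in AWS documentation; the function names and pattern choices are the example's own.

```shell
#!/bin/sh
# Added example of a grep-based secret sweep (not the skill's own commands).
# Walks a tree, skips VCS/dependency directories, and prints path:lineno:text for
# each high-signal hit so a reviewer can triage. Narrow patterns, no -i, to keep
# noise down; treat the output as leads for manual review, not proof.

# Extended regex (ERE) alternatives:
#  1. AWS access key ID: AKIA followed by 16 upper-case alphanumerics
#  2. PEM private key header (RSA/EC/OpenSSH/DSA or unqualified)
#  3. lower-case password/secret/api_key/token assigned a quoted literal of 8+ chars
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----|(password|passwd|secret|api_?key|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# Print every matching line as path:lineno:text. Directories named .git,
# node_modules, .venv or vendor are pruned so vendored code does not drown real hits.
scan_secrets() {
    root="$1"
    find "$root" \( -name .git -o -name node_modules -o -name .venv -o -name vendor \) -prune \
        -o -type f -print | while IFS= read -r f; do
        # -I skips binaries, -H forces the filename even for a single file;
        # a file with no match is not an error, so the loop status stays 0
        grep -nIHE -- "$SECRET_PATTERNS" "$f" 2>/dev/null || true
    done
}

# Number of hits, for gating a pipeline step.
count_secret_hits() {
    scan_secrets "$1" | wc -l | tr -d ' '
}

# Exit status 0 when the tree is clean, 1 when anything was found.
secrets_gate() {
    [ "$(count_secret_hits "$1")" -eq 0 ]
}

# Constructed sample repository for the demo; none of these are real credentials.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/src" "$root/deploy" "$root/node_modules/pkg"
    cat >"$root/src/config.py" <<'EOF'
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
EOF
    cat >"$root/deploy/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
constructed placeholder, not key material
-----END RSA PRIVATE KEY-----
EOF
    cat >"$root/node_modules/pkg/index.js" <<'EOF'
const token = "should-be-pruned-not-reported";
EOF
    cat >"$root/README.md" <<'EOF'
Set AWS_ACCESS_KEY_ID in the environment; never commit it.
EOF
}

# Stand-alone demo: build the sample tree, scan it, report the count, clean up.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
scan_secrets "$demo_dir"
echo "hits: $(count_secret_hits "$demo_dir")"
rm -rf "$demo_dir"
```

Against the sample tree this reports two lines in src/config.py and one in deploy/server.key, and nothing from node_modules. Expect false positives in test fixtures and documentation on a real codebase; the point of a pattern sweep like this is a short triage list that a human then confirms, which is why the skill's own limitations section stresses manual review.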
Persistence & Privilege
The skill is not marked always:true and does not request persistent system/service configuration changes. It does not attempt to modify other skills or global agent settings in the provided instructions.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install s3-security-audit
- After installation, invoke the skill by name or use /s3-security-audit
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the security-audit skill for codebase security assessments.
- Provides structured methodology adapted from Trail of Bits for comprehensive code security audits.
- Covers static analysis, secrets detection, dependency scanning, and infrastructure misconfigurations.
- Includes command-line snippets for automated security checks focused on OWASP Top 10 risks.
- Offers a clear report template for summarizing findings and recommendations.
- Lists limitations, emphasizing the need for manual review and highlighting the scope of automated checks.
Frequently Asked Questions
What is S³ Security Audit?
Run security audits on codebases using static analysis, dependency scanning, and manual code review patterns. Covers OWASP Top 10, secrets detection, depende... It is an AI Agent Skill for Claude Code / OpenClaw, with 242 downloads so far.
How do I install S³ Security Audit?
Run "/install s3-security-audit" in the OpenClaw or Claude Code chat to install it in one step. The skill itself needs no separate install spec, but its commands assume grep, find, sed, npm and pip are already present and may try to install pip-audit at run time; see Usage Guidance above before running it.
Is S³ Security Audit free?
Yes, S³ Security Audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does S³ Security Audit support?
S³ Security Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available, provided the command-line tools its instructions rely on (grep, find, sed, npm, pip) are installed there.
Who created S³ Security Audit?
It is built and maintained by Solomon Neas (@solomonneas); the current version is v1.0.0.