mzfshark

Code Security Checks

Author: Mauricio Z. · GitHub · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
58 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install axodus-security-checks
Description
Perform security reviews of code to detect secrets exposure, auth issues, injection risks, unsafe dependencies, and improper execution paths.
Usage instructions (SKILL.md)

SKILL: security-check

Purpose

Perform a security-focused review of code changes or a subsystem: secrets exposure, auth issues, injection risks, unsafe dependencies, and unsafe execution paths.

When to Use

  • Before deployment of a feature handling user input, money, or credentials.
  • When introducing new dependencies or external integrations.
  • After any authentication/authorization changes.

Inputs

  • scope (required, string): files/modules/diff to inspect.
  • threat_model (optional, string): assets at risk and attacker capabilities.
  • languages (optional, string[]): e.g., ["ts","py","solidity"]
  • constraints (optional, string[]): compliance rules or governance boundaries.

Steps

  1. Secrets & config:
    • ensure no tokens/keys are committed
    • ensure .env.example does not contain real secrets
  2. Input handling:
    • validate and sanitize untrusted inputs
    • enforce schema validation at boundaries
  3. Auth/authz:
    • verify authorization checks at every privileged action
    • avoid insecure defaults
  4. Injection and unsafe execution:
    • command injection
    • SQL/NoSQL injection
    • XSS/CSRF (frontend)
    • dynamic code execution without validation
  5. Dependencies:
    • flag risky packages
    • ensure versions are pinned when required
  6. Observability:
    • logs do not leak secrets/PII
    • audit trail exists for sensitive actions

Validation

  • Findings are evidence-based and include remediation.
  • Risk severity is calibrated (critical/high/medium/low).
  • Safety constraints are explicitly enforced (not “recommended”).

Output

Security report (example schema):

summary: "<top risks>"
findings:
  - id: "SEC-001"
    severity: "high|medium|low"
    issue: "<what>"
    location: ["..."]
    remediation: "<how>"

Safety Rules

  • Do not disclose secrets that appear in logs/config; redact.
  • Do not recommend disabling security controls to “unblock”.
  • Escalate when the change touches money movement or governance.
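
Step 1, the report schema and the redaction rule can be exercised together. The following is an added example, not part of the skill or its author's code: it scans the added lines of a unified diff and returns findings in the schema above with the secret redacted. The detection rules, function names and sample diff are constructed for illustration.

```python
import re

# Constructed rules for illustration; a real review would use a maintained ruleset.
RULES = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hard-coded credential", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]?([^\s'\"]{12,})")),
]

def redact(value):
    """Keep a 4-character prefix as evidence; never echo the full secret."""
    return value[:4] + "*" * 8

def scan_diff(diff_text):
    """Scan the added lines of a unified diff; return a report in the schema above."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("@@"):
            # New-file start line from the hunk header, e.g. "@@ -1,2 +1,3 @@".
            lineno = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            lineno += 1
            for name, rx in RULES:
                m = rx.search(line[1:])
                if m:
                    findings.append({
                        "id": f"SEC-{len(findings) + 1:03d}",
                        "severity": "high",
                        "issue": f"{name} in added line ({redact(m.group(m.lastindex or 0))})",
                        "location": [f"{path}:{lineno}"],
                        "remediation": "Remove the value, rotate it, load it from a secret store.",
                    })
                    break
        elif line.startswith(" "):
            lineno += 1  # context line: present in the new file, not scanned
    return {"summary": f"{len(findings)} secret exposure(s) in scope", "findings": findings}

# Constructed diff; the token value is fake.
SAMPLE_DIFF = """\
--- a/.env.example
+++ b/.env.example
@@ -1,2 +1,3 @@
 APP_ENV=production
-API_TOKEN=
+API_TOKEN=EXAMPLEtoken0123456789abcdef
+LOG_LEVEL=info
"""

if __name__ == "__main__":
    print(scan_diff(SAMPLE_DIFF))
```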

Example

Scope: “new webhook handler”
Output: flags missing signature verification and recommends replay protection + audit logs.
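
A handler that would pass this review, as an added example that is not part of the skill: it verifies an HMAC signature over the raw body, rejects stale or replayed deliveries, and writes an audit record for each decision. The header names, signing scheme, tolerance window and in-memory replay cache are assumptions.

```python
import hashlib, hmac, json, logging, time

audit = logging.getLogger("audit")
TOLERANCE_S = 300   # assumed freshness window, in seconds
_seen = {}          # event id -> expiry; in-memory stand-in for a shared store

def sign(secret, ts, body):
    """Assumed scheme: hex HMAC-SHA256 over b'<timestamp>.<raw body>'."""
    return hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()

def handle_webhook(secret, headers, body, now=None):
    """Return (status, reason); authenticate the raw bytes before parsing them."""
    now = time.time() if now is None else now
    ts, sig = headers.get("X-Timestamp", ""), headers.get("X-Signature", "")

    def decide(status, reason, level=logging.WARNING):
        # Audit record carries the decision only: no body, signature or secret.
        audit.log(level, "webhook status=%d reason=%s", status, reason)
        return status, reason

    fresh = ts.isascii() and ts.isdigit() and len(ts) <= 12
    if not fresh or abs(now - int(ts)) > TOLERANCE_S:
        return decide(401, "stale_or_missing_timestamp")
    # Constant-time comparison; the timestamp is covered by the MAC.
    if not hmac.compare_digest(sign(secret, ts, body).encode(), sig.encode()):
        return decide(401, "bad_signature")
    try:
        event_id = str(json.loads(body)["id"])
    except (ValueError, KeyError, TypeError):
        return decide(400, "malformed_payload")
    for key in [k for k, exp in _seen.items() if exp < now]:
        del _seen[key]                       # ids that can no longer be replayed
    if event_id in _seen:
        return decide(409, "replayed_event")
    _seen[event_id] = int(ts) + TOLERANCE_S  # signature stops being fresh after this
    return decide(200, "accepted", logging.INFO)

if __name__ == "__main__":
    # Constructed key and payload.
    key, body, ts = b"constructed-secret", b'{"id": "evt_1"}', "1700000000"
    hdrs = {"X-Timestamp": ts, "X-Signature": sign(key, ts, body)}
    print(handle_webhook(key, hdrs, body, now=1700000010))  # first delivery
    print(handle_webhook(key, hdrs, body, now=1700000020))  # same delivery again
```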

Safe usage recommendations
This instruction-only skill appears coherent and low-risk, but check these before installing: (1) provenance — the metadata shows 'RedHat Dev' inside files but the registry owner differs; verify the author/owner you trust. (2) Access scope — the skill expects a 'scope' (files/diff); ensure you only supply the code you want analyzed and that the agent does not have unintended filesystem or repo access. (3) Secrets handling — the SKILL.md says to redact secrets, but confirm how the agent/platform enforces redaction and where reports are stored/logged. (4) Operational needs — if you want the skill to scan a private repo, you'll need to provide the diff or repository access separately; the skill itself does not request credentials. If you need stronger assurance, ask the publisher for provenance (signed metadata) or run the guidance manually or in a sandboxed agent with limited access.
Functional analysis
Type: OpenClaw Skill
Name: axodus-security-checks
Version: 1.0.0
The skill bundle defines a 'security-check' tool designed to guide an AI agent through standard security auditing procedures, such as identifying hardcoded secrets, injection risks, and authentication flaws. The instructions in SKILL.md and security-check.md are aligned with defensive security best practices and contain no executable code, data exfiltration logic, or malicious prompt injections.
Capability assessment
Purpose & Capability
The name/description describe reviewing code for secrets, auth, injection, dependencies and unsafe execution; the SKILL.md contains step-by-step checks that map directly to that purpose and does not request unrelated capabilities.
Instruction Scope
Instructions are focused on reviewing a supplied 'scope' (files/diff) and list concrete checks. They do not direct the agent to call external endpoints or read unrelated system files. However, the guidance is somewhat high-level (expects the agent to determine how to scan the scope) and therefore relies on the agent having access to the repository or code artifacts provided by the user; that operational requirement is implied but not declared.
Install Mechanism
There is no install spec and no code files to execute; this is instruction-only, so nothing is written to disk or downloaded at install time.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. Be aware that to perform real reviews the agent (or caller) must supply the code/diff; the skill does not request repo tokens but practical usage may require the environment that hosts the agent to already have access to the codebase — that access is external to the skill and should be controlled by you.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify other skills. Autonomous invocation is allowed (platform default) but there are no other elevated privileges requested.
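How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install axodus-security-checks
  3. Once installed, call the Skill by name or trigger it with /axodus-security-checks
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output.
Version history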
v1.0.0
Initial release for axodus-security-checks.
  • Adds skill to perform structured security reviews focused on secrets exposure, auth/authz weaknesses, injection risks, dependency safety, and unsafe execution paths.
  • Accepts customizable input scopes, threat models, languages, and constraints.
  • Delivers a YAML-formatted, evidence-based findings report with severity and remediation.
  • Includes strict rules for secret handling and escalation on sensitive changes.
  • Intended for use before deployment or after significant security-relevant changes.
Metadata
Slug: axodus-security-checks
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
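Frequently asked questions

What is Code Security Checks?

Perform security reviews of code to detect secrets exposure, auth issues, injection risks, unsafe dependencies, and improper execution paths. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 58 total downloads so far.

How do I install Code Security Checks?

Run the command "/install axodus-security-checks" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Code Security Checks free?

Yes. Code Security Checks is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Code Security Checks support?

Code Security Checks is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Code Security Checks?

It is developed and maintained by Mauricio Z. (@mzfshark); the current version is v1.0.0.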
