
Clawhub Gomboc Security Main V0.2.0

Author: matthewsweeney · GitHub · v1.0.0 · MIT-0
Tags: cross-platform · ⚠ suspicious
Total downloads: 105 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw: /install clawhub-gomboc-security-main-v0-2-0
Description
Automatically scan any codebase for security issues and generate deterministic, merge-ready fixes for continuous remediation via CLI, CI/CD, or agents.
Usage (SKILL.md)

Gomboc Code Remediation Skill

Deterministic, merge-ready code fixes for any codebase.

Gomboc.ai Community Edition automatically scans and fixes code issues across your entire codebase — infrastructure, applications, configurations, and more — using deterministic AI (no hallucinations). This skill wraps Gomboc's power into agent workflows, CLI tools, and CI/CD pipelines, making it the perfect complement to agentic coding.

What It Does

  • Scan any codebase for issues (infrastructure, application code, configs)
  • Generate deterministic, merge-ready pull requests with fixes
  • Remediate continuously via GitHub Actions or interactive CLI/MCP
  • Trust 94%+ fix acceptance rate with zero hallucinations (ORL Engine)
  • Pair with agents — deterministic remediation that works perfectly alongside agentic coding systems

Supported Languages & Frameworks

  • Infrastructure as Code — Terraform, CloudFormation, Kubernetes YAML
  • Configuration Files — JSON, YAML, HCL
  • Security Issues — Across any codebase (IaC, applications, configs)
  • Expanding — More languages and frameworks added regularly

Quick Start

1. Get a Token

# Sign up at https://app.gomboc.ai (free, Community Edition)
# Generate Personal Access Token in Settings
export GOMBOC_PAT="gpt_your_token"

2. Scan Code

python scripts/cli-wrapper.py scan --path ./src

3. Generate Fixes

python scripts/cli-wrapper.py fix --path ./src

4. Apply Fixes (Optional)

python scripts/cli-wrapper.py remediate --path ./src --commit

Key Features

Deterministic AI — Same fix every time, no hallucinations
94%+ Accuracy — Merge-ready fixes users actually accept
Free Forever — Community Edition of Gomboc.ai
Production-Ready — Battle-tested implementation
Secure by Design — No token leaking, proper error handling
Agent-Friendly — Perfect for autonomous code improvement loops

CLI Commands

scan

Detect issues in your codebase

gomboc scan path:./terraform
gomboc scan path:./src policy:aws-cis format:markdown

fix

Generate merge-ready fixes

gomboc fix path:./terraform format:pull_request
gomboc fix path:./src format:json

remediate

Apply fixes directly to code

gomboc remediate path:./src commit:true
gomboc remediate path:./terraform commit:true push:true

config

Manage authentication

gomboc config --show-token

For Agents

This skill is designed as the ideal complement to agentic coding:

  • Deterministic — Reliable, repeatable remediation
  • Trustworthy — 94%+ of fixes are merged as-is
  • Autonomous — Agents can scan, generate, and apply fixes without human intervention
  • Continuous — Perfect for ongoing code improvement loops

Integration Methods

1. MCP Server (Agents)

Run the MCP server for interactive agent integration:

docker-compose -f scripts/docker-compose.yml up
# Server runs on http://localhost:3100

See references/mcp-integration.md for details.

2. CLI Tool (Developers)

Use the Python CLI for local scanning and fixing:

export GOMBOC_PAT="your_token"
python scripts/cli-wrapper.py scan --path ./src

See references/setup.md for detailed instructions.

3. GitHub Actions (CI/CD)

Automate continuous remediation in your CI/CD pipeline:

- uses: gomboc-action@v1
  with:
    path: ./terraform
    auto-fix: true

See references/github-action.md for configuration.

Configuration

All configuration is via environment variables:

Variable        Purpose                  Required  Example
GOMBOC_PAT      Personal Access Token    Yes       gpt_abc123...
GOMBOC_MCP_URL  MCP server URL           No        http://localhost:3100
GOMBOC_POLICY   Remediation policy       No        default or aws-cis

Security & Audit

This skill has been:

  • ✅ Security-audited for token handling
  • ✅ Verified against live Gomboc API
  • ✅ Tested with real vulnerabilities
  • ✅ Confirmed production-ready

See SECURITY.md for complete audit details.
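As an added example (not part of the skill's own scripts), a loader that enforces the configuration table above and the token-handling property the audit bullets claim: GOMBOC_PAT is required, the optional variables get their documented defaults, and the token is masked in anything that might be printed. The gpt_ prefix check and the helper names are assumptions drawn from the Quick Start placeholder, not a documented token format.

```python
import re
from dataclasses import dataclass

# Variable names, defaults and policy values are taken from the skill's configuration table.
PAT_VAR, MCP_URL_VAR, POLICY_VAR = "GOMBOC_PAT", "GOMBOC_MCP_URL", "GOMBOC_POLICY"
DEFAULT_MCP_URL = "http://localhost:3100"
KNOWN_POLICIES = ("default", "aws-cis")
# Assumption: tokens start with "gpt_" as in the Quick Start placeholder; not a documented format.
PAT_PATTERN = re.compile(r"^gpt_[A-Za-z0-9_-]{8,}$")


def mask_token(token: str) -> str:
    """Keep the prefix and last four characters so a token is recognisable but not reusable."""
    if len(token) <= 8:
        return "*" * len(token)
    return f"{token[:4]}{'*' * (len(token) - 8)}{token[-4:]}"


def redact(text: str, token: str) -> str:
    """Scrub the raw token from anything about to be printed (errors, URLs, debug output)."""
    return text.replace(token, mask_token(token)) if token else text


@dataclass(frozen=True)
class GombocConfig:
    pat: str
    mcp_url: str
    policy: str

    def __repr__(self) -> str:
        # repr() is what ends up in tracebacks and agent logs, so it never contains the raw token.
        return (f"GombocConfig(pat={mask_token(self.pat)!r}, "
                f"mcp_url={self.mcp_url!r}, policy={self.policy!r})")


def load_config(env: dict) -> GombocConfig:
    """Validate the environment the way the CLI wrapper is documented to need it."""
    pat = env.get(PAT_VAR, "").strip()
    if not pat:
        raise ValueError(f"{PAT_VAR} is required but not set")
    if not PAT_PATTERN.match(pat):
        raise ValueError(f"{PAT_VAR} does not look like a personal access token: {mask_token(pat)}")
    policy = env.get(POLICY_VAR, "default")
    if policy not in KNOWN_POLICIES:
        raise ValueError(f"{POLICY_VAR} must be one of {KNOWN_POLICIES}, got {policy!r}")
    return GombocConfig(pat=pat, mcp_url=env.get(MCP_URL_VAR, DEFAULT_MCP_URL), policy=policy)


def auth_headers(cfg: GombocConfig) -> dict:
    """Bearer header for the remote API call; the token lives only here, never in a query string."""
    return {"Authorization": f"Bearer {cfg.pat}", "Content-Type": "application/json"}
```

Pass `dict(os.environ)` to `load_config` in real use; the test below feeds a constructed environment instead.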

Support & Documentation

License

MIT License — See LICENSE file


Ready to remediate? Start with the Quick Start section above, then explore integration methods that fit your workflow.

Safe Usage Recommendations

Before installing or giving this skill a token:

  • Verify the GOMBOC_PAT requirement is intentionally missing from the registry metadata and ask the publisher to correct it. Treat the token as sensitive.
  • Understand where 'remediate' commits/pushes happen: the CLI calls applyFixes on the remote API, so ask the vendor how that mutation obtains repo push permissions (does Gomboc need a separate GitHub/GitLab token, or does it operate inside your CI runner?). Do not provide any repository write tokens until you confirm their usage model.
  • Run this skill in a safe, isolated repository first. Use 'scan' and 'fix' (inspect generated fixes) before enabling any auto-remediate or auto-push workflows.
  • Prefer scan-only CI runs or create PRs rather than allowing automatic pushes to protected branches; keep branch protection and mandatory PR review enabled.
  • Inspect the MCP Docker image (gombocai/mcp:latest) and the applyFixes server behavior if you plan to run it locally or on your network; ensure it cannot access secrets or write to workspaces unless you explicitly permit it.
  • If you need higher assurance, request the developer to: (1) declare GOMBOC_PAT in the package manifest, (2) document exactly where applyFixes writes commits and what credentials it uses, and (3) provide reproducible security audit artifacts or a source repository you can review.

Confidence in this assessment is medium because the implementation is coherent with a legitimate remote remediation service, but the metadata omission and unclear commit/push semantics are non-trivial and should be resolved before trusting the skill with production repositories or credentials.
Functional Analysis

Type: OpenClaw Skill
Name: clawhub-gomboc-security-main-v0-2-0
Version: 1.0.0

The Gomboc Code Remediation Skill is a legitimate integration for the Gomboc.ai security platform, providing tools for automated code scanning and remediation. The core logic in `scripts/cli-wrapper.py` and `scripts/verify-setup.sh` interacts with a verified GraphQL API (api.app.gomboc.ai) using standard Python libraries and follows security best practices by handling sensitive tokens via environment variables and masking them in outputs. The documentation, including `SKILL.md` and `SECURITY.md`, accurately describes the tool's capabilities without any evidence of malicious intent, data exfiltration, or prompt injection.
Capability Assessment

Purpose & Capability
The code and SKILL.md align with the stated purpose: a wrapper around a Gomboc GraphQL API to scan code and produce fixes. However, the registry metadata claims 'Required env vars: none' while the documentation and CLI require a sensitive env var (GOMBOC_PAT). That metadata omission is an incoherence that could mislead users or automated approvals.
Instruction Scope
SKILL.md and the CLI instruct the agent to scan, generate, and optionally 'remediate' (commit/push) code. The CLI itself does not run local git operations — remediate calls an API mutation (applyFixes) and prints commit hashes returned from the server. It's unclear where commits/pushes actually happen (server-side using the token, or via the user's environment). The docs instruct running in CI (where runner git credentials exist) and also running an MCP server in Docker with the workspace mounted read-only — these behaviors conflict and should be clarified because they affect where code modifications occur and what credentials are needed.
Install Mechanism
No install spec; code is instruction-only plus small scripts that only use Python stdlib and Docker Compose. No external downloads or archive extraction are present in the package itself, which is low risk for local installation.
Credentials
The skill requires a sensitive bearer token (GOMBOC_PAT) for the API — that is expected for a remote scanning service. But the package metadata declares no required env vars (misleading). Additionally, remediation/auto-push semantics imply write access to repositories somewhere, but no repository credentials or details are requested or documented for where writes occur. This gap (missing declaration + unclear scope of where commit/push happen) is disproportionate and requires clarification.
Persistence & Privilege
The skill is not set to always:true and does not attempt to modify other skills or global agent config. It runs on-demand and is not persistently injected by metadata, which is appropriate.
How to Use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install clawhub-gomboc-security-main-v0-2-0
  3. After installation, call the Skill by name directly or trigger it with /clawhub-gomboc-security-main-v0-2-0
  4. Provide the required inputs according to the Skill's parameter description to get structured output.
Version History
v1.0.0
  • Initial release of the Gomboc Code Remediation Skill.
  • Provides deterministic, merge-ready code fixes for infrastructure, application, and configuration codebases.
  • Features scanning, fix generation, and automated remediation via CLI, MCP server, or GitHub Actions.
  • Supports Terraform, CloudFormation, Kubernetes YAML, JSON, YAML, and HCL files; more languages coming soon.
  • Integrates seamlessly with agentic coding workflows and ensures secure, audited token handling.
  • Includes detailed documentation and setup guides for quick onboarding.
Metadata
Slug: clawhub-gomboc-security-main-v0-2-0
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is Clawhub Gomboc Security Main V0.2.0?

Automatically scan any codebase for security issues and generate deterministic, merge-ready fixes for continuous remediation via CLI, CI/CD, or agents. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 105 downloads to date.

How do I install Clawhub Gomboc Security Main V0.2.0?

Run the command "/install clawhub-gomboc-security-main-v0-2-0" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Clawhub Gomboc Security Main V0.2.0 free?

Yes, Clawhub Gomboc Security Main V0.2.0 is completely free under the MIT-0 license and may be freely downloaded, installed and used.

Which platforms does Clawhub Gomboc Security Main V0.2.0 support?

Clawhub Gomboc Security Main V0.2.0 runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Clawhub Gomboc Security Main V0.2.0?

Developed and maintained by matthewsweeney (@matthewsweeney); current version v1.0.0.