anderskev

Elixir Security Review

Author: Kevin Anderson · GitHub · v1.2.1 · MIT-0
cross-platform ✓ Passed security check
Total downloads: 183
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw:
/install elixir-security-review
Description
Reviews Elixir code for security vulnerabilities including code injection, atom exhaustion, and secret handling. Use when reviewing code handling user input,...
Usage (SKILL.md)

Elixir Security Review

Quick Reference

Issue Type                              Reference
Code.eval_string, binary_to_term        references/code-injection.md
String.to_atom dangers                  references/atom-exhaustion.md
Config, environment variables           references/secrets.md
ETS visibility, process dictionary      references/process-exposure.md

Review Checklist

Critical (Block Merge)

  • No Code.eval_string/1 on user input
  • No :erlang.binary_to_term/1 without :safe on untrusted data
  • No String.to_atom/1 on external input
  • No hardcoded secrets in source code

Major

  • ETS tables use appropriate access controls
  • No sensitive data in process dictionary
  • No dynamic module creation from user input
  • Path traversal prevented in file operations

Configuration

  • Secrets loaded from environment
  • No secrets in config/*.exs committed to git
  • Runtime config used for deployment secrets

Valid Patterns (Do NOT Flag)

  • String.to_atom on compile-time constants - Atoms created at compile time are safe
  • Code.eval_string in dev/test - May be needed for tooling
  • ETS :public tables - Valid when intentionally shared
  • binary_to_term with :safe - Explicitly safe option used

Context-Sensitive Rules

Issue             Flag ONLY IF
String.to_atom    Input comes from an external source (user, API, file)
binary_to_term    Data comes from an untrusted source
ETS :public       Table contains sensitive data
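The critical checklist items and the context-sensitive rules above, shown as the flagged pattern beside the form the "Valid Patterns" section accepts. This is an added example, not part of the skill's own files; the module, function and parameter names and the constructed payload are assumptions.

```elixir
# Added example (not from the skill's reference files). Names are hypothetical.
defmodule ElixirReviewExamples do
  # FLAG (critical): any term can be materialised from an attacker-controlled
  # binary, including atoms that do not yet exist. Atoms are never garbage
  # collected, so repeated requests exhaust the atom table and crash the VM.
  def decode_unsafe(bin) when is_binary(bin), do: :erlang.binary_to_term(bin)

  # OK ("binary_to_term with :safe"): the runtime refuses to create new atoms,
  # funs or external references and raises badarg (ArgumentError) instead.
  def decode_safe(bin) when is_binary(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end

  # FLAG (critical): String.to_atom/1 on a request parameter (conn.params is
  # the concrete ingress) lets every client mint a fresh atom per request.
  def sort_field_unsafe(params), do: String.to_atom(Map.fetch!(params, "sort"))

  # OK ("String.to_atom on compile-time constants"): the external string is
  # only looked up in an allowlist whose atoms were created at compile time,
  # so no atom is ever created from user input at runtime.
  @sort_fields %{"name" => :name, "inserted_at" => :inserted_at}
  def sort_field_safe(params) do
    case Map.fetch(@sort_fields, Map.get(params, "sort", "name")) do
      {:ok, field} -> {:ok, field}
      :error -> {:error, :unknown_sort_field}
    end
  end

  # Constructed payload in Erlang external term format: version byte 131,
  # SMALL_ATOM_UTF8_EXT tag 119, one length byte, then the atom name. The name
  # is kept as a binary so the atom does not exist in this VM beforehand.
  @atom_name "elixir_review_example_unseen_atom"
  @payload <<131, 119, byte_size(@atom_name), @atom_name::binary>>

  # Runs the safe decoder first: once decode_unsafe/1 has run, the atom exists
  # and :safe would no longer reject the same payload.
  def demo do
    safe = decode_safe(@payload)
    unsafe = decode_unsafe(@payload)
    untrusted = %{"sort" => "drop_table"}
    {safe, is_atom(unsafe), sort_field_safe(untrusted), sort_field_safe(%{"sort" => "name"})}
  end
end
```

Calling ElixirReviewExamples.demo/0 in iex shows the safe decoder rejecting the payload while the unsafe one silently creates the atom, and the allowlist rejecting the unknown sort field while accepting "name".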

Hard gates (before reporting)

Complete in order for each finding you intend to report. Do not advance until the pass condition is satisfied.

  1. Location artifact — The finding includes [FILE:LINE] (or a line range) that you copied from the current file contents; the path resolves in this repo.
  2. Scope read — You read the full surrounding function or module section that contains the flagged code, not only a diff hunk or summary.
  3. External-data claim (only if the finding depends on “user/untrusted input”) — You can name one concrete ingress (for example conn.params, Jason.decode!/1 result, uploaded file path, message from another node) or you drop the finding because the value is compile-time, test-only, or internal per Context-Sensitive Rules.
  4. Protocol — Pre-report steps in beagle-elixir:review-verification-protocol (skill) are satisfied for this item (no finding if they are not).

Before Submitting Findings

Use the issue format: [FILE:LINE] ISSUE_TITLE for each finding.

Hard gate 4 requires beagle-elixir:review-verification-protocol (skill); use it as the full pre-report checklist and issue-type verification (it extends beyond this skill’s summary).

Safe-use advice
This is an instruction-only Elixir security checklist that will read repository files and produce location-tagged findings — that behavior is expected for a code-review skill. Before installing, confirm you're comfortable with the agent reading your repo contents during reviews and verify the referenced verification skill (beagle-elixir:review-verification-protocol) if it will be invoked; since no credentials or installs are requested, the main risk is accidental disclosure of secrets found in the repo during reporting, so avoid running it on code containing live secrets or ensure findings are handled appropriately.
Capability analysis
Type: OpenClaw Skill
Name: elixir-security-review
Version: 1.2.1
The skill bundle is a legitimate security review tool for Elixir applications. It contains well-documented reference materials (references/code-injection.md, references/atom-exhaustion.md, etc.) and structured instructions in SKILL.md to guide an AI agent in identifying common vulnerabilities such as atom exhaustion and unsafe deserialization. There is no evidence of malicious intent, data exfiltration, or prompt injection.
Capability tags
crypto · requires-wallet · requires-sensitive-credentials
Capability assessment
Purpose & Capability
Name, description, and included reference documents all match an Elixir security-review checklist; there are no unexpected binaries, environment variables, or install steps requested.
Instruction Scope
The SKILL.md explicitly instructs the agent to read repository files (full surrounding function/module) and to produce location-tagged findings — this is appropriate for a code-review skill. It also requires running a separate verification protocol (beagle-elixir:review-verification-protocol) before reporting; relying on another skill increases the review surface and you should verify that referenced skill's behavior, but this is not inherently incoherent.
Install Mechanism
No install specification or code files are included (instruction-only), so nothing is written to disk or downloaded during install — lowest-risk delivery model.
Credentials
The skill requests no environment variables, secrets, or config paths. Its guidance to inspect code and config files is consistent with a static review and does not demand unrelated credentials.
Persistence & Privilege
Defaults are used (not always:true). The skill does not request permanent presence or elevated privileges. Autonomous invocation is allowed (platform default) but not excessive here.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment).
  2. Enter the install command in the chat box: /install elixir-security-review
  3. Once installed, call the Skill by name or trigger it with /elixir-security-review.
  4. Provide the inputs described in the Skill's parameter notes to get structured output.
Version history
v1.2.1
elixir-security-review v1.2.1
  • Clarified "Before Submitting Findings" section with hard gate requirements and protocol references.
  • Added explicit "Hard gates" checklist to be completed before reporting findings, enforcing stricter verification.
  • Updated instructions to require use of the beagle-elixir:review-verification-protocol for pre-report procedures.
  • No changes to issue list, review checklist, or valid pattern guidance.
v1.2.0
elixir-security-review v1.2.0
  • Expanded documentation with specific review checklists for critical, major, and configuration issues.
  • Added quick reference links for common vulnerabilities: code injection, atom exhaustion, secret exposure, and process exposure.
  • Clarified valid/safe coding patterns that should not be flagged.
  • Introduced context-sensitive rules for when to flag certain patterns.
  • Provided guidelines for reporting findings and verification protocol.
Metadata
Slug: elixir-security-review
Version: 1.2.1
License: MIT-0
Total installs: 1
Current installs: 1
Versions: 2
FAQ

What is Elixir Security Review?

Reviews Elixir code for security vulnerabilities including code injection, atom exhaustion, and secret handling. Use when reviewing code handling user input,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 183 downloads so far.

How do I install Elixir Security Review?

Run the command "/install elixir-security-review" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Elixir Security Review free?

Yes, Elixir Security Review is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.

Which platforms does Elixir Security Review support?

Elixir Security Review is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who develops Elixir Security Review?

Developed and maintained by Kevin Anderson (@anderskev); the current version is v1.2.1.
