← 返回 Skills 市场
🔌
121
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install gomboc-security
功能描述
Automatically scan and deterministically fix security issues in Terraform, CloudFormation, and IaC with merge-ready pull requests and CI/CD integration.
使用说明 (SKILL.md)
Gomboc Code Remediation Skill
Deterministic, merge-ready code fixes for any codebase.
Gomboc.ai Community Edition automatically scans and fixes code issues across your entire codebase — infrastructure, applications, configurations, and more — using deterministic AI (no hallucinations). This skill wraps Gomboc's power into agent workflows, CLI tools, and CI/CD pipelines, making it the perfect complement to agentic coding.
What It Does
- Scan any codebase for issues (infrastructure, application code, configs)
- Generate deterministic, merge-ready pull requests with fixes
- Remediate continuously via GitHub Actions or interactive CLI/MCP
- Trust 94%+ fix acceptance rate with zero hallucinations (ORL Engine)
- Pair with agents — deterministic remediation that works perfectly alongside agentic coding systems
Supported Languages & Frameworks
- Infrastructure as Code — Terraform, CloudFormation, Kubernetes YAML
- Configuration Files — JSON, YAML, HCL
- Security Issues — Across any codebase (IaC, applications, configs)
- Expanding — More languages and frameworks added regularly
Quick Start
1. Get a Token
# Sign up at https://app.gomboc.ai (free, Community Edition)
# Generate Personal Access Token in Settings
export GOMBOC_PAT="gpt_your_token"
2. Scan Code
python scripts/cli-wrapper.py scan --path ./src
3. Generate Fixes
python scripts/cli-wrapper.py fix --path ./src
4. Apply Fixes (Optional)
python scripts/cli-wrapper.py remediate --path ./src --commit
Key Features
✅ Deterministic AI — Same fix every time, no hallucinations ✅ 94%+ Accuracy — Merge-ready fixes users actually accept ✅ Free Forever — Community Edition of Gomboc.ai ✅ Production-Ready — Battle-tested implementation ✅ Secure by Design — No token leaking, proper error handling ✅ Agent-Friendly — Perfect for autonomous code improvement loops
CLI Commands
scan
Detect issues in your codebase
gomboc scan path:./terraform
gomboc scan path:./src policy:aws-cis format:markdown
fix
Generate merge-ready fixes
gomboc fix path:./terraform format:pull_request
gomboc fix path:./src format:json
remediate
Apply fixes directly to code
gomboc remediate path:./src commit:true
gomboc remediate path:./terraform commit:true push:true
config
Manage authentication
gomboc config --show-token
For Agents
This skill is designed as the ideal complement to agentic coding:
- Deterministic — Reliable, repeatable remediation
- Trustworthy — 94%+ of fixes are merged as-is
- Autonomous — Agents can scan, generate, and apply fixes without human intervention
- Continuous — Perfect for ongoing code improvement loops
Integration Methods
1. MCP Server (Agents)
Run the MCP server for interactive agent integration:
docker-compose -f scripts/docker-compose.yml up
# Server runs on http://localhost:3100
See references/mcp-integration.md for details.
2. CLI Tool (Developers)
Use the Python CLI for local scanning and fixing:
export GOMBOC_PAT="your_token"
python scripts/cli-wrapper.py scan --path ./src
See references/setup.md for detailed instructions.
3. GitHub Actions (CI/CD)
Automate continuous remediation in your CI/CD pipeline:
- uses: gomboc-action@v1
with:
path: ./terraform
auto-fix: true
See references/github-action.md for configuration.
Configuration
All configuration is via environment variables:
| Variable | Purpose | Required | Example |
|---|---|---|---|
GOMBOC_PAT |
Personal Access Token | Yes | gpt_abc123... |
GOMBOC_MCP_URL |
MCP server URL | No | http://localhost:3100 |
GOMBOC_POLICY |
Remediation policy | No | default or aws-cis |
Security & Audit
This skill has been:
- ✅ Security-audited for token handling
- ✅ Verified against live Gomboc API
- ✅ Tested with real vulnerabilities
- ✅ Confirmed production-ready
See SECURITY.md for complete audit details.
Support & Documentation
- Setup Guide:
references/setup.md - MCP Integration:
references/mcp-integration.md - GitHub Actions:
references/github-action.md - Security Audit:
SECURITY.md - Changelog:
CHANGELOG.md - GitHub Issues: https://github.com/Gomboc-AI/gomboc-ai-feedback/discussions
License
MIT License — See LICENSE file
Ready to remediate? Start with the Quick Start section above, then explore integration methods that fit your workflow.
安全使用建议
This skill generally does what it says: it uses a Gomboc.ai bearer token (GOMBOC_PAT) to call an API that scans and can generate or apply fixes. Before installing: 1) Fix the metadata mismatch — the top-level registry info claiming "no env vars" is wrong; the skill requires GOMBOC_PAT. 2) Only provide a token with least privilege (create a token scoped narrowly to the repos you want to remediate; avoid a broad org-level deploy token). 3) Treat auto-remediation (remediate --commit/--push and CI steps) as high privilege: enable branch protection/required PR reviews or run in scan-only mode until you’ve audited fixes. 4) Verify the API endpoint and vendor: confirm https://api.app.gomboc.ai and the referenced GitHub repo/homepage exist and are maintained by trusted parties. 5) Run scripts/verify-setup.sh in an isolated environment to confirm behavior and that tokens are not printed. 6) If you allow autonomous agent invocation, monitor actions and restrict the skill’s runtime scope (e.g., limit agent permissions, require human approval for pushes). If you want, provide me the upstream repository URL or the Gomboc docs link so I can check whether the published claims (audit, 94% acceptance rate, security audit) are externally verifiable — that would raise confidence to high.
功能分析
Type: OpenClaw Skill
Name: gomboc-security
Version: 0.2.0
The Gomboc Code Remediation Skill is a legitimate integration for the Gomboc.ai security platform, designed to scan and fix infrastructure and application code. The bundle includes a Python CLI wrapper (scripts/cli-wrapper.py) and a bash verification script (scripts/verify-setup.sh) that interact with the official Gomboc GraphQL API (api.app.gomboc.ai) using a Personal Access Token. The code follows security best practices, such as masking sensitive tokens in output, using read-only Docker mounts for the MCP server, and avoiding dangerous functions like eval or shell execution. The documentation (SKILL.md, SECURITY.md) clearly defines the tool's purpose and provides a transparent audit of its security posture.
能力评估
Purpose & Capability
The skill claims deterministic remediation for IaC and the included CLI and MCP instructions call a Gomboc GraphQL API with a bearer token — that capability aligns with the stated purpose. However, the registry header at the top of the submission says "Required env vars: none / Primary credential: none" while .clawhub.yml, SKILL.md, and the scripts require GOMBOC_PAT. This metadata mismatch is an incoherence that should be fixed.
Instruction Scope
SKILL.md instructs agents to run local CLI, start an MCP server (docker-compose), and wire GitHub Actions. The runtime scripts only operate on a user-specified path and call the external API; they do not attempt to read arbitrary system files. However, the remediate command and GitHub Actions examples describe auto-commit and push behavior (server-side apply/push or CI runs that call remediate with commit/push), which grants the skill the ability to modify repositories if given credentials — that is expected for a remediation tool but must be considered a privileged capability.
Install Mechanism
No installer downloads or external package installs are present; this is an instruction + script bundle relying on Python and optional Docker. No remote arbitrary code downloads or URL-shortened installs were found.
Credentials
The only sensitive credential used is a single bearer token (GOMBOC_PAT) which is appropriate for an API-based remediation service. But the package metadata in the top summary incorrectly lists no required env vars whereas .clawhub.yml and the SKILL.md require GOMBOC_PAT. That inconsistency can mislead users. Also, because the token may be used in CI (GitHub Actions) or MCP server contexts to perform commits/pushes, users should ensure the token has least privilege (e.g., limited repo scope) and is stored as a secret.
Persistence & Privilege
always:false (no forced presence). Model invocation is allowed (default), so agents can autonomously call this skill. Autonomy plus the ability to request remediation/commit operations increases blast radius if misused — a legitimate design choice for remediation tools but something to monitor (use branch protections, require PR reviews). The skill does not attempt to modify other skills or global agent config.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install gomboc-security - 安装完成后,直接呼叫该 Skill 的名称或使用
/gomboc-security触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.0
- Major documentation update with simplified, streamlined instructions and integration paths.
- Added new files: .clawhub.yml, CHANGELOG.md, LICENSE, and a code example (examples/vulnerable.tf).
- Removed deprecated/renamed files: .clayhub.yml, LICENSE.md, and obsolete example.
- Updated "Quick Start", features, and CLI command documentation for clarity and ease of use.
- Enhanced description of agent and CI/CD integration, configuration, and security practices.
v0.1.1
Version 0.1.1 (gomboc-security)
- Refactored project structure: added 4 files (.clayhub.yml, LICENSE, SECURITY.md, examples/vulnerable.tf); removed 8 old and test-related files.
- Updated documentation to broaden from "security remediation" to "code remediation" for any codebase, not just infrastructure.
- Simplified and streamlined docs, improving quickstart and integration instructions.
- Expanded integration options: CLI, GitHub Actions, and agent workflows now highlighted equally.
- Updated support, troubleshooting, and references to cover more general use cases and improve clarity.
v0.1.0
Gomboc Security Remediation Skill v1.0.0
- Initial release of the Gomboc skill for deterministic security fixes on infrastructure code.
- Supports scanning and automatic remediation for Terraform, CloudFormation, Kubernetes YAML, and general IaC files.
- Integrates with CI/CD (GitHub Actions), local CLI, and agent workflows via MCP server.
- Provides merge-ready pull requests for detected issues, with a >94% fix acceptance rate.
- Includes setup guides, example workflows, and configuration via `.gomboc.yml` file.
- Free community edition available for individuals and small teams.
元数据
常见问题
Deterministic security fixes for infrastructure code via Gomboc.ai Community Edition 是什么?
Automatically scan and deterministically fix security issues in Terraform, CloudFormation, and IaC with merge-ready pull requests and CI/CD integration. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 121 次。
如何安装 Deterministic security fixes for infrastructure code via Gomboc.ai Community Edition?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install gomboc-security」即可一键安装,无需额外配置。
Deterministic security fixes for infrastructure code via Gomboc.ai Community Edition 是免费的吗?
是的,Deterministic security fixes for infrastructure code via Gomboc.ai Community Edition 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Deterministic security fixes for infrastructure code via Gomboc.ai Community Edition 支持哪些平台?
Deterministic security fixes for infrastructure code via Gomboc.ai Community Edition 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Deterministic security fixes for infrastructure code via Gomboc.ai Community Edition?
由 Gomboc AI(@gomboc-ai)开发并维护,当前版本 v0.2.0。
推荐 Skills