
Muguozi1 Openclaw Security Auditor

Author muguozi1 · GitHub · v1.0.0 · MIT-0
cross-platform ✓ passed security check
233 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install muguozi1-openclaw-security-auditor
Description
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secret...
Usage notes (SKILL.md)

Security Auditor

Comprehensive security audit and secure coding specialist. Adapted from buildwithclaude by Dave Poon (MIT).

Role Definition

You are a senior application security engineer specializing in secure coding practices, vulnerability detection, and OWASP compliance. You conduct thorough security reviews and provide actionable fixes.

Audit Process

  1. Conduct comprehensive security audit of code and architecture
  2. Identify vulnerabilities using OWASP Top 10 framework
  3. Design secure authentication and authorization flows
  4. Implement input validation and encryption mechanisms
  5. Create security tests and monitoring strategies

Core Principles

  • Apply defense in depth with multiple security layers
  • Follow principle of least privilege for all access controls
  • Never trust user input — validate everything rigorously
  • Design systems to fail securely without information leakage
  • Conduct regular dependency scanning and updates
  • Focus on practical fixes over theoretical security risks

OWASP Top 10 Checklist

1. Broken Access Control (A01:2021)

// ❌ BAD: No authorization check
app.delete('/api/posts/:id', async (req, res) => {
  await db.post.delete({ where: { id: req.params.id } })
  res.json({ success: true })
})

// ✅ GOOD: Verify ownership
app.delete('/api/posts/:id', authenticate, async (req, res) => {
  const post = await db.post.findUnique({ where: { id: req.params.id } })
  if (!post) return res.status(404).json({ error: 'Not found' })
  if (post.authorId !== req.user.id && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden' })
  }
  await db.post.delete({ where: { id: req.params.id } })
  res.json({ success: true })
})

Checks:

  • Every endpoint verifies authentication
  • Every data access verifies authorization (ownership or role)
  • CORS configured with specific origins (not * in production)
  • Directory listing disabled
  • Rate limiting on sensitive endpoints
  • JWT tokens validated on every request

2. Cryptographic Failures (A02:2021)

// ❌ BAD: Storing plaintext passwords
await db.user.create({ data: { password: req.body.password } })

// ✅ GOOD: Bcrypt with sufficient rounds
import bcrypt from 'bcryptjs'
const hashedPassword = await bcrypt.hash(req.body.password, 12)
await db.user.create({ data: { password: hashedPassword } })

Checks:

  • Passwords hashed with bcrypt (12+ rounds) or argon2; bcrypt silently ignores input beyond 72 bytes, so either limit passwords to 72 bytes or pre-hash longer inputs before bcrypt
  • Sensitive data encrypted at rest with an authenticated mode (AES-256-GCM), not unauthenticated CBC or ECB
  • TLS/HTTPS enforced for all connections
  • No secrets in source code or logs
  • API keys rotated regularly
  • Sensitive fields excluded from API responses

3. Injection (A03:2021)

// ❌ BAD: SQL injection vulnerable
const query = `SELECT * FROM users WHERE email = '${email}'`

// ✅ GOOD: Parameterized queries
const user = await db.query('SELECT * FROM users WHERE email = $1', [email])

// ✅ GOOD: ORM with parameterized input
const user = await prisma.user.findUnique({ where: { email } })

// ❌ BAD: Command injection, the interpolated value is parsed by a shell
import { exec } from 'child_process'
exec(`ls ${userInput}`, callback)

// ✅ GOOD: execFile with an argument array spawns the binary without a shell,
// so shell metacharacters in the value are inert. Validate the value against an
// allowlist first and pass `--` ahead of it so a value beginning with '-' cannot
// be interpreted as an option (argument injection)
import { execFile } from 'child_process'
execFile('ls', ['--', sanitizedPath], callback)

Checks:

  • All database queries use parameterized statements or ORM
  • No string concatenation in queries
  • OS command execution uses argument arrays (execFile/spawn without a shell), not shell strings; values are allowlisted and passed after `--` so they cannot be read as options
  • LDAP, XPath, and NoSQL injection prevented
  • User input never used in eval(), Function(), or template literals for code
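The checklist names NoSQL injection but the page shows no code for it, so here is an added example (not from the skill) of MongoDB-style operator injection and the guard for it. `findOne`, the evaluator and the `users` array are a constructed stand-in for a real `collection.findOne(filter)` call; the filter objects are exactly what a driver would receive.

```javascript
// Added example (not from the skill): MongoDB-style operator injection.
// `findOne` and the `users` array are a constructed stand-in for a real
// collection.findOne(filter) call; the filter objects are what a driver would receive.

// Constructed sample data
const users = [
  { email: 'alice@example.com', role: 'admin' },
  { email: 'bob@example.com', role: 'user' },
]

// Minimal filter evaluator: an object in a filter value is an operator
// expression, which is exactly the behaviour the attack relies on.
function matches(docValue, filterValue) {
  if (filterValue !== null && typeof filterValue === 'object') {
    if ('$eq' in filterValue) return docValue === filterValue.$eq
    if ('$gt' in filterValue) return docValue > filterValue.$gt
    if ('$ne' in filterValue) return docValue !== filterValue.$ne
    return false
  }
  return docValue === filterValue
}

function findOne(filter) {
  return users.find((u) => Object.entries(filter).every(([k, v]) => matches(u[k], v))) ?? null
}

// ❌ BAD: req.body.email goes straight into the filter. With a JSON body of
// {"email": {"$gt": ""}} the value is an object, not a string, and the
// "does this email exist" lookup matches the first user in the collection.
function findUserByEmailUnsafe(bodyEmail) {
  return findOne({ email: bodyEmail })
}

// ✅ GOOD: refuse anything that is not a bounded string before it reaches the
// query, and wrap it in $eq so the comparison can never become an operator.
function findUserByEmailSafe(bodyEmail) {
  if (typeof bodyEmail !== 'string' || bodyEmail.length > 255) {
    throw new TypeError('email must be a string')
  }
  return findOne({ email: { $eq: bodyEmail } })
}

// Inputs as they arrive from JSON.parse(req.body): a string for a normal login,
// an object for the injection attempt (both constructed)
const normalInput = 'bob@example.com'
const injectedInput = { $gt: '' }
```

The same type check belongs in front of every field taken from a JSON body; a Zod schema with `z.string()` (see Input Validation Patterns below) does it declaratively.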

4. Cross-Site Scripting (XSS) (A07:2021)

// ❌ BAD: dangerouslySetInnerHTML with user input
<div dangerouslySetInnerHTML={{ __html: userComment }} />

// ✅ GOOD: Sanitize HTML
import DOMPurify from 'isomorphic-dompurify'
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userComment) }} />

// ✅ BEST: Render as text (React auto-escapes)
<div>{userComment}</div>

Checks:

  • React auto-escaping relied upon (avoid dangerouslySetInnerHTML)
  • If HTML rendering needed, sanitize with DOMPurify
  • CSP headers configured (see below)
  • HttpOnly cookies for session tokens
  • URL parameters validated before rendering
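React's auto-escaping covers text and attribute values, but a user-controlled `href` or `src` is still an XSS vector because `javascript:` URLs are not HTML and are not escaped away. The added example below (my code, not the skill's) validates the scheme of a URL before it is rendered, as the last check in the list asks; it relies only on the global WHATWG `URL` parser, and the `placeholder.invalid` base is an assumption used solely so relative links parse.

```javascript
// Added example: allow-list the URL scheme before a user-supplied string
// becomes an href/src. The WHATWG URL parser (global URL in Node and browsers)
// lower-cases the scheme and strips the leading whitespace and embedded
// tab/newline characters that XSS payloads use to disguise "javascript:".

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:'])

// Returns the original string when its resolved scheme is allowed, otherwise null.
// The base URL is a placeholder used only so relative links ("/posts/1") parse;
// it never appears in the returned value.
function safeHref(raw) {
  if (typeof raw !== 'string') return null
  let parsed
  try {
    parsed = new URL(raw, 'https://placeholder.invalid')
  } catch {
    return null // unparsable input is not worth rendering as a link
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? raw : null
}

// Render helper: fall back to a harmless fragment link rather than dropping the
// element, so the markup stays consistent while the payload is neutralised.
// Usage in JSX: <a href={hrefAttribute(comment.website)}>
function hrefAttribute(raw) {
  return safeHref(raw) ?? '#'
}
```

Parsing with `URL` instead of a regex is the point: a check such as `!raw.startsWith('javascript:')` misses the upper-case, tab-split and leading-whitespace variants the parser normalises.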

5. Security Misconfiguration (A05:2021)

Checks:

  • Default credentials changed
  • Error messages don't leak stack traces in production
  • Unnecessary HTTP methods disabled
  • Security headers configured (see below)
  • Debug mode disabled in production
  • Dependencies up to date (npm audit)

Security Headers

// next.config.js
const securityHeaders = [
  { key: 'X-DNS-Prefetch-Control', value: 'on' },
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'X-Frame-Options', value: 'DENY' },  // kept consistent with frame-ancestors 'none' below; browsers that support CSP ignore this header when frame-ancestors is set
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  {
    key: 'Content-Security-Policy',
    value: [
      "default-src 'self'",
      // 'unsafe-inline' and 'unsafe-eval' let injected inline scripts and eval() run,
      // which defeats CSP as an XSS mitigation; use per-request nonces or hashes in production
      "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data: https:",
      "font-src 'self'",
      "connect-src 'self' https://api.example.com",
      "frame-ancestors 'none'",
      "base-uri 'self'",
      "form-action 'self'",
    ].join('; '),
  },
]

module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }]
  },
}

Input Validation Patterns

Zod Validation for API/Actions

import { z } from 'zod'

const userSchema = z.object({
  email: z.string().email().max(255),
  password: z.string().min(8).max(128),
  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s'-]+$/),
  age: z.number().int().min(13).max(150).optional(),
})

// Server Action
export async function createUser(formData: FormData) {
  'use server'
  const parsed = userSchema.safeParse({
    email: formData.get('email'),
    password: formData.get('password'),
    name: formData.get('name'),
  })

  if (!parsed.success) {
    return { error: parsed.error.flatten() }
  }

  // Safe to use parsed.data
}

File Upload Validation

const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/webp']
const MAX_SIZE = 5 * 1024 * 1024 // 5MB

export async function uploadFile(formData: FormData) {
  'use server'
  const file = formData.get('file') as File

  if (!file || file.size === 0) return { error: 'No file' }
  if (!ALLOWED_TYPES.includes(file.type)) return { error: 'Invalid file type' }
  if (file.size > MAX_SIZE) return { error: 'File too large' }

  // Read and validate magic bytes, not just extension
  const bytes = new Uint8Array(await file.arrayBuffer())
  if (!validateMagicBytes(bytes, file.type)) return { error: 'File content mismatch' }
}
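The handler above calls `validateMagicBytes`, which the page never defines. The added example below is one implementation (my code, not the skill's) for the three allowed types; the sample byte arrays are constructed headers, not real files.

```javascript
// Added example: content-sniffing check for the upload handler above. The
// declared MIME type and the file name are client-controlled; the first bytes
// of the content are compared against the signature of the claimed type.

// Each entry is { offset, bytes } and every entry must match. WebP is a RIFF
// container: "RIFF" at offset 0, a 4-byte length, then "WEBP" at offset 8.
const SIGNATURES = {
  'image/jpeg': [{ offset: 0, bytes: [0xff, 0xd8, 0xff] }],
  'image/png': [{ offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }],
  'image/webp': [
    { offset: 0, bytes: [0x52, 0x49, 0x46, 0x46] }, // "RIFF"
    { offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] }, // "WEBP"
  ],
}

// True only when the bytes carry the signature of the declared type.
// Unknown types are never valid: this is an allow-list, not a deny-list.
function validateMagicBytes(bytes, declaredType) {
  const signature = SIGNATURES[declaredType]
  if (!signature) return false
  return signature.every(({ offset, bytes: expected }) =>
    bytes.length >= offset + expected.length &&
    expected.every((b, i) => bytes[offset + i] === b))
}

// Detect the real type from content, independent of what the client claimed.
function sniffImageType(bytes) {
  return Object.keys(SIGNATURES).find((t) => validateMagicBytes(bytes, t)) ?? null
}

// Constructed sample headers (first bytes only, not complete images)
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13, 0x49, 0x48, 0x44, 0x52])
const SAMPLE_JPEG = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0, 0x10, 0x4a, 0x46, 0x49, 0x46, 0])
const SAMPLE_WEBP = new Uint8Array([0x52, 0x49, 0x46, 0x46, 0x24, 0, 0, 0, 0x57, 0x45, 0x42, 0x50, 0x56, 0x50, 0x38, 0x20])
const SAMPLE_WAV = new Uint8Array([0x52, 0x49, 0x46, 0x46, 0x24, 0, 0, 0, 0x57, 0x41, 0x56, 0x45]) // RIFF but "WAVE"
const SAMPLE_HTML = new TextEncoder().encode('<script>alert(1)</script>')
```

A matching signature is necessary, not sufficient: a valid JPEG can still carry a polyglot payload in its metadata. For images the robust follow-up is to re-encode server-side and store only the output, and to keep scriptable formats such as SVG out of `ALLOWED_TYPES`, as the handler above does.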

Authentication Security

JWT Best Practices

import { SignJWT, jwtVerify } from 'jose'

const secret = new TextEncoder().encode(process.env.JWT_SECRET) // min 256-bit

export async function createToken(payload: { userId: string; role: string }) {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'HS256' })
    .setIssuedAt()
    .setExpirationTime('15m')  // Short-lived access tokens
    .setAudience('your-app')
    .setIssuer('your-app')
    .sign(secret)
}

export async function verifyToken(token: string) {
  try {
    const { payload } = await jwtVerify(token, secret, {
      algorithms: ['HS256'],  // pin the algorithm so the token's own header cannot change how it is verified
      audience: 'your-app',
      issuer: 'your-app',
    })
    return payload
  } catch {
    return null  // expired, bad signature, wrong aud/iss: treat all alike and never distinguish them in responses
  }
}

Cookie Security

cookies().set('session', token, {
  httpOnly: true,     // Not readable from JavaScript, so XSS cannot read it out
  secure: true,       // Sent over HTTPS only
  sameSite: 'lax',    // Blocks cross-site POSTs; still sent on top-level GET navigations, so never change state on GET
  maxAge: 60 * 60 * 24 * 7,  // Bounds the cookie, not the token: a 15-minute JWT inside it still expires on its own
  path: '/',
})

Rate Limiting

import { Ratelimit } from '@upstash/ratelimit'
import { Redis } from '@upstash/redis'

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(10, '10 s'),
})

// In middleware or route handler. X-Forwarded-For is writable by the client:
// key on the entry your own proxy appended (the rightmost one when a single
// trusted proxy is in front), never on the raw header, or an attacker chooses
// their own bucket. The localhost placeholder only applies when no proxy sets the header.
const xff = request.headers.get('x-forwarded-for')
const ip = xff ? xff.split(',').at(-1).trim() : '127.0.0.1'
const { success, remaining } = await ratelimit.limit(ip)
if (!success) {
  return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
}

Environment & Secrets

// ❌ BAD
const API_KEY = 'sk-1234567890abcdef'

// ✅ GOOD
const API_KEY = process.env.API_KEY
if (!API_KEY) throw new Error('API_KEY not configured')

Rules:

  • Never commit .env files (only .env.example with placeholder values)
  • Use different secrets per environment
  • Rotate secrets regularly
  • Use a secrets manager (Vault, AWS SSM, Doppler) for production
  • Never log secrets or include them in error responses

Dependency Security

# Regular audit
npm audit
npm audit fix

# Check for known vulnerabilities
npx better-npm-audit audit

# Keep dependencies updated
npx npm-check-updates -u

Security Audit Report Format

When conducting a review, output findings as:

## Security Audit Report

### Critical (Must Fix)
1. **[A03:Injection]** SQL injection in `/api/search` — user input concatenated into query
   - File: `app/api/search/route.ts:15`
   - Fix: Use parameterized query
   - Risk: Full database compromise

### High (Should Fix)
1. **[A01:Access Control]** Missing auth check on DELETE endpoint
   - File: `app/api/posts/[id]/route.ts:42`
   - Fix: Add authentication middleware and ownership check

### Medium (Recommended)
1. **[A05:Misconfiguration]** Missing security headers
   - Fix: Add CSP, HSTS, X-Frame-Options headers

### Low (Consider)
1. **[A06:Vulnerable Components]** 3 packages with known vulnerabilities
   - Run: `npm audit fix`

Protected File Patterns

These files should be reviewed carefully before any modification:

  • .env* — environment secrets
  • auth.ts / auth.config.ts — authentication configuration
  • middleware.ts — route protection logic
  • **/api/auth/** — auth endpoints
  • prisma/schema.prisma — database schema (permissions, RLS)
  • next.config.* — security headers, redirects
  • package.json / package-lock.json — dependency changes

🚀 30-second quick start

# Basic usage
# TODO: add concrete command examples

📋 When to use

Use this skill when:

  1. Scenario 1
  2. Scenario 2
  3. Scenario 3

🔧 Configuration

Required configuration

# Environment variables or configuration file

Optional configuration

# Optional parameters

💡 Practical scenarios

Scenario 1: basic usage

# Example command

Scenario 2: advanced usage

# Example command

🧪 Tests

# Run the tests
python3 scripts/test.py

⚠️ Troubleshooting

Common issues

Problem: describe the problem

Solution:

# Resolution steps

📚 Design principles

This skill follows Karpathy's minimalist design philosophy:

  1. Single responsibility: do one thing and do it well
  2. Clear and readable: the code is the documentation
  3. Quick to pick up: understand the usage in 30 seconds
  4. Minimal dependencies: depend only on the libraries you need
  5. Education first: detailed comments and examples

Last updated: 2026-03-16 | Follows Karpathy design principles


🏷️ Quality badges

Badge / Description
Quality score: 90+/100 ⭐⭐⭐⭐⭐
Optimization status: ✅ optimized (2026-03-16)
Design principles: Karpathy minimalism
Test coverage: ✅ automated tests
Example code: ✅ complete examples
Documentation: ✅ SKILL.md + README.md

Note: this skill was optimized in the batch optimization of 2026-03-16 and follows Karpathy design principles.

Safe-use recommendations
This skill appears internally consistent for performing code security reviews: it contains a comprehensive SKILL.md checklist and only benign example/test scripts, and it asks for no credentials or installs. Before installing, verify the author's identity and source (metadata cites OpenClaw Team but the package homepage/source is effectively unknown here). Remember that the skill will operate on any code or snippets you provide to the agent — do not submit sensitive secrets or production credentials for review. If you need higher assurance, ask the publisher for a canonical repository URL or inspect the full SKILL.md and files yourself; because provenance is unclear, exercise caution with sensitive data even though the skill itself shows no immediate red flags.
Functional analysis
Type: OpenClaw Skill Name: muguozi1-openclaw-security-auditor Version: 1.0.0 The skill bundle is a legitimate security auditing tool designed to guide an AI agent through code reviews and OWASP Top 10 compliance checks. It contains high-quality educational content, secure coding examples (e.g., parameterized queries in SKILL.md), and structured reporting templates. The included Python scripts (scripts/examples.py and scripts/test.py) are harmless boilerplate placeholders, and no indicators of data exfiltration, malicious execution, or prompt injection were found.
Capability assessment
Purpose & Capability
The name/description (security auditor, OWASP, auth, XSS, SQLi, etc.) matches the SKILL.md guidance and included example/test files. The skill requires no binaries, no env vars, and contains only documentation and benign example/test scripts — all proportional to a code-audit helper.
Instruction Scope
SKILL.md is an instruction-only document describing audit checklists, secure code examples, and remediation guidance. It does not instruct the agent to read unrelated system files, send data to external endpoints, or access secrets. Note: as a reviewer skill it implicitly expects access to the code you provide for review — that is expected behavior.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or written to disk by the skill itself. This is the lowest-risk install model.
Credentials
The skill declares no required environment variables, credentials, or config paths and the SKILL.md does not reference hidden secrets or unrelated service tokens. The lack of requested credentials is proportionate to the documented purpose.
Persistence & Privilege
always:false and no install actions that modify agent/system configuration. The skill is user-invocable and can be autonomously invoked by the agent (disable-model-invocation:false), which is platform default and expected for skills.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install muguozi1-openclaw-security-auditor
  3. After installation, call the skill by name or trigger it with /muguozi1-openclaw-security-auditor
  4. Provide the inputs described in the skill's parameter notes to get structured output
Version history
v1.0.0
Initial release — a comprehensive security code review skill focused on OWASP Top 10 and secure coding. - Provides actionable code examples and checklists for common security vulnerabilities (access control, cryptography, injection, XSS, misconfiguration). - Outlines principles such as input validation, dependency scanning, and defense in depth. - Includes templates for security headers, input/file validation, and JWT authentication best practices. - Aims to help developers identify, audit, and fix security issues across authentication flows, code reviews, and configuration.
Metadata
Slug muguozi1-openclaw-security-auditor
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Versions 1
FAQ

What is Muguozi1 Openclaw Security Auditor?

Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secret... It is an AI agent skill plugin for Claude Code / OpenClaw, downloaded 233 times to date.

How do I install Muguozi1 Openclaw Security Auditor?

Run the command /install muguozi1-openclaw-security-auditor in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Muguozi1 Openclaw Security Auditor free?

Yes. Muguozi1 Openclaw Security Auditor is completely free under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Muguozi1 Openclaw Security Auditor support?

Muguozi1 Openclaw Security Auditor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Muguozi1 Openclaw Security Auditor?

Developed and maintained by muguozi1 (@muguozi1); current version v1.0.0.
