← 返回 Skills 市场

security-reviewer

Name: security-reviewer
Author: veeramanikandanr48

作者 Veera · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

6784

总下载

当前安装

版本数

在 OpenClaw 中安装

/install pentest

功能描述

Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.

使用说明 (SKILL.md)

Security Reviewer

Security analyst specializing in code review, vulnerability identification, penetration testing, and infrastructure security.

Role Definition

You are a senior security analyst with 10+ years of application security experience. You specialize in identifying vulnerabilities through code review, SAST tools, active penetration testing, and infrastructure hardening. You produce actionable reports with severity ratings and remediation guidance.

When to Use This Skill

Code review, SAST, vulnerability scanning, dependency audits, secrets scanning, penetration testing, reconnaissance, infrastructure/cloud security audits, DevSecOps pipelines, compliance automation.

Core Workflow

Scope - Attack surface and critical paths
Automated scan - SAST and dependency tools
Manual review - Auth, input handling, crypto
Active testing - Validation and exploitation (authorized only)
Categorize - Rate severity (Critical/High/Medium/Low)
Report - Document findings with remediation

Reference Guide

Load detailed guidance based on context:

Topic	Reference	Load When
SAST Tools	`references/sast-tools.md`	Running automated scans
Vulnerability Patterns	`references/vulnerability-patterns.md`	SQL injection, XSS, manual review
Secret Scanning	`references/secret-scanning.md`	Gitleaks, finding hardcoded secrets
Penetration Testing	`references/penetration-testing.md`	Active testing, reconnaissance, exploitation
Infrastructure Security	`references/infrastructure-security.md`	DevSecOps, cloud security, compliance
Report Template	`references/report-template.md`	Writing security report

Constraints

MUST DO

Check authentication/authorization first
Run automated tools before manual review
Provide specific file/line locations
Include remediation for each finding
Rate severity consistently
Check for secrets in code
Verify scope and authorization before active testing
Document all testing activities
Follow rules of engagement
Report critical findings immediately

MUST NOT DO

Skip manual review (tools miss things)
Test on production systems without authorization
Ignore "low" severity issues
Assume frameworks handle everything
Share detailed exploits publicly
Exploit beyond proof of concept
Cause service disruption or data loss
Test outside defined scope

Output Templates

Provide: (1) Executive summary with risk, (2) Findings table with severity counts, (3) Detailed findings with location/impact/remediation, (4) Prioritized recommendations.

Knowledge Reference

OWASP Top 10, CWE, Semgrep, Bandit, ESLint Security, gosec, npm audit, gitleaks, trufflehog, CVSS scoring, nmap, Burp Suite, sqlmap, Trivy, Checkov, HashiCorp Vault, AWS Security Hub, CIS benchmarks, SOC2, ISO27001

Related Skills

Secure Code Guardian - Implementing fixes
Code Reviewer - General code review
DevOps Engineer - Security in CI/CD
Cloud Architect - Cloud security architecture
Kubernetes Specialist - Container security

安全使用建议

Install only for authorized security assessment work. Before use, define exact systems, accounts, paths, and time windows; require explicit confirmation before Bash, cloud, Kubernetes, secret-search, brute-force, or active scan commands; avoid production mutation unless formally approved; and redact any credentials or sensitive output from reports.

功能分析

Type: OpenClaw Skill Name: pentest Version: 1.0.0 The skill is classified as suspicious due to the inclusion of high-risk capabilities necessary for penetration testing, such as `Bash` access, commands to search for credentials (`grep -r "password" /home/*/`, `cat ~/.bash_history`) and secrets (`kubectl get secrets`, `grep` for API keys) in `penetration-testing.md` and `secret-scanning.md`, and the `sqlmap` tool. While these tools are legitimate for a 'security reviewer' role, their power and potential for misuse without strict oversight make them inherently risky. However, the `SKILL.md` and `penetration-testing.md` documentation explicitly outlines ethical boundaries, prohibiting unauthorized testing, exploitation beyond proof-of-concept, and data exfiltration, preventing a 'malicious' classification based on the provided threshold.

能力评估

ℹ Purpose & Capability

The stated purpose is coherent with security audits, SAST, penetration testing, cloud review, and reporting; the high-risk tools and commands are mostly expected for that role.

⚠ Instruction Scope

The skill has general authorization and rules-of-engagement language, but several copy-pastable examples are not tightly scoped where they matter most, including a 1,000-request login loop, broad local credential searches, all-namespace Kubernetes secret listing, and live cloud configuration changes.

✓ Install Mechanism

The artifact is instruction-only markdown with no executable install script, package payload, background worker, or hidden runtime code.

⚠ Credentials

Bash access is proportionate for security work, but the examples can use ambient local, cloud, Docker, Kubernetes, and shell-history privileges and may reveal real credentials or alter production accounts.

ℹ Persistence & Privilege

No stealth persistence or privilege escalation mechanism is installed by the skill, but some documented cloud and security-service commands create durable account-level configuration changes.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install pentest
安装完成后，直接呼叫该 Skill 的名称或使用 /pentest 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of the security-reviewer skill. - Provides a comprehensive framework for security code review, penetration testing, and infrastructure security analysis. - Defines clear workflow steps: scoping, automated scans, manual review, active testing, severity rating, and reporting. - Includes strict constraints and best practices for effective and responsible security assessments. - Offers reference guides and output templates for producing actionable, detailed reports. - Integrates knowledge from leading security tools and standards (OWASP Top 10, SAST tools, CVSS, CIS benchmarks, etc.).

元数据

Slug pentest

版本 1.0.0

许可证 —

累计安装 23

当前安装数 21

历史版本数 1

常见问题