anshumanbh

SecureVibes Scanner

Author: Anshuman Bhartiya · GitHub · v0.5.3
cross-platform ✓ Security check passed
Total downloads: 710
Favorites: 0
Current installs: 0
Versions: 8
Install in OpenClaw:
/install securevibes-scanner
Description
Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for sec...
Safe-usage recommendations
This skill appears to be what it says: a wrapper around a third-party 'securevibes' CLI that runs scans (using Anthropic/Claude). Before installing or scheduling it, do the following:
  1. Review the full ops/incremental_scan.py source (the provided listing was truncated in places) to confirm there are no unexpected network calls or obfuscated logic.
  2. Inspect and vet the 'securevibes' CLI (pipx/PyPI package), because that binary performs the actual scanning and will likely send code to Anthropic; verify its privacy/data-retention policy.
  3. Only point scans at repositories you own or are allowed to test; scanning will read repository contents and may transmit code to Anthropic.
  4. Prefer running an initial full scan manually to validate behavior and outputs before enabling cron/automation.
  5. Keep ANTHROPIC credentials under your control (use service accounts or scoped keys where possible) and understand whether OAuth or API keys are used in your environment.
If you want higher assurance, run the securevibes CLI in an isolated environment and inspect network traffic to confirm where scan data is sent.
Functional analysis
Type: OpenClaw Skill
Name: securevibes-scanner
Version: 0.5.3
The OpenClaw skill 'securevibes-scanner' is benign. The `SKILL.md` explicitly addresses prompt injection risks, advising against unsanitized user input and stating that the `scripts/scan.sh` wrapper validates paths. The `scripts/scan.sh` file implements robust input validation using a regex to reject shell metacharacters from the `PROJECT_PATH` argument, effectively preventing shell injection. The `ops/incremental_scan.py` script uses `subprocess.run` with argument lists, which is the secure method for executing external commands in Python. There is no evidence of data exfiltration, unauthorized persistence, or other malicious intent; all actions align with its stated purpose as an AI-powered security scanner.
Capability assessment
Purpose & Capability
Name/description claim an AI-based security scanner that uses Claude/Anthropic and supports full and incremental scans. The bundled wrapper scripts and an incremental scanner are exactly what you'd expect for that functionality. The skill does not request unrelated system credentials or binaries beyond git and the 'securevibes' CLI, which are appropriate for scanning and git-based incremental checks.
Instruction Scope
SKILL.md instructs running local scans, scheduling cron jobs, using the scripts/scan.sh wrapper, and having the incremental scanner update and read state files under the target repo's .securevibes/ directory — all consistent with the stated function. It also instructs the agent/subagent to 'cd' into the repo and run git pull, which is normal for incremental scanning but gives the skill access to repository contents (including any sensitive files in the repo). The SKILL.md references ANTHROPIC_API_KEY (optional) and OAuth; these are expected because analysis uses Claude. Overall scope stays within scanning behavior, but users should note that scans will cause code to be processed (and, via the securevibes CLI, likely sent to Anthropic) so do not point it at repos you cannot disclose.
Install Mechanism
No install spec in the registry bundle — the skill is instruction+scripts which call an external 'securevibes' CLI. The README recommends pipx install securevibes (a reasonable distribution method) and the scripts check for the binary. There are no remote downloads or archives embedded in the install spec, which reduces installer risk. The only external software required is the third-party 'securevibes' package, which should be reviewed separately.
Credentials
The registry metadata declares no required env vars, and the skill itself does not demand unrelated credentials. SKILL.md and scripts reference ANTHROPIC_API_KEY (optional) or OAuth for Anthropic/Claude access — proportionate because the scanner uses Claude. Users should be aware that leaving ANTHROPIC_API_KEY unset will rely on OAuth sessions, which in some environments may or may not exist; the securevibes CLI and Anthropic access are the only external auth surfaces mentioned.
Persistence & Privilege
always:false and normal autonomous invocation. The skill writes state and logs into the target repository under .securevibes/ (expected for incremental scans). It does not request persistent, cross-skill privileges or modify other skills' configuration. Cron scheduling is suggested but not enforced by the registry metadata.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install securevibes-scanner
  3. After installation, call the Skill by name directly or trigger it with /securevibes-scanner.
  4. Provide the required inputs according to the Skill's parameter description to receive structured output.
Version history
v0.5.3
Fix: add minimum version check to scan.sh to catch stale shims from dual pip installs. Update install instructions to recommend pipx/uv tool instead of pip.
v0.5.2
ANTHROPIC_API_KEY no longer required for Max/Pro subscribers. Claude Agent SDK picks up OAuth automatically. scan.sh now warns instead of hard-failing when key is unset.
v0.5.1
Updated auth docs — ANTHROPIC_API_KEY is no longer required for Anthropic Max/Pro subscribers. The Claude Agent SDK picks up OAuth automatically. Updated scan.sh wrapper to warn instead of hard-fail when key is unset.
v0.5.0
**Adds incremental scanning and continuous monitoring support.**
- Added `ops/incremental_scan.py` and `ops/incremental_scan.sh` for incremental security scans.
- Now supports continuous security monitoring via cron: scan only new commits since last run.
- Updated documentation to include incremental scan setup, usage, and operational details.
- No breaking changes to full (one-shot) scan workflow.
v0.4.0
Declare ANTHROPIC_API_KEY in frontmatter env. Add dependencies block with pip package provenance. Add author/links to metadata. Remove agent-specific memory paths. Improved wrapper script.
v0.3.0
Security hardening: scan.sh wrapper validates paths (rejects shell metacharacters, resolves via realpath, verifies directory exists). SKILL.md uses concrete path examples instead of template variables. Added Security Notes section.
v0.2.0
Updated execution model: 45-min timeout, full cron payload template with weekly diffing, results storage docs, fixed rate limit install issue
v0.1.0
Initial release — AI-powered security scanner wrapping securevibes pip package. Runs assessment, threat modeling, code review, and report generation.
Metadata
Slug: securevibes-scanner
Version: 0.5.3
License:
Cumulative installs: 0
Current installs: 0
Versions: 8
FAQ

What is SecureVibes Scanner?

Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for sec... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 710 cumulative downloads so far.

How do I install SecureVibes Scanner?

Run the command "/install securevibes-scanner" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is SecureVibes Scanner free?

Yes, SecureVibes Scanner is completely free (open source and free of charge); you can download, install and use it freely.

Which platforms does SecureVibes Scanner support?

SecureVibes Scanner is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed SecureVibes Scanner?

Developed and maintained by Anshuman Bhartiya (@anshumanbh); the current version is v0.5.3.
