Security Review
Author: Solomon Neas · GitHub · v1.0.0 · MIT-0
Total downloads: 225 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw: /install sn-security-review
Description
Review code changes for security vulnerabilities. Checks for OWASP Top 10, secrets exposure, injection flaws, auth issues, and insecure defaults. Use when re...
Usage Instructions (SKILL.md)
Security Code Review
Review code changes for security vulnerabilities, following OWASP Top 10 and secure coding best practices.
What to Check
Injection (SQL, Command, LDAP, XSS)
- User input used in queries without parameterization
- Template literals in SQL strings
- `eval()`, `exec()`, `os.system()` with user input
- Unescaped output in HTML templates
Authentication & Session
- Hardcoded credentials or API keys
- Weak password requirements
- Missing rate limiting on auth endpoints
- Session fixation or missing regeneration
- JWT without expiration or with weak signing
Authorization
- Missing access control checks on endpoints
- IDOR (direct object reference without ownership check)
- Role checks that can be bypassed
- Privilege escalation paths
Secrets & Data Exposure
- API keys, tokens, passwords in code or configs
- Sensitive data in logs
- PII without encryption
- .env files or secrets committed to git
Configuration
- Debug mode enabled in production
- CORS set to wildcard (*)
- Missing security headers
- Default credentials unchanged
- Verbose error messages exposing internals
Output Format
For each finding:
**FINDING:** [Title]
**Severity:** CRITICAL | HIGH | MEDIUM | LOW
**File:** [path:line]
**Code:** [the problematic code]
**Issue:** [what's wrong]
**Fix:** [how to fix it, with code example]
**OWASP:** [category reference]
Rules
- Focus on HIGH and CRITICAL findings first
- Provide working fix code, not just descriptions
- If no security issues found, say so clearly
- Note any areas that need manual review (business logic, auth flows)
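As an added illustration (not part of the skill bundle or the author's code), the checklist and output format above as a small rule-based pre-check in Python: it scans constructed diff lines for a few of the listed patterns (interpolated SQL, eval on request data, hardcoded keys, CORS wildcard), orders findings CRITICAL/HIGH first, and renders them in the FINDING block format. The sample lines, the regexes and the Flask-style `CORS(...)` call are assumptions made for the example.

```python
import re

# Constructed sample diff lines (path, line, added source) standing in for a PR
# under review; nothing here comes from a real project.
SAMPLE_CHANGES = [
    ("app/db.py", 12, 'cur.execute(f"SELECT * FROM users WHERE id = {user_id}")'),
    ("app/db.py", 20, 'cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))'),
    ("app/util.py", 7, "result = eval(request.args['expr'])"),
    ("app/settings.py", 3, 'API_KEY = "sk_live_constructedexample1234567890"'),
    ("app/cors.py", 4, "CORS(app, origins='*')"),
]
# One rule per checklist item covered: (title, severity, regex, issue, fix, OWASP).
RULES = [
    ("SQL built from an f-string or template literal", "HIGH",
     r'(execute|query)\(\s*(f["\'][^"\']*\{|`[^`]*\$\{)',
     "User input is interpolated into the SQL text.",
     'cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))', "A03:2021 Injection"),
    ("Dynamic code execution on request data", "CRITICAL",
     r'\b(eval|exec|os\.system)\(.*\b(request|input|argv|params)\b',
     "Request-controlled data reaches eval/exec/os.system.",
     "Use ast.literal_eval or an explicit allow-list of operations.", "A03:2021 Injection"),
    ("Hardcoded credential", "HIGH",
     r'(?i)\b(api_key|secret|token|password)\w*\s*=\s*["\'][^"\']{8,}["\']',
     "A secret is committed in source; treat it as leaked and rotate it.",
     'API_KEY = os.environ["API_KEY"]', "A07:2021 Identification and Authentication Failures"),
    ("CORS wildcard origin", "MEDIUM", r'(?i)(cors|allow[_-]origin).*["\']\*["\']',
     "Any origin may read authenticated responses.",
     "CORS(app, origins=['https://app.example.com'])", "A05:2021 Security Misconfiguration"),
]
ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def review(changes):
    """Return one finding dict per matched rule, most severe first (stable order otherwise)."""
    found = []
    for path, lineno, src in changes:
        for title, sev, pat, issue, fix, owasp in RULES:
            if re.search(pat, src):
                found.append({"title": title, "severity": sev, "file": f"{path}:{lineno}",
                              "code": src.strip(), "issue": issue, "fix": fix, "owasp": owasp})
    return sorted(found, key=lambda f: ORDER[f["severity"]])

def render(findings):
    """Emit the SKILL.md finding block; state clearly when nothing was found."""
    if not findings:
        return "No security issues found in the reviewed changes."
    return "\n\n".join(
        f"**FINDING:** {f['title']}\n**Severity:** {f['severity']}\n**File:** {f['file']}\n"
        f"**Code:** {f['code']}\n**Issue:** {f['issue']}\n**Fix:** {f['fix']}\n**OWASP:** {f['owasp']}"
        for f in findings)
```

Pattern matching like this only triages the mechanical checklist items; the business-logic and auth-flow items in the Rules section still need a human reviewer, as the skill itself notes.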
Safe Usage Recommendations
This skill is coherent and lightweight, but keep these practical points in mind before using it with real projects: (1) It will analyze whatever code you give it — do not supply secrets or private tokens in plain text. If findings include secrets, treat those as sensitive and rotate credentials as needed. (2) The skill produces suggested fixes and code examples but cannot safely apply changes; always review and test suggestions before merging. (3) If you plan to let the agent run autonomously on private repos, restrict its access and monitor outputs (the skill could surface sensitive snippets from code). (4) This checklist doesn't replace manual review of business-logic issues; note any areas requiring human assessment. If you want stronger guarantees, require the skill only be run interactively and avoid granting repository credentials or automated access to production systems.
Feature Analysis
Type: OpenClaw Skill
Name: sn-security-review
Version: 1.0.0
The skill bundle contains standard instructions for an AI agent to perform security code reviews based on OWASP Top 10 principles. The SKILL.md file provides a structured framework for identifying vulnerabilities such as injection, credential exposure, and authorization flaws without any evidence of malicious intent, data exfiltration, or prompt injection attacks.
Capability Assessment
Purpose & Capability
The name/description describe a security code review and the SKILL.md contains checks and output format consistent with that purpose. There are no unrelated required binaries, env vars, or config paths.
Instruction Scope
Runtime instructions focus on reviewing code for OWASP Top 10, secrets, injections, auth/authorization, and configuration issues. The document does not instruct the agent to read unrelated system files, access environment variables, or transmit data to external endpoints. It does not give broad, open-ended permissions beyond reviewing provided code diffs/PRs.
Install Mechanism
There is no install spec and no shipped code — the skill is instruction-only, so nothing will be written to disk or downloaded during install.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for a checklist-style review tool.
Persistence & Privilege
The `always` flag is false and the skill is user-invocable; it does not request permanent or system-wide privileges or modifications to other skills.
How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install sn-security-review
- After installation, call the Skill by name directly or trigger it with /sn-security-review
- Provide the required input according to the Skill's parameter description to receive structured output
Version History
v1.0.0
Initial publish. Security-focused code review for PRs: OWASP Top 10, secrets, injection, auth, configuration issues.
FAQ
What is Security Review?
Review code changes for security vulnerabilities. Checks for OWASP Top 10, secrets exposure, injection flaws, auth issues, and insecure defaults. Use when re... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 225 cumulative downloads so far.
How do I install Security Review?
Run the command "/install sn-security-review" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Security Review free?
Yes, Security Review is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.
Which platforms does Security Review support?
Security Review runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Security Review?
Developed and maintained by Solomon Neas (@solomonneas); current version v1.0.0.