har1sh-k

xfire Security PR Review

Author: Harish Kolla · GitHub · v0.1.2
cross-platform ⚠ suspicious
Total downloads: 357
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install xfire-security-review
Description
Multi-agent adversarial security review — 3 AI agents debate every finding, only real vulnerabilities survive
Safe usage recommendations
Before installing or running this skill:
  1) Be comfortable providing multiple LLM API keys and a GitHub token — if you only want one agent, confirm whether non-used keys can be omitted.
  2) Use least-privilege credentials: restrict the GitHub token scope (e.g., repo:status/read or read-only) unless you intend to allow posting comments.
  3) Verify the 'xfire' package on PyPI and its GitHub repo (review code, releases, and maintainers) before pip installing.
  4) Run initial scans with dry-run and --debug in an isolated environment (or CI runner) and inspect any files written to XFIRE_CONFIG_PATH/XFIRE_AUTH_PATH.
  5) If you need higher assurance, ask the publisher to make installing optional or to support running with a single provider key and to document exact token scopes and where auth is stored.
These steps reduce risk from installation and credential exposure.
Functional analysis
Type: OpenClaw Skill
Name: xfire-security-review
Version: 0.1.2
The skill bundle describes the usage of 'xfire', a multi-agent adversarial security review tool. The `skill.md` file, which serves as instructions for an AI agent, clearly defines when and how to invoke the `xfire` CLI tool with various arguments. While the `xfire` tool itself requires broad permissions (e.g., GitHub token, multiple AI API keys, access to codebases) and interacts with external services, these capabilities are explicitly stated and necessary for its legitimate purpose of performing security reviews. There is no evidence of prompt injection against the OpenClaw agent, intentional harmful behavior, unauthorized data exfiltration, or instructions to perform actions beyond the stated purpose of using the `xfire` tool for security analysis.
Capability assessment
Purpose & Capability
The skill claims to run adversarial reviews across Claude, Codex, and Gemini and to analyze GitHub PRs — requesting Anthropic, OpenAI, Google API keys and a GitHub token is coherent with that stated purpose. The XFIRE_* env vars for config/cache/auth are consistent with a CLI tool that persists state.
Instruction Scope
SKILL.md instructs use of a CLI ('xfire analyze-pr', 'xfire init', 'xfire auth login') and to read repository contents, create debug traces, and optionally post GitHub comments — these are within the expected scope. However, the skill metadata declares no required binaries and provides no automated install spec while the instructions assume you can 'pip install xfire' or have an 'xfire' CLI available; that mismatch is an operational/incoherence concern (agent/runtime must have that CLI or the user must install it).
Install Mechanism
There is no install spec in the skill bundle (instruction-only), which limits automated risk. The README/skill instructs users to 'pip install xfire' — installing a third-party package from PyPI is a normal step but has moderate risk and should be verified (check PyPI package name, version, and upstream repo). Because installation is user-driven and not performed automatically by the skill, the surface for silent remote code execution from the skill bundle itself is low.
Credentials
The skill requires multiple high-sensitivity credentials: ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, and GITHUB_TOKEN. Requiring all three LLM provider keys as mandatory is potentially excessive — a user might want to run only one or two agents. XFIRE_CONFIG_PATH/XFIRE_AUTH_PATH/XFIRE_CACHE_DIR are plausible for a CLI, but XFIRE_AUTH_PATH may contain long-lived credentials. The demand for full sets of provider keys and a GitHub token should be justified or made optional; also consider least-privilege scopes (e.g., read-only GitHub token if posting comments isn't needed).
Persistence & Privilege
The skill is not set to always:true and does not declare modifications to other skills or system-wide settings. Runtime instructions include writing debug traces and cache/config files under XFIRE paths or the repo (expected for a CLI tool). No unusual persistence or privilege escalation is requested by the skill metadata or SKILL.md.
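How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install xfire-security-review
  3. Once installed, call the Skill by name or trigger it with /xfire-security-review
  4. Provide the required input according to the Skill's parameter documentation to get structured output
Version history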
v0.1.2
Initial release — OpenClaw skill file with full command reference, config docs, and CI/CD examples for the xfire multi-agent adversarial security review tool.
Metadata
Slug xfire-security-review
Version 0.1.2
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

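What is xfire Security PR Review?

Multi-agent adversarial security review — 3 AI agents debate every finding, only real vulnerabilities survive. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 357 total downloads to date.

How do I install xfire Security PR Review?

Run the command "/install xfire-security-review" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is xfire Security PR Review free?

Yes, xfire Security PR Review is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does xfire Security PR Review support?

xfire Security PR Review is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed xfire Security PR Review?

Developed and maintained by Harish Kolla (@har1sh-k); the current version is v0.1.2.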
