skill-security-auditor
Security audit and vulnerability scanner for AI agent skills before installation. Use when: (1) evaluating a skill from an untrusted source, (2) auditing a skill directory or git repo URL for malicious code, (3) pre-install security gate for Claude Code plugins, OpenClaw skills, or Codex skills, (4) scanning Python scripts for dangerous patterns like os.system, eval, subprocess, network exfiltration, (5) detecting prompt injection in SKILL.md files, (6) checking dependency supply chain risks, (7) verifying file system access stays within skill boundaries. Triggers: "audit this skill", "is this skill safe", "scan skill for security", "check skill before install", "skill security check", "skill vulnerability scan".
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/alirezarezvani/cs-skill-security-auditor
What This Skill Does
The skill-security-auditor is an essential diagnostic utility for the OpenClaw ecosystem, designed to act as a robust gatekeeper before any third-party AI skill is integrated into your environment. It performs a deep static analysis of incoming skills, targeting common attack vectors that malicious actors might use to compromise an agent. By scanning source code for dangerous execution patterns—such as shell injection, unauthorized credential exfiltration, and unsafe deserialization—it provides users with a comprehensive security verdict. Beyond code, it inspects documentation files like SKILL.md for prompt injection techniques that aim to bypass agent safety protocols. This tool is fundamental for developers and power users who prioritize security in their AI-driven workflows.
Installation
To integrate this security auditor into your local development environment, use the OpenClaw package manager:
clawhub install openclaw/skills/skills/alirezarezvani/cs-skill-security-auditor
Once installed, the command-line interface allows you to scan local directories or remote Git repositories directly. For automated pipelines, utilize the --json flag to integrate security reports into your existing CI/CD dashboard.
Use Cases
This skill is designed for scenarios where trust needs to be established programmatically. Use it to audit skills sourced from public directories, verify git-based pull requests, or enforce a strict security policy within corporate agent deployments. It is specifically intended for pre-installation checks, ensuring that no skill with "CRITICAL" severity vulnerabilities reaches your active memory space.
Example Prompts
- "OpenClaw, audit this skill: https://github.com/unknown-dev/experimental-tool-v1. Please run a full vulnerability scan and report back."
- "I found a new skill locally in ./plugins/web-scraper. Can you run a security check and let me know if it contains any dangerous system calls?"
- "Is this skill safe to install? Scan the repository at https://github.com/user/test-skill and alert me if it attempts to access my .aws folder."
Tips & Limitations
For maximum protection, always use the --strict flag when auditing skills from unverified sources, as this elevates all potential warnings to failure events. Remember that static analysis has limitations; it is highly effective at identifying known patterns like os.system or eval(), but it cannot predict sophisticated zero-day logical exploits or subtle obfuscation techniques. Always review the final report manually if the tool flags suspicious behavior in code you do not fully trust.
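The pattern matching and strict-mode behaviour described above can be sketched as follows. This is an added example, not the skill's own code: the rule set, the WARNING label, and the function names `scan` and `verdict` are assumptions. Known dangerous calls are reported as CRITICAL, while dynamic lookups that a static scan cannot resolve are reported as WARNING so that strict mode fails them for manual review.

```python
import ast
# Constructed sample of a skill script; it is parsed, never executed.
SAMPLE = '''
import os
import subprocess as sp
from os import system as run
run("echo hi")
sp.Popen(["ls"])
eval(user_input)
getattr(os, name)("echo hi")
'''

# Assumed rule set for this sketch; the real tool's rules are not on the page.
DANGEROUS = {"os.system", "os.popen", "subprocess.Popen", "subprocess.run",
             "subprocess.call", "eval", "exec"}
DYNAMIC = {"getattr", "__import__"}  # targets a static scan cannot resolve

def scan(source):
    """Return [(line, severity, name)] for risky calls in Python source."""
    tree = ast.parse(source)
    alias = {}  # local name -> fully qualified name, built from imports
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                alias[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                alias[a.asname or a.name] = f"{node.module}.{a.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func, parts = node.func, []
        while isinstance(func, ast.Attribute):  # unwind a.b.c into parts
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            continue  # e.g. the outer call of getattr(...)(...)
        name = ".".join([alias.get(func.id, func.id)] + parts[::-1])
        if name in DANGEROUS:
            findings.append((node.lineno, "CRITICAL", name))
        elif name in DYNAMIC:
            findings.append((node.lineno, "WARNING", name))
    return sorted(findings)

def verdict(findings, strict=False):
    """FAIL on any CRITICAL; in strict mode a WARNING also fails."""
    failing = {"CRITICAL", "WARNING"} if strict else {"CRITICAL"}
    return "FAIL" if any(sev in failing for _, sev, _ in findings) else "PASS"
```

Import aliases are resolved, so `run(...)` is still reported as `os.system`. The `getattr` call is reported only as unresolved, which is the case the manual review step exists for.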
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-alirezarezvani-cs-skill-security-auditor": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags(AI)
Flags: file-read, code-execution