alon-github-security-audit
USE WHEN user wants to audit a GitHub repository or local directory for malicious code, backdoors, suspicious behavior, or supply-chain risk before trusting or installing it. Performs a static-first security review, adds source and permission preflight for agent and automation repos, and writes a structured report to a local audit directory.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/alondotsh/alon-github-security-audit
GitHub Security Audit Skill
Perform a comprehensive security audit of a GitHub repository or a local code directory without executing the target project by default.
This skill is CIK-aware for agent and automation repositories:
- Capability: executable scripts, install chains, CI steps, and tool definitions
- Identity: agent rules, trust anchors, approval rules, and operator-profile files
- Knowledge: persistent memory, learned preferences, and long-lived factual state
Workflow
Step 1: Determine the Audit Target
Interpret the user input:
- If the user provides a GitHub URL, clone the repository into a temporary directory.
- If the user says "current directory", "local", or does not provide a URL, audit the current working directory.
Case A: GitHub URL
cd <skill-root> && \
python3 tools/clone_repo.py "<user-provided-github-url>"
The helper returns the cloned temporary directory path, typically in the form /tmp/github_audit_<repo>_<id>.
Important:
- Download only the latest code.
- Do not install dependencies.
Case B: Local Directory
Use the current working directory (pwd) as the audit target.
Important:
- Do not clone anything.
- Do not run cleanup for local user code.
- Treat the report source as a local path instead of a GitHub URL.
Step 1.5: Determine the Audit Mode
Default to offline static audit mode:
- no network access
- no dependency installation
- no execution of target repository code
Default scope is limited to:
- the cloned GitHub repository copy, or
- the user-specified current working directory
Unless the user explicitly expands scope, do not proactively read unrelated home-directory paths such as ~/.ssh, browser profile data, or similar personal locations.
Default Mode: Offline Static Audit
- suitable for all projects
- reads source code, configs, scripts, static assets, and dependency manifests
- runs by default without extra confirmation
Optional Mode: Online Vulnerability Intelligence
Prompt the user only after all of the following are true:
- the offline static audit is complete
- the project clearly contains dependency manifests such as package.json, package-lock.json, or npm-shrinkwrap.json
- the user wants a more complete dependency-vulnerability conclusion, or the offline audit found dependency risk that needs confirmation
Recommended prompt:
This project includes Node.js dependency manifests. I can continue with online dependency vulnerability intelligence (for example, lockfile-based vulnerability checks), which will access external vulnerability databases. Do you want me to continue?
Do not ask this at the beginning unless the user explicitly requests a full audit that includes dependency vulnerability scanning.
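Steps 1 and 1.5 above, sketched as an added example (this is not the skill's own tools/clone_repo.py, whose contents this page does not show). The function names, the URL pattern, the audit_id parameter and the git clone flags are assumptions chosen for illustration; the plan is computed without touching the network or running target code.

```python
import re
from pathlib import Path

# Assumption: only plain https://github.com/<owner>/<repo> URLs are accepted.
GITHUB_URL = re.compile(
    r"https://github\.com/([A-Za-z0-9][A-Za-z0-9-]*)/([A-Za-z0-9._-]+?)(?:\.git)?/?")
NODE_MANIFESTS = ("package.json", "package-lock.json", "npm-shrinkwrap.json")


def plan_audit(user_input, cwd, tmp_dir, audit_id):
    """Step 1: decide the audit target. Returns a plan; clones nothing itself."""
    text = user_input.strip()
    if "://" not in text and "github.com" not in text:
        # Case B: audit in place. No clone, no cleanup of the user's code,
        # and the report source is a local path.
        return {"source": str(cwd), "target": str(cwd),
                "clone_argv": None, "cleanup": False}
    m = GITHUB_URL.fullmatch(text)
    if not m or m.group(2) in (".", ".."):
        raise ValueError(f"not a plain GitHub repository URL: {text!r}")
    owner, repo = m.groups()
    # Rebuild the URL from validated parts instead of passing raw input on.
    url = f"https://github.com/{owner}/{repo}.git"
    target = str(Path(tmp_dir) / f"github_audit_{repo}_{audit_id}")
    # Case A: --depth 1 fetches only the latest code; "--" ends option
    # parsing so nothing after it can be read as a git flag.
    argv = ["git", "clone", "--depth", "1", "--no-tags", "--", url, target]
    return {"source": text, "target": target,
            "clone_argv": argv, "cleanup": True}


def may_offer_online_scan(target, offline_done, user_wants_full, dep_risk_found):
    """Step 1.5 gate: prompt for online intelligence only when all hold."""
    has_manifest = any((Path(target) / n).is_file() for n in NODE_MANIFESTS)
    return bool(offline_done and has_manifest
                and (user_wants_full or dep_risk_found))
```

The caller runs clone_argv as an argument list (no shell) only in Case A, and deletes the target afterwards only when cleanup is True.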
Step 2: Source and Permission Preflight
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-alondotsh-alon-github-security-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}