elixir-security-review
Reviews Elixir code for security vulnerabilities including code injection, atom exhaustion, and secret handling. Use when reviewing code handling user input, external data, or sensitive configuration.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/anderskev/elixir-security-review
What This Skill Does
The elixir-security-review skill is a specialized security auditor designed for the OpenClaw AI agent to perform deep inspections of Elixir and Phoenix application code. It specifically targets common foot-guns in the Erlang VM ecosystem, such as atom exhaustion, dangerous code execution, and improper secret management. By acting as a static analysis layer, it helps developers prevent critical security regressions before they are merged into the codebase. The skill uses a structured checklist to ensure consistency and follows the rigorous review-verification-protocol, ensuring that false positives are minimized and potential vulnerabilities are validated against the context of the running application.
Installation
To integrate this security auditor into your environment, run the following command in your terminal:
clawhub install openclaw/skills/skills/anderskev/elixir-security-review
This will link the module to your agent, enabling the security review context for your repository analysis sessions.
Use Cases
This skill is ideal for:
- Pull Request Reviews: Automating the check for dangerous functions like String.to_atom when processing API requests.
- Security Auditing: Scanning configuration files to ensure that secrets are not committed to source control and are instead loaded via runtime environment variables.
- Legacy Code Cleanup: Identifying unsafe use of :erlang.binary_to_term that could lead to remote code execution (RCE) via serialized malicious input.
- Performance Safety: Reviewing ETS table access settings to ensure sensitive data is not exposed to the entire VM.
Example Prompts
- "Perform a security audit on lib/my_app_web/controllers/upload_controller.ex focusing on input sanitization and potential atom exhaustion."
- "Review the current repository for any hardcoded secrets and verify that the config/runtime.exs is configured to use environment variables for database credentials."
- "Analyze the use of binary_to_term in our message parsing module. Is the current implementation safe given that it processes untrusted user data?"
Tips & Limitations
To maximize the effectiveness of this skill, ensure you provide the agent with the relevant context of the codebase. The skill is context-aware; it will not flag String.to_atom if it detects that the input is a compile-time constant or a hardcoded string. However, it is a static analysis tool and cannot predict runtime behavior perfectly. Always follow the review-verification-protocol before declaring a finding as a critical bug. When dealing with complex macro-generated code, you may need to provide additional details about how the modules are being compiled or invoked to assist the agent in its reasoning.
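The three patterns the checklist flags (atom exhaustion, unsafe term deserialization, over-exposed ETS tables), each shown in the form the skill would flag next to a hardened form. This is an added example, not code from the skill or the OpenClaw project; the module name, the status allow-list and the {:msg, id, body} message shape are assumptions made for illustration.

```elixir
defmodule MyApp.UntrustedInput do
  # Added example (not from the skill); module name and shapes are hypothetical.

  ## 1. Atom exhaustion

  # Flagged: every distinct request value mints a new atom. Atoms are never
  # garbage collected, so unbounded distinct input eventually crashes the VM
  # (the default atom table limit is 1,048,576 entries).
  def to_status_unsafe(param) when is_binary(param), do: String.to_atom(param)

  # Hardened: map input onto a fixed allow-list; unknown input is rejected
  # rather than converted, so no request can grow the atom table.
  @statuses ~w(pending active archived)a
  def to_status(param) when is_binary(param) do
    case Enum.find(@statuses, &(Atom.to_string(&1) == param)) do
      nil -> {:error, :invalid_status}
      status -> {:ok, status}
    end
  end

  ## 2. Deserialising external terms

  # Flagged: plain binary_to_term creates arbitrary atoms (exhaustion again)
  # and decodes funs and external references that later code may invoke.
  def decode_unsafe(bin) when is_binary(bin), do: :erlang.binary_to_term(bin)

  # Hardened: [:safe] makes decoding fail (badarg) when the term would create
  # new atoms or external function references, and the result is matched
  # against the one shape we expect before anything else touches it.
  def decode_message(bin) when is_binary(bin) do
    case :erlang.binary_to_term(bin, [:safe]) do
      {:msg, id, body} when is_integer(id) and is_binary(body) ->
        {:ok, %{id: id, body: body}}

      _other ->
        {:error, :unexpected_shape}
    end
  rescue
    ArgumentError -> {:error, :malformed_term}
  end

  ## 3. ETS visibility

  # Flagged: a :public table lets any process in the VM read and write it.
  def sessions_unsafe, do: :ets.new(:sessions, [:named_table, :public, :set])

  # Hardened: :private restricts access to the owning process
  # (:protected would allow reads, but writes only by the owner).
  def sessions, do: :ets.new(:sessions, [:named_table, :private, :set])
end
```

In a review, decode_message still deserves a second look: [:safe] does not reject funs whose module is already loaded, which is why the shape check follows the decode rather than replacing it.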
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-anderskev-elixir-security-review": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Flags: file-read