Official Verified

securevibes-scanner

Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for security issues, run incremental security scans, or set up continuous security monitoring via cron. Supports full scans (one-shot) and incremental scans (cron-driven, only new commits).

Install via CLI (Recommended)

  clawhub install openclaw/skills/skills/anshumanbh/securevibes-scanner

SecureVibes Scanner

AI-native security platform that detects vulnerabilities using Claude AI. Multi-subagent pipeline: assessment → threat modeling → code review → report generation → optional DAST. Supports incremental scanning for continuous monitoring.

Prerequisites

  1. Install the CLI: pipx install securevibes (preferred) or uv tool install securevibes. Avoid pip install — it can create stale shims if you have multiple Python environments.
  2. Authenticate with Anthropic (one of):
    • Max/Pro subscription (recommended): If you're authenticated via Claude Code or Claude CLI OAuth, no API key is needed. The Claude Agent SDK picks up your OAuth session automatically. When running inside OpenClaw, leave ANTHROPIC_API_KEY unset or blank — the SDK handles auth.
    • API key: export ANTHROPIC_API_KEY=your-key-here (from console.anthropic.com)

Security Notes

  • Always use the scripts/scan.sh wrapper for full scans — it validates paths and rejects shell metacharacters before invoking securevibes.
  • Never interpolate unsanitized user input into shell commands.
  • The wrapper uses realpath to resolve paths safely and rejects any path containing ;, |, &, $, backticks, or other metacharacters.
  • Scan targets must be local directories. Clone remote repos to a known safe location first, then pass the resolved path to the wrapper.
  • DAST scans make network requests to the --target-url you provide. Only use against apps you own or have permission to test.

Execution Model

Full scans take 10-30 minutes across 4 phases. Run them as background jobs (cron or subagent), not inline.

Incremental scans take 2-10 minutes — they only scan commits since the last run.

Full Scan (One-Shot)

Running a Scan

  1. Clone the target repo to a local directory
  2. Run the wrapper script: bash scripts/scan.sh /path/to/repo --force --debug
  3. Results appear in /path/to/repo/.securevibes/

Background Execution (Recommended)

For OpenClaw users, schedule scans as cron jobs:

  • Use sessionTarget: "isolated" with payload.kind: "agentTurn"
  • Set payload.timeoutSeconds: 2700 (45 minutes) to allow all phases to complete
  • Use delivery.mode: "announce" to get notified when done

The agentTurn message should instruct the subagent to:

  1. cd into the repo and git pull to fetch the latest code
  2. Remove the previous run's .securevibes/ artifacts
  3. Run the full scan (securevibes scan . --force) through the wrapper script, not by invoking securevibes directly
  4. Read and summarize the results from .securevibes/scan_report.md
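The wrapper behaviour described under Security Notes (resolve the path with realpath, reject metacharacters, never interpolate user input) and the background-scan steps just listed (pull, clean artifacts, scan, read the report) as one added shell example. This is illustrative code written for this page, not the skill's own scripts/scan.sh or ops files. It assumes the securevibes CLI is on PATH with the scan subcommand and the --force/--debug flags the page shows, and that the report is written to .securevibes/scan_report.md as stated. Where the page describes a denylist of metacharacters, this version uses an allowlist of path characters, which rejects the same characters plus anything not enumerated.

```shell
#!/usr/bin/env bash
# Added example of a hardened scan wrapper (not the skill's scripts/scan.sh).
# Assumptions: `securevibes scan <dir> --force --debug` is the CLI shape (from the
# page) and the report lands in <dir>/.securevibes/scan_report.md (from the page).

# validate_scan_target RAW_PATH
# Prints the canonical path of an existing local directory, or fails.
# Allowlist instead of denylist: anything that is not a letter, digit, '.', '_',
# '/' or '-' is rejected, which covers ; | & $ ` ( ) < > quotes, whitespace and
# newlines without having to enumerate them.
validate_scan_target() {
    local raw=$1 resolved
    [ -n "$raw" ] || { echo "reject: empty path" >&2; return 1; }
    case $raw in
        -*) echo "reject: path looks like an option: $raw" >&2; return 1 ;;
        *[!A-Za-z0-9._/-]*) echo "reject: disallowed character in path" >&2; return 1 ;;
    esac
    # realpath follows symlinks and strips ../ segments; -- stops option parsing.
    resolved=$(realpath -- "$raw" 2>/dev/null) || { echo "reject: cannot resolve $raw" >&2; return 1; }
    [ -d "$resolved" ] || { echo "reject: not a directory: $resolved" >&2; return 1; }
    printf '%s\n' "$resolved"
}

# allowed_flag FLAG: only the two flags the page documents are forwarded.
allowed_flag() {
    case $1 in
        --force|--debug) return 0 ;;
        *) return 1 ;;
    esac
}

# clean_artifacts DIR: remove a previous run's .securevibes/ output.
# DIR must already have passed validate_scan_target; the path is quoted, never eval'd.
clean_artifacts() {
    local dir=$1
    [ -d "$dir" ] || return 1
    rm -rf -- "$dir/.securevibes"
}

# run_full_scan RAW_PATH [--force] [--debug]
# The agentTurn steps: validate, pull latest, clean artifacts, scan, print report.
run_full_scan() {
    local target report f
    target=$(validate_scan_target "$1") || return 1
    shift
    for f in "$@"; do
        allowed_flag "$f" || { echo "reject: unsupported flag: $f" >&2; return 1; }
    done
    # Refresh the checkout only when the target is a git working tree.
    if [ -d "$target/.git" ]; then
        git -C "$target" pull --ff-only || return 1
    fi
    clean_artifacts "$target"
    # argv is passed as separate words; no string is re-parsed by a shell.
    securevibes scan "$target" "$@" || return 1
    report="$target/.securevibes/scan_report.md"
    [ -f "$report" ] && cat -- "$report"
}

# Usage: scan.sh /path/to/repo --force --debug
if [ "$#" -gt 0 ]; then
    run_full_scan "$@"
fi
```

validate_scan_target, allowed_flag and clean_artifacts run offline; run_full_scan additionally needs git and the securevibes CLI on PATH. The flag allowlist matters as much as the path check: without it, a caller could smuggle an unknown option through the wrapper even when the path itself is clean.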

Incremental Scan (Continuous Monitoring)

The incremental scanner (ops/incremental_scan.py) tracks the last-scanned commit and only scans new commits. Designed for cron-driven continuous security monitoring.

How It Works

Metadata

  Stars: 4473
  Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-anshumanbh-securevibes-scanner": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety Note: ClawKit audits metadata but not runtime behavior. Use with caution.