ClawKit Reliability Toolkit
Official, Verified, developer tools, Safety 4/5

insecure-defaults

Detects fail-open insecure defaults (hardcoded secrets, weak auth, permissive security settings) that let an application run insecurely in production when its configuration is missing. Use when auditing security, reviewing config management, or analyzing environment variable handling.


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/atlas-secint/insecure-defaults

What This Skill Does

The insecure-defaults skill acts as an automated security auditor for OpenClaw. It is specifically engineered to identify 'fail-open' weaknesses: places where application code supplies a hardcoded or weak default for a critical setting (a secret, an authentication flag, an encryption parameter) when the environment configuration is missing or malformed, so the application keeps running in an insecure state instead of refusing to start. Unlike simple scanners that flag any hardcoded string, this skill performs contextual analysis to distinguish dangerous fail-open patterns from fail-secure ones, where the application is designed to crash, or otherwise refuse to start, if a required secret is absent.
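The page does not show the skill's own detection logic (the skill is an agent prompt, not a static scanner). As an added example, not the skill's or the project's code, the following Python checker illustrates the distinction the paragraph draws: it walks a module's AST for environment-variable lookups that carry a literal fallback, flags the ones whose name or default looks fail-open, and leaves lookups without a fallback alone. The sample source, the SECRET_HINTS list and the PERMISSIVE_DEFAULTS table are constructed assumptions for the demonstration; a real audit would tune both to the codebase.

```python
import ast

# Constructed sample of the fallback shapes under discussion (not taken from the page).
SAMPLE_SOURCE = '''
import os
SECRET_KEY = os.environ.get("SECRET_KEY", "changeme")        # fail-open: weak literal secret
DEBUG = os.getenv("DEBUG", "true")                             # fail-open: debug on unless set
CORS_ORIGINS = os.environ.get("CORS_ALLOWED_ORIGINS") or "*"   # fail-open: wildcard origin
DB_PASSWORD = os.environ["DB_PASSWORD"]                        # fail-secure: KeyError at startup
API_TOKEN = os.environ.get("API_TOKEN")                        # no literal fallback; caller must check
TIMEOUT = int(os.getenv("HTTP_TIMEOUT", "30"))                 # benign operational default
'''

# Assumed heuristics: substrings that mark a setting as a secret, and name hints whose
# listed default literals leave the application permissive when the variable is unset.
SECRET_HINTS = ("SECRET", "PASSWORD", "TOKEN", "KEY", "DSN")
PERMISSIVE_DEFAULTS = {
    "DEBUG": {True, "1", "true", "True"},
    "CORS": {"*"},
    "VERIFY": {False, "0", "false", "False"},
}


def _literal(node):
    """Value of a literal node, or None when the node is not a plain constant."""
    return node.value if isinstance(node, ast.Constant) else None


def _is_env_lookup(call):
    """True for os.environ.get(...) and os.getenv(...)."""
    f = call.func
    if not isinstance(f, ast.Attribute):
        return False
    if f.attr == "getenv":
        return isinstance(f.value, ast.Name) and f.value.id == "os"
    if f.attr == "get":
        return isinstance(f.value, ast.Attribute) and f.value.attr == "environ"
    return False


def _fallback(node):
    """Return (name node, default node) for the two common fallback shapes:
    os.environ.get(NAME, DEFAULT) / os.getenv(NAME, DEFAULT), and <env lookup> or DEFAULT.
    A lookup with no default is left alone: an unset variable then yields None, which is
    the fail-secure shape (the caller must handle it, or the app will not start)."""
    if isinstance(node, ast.Call) and _is_env_lookup(node) and len(node.args) >= 2:
        return node.args[0], node.args[1]
    if (isinstance(node, ast.BoolOp) and isinstance(node.op, ast.Or)
            and len(node.values) == 2 and isinstance(node.values[0], ast.Call)
            and _is_env_lookup(node.values[0]) and node.values[0].args):
        return node.values[0].args[0], node.values[1]
    return None


def find_fail_open_defaults(source, filename="<source>"):
    """Return (line, variable, default, reason) for literal fallbacks that look fail-open."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        pair = _fallback(node)
        if pair is None:
            continue
        name, default = _literal(pair[0]), _literal(pair[1])
        if not isinstance(name, str) or default is None:
            continue  # dynamic name or non-literal default: leave for manual review
        upper = name.upper()
        if any(h in upper for h in SECRET_HINTS) and default != "":
            findings.append((node.lineno, name, default, "hardcoded secret fallback"))
            continue
        for hint, bad in PERMISSIVE_DEFAULTS.items():
            if hint in upper and default in bad:
                findings.append((node.lineno, name, default, "permissive default"))
    return sorted(findings, key=lambda f: f[0])


def require_env(name, environ):
    """Fail-secure counterpart: refuse to start instead of silently using a default."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"required setting {name} is not set; refusing to start")
    return value


if __name__ == "__main__":
    for line, var, default, reason in find_fail_open_defaults(SAMPLE_SOURCE):
        print(f"line {line}: {var} falls back to {default!r} ({reason})")
```

Run against the constructed sample, the checker reports lines 3, 4 and 5 and stays silent on the `os.environ["DB_PASSWORD"]` subscript, the default-less `API_TOKEN` lookup and the timeout, which is the fail-open versus fail-secure split the skill is described as making. A non-literal default (a call, a name) is deliberately skipped rather than guessed at; that is exactly the case the Tips section says to trace by hand.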

Installation

To integrate this skill into your environment, use the OpenClaw command-line interface:

clawhub install openclaw/skills/skills/atlas-secint/insecure-defaults

Once installed, make sure your project permissions allow the agent to read source files and environment configuration scripts. Read access is all it needs; the only permission flag the skill declares is file-read.

Use Cases

This skill is essential for:

  • Production Hardening: Scanning production-ready branches for accidentally committed default credentials.
  • IaC & Config Reviews: Identifying insecure permissive security settings in Kubernetes manifests, Terraform files, or Docker build configurations.
  • Security Debt Audits: Establishing a baseline of existing weak defaults across legacy codebases to prioritize remediation.
  • CI/CD Gating: Integrating into pre-merge and pre-deployment pipelines to block code that introduces a critical security regression.

Example Prompts

  1. "Perform an audit of the config/ and auth/ directories. Identify any instances where hardcoded secrets are used as fallbacks for environment variables."
  2. "Review the current codebase for fail-open patterns. Specifically, look for any DEBUG or CORS settings that default to insecure values if the environment variable isn't explicitly set."
  3. "Analyze how we handle database credentials in the application startup script. Are there any default values that would allow the app to boot without a proper production key?"

Tips & Limitations

To get the most accurate results, give the agent the right directory context. The skill is sensitive to file paths: it is tuned to ignore test fixtures, README files and documented examples, so point it at the directories that hold real configuration and startup code. If your project uses non-standard conventions (for example a custom environment-variable loader instead of the language's standard environment lookup), supply that context to the agent, otherwise it may miss real fallbacks (false negatives). Always verify a flagged issue by tracing the code execution path to confirm that the default value is actually reachable at runtime in a production configuration, not only in a development or test branch. Do not treat this as a substitute for manual penetration testing.

Metadata

Stars: 4473
Views: 0
Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-atlas-secint-insecure-defaults": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags

#security #auditing #vulnerability-scanner #devsecops #configuration-management
Safety Score: 4/5

Flags: file-read