security-audit
Audit codebases and infrastructure for security issues. Use when scanning dependencies for vulnerabilities, detecting hardcoded secrets, checking OWASP top 10 issues, verifying SSL/TLS, auditing file permissions, or reviewing code for injection and auth flaws.
Why use this skill?
Secure your codebases and infrastructure with automated security auditing. Detect vulnerabilities, hardcoded secrets, and configuration flaws using OpenClaw.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/gitgoodordietrying/security-audit-toolkit
What This Skill Does
The security-audit skill transforms your OpenClaw agent into a powerful cybersecurity assistant capable of auditing codebases, infrastructure, and configuration files. It provides deep visibility into your project's security posture by identifying vulnerabilities, detecting leaked credentials, and verifying compliance with industry standards like the OWASP Top 10. By leveraging both native language tooling (npm, pip, cargo, govulncheck) and universal scanners like Trivy, the agent can perform automated assessments across diverse technology stacks to minimize risk before deployment.
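The dispatch the paragraph describes (native auditor per manifest, Trivy as the universal fallback) looks like this in practice. The script below is an added example written for this page, not the skill's own implementation; it assumes each tool's documented flags (npm audit --audit-level, pip-audit -r, cargo audit, govulncheck ./..., trivy fs --scanners/--severity, trivy config) and that cargo-audit has been installed separately. Tools that are not on PATH are listed and skipped rather than treated as a clean scan.

```shell
#!/bin/sh
# Added example, not the security-audit skill's code: choose the native audit
# tool for each manifest found, then always finish with Trivy's filesystem
# scanner, which also covers OS packages and lockfiles the native tools miss.

# Print one scanner command per line for the manifests present in $1.
plan_dependency_scans() {
  dir=$1
  [ -f "$dir/package.json" ]     && echo "npm audit --audit-level=high"
  [ -f "$dir/requirements.txt" ] && echo "pip-audit -r requirements.txt"
  [ -f "$dir/Cargo.lock" ]       && echo "cargo audit"   # needs cargo-audit installed
  [ -f "$dir/go.mod" ]           && echo "govulncheck ./..."
  [ -f "$dir/Dockerfile" ]       && echo "trivy config ."   # Dockerfile misconfig checks
  echo "trivy fs --scanners vuln,secret --severity HIGH,CRITICAL ."
}

# Run every planned command inside $1. A tool that is not installed is
# reported as skipped, never silently counted as "no findings".
# Returns 1 if any scanner that did run exited non-zero.
run_dependency_scans() {
  dir=$1
  plan=$(plan_dependency_scans "$dir")
  worst=0
  while IFS= read -r cmd; do
    tool=${cmd%% *}
    if command -v "$tool" >/dev/null 2>&1; then
      echo "== $cmd"
      ( cd "$dir" && $cmd ) || worst=1
    else
      echo "== skipped ($tool not installed): $cmd"
    fi
  done <<EOF
$plan
EOF
  return "$worst"
}

# Stand-alone use: ./deps-audit.sh --run /path/to/project
if [ "${1:-}" = "--run" ]; then
  run_dependency_scans "${2:-.}"
fi
```

The planning step is kept separate from execution so a CI job can print the plan for review, and so the "skipped" branch is visible in the log; a missing scanner that fails silently is the most common way a dependency gate becomes decorative.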
Installation
To integrate this capability into your environment, run the following installation command in your agent interface:
clawhub install openclaw/skills/skills/gitgoodordietrying/security-audit-toolkit
Ensure your agent has the necessary permissions to execute system-level commands and to read your source code directories, so the underlying scanners (e.g., Trivy, grep) can recurse through the file tree. Those permissions are what the skill's file-read and code-execution flags declare: the scanners run with the agent's privileges, and any credential the audit finds is readable by the agent, so point the audit at a specific project checkout rather than a whole home directory or a shared host.
Use Cases
This skill is indispensable for security-conscious development workflows. Use it to:
- Automatically identify outdated dependencies with known CVEs in Node.js, Python, Go, and Rust projects.
- Perform sanity checks for hardcoded API keys, database credentials, or AWS tokens before committing to version control.
- Scan Docker images for OS-level vulnerabilities that could compromise containerized deployments.
- Validate file permission structures to ensure sensitive configuration files are not world-readable.
- Audit existing source code for common injection vulnerabilities, insecure authentication patterns, and cross-site scripting (XSS) risks.
Example Prompts
- "Perform a high-level security audit on this directory, focusing specifically on detecting any hardcoded AWS keys or database connection strings."
- "Run a dependency vulnerability scan on my package.json file and provide a summary of the critical issues along with fix recommendations."
- "Verify the SSL/TLS configuration for our production API endpoint and check the local infrastructure for any lax file permissions."
Tips & Limitations
Automated tools are not a replacement for manual peer review. Use the grep-based patterns as a first pass, back them with dedicated scanners (Trivy's secret scanner, the native dependency auditors) gated in CI/CD, and keep the vulnerability databases of Trivy and the language-specific tools current, since a stale database silently misses recent CVEs. Regex-based secret detection produces false positives (placeholders, test fixtures, variables that merely contain the word "password"), so treat results as leads to verify rather than confirmed breaches. A credential that does turn out to be real must be rotated, not just deleted: removing it from the working tree does not remove it from version-control history.
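The following script is an added example for the secret and file-permission use cases above and for the false-positive caveat in this section; it is not the skill's own code. It builds a constructed sample tree (the AWS key id in it is the placeholder from AWS's documentation, the other values are made up), runs a grep pass whose patterns require a quoted literal so that "password = os.environ[...]" is not flagged, suppresses findings a reviewer has accepted through a per-project allowlist file (a hypothetical ".audit-allowlist" format of "path:substring"), and finishes with a find pass for sensitive files that carry the other-read bit.

```shell
#!/bin/sh
# Added example, not the security-audit skill's code: grep-based secret pass,
# allowlist for reviewed false positives, and a world-readable file check.

# Patterns: AWS access key id, credentials embedded in a database URL, a quoted
# literal assigned to a password/secret variable, and a PEM private key header.
# Requiring the quoted literal is what keeps `password = os.environ[...]` out.
RE_AWS='AKIA[0-9A-Z]{16}'
RE_DBURL='(postgres|postgresql|mysql|mongodb)(\+srv)?://[^:/[:space:]]+:[^@[:space:]]+@'
RE_PASS="([Pp]assword|[Ss]ecret|passwd)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{4,}[\"']"
RE_PEM='-----BEGIN [A-Z ]*PRIVATE KEY-----'
SECRET_RE="$RE_AWS|$RE_DBURL|$RE_PASS|$RE_PEM"

# Constructed sample tree: two real-looking hits, one env lookup that must not
# be flagged, a vendored fixture that must be skipped, and two sensitive files.
make_sample_tree() {
  dir=$1
  mkdir -p "$dir/src" "$dir/node_modules/pkg"
  cat > "$dir/src/config.py" <<'EOF'
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation placeholder
db_password = os.environ["DB_PASSWORD"]      # read at runtime: not a finding
DATABASE_URL = "postgres://app:s3cret@db.internal:5432/app"
EOF
  printf 'password: "hunter2"\n' > "$dir/settings.yaml"
  printf 'secret = "fixture-value"\n' > "$dir/node_modules/pkg/test.js"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$dir/id_rsa"
  printf 'DB_HOST=db.internal\n' > "$dir/.env"
  chmod 600 "$dir/id_rsa"   # correct
  chmod 644 "$dir/.env"     # world-readable: should be reported
}

# Secrets pass over $1, skipping VCS data, vendored code and the allowlist itself.
scan_secrets() {
  grep -rEn --exclude-dir=.git --exclude-dir=node_modules \
       --exclude=.audit-allowlist -e "$SECRET_RE" "$1"
}

# Drop findings a reviewer has accepted. Allowlist ($2) lines are
# "<path relative to $1>:<substring>"; a finding is suppressed when both match.
# Output is the finding with the root prefix stripped.
filter_allowlisted() {
  root=$1; allow=$2
  while IFS= read -r finding; do
    rel=${finding#"$root"/}
    path=${rel%%:*}
    keep=1
    while IFS=: read -r apath needle; do
      case "$path" in "$apath") case "$rel" in *"$needle"*) keep=0 ;; esac ;; esac
    done < "$allow"
    if [ "$keep" -eq 1 ]; then printf '%s\n' "$rel"; fi
  done
}

# Permissions pass: sensitive-looking files readable by "other" (mode bit 004).
scan_world_readable() {
  find "$1" -type f \( -name '.env' -o -name '*.pem' -o -name '*.key' -o -name 'id_*' \) \
       -perm -004 -print
}

demo() {
  root=$(mktemp -d)
  make_sample_tree "$root"
  printf 'src/config.py:AKIAIOSFODNN7EXAMPLE\n' > "$root/.audit-allowlist"
  echo "== possible secrets (after allowlist)"
  scan_secrets "$root" | filter_allowlisted "$root" "$root/.audit-allowlist"
  echo "== sensitive files readable by other"
  scan_world_readable "$root"
  rm -rf "$root"
}
demo
```

Keeping the allowlist keyed on path plus a substring, rather than on a line number, means it survives unrelated edits to the file; keeping it in the repository means a suppression is itself a reviewable change. The pattern set is deliberately small, and a dedicated secret scanner should still run after it.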
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-gitgoodordietrying-security-audit-toolkit": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Flags: file-read, code-execution
Related Skills
shell-scripting
Write robust, portable shell scripts. Use when parsing arguments, handling errors properly, writing POSIX-compatible scripts, managing temp files, running commands in parallel, managing background processes, or adding --help to scripts.
api-dev
Scaffold, test, document, and debug REST and GraphQL APIs. Use when the user needs to create API endpoints, write integration tests, generate OpenAPI specs, test with curl, mock APIs, or troubleshoot HTTP issues.
skill-writer
Write high-quality agent skills (SKILL.md files) for ClawdHub/MoltHub. Use when creating a new skill from scratch, structuring skill content, writing effective frontmatter and descriptions, choosing section patterns, or following best practices for agent-consumable technical documentation.
log-analyzer
Parse, search, and analyze application logs across formats. Use when debugging from log files, setting up structured logging, analyzing error patterns, correlating events across services, parsing stack traces, or monitoring log output in real time.
data-validation
Validate data with schemas across languages and formats. Use when defining JSON Schema, using Zod (TypeScript) or Pydantic (Python), validating API request/response shapes, checking CSV/JSON data integrity, or setting up data contracts between services.