Official Verified
xfire-security-review
Multi-agent adversarial security review — 3 AI agents debate every finding, only real vulnerabilities survive
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/har1sh-k/xfire-security-review
xfire — Multi-Agent Adversarial Security Review
Multiple agents. One verdict. Zero blind spots.
xfire sends your code to 3 AI agents (Claude, Codex, Gemini) independently, then runs an adversarial debate where they cross-examine each other's findings. Only vulnerabilities that survive prosecution, defense, and a judge's ruling make the final report.
When to Use
Invoke xfire when a user asks for any of these:
- "security review this PR"
- "find vulnerabilities in this code"
- "audit this repo for security issues"
- "run a security scan"
- "analyze this diff for security problems"
- "check this pull request for vulnerabilities"
- "code review for security"
- "pentest this codebase"
- "threat model this change"
Do NOT use xfire for:
- General code quality / style reviews (use a linter)
- Performance profiling
- Dependency license auditing
- Non-security functional testing
Prerequisites
- Python 3.11+
- Install: pip install xfire
- At least one AI agent CLI or API key configured:
| Agent | CLI tool | API key env var |
|---|---|---|
| Claude | claude | ANTHROPIC_API_KEY |
| Codex | codex | OPENAI_API_KEY |
| Gemini | gemini | GOOGLE_API_KEY |
Setup
# Initialize config in current repo
xfire init
# Test agent connectivity
xfire test-llm
# Set up agent credentials
xfire auth login --provider claude
xfire auth login --provider codex
xfire auth login --provider gemini
Commands
Core Analysis
analyze-pr — Analyze a GitHub pull request
xfire analyze-pr --repo owner/repo --pr 123
| Flag | Type | Default | Env var | Description |
|---|---|---|---|---|
| --repo | str | required | — | GitHub repo in owner/repo format |
| --pr | int | required | — | PR number |
| --github-token | str | None | GITHUB_TOKEN | GitHub token |
| --agents | str | None | — | Comma-separated agent list (claude,codex,gemini) |
| --skip-debate | bool | False | — | Skip adversarial debate phase |
| --context-depth | str | None | — | Context depth: shallow\|medium\|deep |
| --output | str | None | — | Output file path |
| --format | str | markdown | — | Output format: markdown\|json\|sarif |
| --post-comment | bool | False | — | Post review as GitHub PR comment |
| --cache-dir | str | None | XFIRE_CACHE_DIR | Cache directory for context/intent persistence |
| --verbose | bool | False | — | Enable verbose logging |
| --dry-run | bool | False | — | Show what would be analyzed without calling agents |
| --debate | bool | False | — | Show adversarial debate transcript after the report |
| --debug | bool | False | — | Write full debug trace to xfire-debug-TIMESTAMP.md |
| --silent | bool | False | — | Suppress all output — exit code only (for git hooks) |
analyze-diff — Analyze a local diff or staged changes
Add to Configuration
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-har1sh-k-xfire-security-review": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety Note
ClawKit audits metadata but not runtime behavior. Use with caution.