security-checker
Security scanner for Python skills before publishing to ClawHub. Use before publishing any skill to check for dangerous imports, hardcoded secrets, unsafe file operations, and dangerous functions like eval/exec/subprocess. Essential for maintaining trust and ensuring published skills are safe for others to install and run.
Why use this skill?
Use the OpenClaw security-checker to scan your Python skills for dangerous imports, hardcoded secrets, and unsafe code before publishing to ClawHub.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/johstracke/security-checker
What This Skill Does
The security-checker is an essential static analysis tool designed specifically for OpenClaw AI developers. Before publishing any skill to the ClawHub repository, this agent scans your Python codebase to identify potential vulnerabilities, including dangerous system imports (os, subprocess, socket), hazardous function calls (eval, exec), and accidental exposure of hardcoded credentials like API keys or JWT tokens. It ensures that the ecosystem remains secure for all users by preventing the distribution of malicious or poorly written code.
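To make the three detection classes concrete, here is a small ast-based scanner of the kind the description refers to. This is an added illustration, not the security-checker skill's own code, and the sample skill source, the `security-ok` inline annotation convention, and the secret-name and JWT-literal patterns are all constructed for this example; the real skill's rules and output format may differ.

```python
"""Minimal static scanner illustrating what a pre-publish check looks at.
Added example, not the security-checker skill's own code. It parses a skill's
Python source with the ast module and flags: imports of system modules,
calls to dangerous functions, and string literals that look like secrets.
"""
import ast
import re
from dataclasses import dataclass

# Modules and calls to flag (constructed list for this example).
DANGEROUS_MODULES = {"os", "subprocess", "socket"}
DANGEROUS_CALLS = {"eval", "exec", "os.system",
                   "subprocess.call", "subprocess.Popen", "subprocess.run"}
# Variable names that suggest a credential is being assigned.
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|password)", re.IGNORECASE)
# Three base64url segments starting with "eyJ" ({"...) is the usual JWT shape.
JWT_LITERAL = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
# Hypothetical inline annotation that suppresses a finding on that line.
SUPPRESS_MARKER = "security-ok"


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source: str):
    """Return findings for one Python file, sorted by line number."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []

    def suppressed(lineno):
        return SUPPRESS_MARKER in lines[lineno - 1]

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DANGEROUS_MODULES and not suppressed(node.lineno):
                    findings.append(Finding(node.lineno, "dangerous-import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if root in DANGEROUS_MODULES and not suppressed(node.lineno):
                findings.append(Finding(node.lineno, "dangerous-import", node.module))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DANGEROUS_CALLS and not suppressed(node.lineno):
                findings.append(Finding(node.lineno, "dangerous-call", name))
        elif isinstance(node, ast.Assign):
            # A credential-looking name assigned a non-empty string literal.
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                        findings.append(Finding(node.lineno, "hardcoded-secret", target.id))
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and JWT_LITERAL.match(node.value):
            findings.append(Finding(node.lineno, "hardcoded-secret", "JWT-like literal"))

    return sorted(findings, key=lambda f: (f.line, f.kind, f.detail))


# Constructed sample skill source; the credential values are fake.
SAMPLE_SKILL = '''\
import os
import subprocess  # security-ok: only launches the bundled formatter
from socket import create_connection
API_KEY = "sk-constructed-example-0000"
GREETING = "hello"
SESSION = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"

def run(cmd):
    os.system(cmd)
    return eval(cmd)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SKILL):
        print(f"line {f.line}: {f.kind} ({f.detail})")
```

Running the block reports the os and socket imports, the API_KEY assignment, the JWT-shaped literal, and the os.system and eval calls, while the annotated subprocess import on line 2 is left out. Because this is purely syntactic, an import hidden behind `__import__` or a string built at runtime would not be seen, which is the limitation the Tips section below describes.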
Installation
To integrate this safety measure into your workflow, install it directly from the OpenClaw repository using the command: clawhub install openclaw/skills/skills/johstracke/security-checker. Once installed, ensure you have the necessary execution permissions for the script to traverse your local directories and analyze files.
Use Cases
This skill is primarily used by developers as the final gate in a CI/CD pipeline or a manual pre-publish checklist. It is ideal for:
- Auditing third-party open-source code before executing it in your local environment.
- Performing self-audits on your personal skills to ensure no secrets were accidentally committed.
- Enforcing security standards within an organization's internal agent development lifecycle.
Example Prompts
- "Run a security scan on my current project located at /home/user/workspace/new-skill and show me a summary of all warnings."
- "Check my skill for any hardcoded API keys and suggest how to replace them with environment variables."
- "Scan my entire skills directory and highlight any files that use os.system or subprocess.call."
Tips & Limitations
The security-checker performs static analysis; it does not execute the code and therefore cannot detect vulnerabilities that only manifest at runtime. While it catches common security smells, it is not a replacement for comprehensive manual code reviews or advanced security penetration testing. Always annotate legitimate, safe use of system modules with comments to reduce false positives in your scan reports.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-johstracke-security-checker": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags: AI
Flags: file-read