security-review
Comprehensive security review for code, configs, and operations. OWASP, prompt injection, crypto security. Auto-triggers on security-related changes.
Why use this skill?
Proactively audit your AI agent code, configs, and DeFi operations with the security-review skill. Detect OWASP vulnerabilities, prompt injections, and API risks.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/sa9saq/security-review
What This Skill Does
The security-review skill is a comprehensive diagnostic engine designed to audit codebases, environment configurations, and operational workflows for OpenClaw AI agents. It acts as an automated security analyst, proactively identifying vulnerabilities across four critical domains: Code Security (aligned with OWASP Top 10), Configuration Security (environment variables, API keys), Crypto Asset Security (DeFi and wallet management), and AI-specific threats (prompt injection and skill exploitation). By automating the discovery of vulnerabilities such as injection flaws, credential leaks, and insecure authentication patterns, it ensures that your agent deployment remains resilient against both traditional software threats and modern AI-centric attacks.
Installation
You can install the skill directly via the ClawKit command-line interface. Use the following command in your terminal:
clawhub install openclaw/skills/skills/sa9saq/security-review
Ensure that your OpenClaw agent has sufficient permissions to access your source files and environment configurations for the scan to perform optimally.
Use Cases
- Continuous Integration/Deployment: Automatically trigger scans whenever code is pushed to sensitive directories or when environment configuration files (like wrangler.toml or package.json) are modified.
- Pre-Deployment Audits: Run a 'Deep Review' before finalizing a production release to ensure no secrets are hardcoded and all API endpoints are correctly secured.
- Crypto Transaction Monitoring: Verify DApp interactions and assess the risk of smart contracts before authorizing large transactions through the agent.
- AI Adversarial Defense: Evaluate system prompts for potential susceptibility to role-change, instruction-override, or encoding attacks.
Example Prompts
- "Perform a security review on the current codebase and list any OWASP Top 10 vulnerabilities."
- "I am planning to connect to this new DeFi protocol; can you run a risk assessment on the contract before I proceed?"
- "Review my environment variables in the current project to ensure no secrets are exposed or insecure settings are enabled."
Tips & Limitations
- Review Levels: Use 'Quick Review' for rapid feedback during coding, 'Standard' for regular pull request audits, and 'Deep Review' for final production readiness checks.
- Context is Key: Ensure the agent has access to your repository metadata to allow the skill to map potential vulnerabilities to specific files and line numbers.
- Limitations: While this skill detects numerous attack vectors, it is a tool to support your security posture, not replace it. Always conduct manual security audits for high-stakes financial operations or sensitive production systems.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-sa9saq-security-review": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags(AI)
Flags: file-read, code-execution
Related Skills
Readme Generator
Auto-generate comprehensive README.md files by analyzing project structure and configuration.
threat-model
Threat modeling and attack scenario design. Identify risks before they become vulnerabilities. STRIDE, attack trees, risk matrix.
thought-logger
Log {AGENT_NAME}'s thoughts, feelings, and experiences. Auto-convert to tweets, podcasts, and human-like social media content.
youtube-automation
Faceless YouTube channel automation. Script writing, video generation, SEO, upload scheduling. Passive income through AdSense.
Api Health Check
Monitor API endpoints, measure response times, and diagnose connectivity issues.