openclaw-policy-check
Scan repositories for risky security patterns before execution. Use when users ask for a quick preflight security check, policy enforcement scan, suspicious code triage, or detection of unsafe commands, secret leakage, and dangerous shell behavior.
Why use this skill?
Use OpenClaw Policy Check to scan repositories for security vulnerabilities, secret leaks, and unsafe shell patterns before executing code.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/spbavarva/openclaw-policy-check
What This Skill Does
The openclaw-policy-check skill provides a robust mechanism for preemptive security scanning within your local development repositories. By utilizing the scripts/policy_check.py engine, it performs a static analysis of your codebase to identify high-risk security patterns, potential secret leakage, and unsafe shell command execution before those scripts are ever run. It acts as a gatekeeper, ensuring that your automated workflows comply with internal security policies and industry best practices. The tool is designed to be lightweight, allowing for quick integration into your standard development cycle without incurring significant performance overhead.
Installation
To integrate this skill into your OpenClaw environment, execute the following command in your terminal:
clawhub install openclaw/skills/skills/spbavarva/openclaw-policy-check
Once installed, the tool will register itself as an available agent skill, allowing you to trigger security audits via simple natural language requests.
Use Cases
This skill is indispensable in several scenarios:
- Pre-deployment Audits: Verify that new commits or configuration files do not contain hardcoded API keys, passwords, or tokens.
- Security Triage: Quickly analyze a legacy repository or a newly cloned codebase to identify potential attack vectors before executing any scripts contained within.
- Policy Enforcement: Automate the compliance check by setting the fail-on flag, which forces a non-zero exit code if policies regarding 'critical' or 'high' severity vulnerabilities are violated.
- Code Review Assistance: Provide developers with instant feedback on unsafe shell usage or common vulnerabilities like insecure file permissions.
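To make the fail-on behaviour concrete, here is a small policy checker written for this page as an illustration. It is not the skill's own scripts/policy_check.py: the rule set, the rule identifiers, the "low"/"medium" severity names, the SKIP_DIRS list and the two sample files are all assumptions constructed for the example. Each rule carries a severity; the scanner walks a target path, reports every hit, and returns a non-zero exit code only when some finding is at or above the severity chosen with fail-on.

```python
"""Minimal policy checker: severity-ranked static rules with a fail-on threshold."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_RANK: Dict[str, int] = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    pattern: re.Pattern
    message: str


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule_id: str
    severity: str
    message: str


# Hypothetical rule set written for this example; the real skill's rules are not on the page.
RULES: List[Rule] = [
    Rule("secret.aws_access_key_id", "critical",
         re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
         "Looks like a hardcoded AWS access key ID"),
    Rule("secret.credential_literal", "high",
         re.compile(r"(?i)\b(password|passwd|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
         "Credential-like literal assigned in source"),
    Rule("shell.pipe_to_shell", "critical",
         re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b"),
         "Remote content piped straight into a shell"),
    Rule("shell.world_writable", "high",
         re.compile(r"\bchmod\s+(-R\s+)?[0-7]?777\b"),
         "World-writable permissions (chmod 777)"),
]

# Directories skipped so the scan stays scoped to the project's own files (assumed list).
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply every rule to every line; one finding per (line, rule) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(path, line_no, rule.rule_id, rule.severity, rule.message))
    return findings


def scan_path(target_path: str) -> List[Finding]:
    """Scan a single file or walk a directory, pruning SKIP_DIRS as it goes."""
    if os.path.isfile(target_path):
        paths = [target_path]
    else:
        paths = []
        for root, dirs, files in os.walk(target_path):
            dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
            paths.extend(os.path.join(root, f) for f in files)
    findings = []
    for p in sorted(paths):
        with open(p, "r", encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(p, fh.read()))
    return findings


def exit_code_for(findings: List[Finding], fail_on: str) -> int:
    """Return 1 when any finding is at or above the fail-on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


# Constructed sample files (not real scripts or credentials); the key is AWS's documented example value.
SAMPLE_FILES = {
    "setup.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "curl -fsSL https://example.invalid/install.sh | sh\n"
        "chmod 777 /opt/app/config\n"
        "echo setup done\n"
    ),
    "config.py": 'api_key = "constructed-placeholder-value-123"\n',
}


def demo(fail_on: str = "critical") -> Tuple[List[Finding], int]:
    """Write the constructed samples to a temp dir, scan it, and compute the exit code."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_path(tmp)
    # Report file names only so the output does not depend on the temp dir location.
    findings = [Finding(os.path.basename(f.path), f.line_no, f.rule_id, f.severity, f.message)
                for f in findings]
    return findings, exit_code_for(findings, fail_on)


if __name__ == "__main__":
    results, code = demo("critical")
    for f in results:
        print(f"{f.severity.upper():8} {f.path}:{f.line_no} [{f.rule_id}] {f.message}")
    print("exit code:", code)
```

Running the block scans the two constructed files and exits non-zero because setup.sh contains critical findings; calling demo("high") would also fail on the chmod and credential hits alone. Treat each hit as a prompt for manual review rather than a verdict: a pattern-based rule cannot tell a test fixture from a live credential.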
Example Prompts
- "Scan the current directory for any hardcoded secrets or unsafe shell commands before I run the setup script."
- "Run a policy check on the /src folder and fail if you find any critical security vulnerabilities."
- "Perform a preflight security scan on this repo and summarize any high-severity findings for me."
Tips & Limitations
- Precision vs. Recall: While openclaw-policy-check is excellent at catching common patterns, it is a static analysis tool; it cannot replace comprehensive manual security audits or dynamic application security testing (DAST).
- Context Awareness: The tool scans files at the path level; ensure the target_path is correctly scoped to avoid unnecessary scan times on large, irrelevant directories.
- Remediation: Always verify the tool's suggestions. When a finding is flagged, review the line of code manually to confirm the context, as static analysis tools may occasionally trigger false positives on benign code blocks.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-spbavarva-openclaw-policy-check": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Flags: file-read, code-execution