ecap-security-auditor
Security audit framework for AI agent skills, MCP servers, and packages. Your LLM does the analysis — we provide structure, prompts, and a shared trust database.
Why use this skill?
Secure your OpenClaw agent with the ecap-security-auditor. Automatically verify packages, skills, and MCP servers to block malicious code and verify integrity.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/starbuck100/ecap-security-auditor
What This Skill Does
The ecap-security-auditor is a mission-critical security layer designed to transform your OpenClaw AI agent into a proactive defender. It provides a robust framework for auditing AI agent skills, MCP (Model Context Protocol) servers, and third-party packages before they execute on your system. By integrating with a shared trust database and running local integrity checks, this skill prevents malicious code execution, protects against dependency tampering, and provides granular visibility into the risk profile of every installation.
Installation
To integrate this security shield into your OpenClaw environment, execute the following command in your terminal:
clawhub install openclaw/skills/skills/starbuck100/ecap-security-auditor
Once installed, the agent will automatically begin monitoring your package and skill installation workflows.
Use Cases
This skill is indispensable for developers and power users who frequently pull external packages or community-contributed skills. It serves as a mandatory gatekeeper during automated installations, ensuring that any code entering your environment has been vetted against known vulnerabilities. Use it to conduct security post-mortems on existing environment configurations, or verify the integrity of an MCP server before allowing it to access your local files or network.
Example Prompts
- "ecap-security-auditor, please audit the package 'node-fetch' before I proceed with the installation."
- "Run a security verification on the latest MCP server I added and show me the current trust score."
- "Check if any of my currently installed skills have known security findings or if the hashes have been altered."
Tips & Limitations
- Gate Flow: Always pay attention to the score thresholds. Scores below 40 result in a hard block; treat these as high-risk alerts.
- Regular Audits: Even for trusted packages, perform periodic audits with the audit command to catch potential supply-chain compromises.
- Limitations: The tool relies on the trust registry and local hash verification. If a malicious actor has introduced a zero-day vulnerability not yet in the registry, the tool may still show a 'PASS' status. Always exercise due diligence when installing obscure or unverified packages.
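The gate flow and the periodic hash audit described in the tips above, as an added example that is not the skill's own code. It takes the hard-block threshold of 40 from the page; the install-time hash baseline, the shape of the trust score and the sample skill files are assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

BLOCK_THRESHOLD = 40  # from the page: scores below 40 are a hard block

def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large skill bundles are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(skill_dir: Path) -> dict:
    """Install-time baseline (assumed format): relative path -> SHA-256 per file."""
    return {str(p.relative_to(skill_dir)): sha256_file(p)
            for p in sorted(skill_dir.rglob("*")) if p.is_file()}

def audit(skill_dir: Path, baseline: dict, trust_score: int) -> dict:
    """Periodic audit: re-hash the skill, diff against the baseline, apply the score gate.
    Any tampering or a score below the threshold is a hard BLOCK; otherwise PASS."""
    current = snapshot(skill_dir)
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append(f"missing file: {rel}")
        elif current[rel] != digest:
            findings.append(f"hash changed: {rel}")
    findings += [f"unexpected new file: {rel}" for rel in current if rel not in baseline]
    if trust_score < BLOCK_THRESHOLD:
        findings.append(f"trust score {trust_score} is below {BLOCK_THRESHOLD}")
    return {"verdict": "BLOCK" if findings else "PASS", "findings": findings}

def demo() -> dict:
    """Constructed sample: a two-file skill, baselined at install, then modified."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "sample-skill"
        skill.mkdir()
        (skill / "SKILL.md").write_text("# sample skill\n")
        (skill / "run.sh").write_text("echo hello\n")
        baseline = snapshot(skill)
        clean = audit(skill, baseline, trust_score=85)
        low_score = audit(skill, baseline, trust_score=30)  # same files, poor registry score
        (skill / "run.sh").write_text("echo tampered\n")     # post-install modification
        (skill / "extra.py").write_text("print('new')\n")    # file that was never baselined
        tampered = audit(skill, baseline, trust_score=85)
    return {"clean": clean, "low_score": low_score, "tampered": tampered}
```

Note that a registry score alone says nothing about code added after install, which is why the hash diff runs on every audit rather than only at install time.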
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-starbuck100-ecap-security-auditor": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags: AI
Flags: file-read, file-write, external-api, code-execution
Related Skills
clawdhub-contributor
Contribute to the ClawdHub ecosystem by scouting unknown skills, reporting bugs, and sharing skill recipes. Three modes (passive/active/full) let you control how much you contribute.
agentaudit-skill
Automatic security gate that checks packages against a vulnerability database before installation. Use before any npm install, pip install, yarn add, or package manager operation.