security-audit
Fail-closed security auditing for OpenClaw/ClawHub skills & repos: trufflehog secrets scanning, semgrep SAST, prompt-injection/persistence signals, and supply-chain hygiene checks before enabling or installing.
Why use this skill?
Use the OpenClaw security-audit skill to scan repositories for secrets, prompt-injection, and supply-chain risks with a fail-closed, zero-trust approach.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/virtaava/sona-security-audit
What This Skill Does
The security-audit skill is a critical defense layer for the OpenClaw ecosystem, designed to act as a hostile-by-design, fail-closed checkpoint for any skill, repository, or codebase intended for integration with ClawHub. Unlike traditional performance testing or functionality verification, this tool focuses exclusively on threat detection. Its primary mission is to answer a single, vital question: "Can this skill betray the system?"
To provide this defense, it aggregates multiple security disciplines into a single workflow. It utilizes trufflehog to scan for accidental credential or API key leakage. It employs semgrep for automated static analysis (SAST) to identify known insecure patterns. Furthermore, it incorporates custom-built logic specifically tuned for the OpenClaw platform, searching for prompt-injection signals, hidden persistence mechanisms, and supply-chain hygiene violations. If any one of these layers flags an issue, the entire audit results in a hard failure, ensuring the security of the host environment.
Installation
To integrate this security layer into your workflow, use the standard ClawHub installation command:
clawhub install openclaw/skills/skills/virtaava/sona-security-audit
Once installed, you can trigger an audit by navigating to the target codebase and executing bash scripts/run_audit_json.sh <path>. This script is designed to output detailed JSON reports, making it easy to pipe results into analytical tools like jq.
Use Cases
This skill is indispensable for developers and system administrators who frequently integrate third-party AI agents. Use it to audit repositories before running npm install or executing unknown scripts. It is particularly effective for zero-trust environments where you must enforce the presence of an openclaw-skill.json manifest file before any code execution can proceed. It is ideal for CI/CD pipelines to block malicious updates from entering your development environment.
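The manifest requirement and the CI/CD blocking use case can be combined into one fail-closed gate. The following is an added example, not the skill's own code: the audit_gate function and its exit codes are hypothetical, and it assumes the audit command exits 0 only when every check passes and writes its JSON report to stdout.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): fail-closed gate for CI.
# Assumptions: the audit command exits 0 only when every check passes and
# writes its JSON report to stdout. Anything else is treated as a failure.

# audit_gate TARGET REPORT AUDIT_CMD [ARGS...]
# Returns 0 only if the manifest exists, the audit exits 0, and a
# non-empty report was produced. Every other path returns non-zero.
audit_gate() {
  [ "$#" -ge 3 ] || { echo "gate: usage: audit_gate TARGET REPORT CMD..." >&2; return 2; }
  local target=$1 report=$2 rc=0 tmp
  shift 2
  [ -d "$target" ] || { echo "gate: $target is not a directory" >&2; return 2; }

  # Zero-trust precondition from the page: no manifest, no execution.
  if [ ! -f "$target/openclaw-skill.json" ]; then
    echo "gate: openclaw-skill.json missing, refusing" >&2
    return 3
  fi

  tmp=$(mktemp) || return 4
  # Capture the status explicitly so the gate also works under `set -e`.
  "$@" "$target" >"$tmp" || rc=$?

  if [ "$rc" -ne 0 ]; then
    echo "gate: audit failed or crashed (exit $rc)" >&2
    rm -f "$tmp"; return 5
  fi
  # A scanner that exits 0 but reports nothing has not proven anything.
  if [ ! -s "$tmp" ]; then
    echo "gate: empty report, treating as failure" >&2
    rm -f "$tmp"; return 6
  fi
  mv "$tmp" "$report"
}

# Typical CI use with the command given on this page:
#   audit_gate ./plugins/experimental-agent audit.json \
#     bash scripts/run_audit_json.sh || exit 1   # stop before npm install
```

A crashed scanner, a missing tool, or an empty report all block the pipeline here, which is the difference between fail-closed and a gate that only reacts to explicit findings.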
Example Prompts
- "OpenClaw, run a strict security audit on the local repository folder ./plugins/experimental-agent and output the results as a JSON file."
- "Perform a paranoid-level audit on the ClawHub skill located at ./tmp/downloaded-plugin to check for hidden persistence hooks."
- "Verify if the repository at ~/workspace/untrusted-skill meets the security requirements and check for the presence of a valid openclaw-skill.json manifest."
Tips & Limitations
The audit is highly configurable via the OPENCLAW_AUDIT_LEVEL environment variable. While the standard level is sufficient for most use cases, use paranoid mode for high-stakes integrations. Remember that this tool is a static analyzer; it does not replace the need for an isolated sandbox environment when running untrusted code. Always combine static auditing with Docker-based execution to maximize safety.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-virtaava-sona-security-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags(AI)
Flags: file-read, code-execution