2.5k
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill flaw0- _meta.json267 B
- SKILL.md11.8 KB
Overview
This skill is a security and vulnerability scanner tailored for OpenClaw projects, plugins, skills, and Node.js dependencies. It combines pattern-based checks with OpenClaw AI models to detect code flaws, dependency CVEs, and risky patterns. The goal is to help teams reach and maintain a "flaw 0" security score through actionable findings and suggested fixes.
How this skill works
flaw0 scans source files and dependency trees using fast pattern matching, then enriches findings with AI-powered context analysis to reduce false positives and provide remediation steps. It integrates npm audit and CVE databases for dependency issues, weights findings by severity, and computes a cumulative flaw score. Results can be exported as JSON for CI/CD gates or reviewed interactively in the terminal.
When to use it
- Before installing third-party skills or plugins to verify safety
- During development to catch injections, hardcoded secrets, and unsafe APIs early
- As a pre-commit or CI step to prevent regressions and enforce security thresholds
- Before releasing or deploying to validate dependencies and configuration
- When auditing an entire OpenClaw installation (core, plugins, and skills)
Best practices
- Fix critical and high-severity issues immediately; they have largest score impact
- Run both code and dependency scans; some vulnerabilities appear only in package trees
- Use configuration file to ignore noisy patterns and set acceptable flaw score
- Integrate scans into CI with JSON output to block builds above threshold
- Validate AI suggestions manually and apply recommended fixes in code reviews
Example use cases
- Scan a downloaded skill before installing: fl aw0 scan /tmp/some-skill
- Run full project audit and save report for compliance: flaw0 audit --output report.json
- Automate security gate in GitHub Actions to fail on non-zero flaw score
- Check dependencies after package updates with flaw0 deps --deep
- Periodic maintenance scan across all installed OpenClaw skills and plugins
FAQ
The flaw score is a weighted sum of findings (critical=3, high=2, medium=1, low=0.5). Lower is better; flaw 0 means no issues detected.
Do I need an API key?
Yes. AI analysis requires an Anthropic API key set in ANTHROPIC_API_KEY. Dependency checks use npm and the public CVE sources.
Can I run flaw0 in CI?
Yes. Use flaw0 audit --json and fail the build when flawScore exceeds your configured maxFlawScore.