2.6k
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill security-audit-toolkit- _meta.json308 B
- SKILL.md15.4 KB
Overview
This skill audits codebases and infrastructure for common security issues and misconfigurations. It automates scanning of dependencies, secret detection, OWASP Top 10 code patterns, SSL/TLS checks, and file permission reviews. The goal is to produce actionable findings and suggested fixes to reduce attack surface and prepare for audits.
How this skill works
The skill runs language-specific vulnerability scanners (npm audit, pip-audit, govulncheck, cargo-audit, Trivy) and greps code and git history for risky patterns and hardcoded secrets. It inspects SSL/TLS with openssl, checks .gitignore coverage, evaluates file permissions and SUID/SGID bits, and looks for insecure code patterns tied to OWASP Top 10 issues. Results are summarized with counts and example locations to prioritize remediation.
When to use it
- Before a release or deployment to catch regressions and leaked secrets
- During a security review or compliance preparation to generate evidence and findings
- When integrating third-party dependencies or upgrading package versions
- After onboarding a new codebase to quickly map risky areas and misconfigurations
- As a pre-commit or CI gating step to block obvious secret leaks and critical vulns
Best practices
- Run automated scans regularly in CI and on pull requests, not only locally
- Treat scanner output as prioritized guidance: fix critical/high first and suppress false positives with documentation
- Enforce environment variables and .gitignore rules; rotate any secrets found in commits
- Use parameterized queries, input validation, and framework escaping to prevent injection/XSS
- Keep TLS verification enabled and monitor certificate expiry and supported protocols
Example use cases
- Scan a Node.js repo before deployment: npm audit, check .env handling, and find hardcoded keys
- Run pip-audit on a Python service and grep for SSL verification bypass patterns in HTTP clients
- Audit a mixed-language monorepo with Trivy to surface high/critical vulnerabilities across files and images
- Add a pre-commit hook to block commits containing private keys, API keys, or obvious password patterns
- Perform an SSL/TLS sweep of external endpoints to detect expired certs and weak protocol support
FAQ
Some package managers offer automated fixes (e.g., npm audit fix, cargo audit fix) but fixes should be reviewed. The skill reports issues and recommends remediation steps rather than applying changes without review.
Does secret detection search git history?
Yes. The inspection includes git history searches to find secrets that were committed previously, and it recommends rotation for any discovered secrets.