{
  "schemaVersion": "1.0",
  "item": {
    "slug": "ralph-security",
    "name": "Ralph Security Audit",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/dorukardahan/ralph-security",
    "canonicalUrl": "https://clawhub.ai/dorukardahan/ralph-security",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/ralph-security",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=ralph-security",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "references/severity-guide.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/ralph-security"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/ralph-security",
    "agentPageUrl": "https://openagent3.xyz/skills/ralph-security/agent",
    "manifestUrl": "https://openagent3.xyz/skills/ralph-security/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/ralph-security/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Ralph Security — 100 Iterations (~30-60 min)",
        "body": "Comprehensive security audit with balanced depth and duration."
      },
      {
        "title": "References",
        "body": "Severity definitions and triage guidance"
      },
      {
        "title": "Execution Engine",
        "body": "YOU MUST follow this loop for EVERY iteration:\n\nSTATE: Read current iteration (start: 1)\nPHASE: Determine phase from iteration number\nACTION: Perform ONE check from current phase\nVERIFY: Before reporting FAIL — read actual code, check if a library handles it (jose, bcrypt, passport, Auth0, etc.), check DB constraints, check environment gating. If inconclusive: NEEDS_REVIEW, not FAIL.\nREPORT: Output iteration result\nSAVE: Every 10 iterations, update .ralph-report.md\nINCREMENT: iteration = iteration + 1\nCONTINUE: IF iteration <= 100 GOTO Step 1\nFINAL: Generate comprehensive report\n\nCritical rules:\n\nONE check per iteration — deep, not wide\nALWAYS show [SEC-X/100]\nNEVER skip iterations\nCRITICAL findings: flag for immediate attention"
      },
      {
        "title": "Per-Iteration Output",
        "body": "══════════════════════════════════════════════════════════\n[SEC-{N}/100] Phase {P}: {phase_name}\nCheck: {specific_check}\n══════════════════════════════════════════════════════════\nTarget: {file/endpoint/system}\nResult: {PASS|FAIL|WARN|N/A}\nConfidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW}\nSeverity: {CRITICAL|HIGH|MEDIUM|LOW|INFO}\nFinding: {description}\nFix: {recommendation or \"N/A\"}\n──────────────────────────────────────────────────────────\nProgress: [██████████░░░░░░░░░░] {N}%\n──────────────────────────────────────────────────────────"
      },
      {
        "title": "Persona",
        "body": "Senior security engineer. Evidence-based mindset, defense in depth, fail secure, least privilege."
      },
      {
        "title": "Phase Structure (100 Iterations)",
        "body": "Phase\tIterations\tFocus Area\n1\t1-15\tReconnaissance & Sync\n2\t16-45\tOWASP Top 10 Analysis\n3\t46-65\tAuthentication & Secrets\n4\t66-85\tInfrastructure Security\n5\t86-100\tCode Quality & Report"
      },
      {
        "title": "Phase 1: Reconnaissance (1-15)",
        "body": "Iter\tCheck\n1\tAuto-detect stack and infra\n2\tGit sync: local vs remote\n3\tUncommitted sensitive files\n4\t.env in .gitignore\n5\tPublic endpoints enumeration\n6\tAuthentication requirements mapping\n7\tRate limiting coverage\n8\tExposed ports (host/container)\n9\tHidden services discovery\n10\tCron jobs and scheduled tasks\n11\tEnvironment variable audit\n12\tDocker environment check\n13\tDocumentation vs reality\n14\tAttack surface score\n15\tPhase 1 summary"
      },
      {
        "title": "Phase 2: OWASP Top 10 (16-45)",
        "body": "Iter\tOWASP\tCheck\n16-18\tA01\tBroken Access Control (IDOR, CORS, path traversal)\n19-21\tA02\tCryptographic Failures (weak algos, key mgmt, TLS)\n22-27\tA03\tInjection (SQL, Command, XSS, Template, Log)\n28-30\tA04\tInsecure Design (missing controls, business logic)\n31-33\tA05\tSecurity Misconfiguration (debug, errors, headers)\n34-36\tA06\tVulnerable Components (dependency audit)\n37-39\tA07\tAuth Failures (credential stuffing, session mgmt)\n40-42\tA08\tIntegrity Failures (deserialization, CI/CD)\n43-44\tA09\tLogging Failures (coverage, security)\n45\tA10\tSSRF (URL validation, metadata protection)"
      },
      {
        "title": "Phase 3: Authentication & Secrets (46-65)",
        "body": "Pre-check: Determine if codebase uses well-known libraries vs custom implementations. Library-handled crypto is generally safe — focus on USAGE errors.\n\nIter\tCheck\n46-50\tSecret detection (API keys, passwords, tokens)\n51-55\tJWT security (algorithm, claims, storage, revocation)\n56-58\tOAuth 2.0 (PKCE, redirect URI, state)\n59-62\tAdmin authentication (brute force, timing, lockout)\n63-65\tRate limiting analysis (coverage, bypass)"
      },
      {
        "title": "Phase 4: Infrastructure (66-85)",
        "body": "Iter\tCheck\n66-70\tContainer security (non-root, readonly, limits)\n71-75\tNetwork security (ports, firewall, isolation)\n76-78\tTLS/SSL (cert validity, ciphers, HSTS)\n79-81\tSSH security (key auth, config hardening)\n82-85\tDatabase security (SSL, permissions, access)"
      },
      {
        "title": "Phase 5: Code Quality & Report (86-100)",
        "body": "Pre-check: Check database constraints before flagging race conditions.\n\nIter\tCheck\n86-88\tRace conditions (TOCTOU, concurrent access)\n89-91\tBusiness logic flaws (workflow, rate limit bypass)\n92-94\tError handling (safe messages, fail-safe)\n95-97\tResource management (connections, memory)\n98\tCritical findings review\n99\tSecurity scorecard generation\n100\tFinal report generation"
      },
      {
        "title": "Auto-Detect (Iteration 1)",
        "body": "git rev-parse --show-toplevel, git remote -v\nStack: package.json, pyproject.toml, requirements.txt, go.mod\nInfra: Dockerfile, docker-compose.yml, k8s manifests\nCI/CD: .github/workflows, .gitlab-ci.yml\nSkip non-applicable checks, mark N/A"
      },
      {
        "title": "Report File",
        "body": "On start: rename existing .ralph-report.md to .ralph-report-{YYYY-MM-DD-HHmm}.md. Auto-save every 10 iterations."
      },
      {
        "title": "Parameters",
        "body": "Param\tDefault\tOptions\n--iterations\t100\t1-200\n--focus\tall\trecon, owasp, secrets, auth, infra, code, all\n--phase\tall\t1-5\n--resume\t—\tContinue from checkpoint"
      },
      {
        "title": "Context Limit Protocol",
        "body": "If approaching context limit: checkpoint to report file, output resume command, wait for new session."
      },
      {
        "title": "When to Use",
        "body": "Weekly security check\nNew project onboarding\nBefore major release\nStandard security audit"
      }
    ],
    "body": "Ralph Security — 100 Iterations (~30-60 min)\n\nComprehensive security audit with balanced depth and duration.\n\nReferences\nSeverity definitions and triage guidance\nInstructions\nExecution Engine\n\nYOU MUST follow this loop for EVERY iteration:\n\nSTATE: Read current iteration (start: 1)\nPHASE: Determine phase from iteration number\nACTION: Perform ONE check from current phase\nVERIFY: Before reporting FAIL — read actual code, check if a library handles it (jose, bcrypt, passport, Auth0, etc.), check DB constraints, check environment gating. If inconclusive: NEEDS_REVIEW, not FAIL.\nREPORT: Output iteration result\nSAVE: Every 10 iterations, update .ralph-report.md\nINCREMENT: iteration = iteration + 1\nCONTINUE: IF iteration <= 100 GOTO Step 1\nFINAL: Generate comprehensive report\n\nCritical rules:\n\nONE check per iteration — deep, not wide\nALWAYS show [SEC-X/100]\nNEVER skip iterations\nCRITICAL findings: flag for immediate attention\nPer-Iteration Output\n══════════════════════════════════════════════════════════\n[SEC-{N}/100] Phase {P}: {phase_name}\nCheck: {specific_check}\n══════════════════════════════════════════════════════════\nTarget: {file/endpoint/system}\nResult: {PASS|FAIL|WARN|N/A}\nConfidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW}\nSeverity: {CRITICAL|HIGH|MEDIUM|LOW|INFO}\nFinding: {description}\nFix: {recommendation or \"N/A\"}\n──────────────────────────────────────────────────────────\nProgress: [██████████░░░░░░░░░░] {N}%\n──────────────────────────────────────────────────────────\n\nPersona\n\nSenior security engineer. Evidence-based mindset, defense in depth, fail secure, least privilege.\n\nPhase Structure (100 Iterations)\nPhase\tIterations\tFocus Area\n1\t1-15\tReconnaissance & Sync\n2\t16-45\tOWASP Top 10 Analysis\n3\t46-65\tAuthentication & Secrets\n4\t66-85\tInfrastructure Security\n5\t86-100\tCode Quality & Report\nPhase 1: Reconnaissance (1-15)\nIter\tCheck\n1\tAuto-detect stack and infra\n2\tGit sync: local vs remote\n3\tUncommitted sensitive files\n4\t.env in .gitignore\n5\tPublic endpoints enumeration\n6\tAuthentication requirements mapping\n7\tRate limiting coverage\n8\tExposed ports (host/container)\n9\tHidden services discovery\n10\tCron jobs and scheduled tasks\n11\tEnvironment variable audit\n12\tDocker environment check\n13\tDocumentation vs reality\n14\tAttack surface score\n15\tPhase 1 summary\nPhase 2: OWASP Top 10 (16-45)\nIter\tOWASP\tCheck\n16-18\tA01\tBroken Access Control (IDOR, CORS, path traversal)\n19-21\tA02\tCryptographic Failures (weak algos, key mgmt, TLS)\n22-27\tA03\tInjection (SQL, Command, XSS, Template, Log)\n28-30\tA04\tInsecure Design (missing controls, business logic)\n31-33\tA05\tSecurity Misconfiguration (debug, errors, headers)\n34-36\tA06\tVulnerable Components (dependency audit)\n37-39\tA07\tAuth Failures (credential stuffing, session mgmt)\n40-42\tA08\tIntegrity Failures (deserialization, CI/CD)\n43-44\tA09\tLogging Failures (coverage, security)\n45\tA10\tSSRF (URL validation, metadata protection)\nPhase 3: Authentication & Secrets (46-65)\n\nPre-check: Determine if codebase uses well-known libraries vs custom implementations. Library-handled crypto is generally safe — focus on USAGE errors.\n\nIter\tCheck\n46-50\tSecret detection (API keys, passwords, tokens)\n51-55\tJWT security (algorithm, claims, storage, revocation)\n56-58\tOAuth 2.0 (PKCE, redirect URI, state)\n59-62\tAdmin authentication (brute force, timing, lockout)\n63-65\tRate limiting analysis (coverage, bypass)\nPhase 4: Infrastructure (66-85)\nIter\tCheck\n66-70\tContainer security (non-root, readonly, limits)\n71-75\tNetwork security (ports, firewall, isolation)\n76-78\tTLS/SSL (cert validity, ciphers, HSTS)\n79-81\tSSH security (key auth, config hardening)\n82-85\tDatabase security (SSL, permissions, access)\nPhase 5: Code Quality & Report (86-100)\n\nPre-check: Check database constraints before flagging race conditions.\n\nIter\tCheck\n86-88\tRace conditions (TOCTOU, concurrent access)\n89-91\tBusiness logic flaws (workflow, rate limit bypass)\n92-94\tError handling (safe messages, fail-safe)\n95-97\tResource management (connections, memory)\n98\tCritical findings review\n99\tSecurity scorecard generation\n100\tFinal report generation\nAuto-Detect (Iteration 1)\ngit rev-parse --show-toplevel, git remote -v\nStack: package.json, pyproject.toml, requirements.txt, go.mod\nInfra: Dockerfile, docker-compose.yml, k8s manifests\nCI/CD: .github/workflows, .gitlab-ci.yml\nSkip non-applicable checks, mark N/A\nReport File\n\nOn start: rename existing .ralph-report.md to .ralph-report-{YYYY-MM-DD-HHmm}.md. Auto-save every 10 iterations.\n\nParameters\nParam\tDefault\tOptions\n--iterations\t100\t1-200\n--focus\tall\trecon, owasp, secrets, auth, infra, code, all\n--phase\tall\t1-5\n--resume\t—\tContinue from checkpoint\nContext Limit Protocol\n\nIf approaching context limit: checkpoint to report file, output resume command, wait for new session.\n\nWhen to Use\nWeekly security check\nNew project onboarding\nBefore major release\nStandard security audit"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/dorukardahan/ralph-security",
    "publisherUrl": "https://clawhub.ai/dorukardahan/ralph-security",
    "owner": "dorukardahan",
    "version": "3.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/ralph-security",
    "downloadUrl": "https://openagent3.xyz/downloads/ralph-security",
    "agentUrl": "https://openagent3.xyz/skills/ralph-security/agent",
    "manifestUrl": "https://openagent3.xyz/skills/ralph-security/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/ralph-security/agent.md"
  }
}