Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub ยท Security & Compliance
SecureVibes Scanner
Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for sec...
skill openclawclawhub Free
Run AI-powered application security scans on codebases. Use when asked to scan code for security vulnerabilities, generate threat models, review code for sec...
โฌ 0 downloads โ
0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- SKILL.md, _meta.json, ops/incremental_scan.py, ops/incremental_scan.sh, scripts/scan.sh
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 0.5.3
Provenance
- Publisher
- anshumanbh
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
SecureVibes Scanner
AI-native security platform that detects vulnerabilities using Claude AI. Multi-subagent pipeline: assessment โ threat modeling โ code review โ report generation โ optional DAST. Supports incremental scanning for continuous monitoring.
Prerequisites
Install the CLI: pipx install securevibes (preferred) or uv tool install securevibes. Avoid pip install โ it can create stale shims if you have multiple Python environments. Authenticate with Anthropic (one of): Max/Pro subscription (recommended): If you're authenticated via Claude Code or Claude CLI OAuth, no API key is needed. The Claude Agent SDK picks up your OAuth session automatically. When running inside OpenClaw, leave ANTHROPIC_API_KEY unset or blank โ the SDK handles auth. API key: export ANTHROPIC_API_KEY=your-key-here (from console.anthropic.com)
Security Notes
Always use the scripts/scan.sh wrapper for full scans โ it validates paths and rejects shell metacharacters before invoking securevibes. Never interpolate unsanitized user input into shell commands. The wrapper uses realpath to resolve paths safely and rejects any path containing ;, |, &, $, backticks, or other metacharacters. Scan targets must be local directories. Clone remote repos to a known safe location first, then pass the resolved path to the wrapper. DAST scans make network requests to the --target-url you provide. Only use against apps you own or have permission to test.
Execution Model
Full scans take 10-30 minutes across 4 phases. Run them as background jobs (cron or subagent), not inline. Incremental scans take 2-10 minutes โ they only scan commits since the last run.
Running a Scan
Clone the target repo to a local directory Run the wrapper script: bash scripts/scan.sh /path/to/repo --force --debug Results appear in /path/to/repo/.securevibes/
Background Execution (Recommended)
For OpenClaw users, schedule scans as cron jobs: Use sessionTarget: "isolated" with payload.kind: "agentTurn" Set payload.timeoutSeconds: 2700 (45 minutes) to allow all phases to complete Use delivery.mode: "announce" to get notified when done The agentTurn message should instruct the subagent to: cd into the repo and git pull for latest code Clean previous .securevibes/ artifacts Run securevibes scan . --force via the wrapper script Read and summarize the results from .securevibes/scan_report.md
Incremental Scan (Continuous Monitoring)
The incremental scanner (ops/incremental_scan.py) tracks the last-scanned commit and only scans new commits. Designed for cron-driven continuous security monitoring.
How It Works
Tracks an anchor commit in .securevibes/incremental_state.json On each run: fetches remote, compares HEAD to anchor If new commits exist: runs securevibes pr-review on the diff Updates anchor to new HEAD after successful scan If no new commits: exits cleanly (no scan, no cost)
Setup
Step 1: Run an initial full scan (if not already done) The incremental scanner requires .securevibes/SECURITY.md and .securevibes/THREAT_MODEL.json to exist. These come from an initial full scan: securevibes scan <repo-path> --model sonnet Skip this step if the repo already has a .securevibes/ directory with these files. Step 2: Bootstrap incremental state Run the wrapper once to seed the anchor commit (no scan runs, just records current HEAD): python3 ops/incremental_scan.py --repo <repo-path> --remote origin --branch main This creates .securevibes/incremental_state.json with status: "bootstrap". Step 3: Configure the cron For OpenClaw users, create a cron job: openclaw cron create \ --name "securevibes-incremental" \ --cron "*/30 * * * *" \ --tz "America/Los_Angeles" \ --agent main \ --session isolated \ --timeout-seconds 900 \ --announce \ --message "Run incremental security scan: python3 <skill-path>/ops/incremental_scan.py --repo <repo-path> --remote origin --branch main --model sonnet --severity medium --scan-timeout-seconds 600. Read .securevibes/incremental_scan.log for results. If new findings, summarize them." Replace <skill-path> with the installed skill path and <repo-path> with the target repo. Step 4: Verify # Check state cat <repo-path>/.securevibes/incremental_state.json # After first scheduled run, check logs tail -10 <repo-path>/.securevibes/incremental_scan.log # Check findings cat <repo-path>/.securevibes/PR_VULNERABILITIES.json
Incremental Scanner Options
python3 ops/incremental_scan.py [options] OptionDescription--repoRepository path (default: .)--branchBranch to track (default: main)--remoteGit remote (default: origin)--modelClaude model: sonnet, haiku (default: sonnet)--severityMinimum severity: critical, high, medium, low--scan-timeout-secondsTimeout per scan command (default: 900)--git-timeout-secondsTimeout for git operations (default: 60)--rewrite-policyHistory rewrite handling: reset_warn, strict_fail, since_date--sinceOverride: scan commits since this date (ISO or YYYY-MM-DD)
Operational Guarantees
File lock at .securevibes/.incremental_scan.lock prevents overlapping runs Atomic state writes (fsync + os.replace) prevent corruption Structured logging at .securevibes/incremental_scan.log Run records saved to .securevibes/incremental_runs/ (one JSON per run)
Rewrite Policy
When last_seen_sha is not an ancestor of the new remote HEAD (e.g., force push): PolicyBehaviorreset_warnReset anchor to new HEAD, continuestrict_failFail and keep current anchorsince_dateRun a --since <today> scan for visibility, keep previous anchor
Scan
securevibes scan <path> [options] OptionDescription-f, --formatmarkdown (default), json, text, table-o, --outputCustom output path-s, --severityFilter: critical, high, medium, low-m, --modelClaude model (e.g., sonnet, haiku)--subagentRun one phase: assessment, threat-modeling, code-review, report-generator, dast--resume-fromResume from a specific phase onwards--dastEnable dynamic testing (requires --target-url)--target-urlURL for DAST (e.g., http://localhost:3000)--forceSkip prompts, overwrite existing artifacts--quietMinimal output--debugVerbose diagnostics
Report
securevibes report <path> โ Display a previously saved scan report.
Mapping Requests to Actions
User SaysAction"Scan this for security issues"Full scan: bash scripts/scan.sh <path> --force"Quick security check"Full scan: bash scripts/scan.sh <path> -m haiku --force"Threat model this project"bash scripts/scan.sh <path> --subagent threat-modeling --force"Just review the code"bash scripts/scan.sh <path> --subagent code-review --force"Show only critical/high findings"bash scripts/scan.sh <path> -s high --force"Full audit with DAST"bash scripts/scan.sh <path> --dast --target-url <url> --force"Set up continuous scanning"Incremental setup: Steps 1-4 above"Monitor this repo for security issues"Incremental setup: Steps 1-4 above"Show last scan results"securevibes report <path>
Subagent Pipeline
Runs sequentially. Each phase builds on the previous: assessment โ Architecture & attack surface โ .securevibes/SECURITY.md threat-modeling โ STRIDE-based analysis โ .securevibes/THREAT_MODEL.json code-review โ Vulnerability detection โ .securevibes/VULNERABILITIES.json report-generator โ Consolidated report โ .securevibes/scan_report.md dast (optional) โ Dynamic validation against running app
Presenting Results
After a scan completes: Read .securevibes/scan_report.md (or .securevibes/scan_results.json for structured data) Summarize: total findings by severity (Critical > High > Medium > Low) Highlight top 3 most critical with file locations and remediation Offer next steps: run DAST, fix specific issues, re-scan after changes
Links
Website: https://securevibes.ai PyPI: https://pypi.org/project/securevibes/ GitHub: https://github.com/anshumanbh/securevibes
Category context
Identity, auth, scanning, governance, audit, and operational guardrails.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
3 Scripts1 Docs1 Config
- SKILL.md
- ops/incremental_scan.py
- ops/incremental_scan.sh
- scripts/scan.sh
- _meta.json