{
  "schemaVersion": "1.0",
  "item": {
    "slug": "securevibes-scanner",
    "name": "SecureVibes Scanner",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/anshumanbh/securevibes-scanner",
    "canonicalUrl": "https://clawhub.ai/anshumanbh/securevibes-scanner",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/securevibes-scanner",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=securevibes-scanner",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "_meta.json",
      "ops/incremental_scan.py",
      "ops/incremental_scan.sh",
      "scripts/scan.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/securevibes-scanner"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/securevibes-scanner",
    "agentPageUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent",
    "manifestUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "SecureVibes Scanner",
        "body": "AI-native security platform that detects vulnerabilities using Claude AI. Multi-subagent pipeline: assessment → threat modeling → code review → report generation → optional DAST. Supports incremental scanning for continuous monitoring."
      },
      {
        "title": "Prerequisites",
        "body": "Install the CLI: pipx install securevibes (preferred) or uv tool install securevibes. Avoid pip install — it can create stale shims if you have multiple Python environments.\nAuthenticate with Anthropic (one of):\n\nMax/Pro subscription (recommended): If you're authenticated via Claude Code or Claude CLI OAuth, no API key is needed. The Claude Agent SDK picks up your OAuth session automatically. When running inside OpenClaw, leave ANTHROPIC_API_KEY unset or blank — the SDK handles auth.\nAPI key: export ANTHROPIC_API_KEY=your-key-here (from console.anthropic.com)"
      },
      {
        "title": "Security Notes",
        "body": "Always use the scripts/scan.sh wrapper for full scans — it validates paths and rejects shell metacharacters before invoking securevibes.\nNever interpolate unsanitized user input into shell commands.\nThe wrapper uses realpath to resolve paths safely and rejects any path containing ;, |, &, $, backticks, or other metacharacters.\nScan targets must be local directories. Clone remote repos to a known safe location first, then pass the resolved path to the wrapper.\nDAST scans make network requests to the --target-url you provide. Only use against apps you own or have permission to test."
      },
      {
        "title": "Execution Model",
        "body": "Full scans take 10-30 minutes across 4 phases. Run them as background jobs (cron or subagent), not inline.\n\nIncremental scans take 2-10 minutes — they only scan commits since the last run."
      },
      {
        "title": "Running a Scan",
        "body": "Clone the target repo to a local directory\nRun the wrapper script: bash scripts/scan.sh /path/to/repo --force --debug\nResults appear in /path/to/repo/.securevibes/"
      },
      {
        "title": "Background Execution (Recommended)",
        "body": "For OpenClaw users, schedule scans as cron jobs:\n\nUse sessionTarget: \"isolated\" with payload.kind: \"agentTurn\"\nSet payload.timeoutSeconds: 2700 (45 minutes) to allow all phases to complete\nUse delivery.mode: \"announce\" to get notified when done\n\nThe agentTurn message should instruct the subagent to:\n\ncd into the repo and git pull for latest code\nClean previous .securevibes/ artifacts\nRun securevibes scan . --force via the wrapper script\nRead and summarize the results from .securevibes/scan_report.md"
      },
      {
        "title": "Incremental Scan (Continuous Monitoring)",
        "body": "The incremental scanner (ops/incremental_scan.py) tracks the last-scanned commit and only scans new commits. Designed for cron-driven continuous security monitoring."
      },
      {
        "title": "How It Works",
        "body": "Tracks an anchor commit in .securevibes/incremental_state.json\nOn each run: fetches remote, compares HEAD to anchor\nIf new commits exist: runs securevibes pr-review on the diff\nUpdates anchor to new HEAD after successful scan\nIf no new commits: exits cleanly (no scan, no cost)"
      },
      {
        "title": "Setup",
        "body": "Step 1: Run an initial full scan (if not already done)\n\nThe incremental scanner requires .securevibes/SECURITY.md and .securevibes/THREAT_MODEL.json to exist. These come from an initial full scan:\n\nsecurevibes scan <repo-path> --model sonnet\n\nSkip this step if the repo already has a .securevibes/ directory with these files.\n\nStep 2: Bootstrap incremental state\n\nRun the wrapper once to seed the anchor commit (no scan runs, just records current HEAD):\n\npython3 ops/incremental_scan.py --repo <repo-path> --remote origin --branch main\n\nThis creates .securevibes/incremental_state.json with status: \"bootstrap\".\n\nStep 3: Configure the cron\n\nFor OpenClaw users, create a cron job:\n\nopenclaw cron create \\\n  --name \"securevibes-incremental\" \\\n  --cron \"*/30 * * * *\" \\\n  --tz \"America/Los_Angeles\" \\\n  --agent main \\\n  --session isolated \\\n  --timeout-seconds 900 \\\n  --announce \\\n  --message \"Run incremental security scan: python3 <skill-path>/ops/incremental_scan.py --repo <repo-path> --remote origin --branch main --model sonnet --severity medium --scan-timeout-seconds 600. Read .securevibes/incremental_scan.log for results. If new findings, summarize them.\"\n\nReplace <skill-path> with the installed skill path and <repo-path> with the target repo.\n\nStep 4: Verify\n\n# Check state\ncat <repo-path>/.securevibes/incremental_state.json\n\n# After first scheduled run, check logs\ntail -10 <repo-path>/.securevibes/incremental_scan.log\n\n# Check findings\ncat <repo-path>/.securevibes/PR_VULNERABILITIES.json"
      },
      {
        "title": "Incremental Scanner Options",
        "body": "python3 ops/incremental_scan.py [options]\n\nOption\tDescription\n--repo\tRepository path (default: .)\n--branch\tBranch to track (default: main)\n--remote\tGit remote (default: origin)\n--model\tClaude model: sonnet, haiku (default: sonnet)\n--severity\tMinimum severity: critical, high, medium, low\n--scan-timeout-seconds\tTimeout per scan command (default: 900)\n--git-timeout-seconds\tTimeout for git operations (default: 60)\n--rewrite-policy\tHistory rewrite handling: reset_warn, strict_fail, since_date\n--since\tOverride: scan commits since this date (ISO or YYYY-MM-DD)"
      },
      {
        "title": "Operational Guarantees",
        "body": "File lock at .securevibes/.incremental_scan.lock prevents overlapping runs\nAtomic state writes (fsync + os.replace) prevent corruption\nStructured logging at .securevibes/incremental_scan.log\nRun records saved to .securevibes/incremental_runs/ (one JSON per run)"
      },
      {
        "title": "Rewrite Policy",
        "body": "When last_seen_sha is not an ancestor of the new remote HEAD (e.g., force push):\n\nPolicy\tBehavior\nreset_warn\tReset anchor to new HEAD, continue\nstrict_fail\tFail and keep current anchor\nsince_date\tRun a --since <today> scan for visibility, keep previous anchor"
      },
      {
        "title": "Scan",
        "body": "securevibes scan <path> [options]\n\nOption\tDescription\n-f, --format\tmarkdown (default), json, text, table\n-o, --output\tCustom output path\n-s, --severity\tFilter: critical, high, medium, low\n-m, --model\tClaude model (e.g., sonnet, haiku)\n--subagent\tRun one phase: assessment, threat-modeling, code-review, report-generator, dast\n--resume-from\tResume from a specific phase onwards\n--dast\tEnable dynamic testing (requires --target-url)\n--target-url\tURL for DAST (e.g., http://localhost:3000)\n--force\tSkip prompts, overwrite existing artifacts\n--quiet\tMinimal output\n--debug\tVerbose diagnostics"
      },
      {
        "title": "Report",
        "body": "securevibes report <path> — Display a previously saved scan report."
      },
      {
        "title": "Mapping Requests to Actions",
        "body": "User Says\tAction\n\"Scan this for security issues\"\tFull scan: bash scripts/scan.sh <path> --force\n\"Quick security check\"\tFull scan: bash scripts/scan.sh <path> -m haiku --force\n\"Threat model this project\"\tbash scripts/scan.sh <path> --subagent threat-modeling --force\n\"Just review the code\"\tbash scripts/scan.sh <path> --subagent code-review --force\n\"Show only critical/high findings\"\tbash scripts/scan.sh <path> -s high --force\n\"Full audit with DAST\"\tbash scripts/scan.sh <path> --dast --target-url <url> --force\n\"Set up continuous scanning\"\tIncremental setup: Steps 1-4 above\n\"Monitor this repo for security issues\"\tIncremental setup: Steps 1-4 above\n\"Show last scan results\"\tsecurevibes report <path>"
      },
      {
        "title": "Subagent Pipeline",
        "body": "Runs sequentially. Each phase builds on the previous:\n\nassessment → Architecture & attack surface → .securevibes/SECURITY.md\nthreat-modeling → STRIDE-based analysis → .securevibes/THREAT_MODEL.json\ncode-review → Vulnerability detection → .securevibes/VULNERABILITIES.json\nreport-generator → Consolidated report → .securevibes/scan_report.md\ndast (optional) → Dynamic validation against running app"
      },
      {
        "title": "Presenting Results",
        "body": "After a scan completes:\n\nRead .securevibes/scan_report.md (or .securevibes/scan_results.json for structured data)\nSummarize: total findings by severity (Critical > High > Medium > Low)\nHighlight top 3 most critical with file locations and remediation\nOffer next steps: run DAST, fix specific issues, re-scan after changes"
      },
      {
        "title": "Links",
        "body": "Website: https://securevibes.ai\nPyPI: https://pypi.org/project/securevibes/\nGitHub: https://github.com/anshumanbh/securevibes"
      }
    ],
    "body": "SecureVibes Scanner\n\nAI-native security platform that detects vulnerabilities using Claude AI. Multi-subagent pipeline: assessment → threat modeling → code review → report generation → optional DAST. Supports incremental scanning for continuous monitoring.\n\nPrerequisites\nInstall the CLI: pipx install securevibes (preferred) or uv tool install securevibes. Avoid pip install — it can create stale shims if you have multiple Python environments.\nAuthenticate with Anthropic (one of):\nMax/Pro subscription (recommended): If you're authenticated via Claude Code or Claude CLI OAuth, no API key is needed. The Claude Agent SDK picks up your OAuth session automatically. When running inside OpenClaw, leave ANTHROPIC_API_KEY unset or blank — the SDK handles auth.\nAPI key: export ANTHROPIC_API_KEY=your-key-here (from console.anthropic.com)\nSecurity Notes\nAlways use the scripts/scan.sh wrapper for full scans — it validates paths and rejects shell metacharacters before invoking securevibes.\nNever interpolate unsanitized user input into shell commands.\nThe wrapper uses realpath to resolve paths safely and rejects any path containing ;, |, &, $, backticks, or other metacharacters.\nScan targets must be local directories. Clone remote repos to a known safe location first, then pass the resolved path to the wrapper.\nDAST scans make network requests to the --target-url you provide. Only use against apps you own or have permission to test.\nExecution Model\n\nFull scans take 10-30 minutes across 4 phases. Run them as background jobs (cron or subagent), not inline.\n\nIncremental scans take 2-10 minutes — they only scan commits since the last run.\n\nFull Scan (One-Shot)\nRunning a Scan\nClone the target repo to a local directory\nRun the wrapper script: bash scripts/scan.sh /path/to/repo --force --debug\nResults appear in /path/to/repo/.securevibes/\nBackground Execution (Recommended)\n\nFor OpenClaw users, schedule scans as cron jobs:\n\nUse sessionTarget: \"isolated\" with payload.kind: \"agentTurn\"\nSet payload.timeoutSeconds: 2700 (45 minutes) to allow all phases to complete\nUse delivery.mode: \"announce\" to get notified when done\n\nThe agentTurn message should instruct the subagent to:\n\ncd into the repo and git pull for latest code\nClean previous .securevibes/ artifacts\nRun securevibes scan . --force via the wrapper script\nRead and summarize the results from .securevibes/scan_report.md\nIncremental Scan (Continuous Monitoring)\n\nThe incremental scanner (ops/incremental_scan.py) tracks the last-scanned commit and only scans new commits. Designed for cron-driven continuous security monitoring.\n\nHow It Works\nTracks an anchor commit in .securevibes/incremental_state.json\nOn each run: fetches remote, compares HEAD to anchor\nIf new commits exist: runs securevibes pr-review on the diff\nUpdates anchor to new HEAD after successful scan\nIf no new commits: exits cleanly (no scan, no cost)\nSetup\nStep 1: Run an initial full scan (if not already done)\n\nThe incremental scanner requires .securevibes/SECURITY.md and .securevibes/THREAT_MODEL.json to exist. These come from an initial full scan:\n\nsecurevibes scan <repo-path> --model sonnet\n\nSkip this step if the repo already has a .securevibes/ directory with these files.\n\nStep 2: Bootstrap incremental state\n\nRun the wrapper once to seed the anchor commit (no scan runs, just records current HEAD):\n\npython3 ops/incremental_scan.py --repo <repo-path> --remote origin --branch main\n\nThis creates .securevibes/incremental_state.json with status: \"bootstrap\".\n\nStep 3: Configure the cron\n\nFor OpenClaw users, create a cron job:\n\nopenclaw cron create \\\n  --name \"securevibes-incremental\" \\\n  --cron \"*/30 * * * *\" \\\n  --tz \"America/Los_Angeles\" \\\n  --agent main \\\n  --session isolated \\\n  --timeout-seconds 900 \\\n  --announce \\\n  --message \"Run incremental security scan: python3 <skill-path>/ops/incremental_scan.py --repo <repo-path> --remote origin --branch main --model sonnet --severity medium --scan-timeout-seconds 600. Read .securevibes/incremental_scan.log for results. If new findings, summarize them.\"\n\nReplace <skill-path> with the installed skill path and <repo-path> with the target repo.\n\nStep 4: Verify\n# Check state\ncat <repo-path>/.securevibes/incremental_state.json\n\n# After first scheduled run, check logs\ntail -10 <repo-path>/.securevibes/incremental_scan.log\n\n# Check findings\ncat <repo-path>/.securevibes/PR_VULNERABILITIES.json\n\nIncremental Scanner Options\npython3 ops/incremental_scan.py [options]\n\nOption\tDescription\n--repo\tRepository path (default: .)\n--branch\tBranch to track (default: main)\n--remote\tGit remote (default: origin)\n--model\tClaude model: sonnet, haiku (default: sonnet)\n--severity\tMinimum severity: critical, high, medium, low\n--scan-timeout-seconds\tTimeout per scan command (default: 900)\n--git-timeout-seconds\tTimeout for git operations (default: 60)\n--rewrite-policy\tHistory rewrite handling: reset_warn, strict_fail, since_date\n--since\tOverride: scan commits since this date (ISO or YYYY-MM-DD)\nOperational Guarantees\nFile lock at .securevibes/.incremental_scan.lock prevents overlapping runs\nAtomic state writes (fsync + os.replace) prevent corruption\nStructured logging at .securevibes/incremental_scan.log\nRun records saved to .securevibes/incremental_runs/ (one JSON per run)\nRewrite Policy\n\nWhen last_seen_sha is not an ancestor of the new remote HEAD (e.g., force push):\n\nPolicy\tBehavior\nreset_warn\tReset anchor to new HEAD, continue\nstrict_fail\tFail and keep current anchor\nsince_date\tRun a --since <today> scan for visibility, keep previous anchor\nFull Scan Commands Reference\nScan\n\nsecurevibes scan <path> [options]\n\nOption\tDescription\n-f, --format\tmarkdown (default), json, text, table\n-o, --output\tCustom output path\n-s, --severity\tFilter: critical, high, medium, low\n-m, --model\tClaude model (e.g., sonnet, haiku)\n--subagent\tRun one phase: assessment, threat-modeling, code-review, report-generator, dast\n--resume-from\tResume from a specific phase onwards\n--dast\tEnable dynamic testing (requires --target-url)\n--target-url\tURL for DAST (e.g., http://localhost:3000)\n--force\tSkip prompts, overwrite existing artifacts\n--quiet\tMinimal output\n--debug\tVerbose diagnostics\nReport\n\nsecurevibes report <path> — Display a previously saved scan report.\n\nMapping Requests to Actions\nUser Says\tAction\n\"Scan this for security issues\"\tFull scan: bash scripts/scan.sh <path> --force\n\"Quick security check\"\tFull scan: bash scripts/scan.sh <path> -m haiku --force\n\"Threat model this project\"\tbash scripts/scan.sh <path> --subagent threat-modeling --force\n\"Just review the code\"\tbash scripts/scan.sh <path> --subagent code-review --force\n\"Show only critical/high findings\"\tbash scripts/scan.sh <path> -s high --force\n\"Full audit with DAST\"\tbash scripts/scan.sh <path> --dast --target-url <url> --force\n\"Set up continuous scanning\"\tIncremental setup: Steps 1-4 above\n\"Monitor this repo for security issues\"\tIncremental setup: Steps 1-4 above\n\"Show last scan results\"\tsecurevibes report <path>\nSubagent Pipeline\n\nRuns sequentially. Each phase builds on the previous:\n\nassessment → Architecture & attack surface → .securevibes/SECURITY.md\nthreat-modeling → STRIDE-based analysis → .securevibes/THREAT_MODEL.json\ncode-review → Vulnerability detection → .securevibes/VULNERABILITIES.json\nreport-generator → Consolidated report → .securevibes/scan_report.md\ndast (optional) → Dynamic validation against running app\nPresenting Results\n\nAfter a scan completes:\n\nRead .securevibes/scan_report.md (or .securevibes/scan_results.json for structured data)\nSummarize: total findings by severity (Critical > High > Medium > Low)\nHighlight top 3 most critical with file locations and remediation\nOffer next steps: run DAST, fix specific issues, re-scan after changes\nLinks\nWebsite: https://securevibes.ai\nPyPI: https://pypi.org/project/securevibes/\nGitHub: https://github.com/anshumanbh/securevibes"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/anshumanbh/securevibes-scanner",
    "publisherUrl": "https://clawhub.ai/anshumanbh/securevibes-scanner",
    "owner": "anshumanbh",
    "version": "0.5.3",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/securevibes-scanner",
    "downloadUrl": "https://openagent3.xyz/downloads/securevibes-scanner",
    "agentUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent",
    "manifestUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent.md"
  }
}