# Send SecureVibes Scanner to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "securevibes-scanner", "name": "SecureVibes Scanner", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/anshumanbh/securevibes-scanner", "canonicalUrl": "https://clawhub.ai/anshumanbh/securevibes-scanner", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/securevibes-scanner", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=securevibes-scanner", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md", "_meta.json", "ops/incremental_scan.py", "ops/incremental_scan.sh", "scripts/scan.sh" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "securevibes-scanner", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-29T14:05:17.138Z", "expiresAt": "2026-05-06T14:05:17.138Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=securevibes-scanner", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=securevibes-scanner", "contentDisposition": "attachment; filename=\"securevibes-scanner-0.5.3.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "securevibes-scanner" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/securevibes-scanner" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/securevibes-scanner", "downloadUrl": "https://openagent3.xyz/downloads/securevibes-scanner", "agentUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent", "manifestUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent.json", "briefUrl": "https://openagent3.xyz/skills/securevibes-scanner/agent.md" } } ``` ## Documentation ### SecureVibes Scanner AI-native security platform that detects vulnerabilities using Claude AI. Multi-subagent pipeline: assessment → threat modeling → code review → report generation → optional DAST. Supports incremental scanning for continuous monitoring. ### Prerequisites Install the CLI: pipx install securevibes (preferred) or uv tool install securevibes. Avoid pip install — it can create stale shims if you have multiple Python environments. Authenticate with Anthropic (one of): Max/Pro subscription (recommended): If you're authenticated via Claude Code or Claude CLI OAuth, no API key is needed. The Claude Agent SDK picks up your OAuth session automatically. When running inside OpenClaw, leave ANTHROPIC_API_KEY unset or blank — the SDK handles auth. API key: export ANTHROPIC_API_KEY=your-key-here (from console.anthropic.com) ### Security Notes Always use the scripts/scan.sh wrapper for full scans — it validates paths and rejects shell metacharacters before invoking securevibes. Never interpolate unsanitized user input into shell commands. The wrapper uses realpath to resolve paths safely and rejects any path containing ;, |, &, $, backticks, or other metacharacters. Scan targets must be local directories. Clone remote repos to a known safe location first, then pass the resolved path to the wrapper. DAST scans make network requests to the --target-url you provide. Only use against apps you own or have permission to test. ### Execution Model Full scans take 10-30 minutes across 4 phases. Run them as background jobs (cron or subagent), not inline. Incremental scans take 2-10 minutes — they only scan commits since the last run. ### Running a Scan Clone the target repo to a local directory Run the wrapper script: bash scripts/scan.sh /path/to/repo --force --debug Results appear in /path/to/repo/.securevibes/ ### Background Execution (Recommended) For OpenClaw users, schedule scans as cron jobs: Use sessionTarget: "isolated" with payload.kind: "agentTurn" Set payload.timeoutSeconds: 2700 (45 minutes) to allow all phases to complete Use delivery.mode: "announce" to get notified when done The agentTurn message should instruct the subagent to: cd into the repo and git pull for latest code Clean previous .securevibes/ artifacts Run securevibes scan . --force via the wrapper script Read and summarize the results from .securevibes/scan_report.md ### Incremental Scan (Continuous Monitoring) The incremental scanner (ops/incremental_scan.py) tracks the last-scanned commit and only scans new commits. Designed for cron-driven continuous security monitoring. ### How It Works Tracks an anchor commit in .securevibes/incremental_state.json On each run: fetches remote, compares HEAD to anchor If new commits exist: runs securevibes pr-review on the diff Updates anchor to new HEAD after successful scan If no new commits: exits cleanly (no scan, no cost) ### Setup Step 1: Run an initial full scan (if not already done) The incremental scanner requires .securevibes/SECURITY.md and .securevibes/THREAT_MODEL.json to exist. These come from an initial full scan: securevibes scan --model sonnet Skip this step if the repo already has a .securevibes/ directory with these files. Step 2: Bootstrap incremental state Run the wrapper once to seed the anchor commit (no scan runs, just records current HEAD): python3 ops/incremental_scan.py --repo --remote origin --branch main This creates .securevibes/incremental_state.json with status: "bootstrap". Step 3: Configure the cron For OpenClaw users, create a cron job: openclaw cron create \\ --name "securevibes-incremental" \\ --cron "*/30 * * * *" \\ --tz "America/Los_Angeles" \\ --agent main \\ --session isolated \\ --timeout-seconds 900 \\ --announce \\ --message "Run incremental security scan: python3 /ops/incremental_scan.py --repo --remote origin --branch main --model sonnet --severity medium --scan-timeout-seconds 600. Read .securevibes/incremental_scan.log for results. If new findings, summarize them." Replace with the installed skill path and with the target repo. Step 4: Verify # Check state cat /.securevibes/incremental_state.json # After first scheduled run, check logs tail -10 /.securevibes/incremental_scan.log # Check findings cat /.securevibes/PR_VULNERABILITIES.json ### Incremental Scanner Options python3 ops/incremental_scan.py [options] OptionDescription--repoRepository path (default: .)--branchBranch to track (default: main)--remoteGit remote (default: origin)--modelClaude model: sonnet, haiku (default: sonnet)--severityMinimum severity: critical, high, medium, low--scan-timeout-secondsTimeout per scan command (default: 900)--git-timeout-secondsTimeout for git operations (default: 60)--rewrite-policyHistory rewrite handling: reset_warn, strict_fail, since_date--sinceOverride: scan commits since this date (ISO or YYYY-MM-DD) ### Operational Guarantees File lock at .securevibes/.incremental_scan.lock prevents overlapping runs Atomic state writes (fsync + os.replace) prevent corruption Structured logging at .securevibes/incremental_scan.log Run records saved to .securevibes/incremental_runs/ (one JSON per run) ### Rewrite Policy When last_seen_sha is not an ancestor of the new remote HEAD (e.g., force push): PolicyBehaviorreset_warnReset anchor to new HEAD, continuestrict_failFail and keep current anchorsince_dateRun a --since scan for visibility, keep previous anchor ### Scan securevibes scan [options] OptionDescription-f, --formatmarkdown (default), json, text, table-o, --outputCustom output path-s, --severityFilter: critical, high, medium, low-m, --modelClaude model (e.g., sonnet, haiku)--subagentRun one phase: assessment, threat-modeling, code-review, report-generator, dast--resume-fromResume from a specific phase onwards--dastEnable dynamic testing (requires --target-url)--target-urlURL for DAST (e.g., http://localhost:3000)--forceSkip prompts, overwrite existing artifacts--quietMinimal output--debugVerbose diagnostics ### Report securevibes report — Display a previously saved scan report. ### Mapping Requests to Actions User SaysAction"Scan this for security issues"Full scan: bash scripts/scan.sh --force"Quick security check"Full scan: bash scripts/scan.sh -m haiku --force"Threat model this project"bash scripts/scan.sh --subagent threat-modeling --force"Just review the code"bash scripts/scan.sh --subagent code-review --force"Show only critical/high findings"bash scripts/scan.sh -s high --force"Full audit with DAST"bash scripts/scan.sh --dast --target-url --force"Set up continuous scanning"Incremental setup: Steps 1-4 above"Monitor this repo for security issues"Incremental setup: Steps 1-4 above"Show last scan results"securevibes report ### Subagent Pipeline Runs sequentially. Each phase builds on the previous: assessment → Architecture & attack surface → .securevibes/SECURITY.md threat-modeling → STRIDE-based analysis → .securevibes/THREAT_MODEL.json code-review → Vulnerability detection → .securevibes/VULNERABILITIES.json report-generator → Consolidated report → .securevibes/scan_report.md dast (optional) → Dynamic validation against running app ### Presenting Results After a scan completes: Read .securevibes/scan_report.md (or .securevibes/scan_results.json for structured data) Summarize: total findings by severity (Critical > High > Medium > Low) Highlight top 3 most critical with file locations and remediation Offer next steps: run DAST, fix specific issues, re-scan after changes ### Links Website: https://securevibes.ai PyPI: https://pypi.org/project/securevibes/ GitHub: https://github.com/anshumanbh/securevibes ## Trust - Source: tencent - Verification: Indexed source record - Publisher: anshumanbh - Version: 0.5.3 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-04-29T14:05:17.138Z - Expires at: 2026-05-06T14:05:17.138Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/securevibes-scanner) - [Send to Agent page](https://openagent3.xyz/skills/securevibes-scanner/agent) - [JSON manifest](https://openagent3.xyz/skills/securevibes-scanner/agent.json) - [Markdown brief](https://openagent3.xyz/skills/securevibes-scanner/agent.md) - [Download page](https://openagent3.xyz/downloads/securevibes-scanner)