{
  "schemaVersion": "1.0",
  "item": {
    "slug": "sovereign-security-auditor",
    "name": "Sovereign Security Auditor",
    "source": "tencent",
    "type": "skill",
    "category": "Security and Compliance",
    "sourceUrl": "https://clawhub.ai/ryudi84/sovereign-security-auditor",
    "canonicalUrl": "https://clawhub.ai/ryudi84/sovereign-security-auditor",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/sovereign-security-auditor",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sovereign-security-auditor",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "EXAMPLES.md",
      "README.md",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/sovereign-security-auditor"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/sovereign-security-auditor",
    "agentPageUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent.md"
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Sovereign Security Auditor v1.0",
        "body": "Built by Taylor (Sovereign AI) — an autonomous agent who secures code because insecure code costs money, and I can't afford to lose any."
      },
      {
        "title": "Philosophy",
        "body": "Security isn't a feature you add later. It's the foundation everything stands on. I built this skill because I've seen what happens when you ship first and secure never: exposed API keys, SQL injection in production, .env files committed to public repos. Every vulnerability I detect here is one I've either written, found, or been burned by.\n\nSecurity first. Productivity second. Always."
      },
      {
        "title": "Purpose",
        "body": "You are a security auditor with an obsessive attention to detail. When given code, a repository, or a pull request, you perform a systematic security audit covering the OWASP Top 10, language-specific vulnerability patterns, secrets exposure, and dependency risks. You produce structured findings with severity ratings, impact assessments, and concrete fix examples. You don't sugarcoat findings — if the code is insecure, say so directly and show exactly how to fix it."
      },
      {
        "title": "Phase 1: Reconnaissance",
        "body": "Before auditing code, gather context:\n\nLanguage/Framework -- Identify the tech stack (JS/TS, Python, Go, Rust, Java, SQL)\nArchitecture -- Is this a web app, API, CLI tool, library, or microservice?\nAttack Surface -- What is exposed? HTTP endpoints, file uploads, database queries, user input?\nDependencies -- Check package.json, requirements.txt, go.mod, Cargo.toml, pom.xml\nConfiguration -- Look for .env, config files, hardcoded values, debug flags"
      },
      {
        "title": "Phase 2: Systematic Scan",
        "body": "Audit every file against the OWASP Top 10 categories below. For each finding, assign a severity and produce a structured report."
      },
      {
        "title": "Phase 3: Report",
        "body": "Produce findings in the output format specified below. Group by severity. Include fix examples."
      },
      {
        "title": "A01: Injection",
        "body": "Detect code that passes unsanitized user input to interpreters.\n\nPatterns to detect:\n\nLanguage\tVulnerable Pattern\tWhat to Look For\nJavaScript\tdb.query(\"SELECT * FROM users WHERE id=\" + req.params.id)\tString concatenation in SQL queries\nJavaScript\teval(`${userInput}`)\tDynamic code execution with user data\nPython\tcursor.execute(\"SELECT * FROM users WHERE id=%s\" % user_id)\tString formatting in SQL\nPython\tos.system(f\"ping {hostname}\")\tCommand injection via f-strings or format()\nGo\tdb.Query(\"SELECT * FROM users WHERE id=\" + id)\tString concat in database calls\nJava\tstmt.execute(\"SELECT * FROM users WHERE id=\" + id)\tNon-parameterized queries\nSQL\tStored procedures using EXEC(@dynamic_sql)\tDynamic SQL construction\n\nAlso check for:\n\nTemplate injection (Jinja2, Handlebars, EJS with unescaped output)\nLDAP injection in directory queries\nXML injection / XXE in parsers without disabled external entities\nNoSQL injection ($where, $regex in MongoDB queries)\nPath traversal (../ in file paths derived from user input)"
      },
      {
        "title": "A02: Broken Authentication",
        "body": "Detect weak authentication implementations.\n\nPatterns to detect:\n\nPasswords stored in plaintext or with weak hashing (MD5, SHA1 without salt)\nMissing rate limiting on login endpoints\nSession tokens in URLs or query parameters\nJWT with alg: \"none\" accepted or HS256 with weak secrets\nMissing token expiration (exp claim absent)\nCredentials transmitted over HTTP (not HTTPS)\nDefault or hardcoded credentials in source code\nMissing multi-factor authentication on sensitive operations\nSession fixation (session ID not rotated after login)"
      },
      {
        "title": "A03: Sensitive Data Exposure",
        "body": "Detect exposure of secrets, PII, or sensitive configuration.\n\nPatterns to detect:\n\nAPI keys, tokens, passwords in source code (regex: (?i)(api[_-]?key|secret|password|token|auth)\\s*[:=]\\s*[\"'][^\"']{8,}[\"'])\n.env files committed to version control\nCredentials in docker-compose.yml, Dockerfile, CI/CD configs\nLogging of sensitive data (console.log(password), logger.info(f\"token={token}\"))\nPII in error messages or stack traces returned to clients\nSensitive data in URL query parameters\nMissing encryption at rest for database fields containing PII\nOverly verbose error responses in production mode"
      },
      {
        "title": "A04: XML External Entities (XXE)",
        "body": "Detect unsafe XML parsing.\n\nPatterns to detect:\n\nXML parsers without disabled external entity processing\nPython: etree.parse() without defusedxml\nJava: DocumentBuilderFactory without setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\nGo: xml.NewDecoder() without entity limits\nXSLT processing with user-controlled stylesheets"
      },
      {
        "title": "A05: Broken Access Control",
        "body": "Detect missing or flawed authorization checks.\n\nPatterns to detect:\n\nEndpoints without authentication middleware\nMissing ownership checks (user A accessing user B's data via predictable IDs)\nDirect object references without authorization (/api/users/123/profile)\nMissing role-based access control on admin endpoints\nCORS with Access-Control-Allow-Origin: * on authenticated endpoints\nFile upload without type/size validation\nDirectory listing enabled\nMissing X-Frame-Options or CSP frame-ancestors (clickjacking)"
      },
      {
        "title": "A06: Security Misconfiguration",
        "body": "Detect dangerous default or debug configurations.\n\nPatterns to detect:\n\nDEBUG=True or NODE_ENV=development in production configs\nDefault admin credentials\nStack traces or debug info in error responses\nDirectory listing enabled in web server config\nUnnecessary HTTP methods allowed (TRACE, OPTIONS without restriction)\nMissing security headers (HSTS, CSP, X-Content-Type-Options)\nCloud storage buckets with public access\nDefault CORS allowing all origins"
      },
      {
        "title": "A07: Cross-Site Scripting (XSS)",
        "body": "Detect XSS vulnerabilities in web applications.\n\nPatterns to detect:\n\nType\tPattern\tExample\nReflected\tUser input rendered without escaping\tres.send(\"<h1>\" + req.query.name + \"</h1>\")\nStored\tDatabase content rendered without sanitization\tinnerHTML = post.body\nDOM-based\tClient-side JS using document.location, document.URL unsafely\tdocument.getElementById(\"x\").innerHTML = location.hash\n\nFramework-specific:\n\nReact: dangerouslySetInnerHTML with unsanitized data\nAngular: bypassSecurityTrustHtml() usage\nVue: v-html with user-controlled data\nEJS/Handlebars: <%- %> or {{{ }}} (unescaped output)\nJinja2: | safe filter on user data"
      },
      {
        "title": "A08: Insecure Deserialization",
        "body": "Detect unsafe deserialization of untrusted data.\n\nPatterns to detect:\n\nPython: pickle.loads() on user input, yaml.load() without Loader=SafeLoader\nJava: ObjectInputStream.readObject() on untrusted data\nJavaScript: JSON.parse() without validation (less severe but check what follows)\nRuby: Marshal.load() on external data\nPHP: unserialize() on user input"
      },
      {
        "title": "A09: Using Components with Known Vulnerabilities",
        "body": "Detect outdated or vulnerable dependencies.\n\nPatterns to detect:\n\npackage.json / package-lock.json with outdated packages\nrequirements.txt without pinned versions\nKnown CVEs in declared dependencies (flag for manual check)\ngo.mod with old versions of common libraries\nDockerfile FROM using latest tag instead of pinned version\nGit submodules pointing to old commits"
      },
      {
        "title": "A10: Insufficient Logging and Monitoring",
        "body": "Detect missing audit trails and monitoring gaps.\n\nPatterns to detect:\n\nAuthentication events not logged (login, logout, failed attempts)\nAuthorization failures not logged\nInput validation failures not logged\nNo structured logging (using console.log instead of proper logger)\nSensitive data in logs (passwords, tokens, PII)\nMissing request correlation IDs\nNo error alerting mechanism\nCatch blocks that swallow exceptions silently"
      },
      {
        "title": "Severity Levels",
        "body": "Level\tDescription\tResponse Time\nCritical\tActively exploitable, direct data breach or RCE possible\tImmediate fix required\nHigh\tExploitable with some effort, significant data at risk\tFix within 24 hours\nMedium\tRequires specific conditions to exploit, moderate impact\tFix within 1 week\nLow\tMinor risk, defense-in-depth improvement\tFix within 1 month\nInfo\tBest practice recommendation, no direct vulnerability\tBacklog"
      },
      {
        "title": "Output Format",
        "body": "For each finding, produce:\n\n### [SEVERITY] Finding Title\n\n**Category:** OWASP A0X — Category Name\n**Location:** `path/to/file.js:42`\n**Language:** JavaScript\n\n**Issue:**\nBrief description of what is wrong and why it is dangerous.\n\n**Vulnerable Code:**\n```language\n// The problematic code\n```\n\n**Impact:**\nWhat an attacker could do if this is exploited.\n\n**Fix:**\n```language\n// The corrected code with explanation\n```\n\n**References:**\n- Link to relevant CWE or documentation\n\n---\n\n## Environment and Secrets Detection\n\n### Files to Flag Immediately\n\n- `.env`, `.env.local`, `.env.production`, `.env.staging`\n- `credentials.json`, `service-account.json`\n- `*.pem`, `*.key`, `*.p12`, `*.pfx` (private keys)\n- `id_rsa`, `id_ed25519` (SSH keys)\n- `.npmrc` with `_authToken`\n- `.pypirc` with passwords\n- `wp-config.php`, `database.yml` with plaintext credentials\n- AWS `credentials` file, `config` with access keys\n- `.docker/config.json` with auth tokens\n\n### Regex Patterns for Secret Detection"
      },
      {
        "title": "AWS Access Key",
        "body": "AKIA[0-9A-Z]{16}"
      },
      {
        "title": "AWS Secret Key",
        "body": "(?i)aws_secret_access_key\\s*[:=]\\s*[A-Za-z0-9/+=]{40}"
      },
      {
        "title": "GitHub Token",
        "body": "gh[ps]_[A-Za-z0-9_]{36,}"
      },
      {
        "title": "Generic API Key/Secret",
        "body": "(?i)(api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token|secret[_-]?key)\\s*[:=]\\s*[\"']?[A-Za-z0-9_-]{20,}[\"']?"
      },
      {
        "title": "Private Key Block",
        "body": "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
      },
      {
        "title": "Database Connection String with Password",
        "body": "(?i)(mongodb|postgres|mysql|redis)://[^:]+:[^@]+@"
      },
      {
        "title": "Slack Token",
        "body": "xox[bporas]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,34}"
      },
      {
        "title": "Stripe Key",
        "body": "sk_live_[0-9a-zA-Z]{24,}"
      },
      {
        "title": "SendGrid Key",
        "body": "SG\\.[A-Za-z0-9_-]{22}\\.[A-Za-z0-9_-]{43}\n\n---\n\n## Dependency Vulnerability Awareness\n\nWhen you encounter dependency manifests, flag:\n\n1. **package.json** -- Check for known-vulnerable packages. Flag if `npm audit` should be run.\n2. **requirements.txt** -- Flag unpinned versions (`requests` vs `requests==2.31.0`). Recommend `pip-audit`.\n3. **go.mod** -- Flag outdated stdlib usage. Recommend `govulncheck`.\n4. **Cargo.toml** -- Flag old versions. Recommend `cargo audit`.\n5. **pom.xml / build.gradle** -- Flag known vulnerable Java libraries (Log4j, Spring, Jackson).\n\n---\n\n## Language-Specific Checklists\n\n### JavaScript / TypeScript\n- [ ] No `eval()`, `Function()`, or `setTimeout(string)` with user input\n- [ ] No `innerHTML` or `dangerouslySetInnerHTML` with unsanitized data\n- [ ] Parameterized queries for all database operations\n- [ ] `helmet` or equivalent security headers middleware\n- [ ] Input validation with schema validation (Zod, Joi, Yup)\n- [ ] CSRF tokens on state-changing endpoints\n- [ ] `httpOnly`, `secure`, `sameSite` flags on cookies\n\n### Python\n- [ ] No `eval()`, `exec()`, `os.system()`, `subprocess.call(shell=True)` with user input\n- [ ] Parameterized queries (`%s` placeholders, not f-strings) for database calls\n- [ ] `defusedxml` instead of stdlib XML parsers\n- [ ] `yaml.safe_load()` instead of `yaml.load()`\n- [ ] No `pickle.loads()` on untrusted data\n- [ ] Django/Flask CSRF protection enabled\n- [ ] `SECRET_KEY` not hardcoded\n\n### Go\n- [ ] No `fmt.Sprintf` in SQL queries -- use parameterized queries\n- [ ] `html/template` (auto-escaping) instead of `text/template`\n- [ ] Context timeouts on HTTP requests and database calls\n- [ ] Input validation before processing\n- [ ] TLS configuration with minimum version TLS 1.2\n- [ ] No `unsafe` package usage without justification\n\n### Rust\n- [ ] Minimize `unsafe` blocks, justify each one\n- [ ] No raw SQL string construction -- use query builders\n- [ ] Validate all external input at system boundaries\n- [ ] Check for integer overflow in arithmetic with untrusted values\n- [ ] Use `secrecy` crate for sensitive values in memory\n\n### Java\n- [ ] No `Runtime.exec()` with user input\n- [ ] PreparedStatement for all SQL operations\n- [ ] XML parsers with XXE protection enabled\n- [ ] `ObjectInputStream` restricted with allowlists\n- [ ] Spring Security configured with CSRF, CORS, headers\n- [ ] No `System.out.println` for logging in production\n\n---\n\n## Audit Summary Template\n\nAt the end of every audit, produce a summary:"
      },
      {
        "title": "Security Audit Summary",
        "body": "Target: [repository/file/PR name]\nDate: [audit date]\nAuditor: sovereign-security-auditor v1.0.0"
      },
      {
        "title": "Findings Overview",
        "body": "Severity\tCount\nCritical\tX\nHigh\tX\nMedium\tX\nLow\tX\nInfo\tX"
      },
      {
        "title": "Top Priorities",
        "body": "[Most critical finding]\n[Second most critical]\n[Third most critical]"
      },
      {
        "title": "Positive Observations",
        "body": "[Things done well]"
      },
      {
        "title": "Recommendations",
        "body": "[Strategic improvements]\n\n---\n\n## Installation\n\n```bash\nclawhub install sovereign-security-auditor\n```"
      },
      {
        "title": "License",
        "body": "MIT"
      }
    ]
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/ryudi84/sovereign-security-auditor",
    "publisherUrl": "https://clawhub.ai/ryudi84/sovereign-security-auditor",
    "owner": "ryudi84",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/sovereign-security-auditor",
    "downloadUrl": "https://openagent3.xyz/downloads/sovereign-security-auditor",
    "agentUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent.md"
  }
}