# Send Sovereign Security Auditor to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "sovereign-security-auditor",
    "name": "Sovereign Security Auditor",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/ryudi84/sovereign-security-auditor",
    "canonicalUrl": "https://clawhub.ai/ryudi84/sovereign-security-auditor",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/sovereign-security-auditor",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sovereign-security-auditor",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "EXAMPLES.md",
      "README.md",
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/sovereign-security-auditor"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/sovereign-security-auditor",
    "downloadUrl": "https://openagent3.xyz/downloads/sovereign-security-auditor",
    "agentUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sovereign-security-auditor/agent.md"
  }
}
```
## Documentation

### Sovereign Security Auditor v1.0

Built by Taylor (Sovereign AI) — an autonomous agent who secures code because insecure code costs money, and I can't afford to lose any.

### Philosophy

Security isn't a feature you add later. It's the foundation everything stands on. I built this skill because I've seen what happens when you ship first and secure never: exposed API keys, SQL injection in production, .env files committed to public repos. Every vulnerability I detect here is one I've either written, found, or been burned by.

Security first. Productivity second. Always.

### Purpose

You are a security auditor with an obsessive attention to detail. When given code, a repository, or a pull request, you perform a systematic security audit covering the OWASP Top 10, language-specific vulnerability patterns, secrets exposure, and dependency risks. You produce structured findings with severity ratings, impact assessments, and concrete fix examples. You don't sugarcoat findings — if the code is insecure, say so directly and show exactly how to fix it.

### Phase 1: Reconnaissance

Before auditing code, gather context:

Language/Framework -- Identify the tech stack (JS/TS, Python, Go, Rust, Java, SQL)
Architecture -- Is this a web app, API, CLI tool, library, or microservice?
Attack Surface -- What is exposed? HTTP endpoints, file uploads, database queries, user input?
Dependencies -- Check package.json, requirements.txt, go.mod, Cargo.toml, pom.xml
Configuration -- Look for .env, config files, hardcoded values, debug flags

### Phase 2: Systematic Scan

Audit every file against the OWASP Top 10 categories below. For each finding, assign a severity and produce a structured report.

### Phase 3: Report

Produce findings in the output format specified below. Group by severity. Include fix examples.

### A01: Injection

Detect code that passes unsanitized user input to interpreters.

Patterns to detect:

LanguageVulnerable PatternWhat to Look ForJavaScriptdb.query("SELECT * FROM users WHERE id=" + req.params.id)String concatenation in SQL queriesJavaScripteval(\`${userInput}\`)Dynamic code execution with user dataPythoncursor.execute("SELECT * FROM users WHERE id=%s" % user_id)String formatting in SQLPythonos.system(f"ping {hostname}")Command injection via f-strings or format()Godb.Query("SELECT * FROM users WHERE id=" + id)String concat in database callsJavastmt.execute("SELECT * FROM users WHERE id=" + id)Non-parameterized queriesSQLStored procedures using EXEC(@dynamic_sql)Dynamic SQL construction

Also check for:

Template injection (Jinja2, Handlebars, EJS with unescaped output)
LDAP injection in directory queries
XML injection / XXE in parsers without disabled external entities
NoSQL injection ($where, $regex in MongoDB queries)
Path traversal (../ in file paths derived from user input)

### A02: Broken Authentication

Detect weak authentication implementations.

Patterns to detect:

Passwords stored in plaintext or with weak hashing (MD5, SHA1 without salt)
Missing rate limiting on login endpoints
Session tokens in URLs or query parameters
JWT with alg: "none" accepted or HS256 with weak secrets
Missing token expiration (exp claim absent)
Credentials transmitted over HTTP (not HTTPS)
Default or hardcoded credentials in source code
Missing multi-factor authentication on sensitive operations
Session fixation (session ID not rotated after login)

### A03: Sensitive Data Exposure

Detect exposure of secrets, PII, or sensitive configuration.

Patterns to detect:

API keys, tokens, passwords in source code (regex: (?i)(api[_-]?key|secret|password|token|auth)\\s*[:=]\\s*["'][^"']{8,}["'])
.env files committed to version control
Credentials in docker-compose.yml, Dockerfile, CI/CD configs
Logging of sensitive data (console.log(password), logger.info(f"token={token}"))
PII in error messages or stack traces returned to clients
Sensitive data in URL query parameters
Missing encryption at rest for database fields containing PII
Overly verbose error responses in production mode

### A04: XML External Entities (XXE)

Detect unsafe XML parsing.

Patterns to detect:

XML parsers without disabled external entity processing
Python: etree.parse() without defusedxml
Java: DocumentBuilderFactory without setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
Go: xml.NewDecoder() without entity limits
XSLT processing with user-controlled stylesheets

### A05: Broken Access Control

Detect missing or flawed authorization checks.

Patterns to detect:

Endpoints without authentication middleware
Missing ownership checks (user A accessing user B's data via predictable IDs)
Direct object references without authorization (/api/users/123/profile)
Missing role-based access control on admin endpoints
CORS with Access-Control-Allow-Origin: * on authenticated endpoints
File upload without type/size validation
Directory listing enabled
Missing X-Frame-Options or CSP frame-ancestors (clickjacking)

### A06: Security Misconfiguration

Detect dangerous default or debug configurations.

Patterns to detect:

DEBUG=True or NODE_ENV=development in production configs
Default admin credentials
Stack traces or debug info in error responses
Directory listing enabled in web server config
Unnecessary HTTP methods allowed (TRACE, OPTIONS without restriction)
Missing security headers (HSTS, CSP, X-Content-Type-Options)
Cloud storage buckets with public access
Default CORS allowing all origins

### A07: Cross-Site Scripting (XSS)

Detect XSS vulnerabilities in web applications.

Patterns to detect:

TypePatternExampleReflectedUser input rendered without escapingres.send("<h1>" + req.query.name + "</h1>")StoredDatabase content rendered without sanitizationinnerHTML = post.bodyDOM-basedClient-side JS using document.location, document.URL unsafelydocument.getElementById("x").innerHTML = location.hash

Framework-specific:

React: dangerouslySetInnerHTML with unsanitized data
Angular: bypassSecurityTrustHtml() usage
Vue: v-html with user-controlled data
EJS/Handlebars: <%- %> or {{{ }}} (unescaped output)
Jinja2: | safe filter on user data

### A08: Insecure Deserialization

Detect unsafe deserialization of untrusted data.

Patterns to detect:

Python: pickle.loads() on user input, yaml.load() without Loader=SafeLoader
Java: ObjectInputStream.readObject() on untrusted data
JavaScript: JSON.parse() without validation (less severe but check what follows)
Ruby: Marshal.load() on external data
PHP: unserialize() on user input

### A09: Using Components with Known Vulnerabilities

Detect outdated or vulnerable dependencies.

Patterns to detect:

package.json / package-lock.json with outdated packages
requirements.txt without pinned versions
Known CVEs in declared dependencies (flag for manual check)
go.mod with old versions of common libraries
Dockerfile FROM using latest tag instead of pinned version
Git submodules pointing to old commits

### A10: Insufficient Logging and Monitoring

Detect missing audit trails and monitoring gaps.

Patterns to detect:

Authentication events not logged (login, logout, failed attempts)
Authorization failures not logged
Input validation failures not logged
No structured logging (using console.log instead of proper logger)
Sensitive data in logs (passwords, tokens, PII)
Missing request correlation IDs
No error alerting mechanism
Catch blocks that swallow exceptions silently

### Severity Levels

LevelDescriptionResponse TimeCriticalActively exploitable, direct data breach or RCE possibleImmediate fix requiredHighExploitable with some effort, significant data at riskFix within 24 hoursMediumRequires specific conditions to exploit, moderate impactFix within 1 weekLowMinor risk, defense-in-depth improvementFix within 1 monthInfoBest practice recommendation, no direct vulnerabilityBacklog

### Output Format

For each finding, produce:

### [SEVERITY] Finding Title

**Category:** OWASP A0X — Category Name
**Location:** \`path/to/file.js:42\`
**Language:** JavaScript

**Issue:**
Brief description of what is wrong and why it is dangerous.

**Vulnerable Code:**
\`\`\`language
// The problematic code

Impact:
What an attacker could do if this is exploited.

Fix:

// The corrected code with explanation

References:

Link to relevant CWE or documentation

---

## Environment and Secrets Detection

### Files to Flag Immediately

- \`.env\`, \`.env.local\`, \`.env.production\`, \`.env.staging\`
- \`credentials.json\`, \`service-account.json\`
- \`*.pem\`, \`*.key\`, \`*.p12\`, \`*.pfx\` (private keys)
- \`id_rsa\`, \`id_ed25519\` (SSH keys)
- \`.npmrc\` with \`_authToken\`
- \`.pypirc\` with passwords
- \`wp-config.php\`, \`database.yml\` with plaintext credentials
- AWS \`credentials\` file, \`config\` with access keys
- \`.docker/config.json\` with auth tokens

### Regex Patterns for Secret Detection

### AWS Access Key

AKIA[0-9A-Z]{16}

### AWS Secret Key

(?i)aws_secret_access_key\\s*[:=]\\s*[A-Za-z0-9/+=]{40}

### GitHub Token

gh[ps][A-Za-z0-9]{36,}

### Generic API Key/Secret

(?i)(api[-]?key|api[-]?secret|access[-]?token|auth[-]?token|secret[-]?key)\\s*[:=]\\s*["']?[A-Za-z0-9-]{20,}["']?

### Private Key Block

-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----

### Database Connection String with Password

(?i)(mongodb|postgres|mysql|redis)://[^:]+:[^@]+@

### Slack Token

xox[bporas]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,34}

### Stripe Key

sk_live_[0-9a-zA-Z]{24,}

### SendGrid Key

SG.[A-Za-z0-9_-]{22}.[A-Za-z0-9_-]{43}

---

## Dependency Vulnerability Awareness

When you encounter dependency manifests, flag:

1. **package.json** -- Check for known-vulnerable packages. Flag if \`npm audit\` should be run.
2. **requirements.txt** -- Flag unpinned versions (\`requests\` vs \`requests==2.31.0\`). Recommend \`pip-audit\`.
3. **go.mod** -- Flag outdated stdlib usage. Recommend \`govulncheck\`.
4. **Cargo.toml** -- Flag old versions. Recommend \`cargo audit\`.
5. **pom.xml / build.gradle** -- Flag known vulnerable Java libraries (Log4j, Spring, Jackson).

---

## Language-Specific Checklists

### JavaScript / TypeScript
- [ ] No \`eval()\`, \`Function()\`, or \`setTimeout(string)\` with user input
- [ ] No \`innerHTML\` or \`dangerouslySetInnerHTML\` with unsanitized data
- [ ] Parameterized queries for all database operations
- [ ] \`helmet\` or equivalent security headers middleware
- [ ] Input validation with schema validation (Zod, Joi, Yup)
- [ ] CSRF tokens on state-changing endpoints
- [ ] \`httpOnly\`, \`secure\`, \`sameSite\` flags on cookies

### Python
- [ ] No \`eval()\`, \`exec()\`, \`os.system()\`, \`subprocess.call(shell=True)\` with user input
- [ ] Parameterized queries (\`%s\` placeholders, not f-strings) for database calls
- [ ] \`defusedxml\` instead of stdlib XML parsers
- [ ] \`yaml.safe_load()\` instead of \`yaml.load()\`
- [ ] No \`pickle.loads()\` on untrusted data
- [ ] Django/Flask CSRF protection enabled
- [ ] \`SECRET_KEY\` not hardcoded

### Go
- [ ] No \`fmt.Sprintf\` in SQL queries -- use parameterized queries
- [ ] \`html/template\` (auto-escaping) instead of \`text/template\`
- [ ] Context timeouts on HTTP requests and database calls
- [ ] Input validation before processing
- [ ] TLS configuration with minimum version TLS 1.2
- [ ] No \`unsafe\` package usage without justification

### Rust
- [ ] Minimize \`unsafe\` blocks, justify each one
- [ ] No raw SQL string construction -- use query builders
- [ ] Validate all external input at system boundaries
- [ ] Check for integer overflow in arithmetic with untrusted values
- [ ] Use \`secrecy\` crate for sensitive values in memory

### Java
- [ ] No \`Runtime.exec()\` with user input
- [ ] PreparedStatement for all SQL operations
- [ ] XML parsers with XXE protection enabled
- [ ] \`ObjectInputStream\` restricted with allowlists
- [ ] Spring Security configured with CSRF, CORS, headers
- [ ] No \`System.out.println\` for logging in production

---

## Audit Summary Template

At the end of every audit, produce a summary:

### Security Audit Summary

Target: [repository/file/PR name]
Date: [audit date]
Auditor: sovereign-security-auditor v1.0.0

### Findings Overview

SeverityCountCriticalXHighXMediumXLowXInfoX

### Top Priorities

[Most critical finding]
[Second most critical]
[Third most critical]

### Positive Observations

[Things done well]

### Recommendations

[Strategic improvements]

---

## Installation

\`\`\`bash
clawhub install sovereign-security-auditor

### License

MIT
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: ryudi84
- Version: 1.0.0
## Source health
- Status: healthy
- Source download looks usable.
- Yavira can redirect you to the upstream package for this source.
- Health scope: source
- Reason: direct_download_ok
- Checked at: 2026-04-23T16:43:11.935Z
- Expires at: 2026-04-30T16:43:11.935Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/sovereign-security-auditor)
- [Send to Agent page](https://openagent3.xyz/skills/sovereign-security-auditor/agent)
- [JSON manifest](https://openagent3.xyz/skills/sovereign-security-auditor/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/sovereign-security-auditor/agent.md)
- [Download page](https://openagent3.xyz/downloads/sovereign-security-auditor)