Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub ยท Other
Vulnerability Scanner
Performs static analysis for OWASP 2025 risks, supply chain threats, secrets detection, code patterns, and prioritizes vulnerabilities by exploitability and...
skill openclawclawhub Free
Performs static analysis for OWASP 2025 risks, supply chain threats, secrets detection, code patterns, and prioritizes vulnerabilities by exploitability and...
โฌ 0 downloads โ
0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- SKILL.md, checklists.md, scripts/security_scan.py
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 1.0.0
Provenance
- Publisher
- brandonwise
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
Vulnerability Scanner
Advanced vulnerability analysis for OWASP 2025, supply chain security, attack surface mapping, and risk prioritization.
Description
USE WHEN: Auditing code for security vulnerabilities Reviewing dependencies for supply chain risks Scanning for hardcoded secrets or credentials Identifying dangerous code patterns (injection, XSS, deserialization) Preparing for security audits or penetration tests Prioritizing vulnerability remediation by risk DON'T USE WHEN: Need runtime dynamic analysis (use actual pentest tools) Scanning compiled binaries (this is source-code focused) Need compliance-specific audits (PCI-DSS, HIPAA have dedicated tools)
Scripts
ScriptPurposeUsagescripts/security_scan.pyFull security scanpython scripts/security_scan.py <path> [--scan-type all|deps|secrets|patterns|config]
Quick Start
# Full scan python scripts/security_scan.py /path/to/project # Just check for secrets python scripts/security_scan.py /path/to/project --scan-type secrets # Summary output python scripts/security_scan.py /path/to/project --output summary
Reference Files
FilePurposechecklists.mdOWASP Top 10, Auth, API, Data protection checklists
Core Principles
PrincipleApplicationAssume BreachDesign as if attacker already insideZero TrustNever trust, always verifyDefense in DepthMultiple layers, no single pointLeast PrivilegeMinimum required access onlyFail SecureOn error, deny access
Threat Modeling Questions
Before scanning, ask: What are we protecting? (Assets) Who would attack? (Threat actors) How would they attack? (Attack vectors) What's the impact? (Business risk)
Risk Categories
RankCategoryThink AboutA01Broken Access ControlWho can access what? IDOR, SSRFA02Security MisconfigurationDefaults, headers, exposed servicesA03Software Supply Chain ๐Dependencies, CI/CD, build integrityA04Cryptographic FailuresWeak crypto, exposed secretsA05InjectionUser input โ system commandsA06Insecure DesignFlawed architectureA07Authentication FailuresSession, credential managementA08Integrity FailuresUnsigned updates, tampered dataA09Logging & AlertingBlind spots, no monitoringA10Exceptional Conditions ๐Error handling, fail-open states
2025 Key Changes
2021 โ 2025 Shifts: โโโ SSRF merged into A01 (Access Control) โโโ A02 elevated (Cloud/Container configs) โโโ A03 NEW: Supply Chain (major focus) โโโ A10 NEW: Exceptional Conditions โโโ Focus shift: Root causes > Symptoms
Attack Surface
VectorRiskQuestion to AskDependenciesMalicious packagesDo we audit new deps?Lock filesIntegrity attacksAre they committed?Build pipelineCI/CD compromiseWho can modify?RegistryTyposquattingVerified sources?
Defense Principles
Verify package integrity (checksums) Pin versions, audit updates Use private registries for critical deps Sign and verify artifacts
What to Map
CategoryElementsEntry PointsAPIs, forms, file uploadsData FlowsInput โ Process โ OutputTrust BoundariesWhere auth/authz checkedAssetsSecrets, PII, business data
Prioritization Matrix
Risk = Likelihood ร Impact High Impact + High Likelihood โ CRITICAL High Impact + Low Likelihood โ HIGH Low Impact + High Likelihood โ MEDIUM Low Impact + Low Likelihood โ LOW
CVSS + Context
FactorWeightQuestionCVSS ScoreBase severityHow severe is the vuln?EPSS ScoreExploit likelihoodIs it being exploited?Asset ValueBusiness contextWhat's at risk?ExposureAttack surfaceInternet-facing?
Prioritization Decision Tree
Is it actively exploited (EPSS >0.5)? โโโ YES โ CRITICAL: Immediate action โโโ NO โ Check CVSS โโโ CVSS โฅ9.0 โ HIGH โโโ CVSS 7.0-8.9 โ Consider asset value โโโ CVSS <7.0 โ Schedule for later
Fail-Open vs Fail-Closed
ScenarioFail-Open (BAD)Fail-Closed (GOOD)Auth errorAllow accessDeny accessParsing failsAccept inputReject inputTimeoutRetry foreverLimit + abort
What to Check
Exception handlers that catch-all and ignore Missing error handling on security operations Race conditions in auth/authz Resource exhaustion scenarios
Phase-Based Approach
1. RECONNAISSANCE โโโ Understand the target โโโ Technology stack โโโ Entry points โโโ Data flows 2. DISCOVERY โโโ Identify potential issues โโโ Configuration review โโโ Dependency analysis โโโ Code pattern search 3. ANALYSIS โโโ Validate and prioritize โโโ False positive elimination โโโ Risk scoring โโโ Attack chain mapping 4. REPORTING โโโ Actionable findings โโโ Clear reproduction steps โโโ Business impact โโโ Remediation guidance
High-Risk Patterns
PatternRiskLook ForString concat in queriesInjection"SELECT * FROM " + user_inputDynamic code executionRCEeval(), exec(), Function()Unsafe deserializationRCEpickle.loads(), unserialize()Path manipulationTraversalUser input in file pathsDisabled securityVariousverify=False, --insecure
Secret Patterns
TypeIndicatorsAPI Keysapi_key, apikey, high entropyTokenstoken, bearer, jwtCredentialspassword, secret, keyCloudAWS_, AZURE_, GCP_ prefixes
Shared Responsibility
LayerYou OwnProvider OwnsDataโ โApplicationโ โOS/RuntimeDependsDependsInfrastructureโโ
Cloud-Specific Checks
IAM: Least privilege applied? Storage: Public buckets? Network: Security groups tightened? Secrets: Using secrets manager?
10. Anti-Patterns
โ Don'tโ DoScan without understandingMap attack surface firstAlert on every CVEPrioritize by exploitability + assetIgnore false positivesMaintain verified baselineFix symptoms onlyAddress root causesScan once before deployContinuous scanningTrust third-party deps blindlyVerify integrity, audit code
Finding Structure
Each finding should answer: What? - Clear vulnerability description Where? - Exact location (file, line, endpoint) Why? - Root cause explanation Impact? - Business consequence How to fix? - Specific remediation
Severity Classification
SeverityCriteriaCriticalRCE, auth bypass, mass data exposureHighData exposure, privilege escalationMediumLimited scope, requires conditionsLowInformational, best practice Remember: Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"
Category context
Long-tail utilities that do not fit the current primary taxonomy cleanly.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
2 Docs1 Scripts
- SKILL.md
- checklists.md
- scripts/security_scan.py