← All skills

Tencent SkillHub · AI

xfire Security PR Review

Multi-agent adversarial security review — 3 AI agents debate every finding, only real vulnerabilities survive

skill openclawclawhub Free

0 Downloads

0 Stars

0 Installs

0 Score

High Signal

Multi-agent adversarial security review — 3 AI agents debate every finding, only real vulnerabilities survive

⬇ 0 downloads ★ 0 stars Unverified but indexed

Install for OpenClaw

Quick setup

Download the package from Yavira.
Extract the archive and review SKILL.md first.
Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: skill.md

Validation

Use the Yavira download entry.
Review SKILL.md after the package is downloaded.
Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

Download the package from Yavira.
Extract it into a folder your agent can access.
Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 0.1.2

Provenance

Publisher: Har1sh-k
Source page: View original listing
Canonical URL: Open canonical page

Documentation

ClawHub primary doc Primary doc: SKILL.md 14 sections Open source page

xfire — Multi-Agent Adversarial Security Review

Multiple agents. One verdict. Zero blind spots. xfire sends your code to 3 AI agents (Claude, Codex, Gemini) independently, then runs an adversarial debate where they cross-examine each other's findings. Only vulnerabilities that survive prosecution, defense, and a judge's ruling make the final report.

When to Use

Invoke xfire when a user asks for any of these: "security review this PR" "find vulnerabilities in this code" "audit this repo for security issues" "run a security scan" "analyze this diff for security problems" "check this pull request for vulnerabilities" "code review for security" "pentest this codebase" "threat model this change" Do NOT use xfire for: General code quality / style reviews (use a linter) Performance profiling Dependency license auditing Non-security functional testing

Prerequisites

Python 3.11+ Install: pip install xfire At least one AI agent CLI or API key configured: AgentCLI toolAPI key env varClaudeclaudeANTHROPIC_API_KEYCodexcodexOPENAI_API_KEYGeminigeminiGOOGLE_API_KEY

Setup

# Initialize config in current repo xfire init # Test agent connectivity xfire test-llm # Set up agent credentials xfire auth login --provider claude xfire auth login --provider codex xfire auth login --provider gemini

Core Analysis

analyze-pr — Analyze a GitHub pull request xfire analyze-pr --repo owner/repo --pr 123 FlagTypeDefaultEnv varDescription--repostrrequired—GitHub repo in owner/repo format--printrequired—PR number--github-tokenstrNoneGITHUB_TOKENGitHub token--agentsstrNone—Comma-separated agent list (claude,codex,gemini)--skip-debateboolFalse—Skip adversarial debate phase--context-depthstrNone—Context depth: shallow|medium|deep--outputstrNone—Output file path--formatstrmarkdown—Output format: markdown|json|sarif--post-commentboolFalse—Post review as GitHub PR comment--cache-dirstrNoneXFIRE_CACHE_DIRCache directory for context/intent persistence--verboseboolFalse—Enable verbose logging--dry-runboolFalse—Show what would be analyzed without calling agents--debateboolFalse—Show adversarial debate transcript after the report--debugboolFalse—Write full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalse—Suppress all output — exit code only (for git hooks) analyze-diff — Analyze a local diff or staged changes xfire analyze-diff --staged --repo-dir . xfire analyze-diff --patch changes.patch --repo-dir . xfire analyze-diff --commit f1877d3 --repo-dir /path/to/repo xfire analyze-diff --base main --head feature-branch xfire analyze-diff --commit f1877d3 --thinking --repo-dir /path/to/repo FlagTypeDefaultEnv varDescription--patchstrNone—Path to a diff/patch file--commitstrNone—Commit SHA to analyze (auto-generates patch via git show)--repo-dirstr.—Path to the repository root--stagedboolFalse—Analyze staged changes in the repo--basestrNone—Base branch/commit for comparison--headstrNone—Head branch/commit for comparison--agentsstrNone—Comma-separated agent list--skip-debateboolFalse—Skip adversarial debate phase--context-depthstrNone—Context depth: shallow|medium|deep--outputstrNone—Output file path--formatstrmarkdown—Output format: markdown|json|sarif--cache-dirstrNoneXFIRE_CACHE_DIRCache directory for context/intent persistence--thinkingboolFalse—Enable extended thinking/reasoning for all agents--verboseboolFalse—Enable verbose logging--dry-runboolFalse—Show what would be analyzed without calling agents--debateboolFalse—Show adversarial debate transcript after the report--debugboolFalse—Write full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalse—Suppress all output — exit code only (for git hooks) code-review — Full codebase security audit xfire code-review /path/to/repo FlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--agentsstrNoneComma-separated: claude,codex,gemini--skip-debateboolFalseSkip adversarial debate phase--max-filesint150Maximum number of source files to scan--thinkingboolFalseEnable extended thinking/reasoning for all agents--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path--verboseboolFalseEnable verbose logging--dry-runboolFalseShow what would be analyzed without calling agents--debateboolFalseShow adversarial debate transcript after the report--debugboolFalseWrite full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalseSuppress all output — exit code only (for git hooks) scan — Baseline-aware incremental scan xfire scan . --base main --head feature-branch xfire scan . --since-last-scan xfire scan . --last 5 xfire scan . --range abc123~1..abc123 xfire scan . --since 2026-01-01 xfire scan . --diff changes.patch FlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--basestrNoneBase branch/commit (use with --head)--headstrNoneHead branch/commit (use with --base)--rangestrNoneCommit range e.g. abc123~1..abc123--diffstrNonePath to a .patch file--since-last-scanboolFalseScan all commits since last scan--sincestrNoneAll commits since date (YYYY-MM-DD)--lastintNoneLast N commits--agentsstrNoneComma-separated: claude,codex,gemini--skip-debateboolFalseSkip adversarial debate phase--context-depthstrNoneContext depth: shallow|medium|deep--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path--verboseboolFalseEnable verbose logging--dry-runboolFalseShow what would be analyzed without calling agents baseline — Build persistent repo baseline context xfire baseline /path/to/repo xfire baseline . --force FlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--forceboolFalseRebuild baseline even if one already exists--verboseboolFalseEnable verbose logging

Output

report — Re-generate a report from saved JSON results xfire report --input xfire-results.json --format sarif FlagTypeDefaultDescription--inputstrrequiredPath to an xfire JSON results file--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path debates — Replay adversarial debate transcripts xfire debates --input xfire-results.json FlagTypeDefaultDescription--inputstrrequiredPath to an xfire JSON results file

Setup & Diagnostics

init — Initialize xfire configuration xfire init Creates .xfire/config.yaml in the current directory. No flags. config-check — Validate configuration xfire config-check --repo-dir . FlagTypeDefaultDescription--repo-dirstr.Path to the repository root test-llm — Test agent connectivity xfire test-llm xfire test-llm --agents claude --mode api xfire test-llm --thinking --prompt "What is 2+2?" FlagTypeDefaultDescription--repo-dirstr.Path to the repository root--agentsstrNoneComma-separated agent list to test (default: all enabled)--timeoutint30Timeout in seconds per agent--modestrNoneOverride mode for all agents: cli or api--promptstrNoneCustom test prompt to send to each agent--thinkingboolFalseEnable extended thinking/reasoning for the test auth login — Set up agent credentials xfire auth login --provider claude xfire auth login --provider codex xfire auth login --provider gemini FlagTypeDefaultDescription--provider / -pstrrequiredProvider to authenticate: codex|gemini|claude--tokenstrNoneClaude setup-token value (--provider claude only) auth status — Show credential status xfire auth status No flags. Displays a table of all provider credential statuses.

Demo

demo — Run fixture or UI demo scenarios xfire demo --ui xfire demo --ui --scenario both_accept xfire demo --fixture auth_bypass_regression FlagTypeDefaultDescription--fixturestr""Fixture name (e.g., auth_bypass_regression)--uiboolFalseRun synthetic UI demo scenarios (no LLM calls)--scenariostr""Run one UI scenario: both_accept|judge_questions|defender_wins--formatstrmarkdownOutput format: markdown|json|sarif--verboseboolFalseEnable verbose logging

Configuration

xfire looks for .xfire/config.yaml in the repo root (override with XFIRE_CONFIG_PATH). Priority: CLI flags > environment variables > config.yaml > defaults. repo: purpose: "" # describe what your app does intended_capabilities: [] # expected capabilities sensitive_paths: # paths that get extra scrutiny - auth/ - payments/ - migrations/ analysis: context_depth: deep # shallow | medium | deep max_related_files: 20 include_test_files: true agents: claude: enabled: true mode: cli # cli | api cli_command: claude model: claude-sonnet-4-20250514 api_key_env: ANTHROPIC_API_KEY timeout: 600 codex: enabled: true mode: cli cli_command: codex model: o3-mini api_key_env: OPENAI_API_KEY timeout: 300 gemini: enabled: true mode: cli cli_command: gemini model: gemini-2.5-pro api_key_env: GOOGLE_API_KEY timeout: 300 debate: role_assignment: evidence # evidence | rotate | fixed fixed_roles: prosecutor: claude defense: codex judge: gemini defense_preference: [codex, claude, gemini] judge_preference: [codex, gemini, claude] max_rounds: 2 require_evidence_citations: true min_agents_for_debate: 2 skills: code_navigation: true data_flow_tracing: true git_archeology: true config_analysis: true dependency_analysis: true test_coverage_check: true severity_gate: fail_on: high # minimum severity to fail CI min_confidence: 0.7 require_debate: true suppressions: [] fast_model: provider: claude model: claude-haiku-4-5-20251001 api_key_env: ANTHROPIC_API_KEY cli_command: claude cli_args: [--output-format, json] timeout: 60

Output Formats

FormatFlagDescriptionMarkdown--format markdownHuman-readable report (default)JSON--format jsonMachine-readable structured dataSARIF--format sarifStatic Analysis Results Interchange Format for CI tooling

GitHub Actions

name: xfire Security Review on: pull_request: types: [opened, synchronize] jobs: security-review: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.11" - run: pip install xfire - name: Run xfire security review env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }} run: | xfire analyze-pr \ --repo ${{ github.repository }} \ --pr ${{ github.event.pull_request.number }} \ --format sarif \ --output results.sarif \ --silent - name: Upload SARIF if: always() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif

How It Works

Context Building — parses the diff/PR/repo and collects related files, git history, configs, and dependency data Intent Inference — uses a fast model (Haiku) to understand the repo's purpose, trust boundaries, and security controls Independent Review — sends the context to each enabled agent (Claude, Codex, Gemini) in parallel Finding Extraction — normalizes all agent responses into structured findings with severity, confidence, and CWE tags Adversarial Debate — each finding goes through a prosecution → defense → judge pipeline where agents argue for/against its validity Verdict & Deduplication — the judge issues a final ruling; findings are deduplicated and merged across agents Report Generation — produces the final report in markdown, JSON, or SARIF format with severity gating for CI

Environment Variables

VariableRequiredDescriptionANTHROPIC_API_KEYYes (for Claude API mode)Anthropic API key for ClaudeOPENAI_API_KEYFor Codex API modeOpenAI API key for CodexGOOGLE_API_KEYFor Gemini API modeGoogle API key for GeminiGITHUB_TOKENFor analyze-prGitHub personal access tokenXFIRE_CONFIG_PATHNoOverride path to config.yamlXFIRE_CACHE_DIRNoCache directory for context/intent persistence across runsXFIRE_AUTH_PATHNoOverride path to auth.json credential store

Limitations

Requires at least one AI agent (Claude, Codex, or Gemini) to be configured and reachable CLI mode requires the agent CLI tools to be installed and on PATH Does not replace manual penetration testing or formal security audits Findings depend on AI model capabilities and may include false positives or miss subtle vulnerabilities Large repositories may hit agent context limits; use --max-files to constrain scope Does not scan binary files, compiled artifacts, or container images Debate quality improves with more agents — single-agent mode skips the adversarial phase

Category context

Agent frameworks, memory systems, reasoning layers, and model-native orchestration.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package

1 Docs

skill.md Docs