{ "schemaVersion": "1.0", "item": { "slug": "xfire-security-review", "name": "xfire Security PR Review", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/Har1sh-k/xfire-security-review", "canonicalUrl": "https://clawhub.ai/Har1sh-k/xfire-security-review", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/xfire-security-review", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=xfire-security-review", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "skill.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/xfire-security-review" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/xfire-security-review", "agentPageUrl": "https://openagent3.xyz/skills/xfire-security-review/agent", "manifestUrl": "https://openagent3.xyz/skills/xfire-security-review/agent.json", "briefUrl": "https://openagent3.xyz/skills/xfire-security-review/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "xfire — Multi-Agent Adversarial Security Review", "body": "Multiple agents. One verdict. Zero blind spots.\n\nxfire sends your code to 3 AI agents (Claude, Codex, Gemini) independently, then runs an adversarial debate where they cross-examine each other's findings. Only vulnerabilities that survive prosecution, defense, and a judge's ruling make the final report." }, { "title": "When to Use", "body": "Invoke xfire when a user asks for any of these:\n\n\"security review this PR\"\n\"find vulnerabilities in this code\"\n\"audit this repo for security issues\"\n\"run a security scan\"\n\"analyze this diff for security problems\"\n\"check this pull request for vulnerabilities\"\n\"code review for security\"\n\"pentest this codebase\"\n\"threat model this change\"\n\nDo NOT use xfire for:\n\nGeneral code quality / style reviews (use a linter)\nPerformance profiling\nDependency license auditing\nNon-security functional testing" }, { "title": "Prerequisites", "body": "Python 3.11+\nInstall: pip install xfire\nAt least one AI agent CLI or API key configured:\n\nAgentCLI toolAPI key env varClaudeclaudeANTHROPIC_API_KEYCodexcodexOPENAI_API_KEYGeminigeminiGOOGLE_API_KEY" }, { "title": "Setup", "body": "# Initialize config in current repo\nxfire init\n\n# Test agent connectivity\nxfire test-llm\n\n# Set up agent credentials\nxfire auth login --provider claude\nxfire auth login --provider codex\nxfire auth login --provider gemini" }, { "title": "Core Analysis", "body": "analyze-pr — Analyze a GitHub pull request\n\nxfire analyze-pr --repo owner/repo --pr 123\n\nFlagTypeDefaultEnv varDescription--repostrrequired—GitHub repo in owner/repo format--printrequired—PR number--github-tokenstrNoneGITHUB_TOKENGitHub token--agentsstrNone—Comma-separated agent list (claude,codex,gemini)--skip-debateboolFalse—Skip adversarial debate phase--context-depthstrNone—Context depth: shallow|medium|deep--outputstrNone—Output file path--formatstrmarkdown—Output format: markdown|json|sarif--post-commentboolFalse—Post review as GitHub PR comment--cache-dirstrNoneXFIRE_CACHE_DIRCache directory for context/intent persistence--verboseboolFalse—Enable verbose logging--dry-runboolFalse—Show what would be analyzed without calling agents--debateboolFalse—Show adversarial debate transcript after the report--debugboolFalse—Write full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalse—Suppress all output — exit code only (for git hooks)\n\nanalyze-diff — Analyze a local diff or staged changes\n\nxfire analyze-diff --staged --repo-dir .\nxfire analyze-diff --patch changes.patch --repo-dir .\nxfire analyze-diff --commit f1877d3 --repo-dir /path/to/repo\nxfire analyze-diff --base main --head feature-branch\nxfire analyze-diff --commit f1877d3 --thinking --repo-dir /path/to/repo\n\nFlagTypeDefaultEnv varDescription--patchstrNone—Path to a diff/patch file--commitstrNone—Commit SHA to analyze (auto-generates patch via git show)--repo-dirstr.—Path to the repository root--stagedboolFalse—Analyze staged changes in the repo--basestrNone—Base branch/commit for comparison--headstrNone—Head branch/commit for comparison--agentsstrNone—Comma-separated agent list--skip-debateboolFalse—Skip adversarial debate phase--context-depthstrNone—Context depth: shallow|medium|deep--outputstrNone—Output file path--formatstrmarkdown—Output format: markdown|json|sarif--cache-dirstrNoneXFIRE_CACHE_DIRCache directory for context/intent persistence--thinkingboolFalse—Enable extended thinking/reasoning for all agents--verboseboolFalse—Enable verbose logging--dry-runboolFalse—Show what would be analyzed without calling agents--debateboolFalse—Show adversarial debate transcript after the report--debugboolFalse—Write full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalse—Suppress all output — exit code only (for git hooks)\n\ncode-review — Full codebase security audit\n\nxfire code-review /path/to/repo\n\nFlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--agentsstrNoneComma-separated: claude,codex,gemini--skip-debateboolFalseSkip adversarial debate phase--max-filesint150Maximum number of source files to scan--thinkingboolFalseEnable extended thinking/reasoning for all agents--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path--verboseboolFalseEnable verbose logging--dry-runboolFalseShow what would be analyzed without calling agents--debateboolFalseShow adversarial debate transcript after the report--debugboolFalseWrite full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalseSuppress all output — exit code only (for git hooks)\n\nscan — Baseline-aware incremental scan\n\nxfire scan . --base main --head feature-branch\nxfire scan . --since-last-scan\nxfire scan . --last 5\nxfire scan . --range abc123~1..abc123\nxfire scan . --since 2026-01-01\nxfire scan . --diff changes.patch\n\nFlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--basestrNoneBase branch/commit (use with --head)--headstrNoneHead branch/commit (use with --base)--rangestrNoneCommit range e.g. abc123~1..abc123--diffstrNonePath to a .patch file--since-last-scanboolFalseScan all commits since last scan--sincestrNoneAll commits since date (YYYY-MM-DD)--lastintNoneLast N commits--agentsstrNoneComma-separated: claude,codex,gemini--skip-debateboolFalseSkip adversarial debate phase--context-depthstrNoneContext depth: shallow|medium|deep--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path--verboseboolFalseEnable verbose logging--dry-runboolFalseShow what would be analyzed without calling agents\n\nbaseline — Build persistent repo baseline context\n\nxfire baseline /path/to/repo\nxfire baseline . --force\n\nFlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--forceboolFalseRebuild baseline even if one already exists--verboseboolFalseEnable verbose logging" }, { "title": "Output", "body": "report — Re-generate a report from saved JSON results\n\nxfire report --input xfire-results.json --format sarif\n\nFlagTypeDefaultDescription--inputstrrequiredPath to an xfire JSON results file--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path\n\ndebates — Replay adversarial debate transcripts\n\nxfire debates --input xfire-results.json\n\nFlagTypeDefaultDescription--inputstrrequiredPath to an xfire JSON results file" }, { "title": "Setup & Diagnostics", "body": "init — Initialize xfire configuration\n\nxfire init\n\nCreates .xfire/config.yaml in the current directory. No flags.\n\nconfig-check — Validate configuration\n\nxfire config-check --repo-dir .\n\nFlagTypeDefaultDescription--repo-dirstr.Path to the repository root\n\ntest-llm — Test agent connectivity\n\nxfire test-llm\nxfire test-llm --agents claude --mode api\nxfire test-llm --thinking --prompt \"What is 2+2?\"\n\nFlagTypeDefaultDescription--repo-dirstr.Path to the repository root--agentsstrNoneComma-separated agent list to test (default: all enabled)--timeoutint30Timeout in seconds per agent--modestrNoneOverride mode for all agents: cli or api--promptstrNoneCustom test prompt to send to each agent--thinkingboolFalseEnable extended thinking/reasoning for the test\n\nauth login — Set up agent credentials\n\nxfire auth login --provider claude\nxfire auth login --provider codex\nxfire auth login --provider gemini\n\nFlagTypeDefaultDescription--provider / -pstrrequiredProvider to authenticate: codex|gemini|claude--tokenstrNoneClaude setup-token value (--provider claude only)\n\nauth status — Show credential status\n\nxfire auth status\n\nNo flags. Displays a table of all provider credential statuses." }, { "title": "Demo", "body": "demo — Run fixture or UI demo scenarios\n\nxfire demo --ui\nxfire demo --ui --scenario both_accept\nxfire demo --fixture auth_bypass_regression\n\nFlagTypeDefaultDescription--fixturestr\"\"Fixture name (e.g., auth_bypass_regression)--uiboolFalseRun synthetic UI demo scenarios (no LLM calls)--scenariostr\"\"Run one UI scenario: both_accept|judge_questions|defender_wins--formatstrmarkdownOutput format: markdown|json|sarif--verboseboolFalseEnable verbose logging" }, { "title": "Configuration", "body": "xfire looks for .xfire/config.yaml in the repo root (override with XFIRE_CONFIG_PATH).\n\nPriority: CLI flags > environment variables > config.yaml > defaults.\n\nrepo:\n purpose: \"\" # describe what your app does\n intended_capabilities: [] # expected capabilities\n sensitive_paths: # paths that get extra scrutiny\n - auth/\n - payments/\n - migrations/\n\nanalysis:\n context_depth: deep # shallow | medium | deep\n max_related_files: 20\n include_test_files: true\n\nagents:\n claude:\n enabled: true\n mode: cli # cli | api\n cli_command: claude\n model: claude-sonnet-4-20250514\n api_key_env: ANTHROPIC_API_KEY\n timeout: 600\n codex:\n enabled: true\n mode: cli\n cli_command: codex\n model: o3-mini\n api_key_env: OPENAI_API_KEY\n timeout: 300\n gemini:\n enabled: true\n mode: cli\n cli_command: gemini\n model: gemini-2.5-pro\n api_key_env: GOOGLE_API_KEY\n timeout: 300\n\n debate:\n role_assignment: evidence # evidence | rotate | fixed\n fixed_roles:\n prosecutor: claude\n defense: codex\n judge: gemini\n defense_preference: [codex, claude, gemini]\n judge_preference: [codex, gemini, claude]\n max_rounds: 2\n require_evidence_citations: true\n min_agents_for_debate: 2\n\n skills:\n code_navigation: true\n data_flow_tracing: true\n git_archeology: true\n config_analysis: true\n dependency_analysis: true\n test_coverage_check: true\n\nseverity_gate:\n fail_on: high # minimum severity to fail CI\n min_confidence: 0.7\n require_debate: true\n\nsuppressions: []\n\nfast_model:\n provider: claude\n model: claude-haiku-4-5-20251001\n api_key_env: ANTHROPIC_API_KEY\n cli_command: claude\n cli_args: [--output-format, json]\n timeout: 60" }, { "title": "Output Formats", "body": "FormatFlagDescriptionMarkdown--format markdownHuman-readable report (default)JSON--format jsonMachine-readable structured dataSARIF--format sarifStatic Analysis Results Interchange Format for CI tooling" }, { "title": "GitHub Actions", "body": "name: xfire Security Review\non:\n pull_request:\n types: [opened, synchronize]\n\njobs:\n security-review:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - uses: actions/setup-python@v5\n with:\n python-version: \"3.11\"\n\n - run: pip install xfire\n\n - name: Run xfire security review\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}\n run: |\n xfire analyze-pr \\\n --repo ${{ github.repository }} \\\n --pr ${{ github.event.pull_request.number }} \\\n --format sarif \\\n --output results.sarif \\\n --silent\n\n - name: Upload SARIF\n if: always()\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif" }, { "title": "How It Works", "body": "Context Building — parses the diff/PR/repo and collects related files, git history, configs, and dependency data\nIntent Inference — uses a fast model (Haiku) to understand the repo's purpose, trust boundaries, and security controls\nIndependent Review — sends the context to each enabled agent (Claude, Codex, Gemini) in parallel\nFinding Extraction — normalizes all agent responses into structured findings with severity, confidence, and CWE tags\nAdversarial Debate — each finding goes through a prosecution → defense → judge pipeline where agents argue for/against its validity\nVerdict & Deduplication — the judge issues a final ruling; findings are deduplicated and merged across agents\nReport Generation — produces the final report in markdown, JSON, or SARIF format with severity gating for CI" }, { "title": "Environment Variables", "body": "VariableRequiredDescriptionANTHROPIC_API_KEYYes (for Claude API mode)Anthropic API key for ClaudeOPENAI_API_KEYFor Codex API modeOpenAI API key for CodexGOOGLE_API_KEYFor Gemini API modeGoogle API key for GeminiGITHUB_TOKENFor analyze-prGitHub personal access tokenXFIRE_CONFIG_PATHNoOverride path to config.yamlXFIRE_CACHE_DIRNoCache directory for context/intent persistence across runsXFIRE_AUTH_PATHNoOverride path to auth.json credential store" }, { "title": "Limitations", "body": "Requires at least one AI agent (Claude, Codex, or Gemini) to be configured and reachable\nCLI mode requires the agent CLI tools to be installed and on PATH\nDoes not replace manual penetration testing or formal security audits\nFindings depend on AI model capabilities and may include false positives or miss subtle vulnerabilities\nLarge repositories may hit agent context limits; use --max-files to constrain scope\nDoes not scan binary files, compiled artifacts, or container images\nDebate quality improves with more agents — single-agent mode skips the adversarial phase" } ], "body": "xfire — Multi-Agent Adversarial Security Review\n\nMultiple agents. One verdict. Zero blind spots.\n\nxfire sends your code to 3 AI agents (Claude, Codex, Gemini) independently, then runs an adversarial debate where they cross-examine each other's findings. Only vulnerabilities that survive prosecution, defense, and a judge's ruling make the final report.\n\nWhen to Use\n\nInvoke xfire when a user asks for any of these:\n\n\"security review this PR\"\n\"find vulnerabilities in this code\"\n\"audit this repo for security issues\"\n\"run a security scan\"\n\"analyze this diff for security problems\"\n\"check this pull request for vulnerabilities\"\n\"code review for security\"\n\"pentest this codebase\"\n\"threat model this change\"\n\nDo NOT use xfire for:\n\nGeneral code quality / style reviews (use a linter)\nPerformance profiling\nDependency license auditing\nNon-security functional testing\nPrerequisites\nPython 3.11+\nInstall: pip install xfire\nAt least one AI agent CLI or API key configured:\nAgent\tCLI tool\tAPI key env var\nClaude\tclaude\tANTHROPIC_API_KEY\nCodex\tcodex\tOPENAI_API_KEY\nGemini\tgemini\tGOOGLE_API_KEY\nSetup\n# Initialize config in current repo\nxfire init\n\n# Test agent connectivity\nxfire test-llm\n\n# Set up agent credentials\nxfire auth login --provider claude\nxfire auth login --provider codex\nxfire auth login --provider gemini\n\nCommands\nCore Analysis\nanalyze-pr — Analyze a GitHub pull request\nxfire analyze-pr --repo owner/repo --pr 123\n\nFlag\tType\tDefault\tEnv var\tDescription\n--repo\tstr\trequired\t—\tGitHub repo in owner/repo format\n--pr\tint\trequired\t—\tPR number\n--github-token\tstr\tNone\tGITHUB_TOKEN\tGitHub token\n--agents\tstr\tNone\t—\tComma-separated agent list (claude,codex,gemini)\n--skip-debate\tbool\tFalse\t—\tSkip adversarial debate phase\n--context-depth\tstr\tNone\t—\tContext depth: shallow|medium|deep\n--output\tstr\tNone\t—\tOutput file path\n--format\tstr\tmarkdown\t—\tOutput format: markdown|json|sarif\n--post-comment\tbool\tFalse\t—\tPost review as GitHub PR comment\n--cache-dir\tstr\tNone\tXFIRE_CACHE_DIR\tCache directory for context/intent persistence\n--verbose\tbool\tFalse\t—\tEnable verbose logging\n--dry-run\tbool\tFalse\t—\tShow what would be analyzed without calling agents\n--debate\tbool\tFalse\t—\tShow adversarial debate transcript after the report\n--debug\tbool\tFalse\t—\tWrite full debug trace to xfire-debug-TIMESTAMP.md\n--silent\tbool\tFalse\t—\tSuppress all output — exit code only (for git hooks)\nanalyze-diff — Analyze a local diff or staged changes\nxfire analyze-diff --staged --repo-dir .\nxfire analyze-diff --patch changes.patch --repo-dir .\nxfire analyze-diff --commit f1877d3 --repo-dir /path/to/repo\nxfire analyze-diff --base main --head feature-branch\nxfire analyze-diff --commit f1877d3 --thinking --repo-dir /path/to/repo\n\nFlag\tType\tDefault\tEnv var\tDescription\n--patch\tstr\tNone\t—\tPath to a diff/patch file\n--commit\tstr\tNone\t—\tCommit SHA to analyze (auto-generates patch via git show)\n--repo-dir\tstr\t.\t—\tPath to the repository root\n--staged\tbool\tFalse\t—\tAnalyze staged changes in the repo\n--base\tstr\tNone\t—\tBase branch/commit for comparison\n--head\tstr\tNone\t—\tHead branch/commit for comparison\n--agents\tstr\tNone\t—\tComma-separated agent list\n--skip-debate\tbool\tFalse\t—\tSkip adversarial debate phase\n--context-depth\tstr\tNone\t—\tContext depth: shallow|medium|deep\n--output\tstr\tNone\t—\tOutput file path\n--format\tstr\tmarkdown\t—\tOutput format: markdown|json|sarif\n--cache-dir\tstr\tNone\tXFIRE_CACHE_DIR\tCache directory for context/intent persistence\n--thinking\tbool\tFalse\t—\tEnable extended thinking/reasoning for all agents\n--verbose\tbool\tFalse\t—\tEnable verbose logging\n--dry-run\tbool\tFalse\t—\tShow what would be analyzed without calling agents\n--debate\tbool\tFalse\t—\tShow adversarial debate transcript after the report\n--debug\tbool\tFalse\t—\tWrite full debug trace to xfire-debug-TIMESTAMP.md\n--silent\tbool\tFalse\t—\tSuppress all output — exit code only (for git hooks)\ncode-review — Full codebase security audit\nxfire code-review /path/to/repo\n\nFlag\tType\tDefault\tDescription\nrepo_dir (argument)\tstr\t.\tPath to the repository root\n--agents\tstr\tNone\tComma-separated: claude,codex,gemini\n--skip-debate\tbool\tFalse\tSkip adversarial debate phase\n--max-files\tint\t150\tMaximum number of source files to scan\n--thinking\tbool\tFalse\tEnable extended thinking/reasoning for all agents\n--format\tstr\tmarkdown\tOutput format: markdown|json|sarif\n--output\tstr\tNone\tOutput file path\n--verbose\tbool\tFalse\tEnable verbose logging\n--dry-run\tbool\tFalse\tShow what would be analyzed without calling agents\n--debate\tbool\tFalse\tShow adversarial debate transcript after the report\n--debug\tbool\tFalse\tWrite full debug trace to xfire-debug-TIMESTAMP.md\n--silent\tbool\tFalse\tSuppress all output — exit code only (for git hooks)\nscan — Baseline-aware incremental scan\nxfire scan . --base main --head feature-branch\nxfire scan . --since-last-scan\nxfire scan . --last 5\nxfire scan . --range abc123~1..abc123\nxfire scan . --since 2026-01-01\nxfire scan . --diff changes.patch\n\nFlag\tType\tDefault\tDescription\nrepo_dir (argument)\tstr\t.\tPath to the repository root\n--base\tstr\tNone\tBase branch/commit (use with --head)\n--head\tstr\tNone\tHead branch/commit (use with --base)\n--range\tstr\tNone\tCommit range e.g. abc123~1..abc123\n--diff\tstr\tNone\tPath to a .patch file\n--since-last-scan\tbool\tFalse\tScan all commits since last scan\n--since\tstr\tNone\tAll commits since date (YYYY-MM-DD)\n--last\tint\tNone\tLast N commits\n--agents\tstr\tNone\tComma-separated: claude,codex,gemini\n--skip-debate\tbool\tFalse\tSkip adversarial debate phase\n--context-depth\tstr\tNone\tContext depth: shallow|medium|deep\n--format\tstr\tmarkdown\tOutput format: markdown|json|sarif\n--output\tstr\tNone\tOutput file path\n--verbose\tbool\tFalse\tEnable verbose logging\n--dry-run\tbool\tFalse\tShow what would be analyzed without calling agents\nbaseline — Build persistent repo baseline context\nxfire baseline /path/to/repo\nxfire baseline . --force\n\nFlag\tType\tDefault\tDescription\nrepo_dir (argument)\tstr\t.\tPath to the repository root\n--force\tbool\tFalse\tRebuild baseline even if one already exists\n--verbose\tbool\tFalse\tEnable verbose logging\nOutput\nreport — Re-generate a report from saved JSON results\nxfire report --input xfire-results.json --format sarif\n\nFlag\tType\tDefault\tDescription\n--input\tstr\trequired\tPath to an xfire JSON results file\n--format\tstr\tmarkdown\tOutput format: markdown|json|sarif\n--output\tstr\tNone\tOutput file path\ndebates — Replay adversarial debate transcripts\nxfire debates --input xfire-results.json\n\nFlag\tType\tDefault\tDescription\n--input\tstr\trequired\tPath to an xfire JSON results file\nSetup & Diagnostics\ninit — Initialize xfire configuration\nxfire init\n\n\nCreates .xfire/config.yaml in the current directory. No flags.\n\nconfig-check — Validate configuration\nxfire config-check --repo-dir .\n\nFlag\tType\tDefault\tDescription\n--repo-dir\tstr\t.\tPath to the repository root\ntest-llm — Test agent connectivity\nxfire test-llm\nxfire test-llm --agents claude --mode api\nxfire test-llm --thinking --prompt \"What is 2+2?\"\n\nFlag\tType\tDefault\tDescription\n--repo-dir\tstr\t.\tPath to the repository root\n--agents\tstr\tNone\tComma-separated agent list to test (default: all enabled)\n--timeout\tint\t30\tTimeout in seconds per agent\n--mode\tstr\tNone\tOverride mode for all agents: cli or api\n--prompt\tstr\tNone\tCustom test prompt to send to each agent\n--thinking\tbool\tFalse\tEnable extended thinking/reasoning for the test\nauth login — Set up agent credentials\nxfire auth login --provider claude\nxfire auth login --provider codex\nxfire auth login --provider gemini\n\nFlag\tType\tDefault\tDescription\n--provider / -p\tstr\trequired\tProvider to authenticate: codex|gemini|claude\n--token\tstr\tNone\tClaude setup-token value (--provider claude only)\nauth status — Show credential status\nxfire auth status\n\n\nNo flags. Displays a table of all provider credential statuses.\n\nDemo\ndemo — Run fixture or UI demo scenarios\nxfire demo --ui\nxfire demo --ui --scenario both_accept\nxfire demo --fixture auth_bypass_regression\n\nFlag\tType\tDefault\tDescription\n--fixture\tstr\t\"\"\tFixture name (e.g., auth_bypass_regression)\n--ui\tbool\tFalse\tRun synthetic UI demo scenarios (no LLM calls)\n--scenario\tstr\t\"\"\tRun one UI scenario: both_accept|judge_questions|defender_wins\n--format\tstr\tmarkdown\tOutput format: markdown|json|sarif\n--verbose\tbool\tFalse\tEnable verbose logging\nConfiguration\n\nxfire looks for .xfire/config.yaml in the repo root (override with XFIRE_CONFIG_PATH).\n\nPriority: CLI flags > environment variables > config.yaml > defaults.\n\nrepo:\n purpose: \"\" # describe what your app does\n intended_capabilities: [] # expected capabilities\n sensitive_paths: # paths that get extra scrutiny\n - auth/\n - payments/\n - migrations/\n\nanalysis:\n context_depth: deep # shallow | medium | deep\n max_related_files: 20\n include_test_files: true\n\nagents:\n claude:\n enabled: true\n mode: cli # cli | api\n cli_command: claude\n model: claude-sonnet-4-20250514\n api_key_env: ANTHROPIC_API_KEY\n timeout: 600\n codex:\n enabled: true\n mode: cli\n cli_command: codex\n model: o3-mini\n api_key_env: OPENAI_API_KEY\n timeout: 300\n gemini:\n enabled: true\n mode: cli\n cli_command: gemini\n model: gemini-2.5-pro\n api_key_env: GOOGLE_API_KEY\n timeout: 300\n\n debate:\n role_assignment: evidence # evidence | rotate | fixed\n fixed_roles:\n prosecutor: claude\n defense: codex\n judge: gemini\n defense_preference: [codex, claude, gemini]\n judge_preference: [codex, gemini, claude]\n max_rounds: 2\n require_evidence_citations: true\n min_agents_for_debate: 2\n\n skills:\n code_navigation: true\n data_flow_tracing: true\n git_archeology: true\n config_analysis: true\n dependency_analysis: true\n test_coverage_check: true\n\nseverity_gate:\n fail_on: high # minimum severity to fail CI\n min_confidence: 0.7\n require_debate: true\n\nsuppressions: []\n\nfast_model:\n provider: claude\n model: claude-haiku-4-5-20251001\n api_key_env: ANTHROPIC_API_KEY\n cli_command: claude\n cli_args: [--output-format, json]\n timeout: 60\n\nOutput Formats\nFormat\tFlag\tDescription\nMarkdown\t--format markdown\tHuman-readable report (default)\nJSON\t--format json\tMachine-readable structured data\nSARIF\t--format sarif\tStatic Analysis Results Interchange Format for CI tooling\nCI/CD Integration\nGitHub Actions\nname: xfire Security Review\non:\n pull_request:\n types: [opened, synchronize]\n\njobs:\n security-review:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - uses: actions/setup-python@v5\n with:\n python-version: \"3.11\"\n\n - run: pip install xfire\n\n - name: Run xfire security review\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}\n run: |\n xfire analyze-pr \\\n --repo ${{ github.repository }} \\\n --pr ${{ github.event.pull_request.number }} \\\n --format sarif \\\n --output results.sarif \\\n --silent\n\n - name: Upload SARIF\n if: always()\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\nHow It Works\nContext Building — parses the diff/PR/repo and collects related files, git history, configs, and dependency data\nIntent Inference — uses a fast model (Haiku) to understand the repo's purpose, trust boundaries, and security controls\nIndependent Review — sends the context to each enabled agent (Claude, Codex, Gemini) in parallel\nFinding Extraction — normalizes all agent responses into structured findings with severity, confidence, and CWE tags\nAdversarial Debate — each finding goes through a prosecution → defense → judge pipeline where agents argue for/against its validity\nVerdict & Deduplication — the judge issues a final ruling; findings are deduplicated and merged across agents\nReport Generation — produces the final report in markdown, JSON, or SARIF format with severity gating for CI\nEnvironment Variables\nVariable\tRequired\tDescription\nANTHROPIC_API_KEY\tYes (for Claude API mode)\tAnthropic API key for Claude\nOPENAI_API_KEY\tFor Codex API mode\tOpenAI API key for Codex\nGOOGLE_API_KEY\tFor Gemini API mode\tGoogle API key for Gemini\nGITHUB_TOKEN\tFor analyze-pr\tGitHub personal access token\nXFIRE_CONFIG_PATH\tNo\tOverride path to config.yaml\nXFIRE_CACHE_DIR\tNo\tCache directory for context/intent persistence across runs\nXFIRE_AUTH_PATH\tNo\tOverride path to auth.json credential store\nLimitations\nRequires at least one AI agent (Claude, Codex, or Gemini) to be configured and reachable\nCLI mode requires the agent CLI tools to be installed and on PATH\nDoes not replace manual penetration testing or formal security audits\nFindings depend on AI model capabilities and may include false positives or miss subtle vulnerabilities\nLarge repositories may hit agent context limits; use --max-files to constrain scope\nDoes not scan binary files, compiled artifacts, or container images\nDebate quality improves with more agents — single-agent mode skips the adversarial phase" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/Har1sh-k/xfire-security-review", "publisherUrl": "https://clawhub.ai/Har1sh-k/xfire-security-review", "owner": "Har1sh-k", "version": "0.1.2", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/xfire-security-review", "downloadUrl": "https://openagent3.xyz/downloads/xfire-security-review", "agentUrl": "https://openagent3.xyz/skills/xfire-security-review/agent", "manifestUrl": "https://openagent3.xyz/skills/xfire-security-review/agent.json", "briefUrl": "https://openagent3.xyz/skills/xfire-security-review/agent.md" } }