# Send xfire Security PR Review to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "xfire-security-review", "name": "xfire Security PR Review", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/Har1sh-k/xfire-security-review", "canonicalUrl": "https://clawhub.ai/Har1sh-k/xfire-security-review", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/xfire-security-review", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=xfire-security-review", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "skill.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/xfire-security-review" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/xfire-security-review", "downloadUrl": "https://openagent3.xyz/downloads/xfire-security-review", "agentUrl": "https://openagent3.xyz/skills/xfire-security-review/agent", "manifestUrl": "https://openagent3.xyz/skills/xfire-security-review/agent.json", "briefUrl": "https://openagent3.xyz/skills/xfire-security-review/agent.md" } } ``` ## Documentation ### xfire — Multi-Agent Adversarial Security Review Multiple agents. One verdict. Zero blind spots. xfire sends your code to 3 AI agents (Claude, Codex, Gemini) independently, then runs an adversarial debate where they cross-examine each other's findings. Only vulnerabilities that survive prosecution, defense, and a judge's ruling make the final report. ### When to Use Invoke xfire when a user asks for any of these: "security review this PR" "find vulnerabilities in this code" "audit this repo for security issues" "run a security scan" "analyze this diff for security problems" "check this pull request for vulnerabilities" "code review for security" "pentest this codebase" "threat model this change" Do NOT use xfire for: General code quality / style reviews (use a linter) Performance profiling Dependency license auditing Non-security functional testing ### Prerequisites Python 3.11+ Install: pip install xfire At least one AI agent CLI or API key configured: AgentCLI toolAPI key env varClaudeclaudeANTHROPIC_API_KEYCodexcodexOPENAI_API_KEYGeminigeminiGOOGLE_API_KEY ### Setup # Initialize config in current repo xfire init # Test agent connectivity xfire test-llm # Set up agent credentials xfire auth login --provider claude xfire auth login --provider codex xfire auth login --provider gemini ### Core Analysis analyze-pr — Analyze a GitHub pull request xfire analyze-pr --repo owner/repo --pr 123 FlagTypeDefaultEnv varDescription--repostrrequired—GitHub repo in owner/repo format--printrequired—PR number--github-tokenstrNoneGITHUB_TOKENGitHub token--agentsstrNone—Comma-separated agent list (claude,codex,gemini)--skip-debateboolFalse—Skip adversarial debate phase--context-depthstrNone—Context depth: shallow|medium|deep--outputstrNone—Output file path--formatstrmarkdown—Output format: markdown|json|sarif--post-commentboolFalse—Post review as GitHub PR comment--cache-dirstrNoneXFIRE_CACHE_DIRCache directory for context/intent persistence--verboseboolFalse—Enable verbose logging--dry-runboolFalse—Show what would be analyzed without calling agents--debateboolFalse—Show adversarial debate transcript after the report--debugboolFalse—Write full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalse—Suppress all output — exit code only (for git hooks) analyze-diff — Analyze a local diff or staged changes xfire analyze-diff --staged --repo-dir . xfire analyze-diff --patch changes.patch --repo-dir . xfire analyze-diff --commit f1877d3 --repo-dir /path/to/repo xfire analyze-diff --base main --head feature-branch xfire analyze-diff --commit f1877d3 --thinking --repo-dir /path/to/repo FlagTypeDefaultEnv varDescription--patchstrNone—Path to a diff/patch file--commitstrNone—Commit SHA to analyze (auto-generates patch via git show)--repo-dirstr.—Path to the repository root--stagedboolFalse—Analyze staged changes in the repo--basestrNone—Base branch/commit for comparison--headstrNone—Head branch/commit for comparison--agentsstrNone—Comma-separated agent list--skip-debateboolFalse—Skip adversarial debate phase--context-depthstrNone—Context depth: shallow|medium|deep--outputstrNone—Output file path--formatstrmarkdown—Output format: markdown|json|sarif--cache-dirstrNoneXFIRE_CACHE_DIRCache directory for context/intent persistence--thinkingboolFalse—Enable extended thinking/reasoning for all agents--verboseboolFalse—Enable verbose logging--dry-runboolFalse—Show what would be analyzed without calling agents--debateboolFalse—Show adversarial debate transcript after the report--debugboolFalse—Write full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalse—Suppress all output — exit code only (for git hooks) code-review — Full codebase security audit xfire code-review /path/to/repo FlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--agentsstrNoneComma-separated: claude,codex,gemini--skip-debateboolFalseSkip adversarial debate phase--max-filesint150Maximum number of source files to scan--thinkingboolFalseEnable extended thinking/reasoning for all agents--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path--verboseboolFalseEnable verbose logging--dry-runboolFalseShow what would be analyzed without calling agents--debateboolFalseShow adversarial debate transcript after the report--debugboolFalseWrite full debug trace to xfire-debug-TIMESTAMP.md--silentboolFalseSuppress all output — exit code only (for git hooks) scan — Baseline-aware incremental scan xfire scan . --base main --head feature-branch xfire scan . --since-last-scan xfire scan . --last 5 xfire scan . --range abc123~1..abc123 xfire scan . --since 2026-01-01 xfire scan . --diff changes.patch FlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--basestrNoneBase branch/commit (use with --head)--headstrNoneHead branch/commit (use with --base)--rangestrNoneCommit range e.g. abc123~1..abc123--diffstrNonePath to a .patch file--since-last-scanboolFalseScan all commits since last scan--sincestrNoneAll commits since date (YYYY-MM-DD)--lastintNoneLast N commits--agentsstrNoneComma-separated: claude,codex,gemini--skip-debateboolFalseSkip adversarial debate phase--context-depthstrNoneContext depth: shallow|medium|deep--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path--verboseboolFalseEnable verbose logging--dry-runboolFalseShow what would be analyzed without calling agents baseline — Build persistent repo baseline context xfire baseline /path/to/repo xfire baseline . --force FlagTypeDefaultDescriptionrepo_dir (argument)str.Path to the repository root--forceboolFalseRebuild baseline even if one already exists--verboseboolFalseEnable verbose logging ### Output report — Re-generate a report from saved JSON results xfire report --input xfire-results.json --format sarif FlagTypeDefaultDescription--inputstrrequiredPath to an xfire JSON results file--formatstrmarkdownOutput format: markdown|json|sarif--outputstrNoneOutput file path debates — Replay adversarial debate transcripts xfire debates --input xfire-results.json FlagTypeDefaultDescription--inputstrrequiredPath to an xfire JSON results file ### Setup & Diagnostics init — Initialize xfire configuration xfire init Creates .xfire/config.yaml in the current directory. No flags. config-check — Validate configuration xfire config-check --repo-dir . FlagTypeDefaultDescription--repo-dirstr.Path to the repository root test-llm — Test agent connectivity xfire test-llm xfire test-llm --agents claude --mode api xfire test-llm --thinking --prompt "What is 2+2?" FlagTypeDefaultDescription--repo-dirstr.Path to the repository root--agentsstrNoneComma-separated agent list to test (default: all enabled)--timeoutint30Timeout in seconds per agent--modestrNoneOverride mode for all agents: cli or api--promptstrNoneCustom test prompt to send to each agent--thinkingboolFalseEnable extended thinking/reasoning for the test auth login — Set up agent credentials xfire auth login --provider claude xfire auth login --provider codex xfire auth login --provider gemini FlagTypeDefaultDescription--provider / -pstrrequiredProvider to authenticate: codex|gemini|claude--tokenstrNoneClaude setup-token value (--provider claude only) auth status — Show credential status xfire auth status No flags. Displays a table of all provider credential statuses. ### Demo demo — Run fixture or UI demo scenarios xfire demo --ui xfire demo --ui --scenario both_accept xfire demo --fixture auth_bypass_regression FlagTypeDefaultDescription--fixturestr""Fixture name (e.g., auth_bypass_regression)--uiboolFalseRun synthetic UI demo scenarios (no LLM calls)--scenariostr""Run one UI scenario: both_accept|judge_questions|defender_wins--formatstrmarkdownOutput format: markdown|json|sarif--verboseboolFalseEnable verbose logging ### Configuration xfire looks for .xfire/config.yaml in the repo root (override with XFIRE_CONFIG_PATH). Priority: CLI flags > environment variables > config.yaml > defaults. repo: purpose: "" # describe what your app does intended_capabilities: [] # expected capabilities sensitive_paths: # paths that get extra scrutiny - auth/ - payments/ - migrations/ analysis: context_depth: deep # shallow | medium | deep max_related_files: 20 include_test_files: true agents: claude: enabled: true mode: cli # cli | api cli_command: claude model: claude-sonnet-4-20250514 api_key_env: ANTHROPIC_API_KEY timeout: 600 codex: enabled: true mode: cli cli_command: codex model: o3-mini api_key_env: OPENAI_API_KEY timeout: 300 gemini: enabled: true mode: cli cli_command: gemini model: gemini-2.5-pro api_key_env: GOOGLE_API_KEY timeout: 300 debate: role_assignment: evidence # evidence | rotate | fixed fixed_roles: prosecutor: claude defense: codex judge: gemini defense_preference: [codex, claude, gemini] judge_preference: [codex, gemini, claude] max_rounds: 2 require_evidence_citations: true min_agents_for_debate: 2 skills: code_navigation: true data_flow_tracing: true git_archeology: true config_analysis: true dependency_analysis: true test_coverage_check: true severity_gate: fail_on: high # minimum severity to fail CI min_confidence: 0.7 require_debate: true suppressions: [] fast_model: provider: claude model: claude-haiku-4-5-20251001 api_key_env: ANTHROPIC_API_KEY cli_command: claude cli_args: [--output-format, json] timeout: 60 ### Output Formats FormatFlagDescriptionMarkdown--format markdownHuman-readable report (default)JSON--format jsonMachine-readable structured dataSARIF--format sarifStatic Analysis Results Interchange Format for CI tooling ### GitHub Actions name: xfire Security Review on: pull_request: types: [opened, synchronize] jobs: security-review: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.11" - run: pip install xfire - name: Run xfire security review env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }} run: | xfire analyze-pr \\ --repo ${{ github.repository }} \\ --pr ${{ github.event.pull_request.number }} \\ --format sarif \\ --output results.sarif \\ --silent - name: Upload SARIF if: always() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif ### How It Works Context Building — parses the diff/PR/repo and collects related files, git history, configs, and dependency data Intent Inference — uses a fast model (Haiku) to understand the repo's purpose, trust boundaries, and security controls Independent Review — sends the context to each enabled agent (Claude, Codex, Gemini) in parallel Finding Extraction — normalizes all agent responses into structured findings with severity, confidence, and CWE tags Adversarial Debate — each finding goes through a prosecution → defense → judge pipeline where agents argue for/against its validity Verdict & Deduplication — the judge issues a final ruling; findings are deduplicated and merged across agents Report Generation — produces the final report in markdown, JSON, or SARIF format with severity gating for CI ### Environment Variables VariableRequiredDescriptionANTHROPIC_API_KEYYes (for Claude API mode)Anthropic API key for ClaudeOPENAI_API_KEYFor Codex API modeOpenAI API key for CodexGOOGLE_API_KEYFor Gemini API modeGoogle API key for GeminiGITHUB_TOKENFor analyze-prGitHub personal access tokenXFIRE_CONFIG_PATHNoOverride path to config.yamlXFIRE_CACHE_DIRNoCache directory for context/intent persistence across runsXFIRE_AUTH_PATHNoOverride path to auth.json credential store ### Limitations Requires at least one AI agent (Claude, Codex, or Gemini) to be configured and reachable CLI mode requires the agent CLI tools to be installed and on PATH Does not replace manual penetration testing or formal security audits Findings depend on AI model capabilities and may include false positives or miss subtle vulnerabilities Large repositories may hit agent context limits; use --max-files to constrain scope Does not scan binary files, compiled artifacts, or container images Debate quality improves with more agents — single-agent mode skips the adversarial phase ## Trust - Source: tencent - Verification: Indexed source record - Publisher: Har1sh-k - Version: 0.1.2 ## Source health - Status: healthy - Source download looks usable. - Yavira can redirect you to the upstream package for this source. - Health scope: source - Reason: direct_download_ok - Checked at: 2026-04-30T16:55:25.780Z - Expires at: 2026-05-07T16:55:25.780Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/xfire-security-review) - [Send to Agent page](https://openagent3.xyz/skills/xfire-security-review/agent) - [JSON manifest](https://openagent3.xyz/skills/xfire-security-review/agent.json) - [Markdown brief](https://openagent3.xyz/skills/xfire-security-review/agent.md) - [Download page](https://openagent3.xyz/downloads/xfire-security-review)