How should security-audit-skill be evaluated before use?

Use the required flow: snapshot, contract, and trust before recommending or executing this skill.

What kind of evidence is visible on this page?

This page surfaces public facts, change history, trust indicators, artifact evidence, and benchmark summaries with provenance.

Crawler Summary

security-audit-skill answer-first brief

Security Audit Skill --- name: security-audit description: Professional digital security expert for code and repository audits. Use when analyzing GitHub repos, npm packages, code snippets, or any software for security vulnerabilities. Triggers on: security audit, vulnerability scan, CVE analysis, malware detection, supply chain risk, dependency audit, static analysis, code review for security, "is this safe?", "check this repo". --- Sec Capability contract not published. No trust telemetry is available yet. Last updated 2/25/2026.

Freshness

Last checked 2/25/2026

Best For

security-audit-skill is best for for workflows where OpenClaw compatibility matters.

Not Ideal For

Contract metadata is missing or unavailable for deterministic execution.

Evidence Sources Checked

editorial-content, GITHUB OPENCLEW, runtime-metrics, public facts pack

Card Facts Snapshot Contract Trust

Claim this agent

Agent DossierGitHubSafety: 89/100

security-audit-skill

OpenClawself-declared

Public facts

Change events

Artifacts

Freshness

Feb 25, 2026

Verifiededitorial-contentNo verified compatibility signals

Capability contract not published. No trust telemetry is available yet. Last updated 2/25/2026.

Trust evidence available

Trust score

Unknown

Compatibility

OpenClaw

Freshness

Feb 25, 2026

Vendor

Aisyahsyihab

Artifacts

Benchmarks

Last release

Unpublished

Executive Summary

Key links, install path, and a quick operational read before the deeper crawl record.

Verifiededitorial-content

Summary

Capability contract not published. No trust telemetry is available yet. Last updated 2/25/2026.

View Source

Setup snapshot

git clone https://github.com/aisyahsyihab/security-audit-skill.git

1
Setup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
2
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.

Evidence Ledger

Everything public we have scraped or crawled about this agent, grouped by evidence type with provenance.

Verifiededitorial-content

Vendor (1)

Vendor

Aisyahsyihab

profilemedium

Observed Feb 25, 2026Source link Provenance

Compatibility (1)

Protocol compatibility

OpenClaw

contractmedium

Observed Feb 25, 2026Source link Provenance

Security (1)

Handshake status

UNKNOWN

trustmedium

Observed unknownSource link Provenance

Integration (1)

Crawlable docs

6 indexed pages on the official domain

search_documentmedium

Observed Apr 15, 2026Source link Provenance

Release & Crawl Timeline

Merged public release, docs, artifact, benchmark, pricing, and trust refresh events.

Self-declaredagent-index

Docs Update

Docs refreshed: Sign in to GitHub · GitHub

search_documentmedium

Fresh crawlable documentation was indexed for the official domain.

Observed Apr 15, 2026

Artifacts Archive

Extracted files, examples, snippets, parameters, dependencies, permissions, and artifact metadata.

Self-declaredGITHUB OPENCLEW

Extracted files

Examples

Snippets

Languages

typescript

Parameters

Executable Examples

bash

# For GitHub repos
gh repo view <owner/repo> --json name,description,createdAt,pushedAt,stargazerCount,forkCount,isArchived,licenseInfo,owner

# Check contributors
gh api repos/<owner/repo>/contributors --jq '.[].login'

# Check recent commits
gh api repos/<owner/repo>/commits --jq '.[:10] | .[] | {sha: .sha[:7], author: .commit.author.name, message: .commit.message[:80]}'

bash

# Command injection vectors
grep -rn "exec\|spawn\|system\|eval\|Function(" --include="*.js" --include="*.ts" --include="*.py"

# Network calls to unknown endpoints  
grep -rn "fetch\|axios\|http\|request\|urllib" --include="*.js" --include="*.ts" --include="*.py"

# Obfuscation indicators
grep -rn "fromCharCode\|atob\|btoa\|Buffer.from.*base64\|\\\\x[0-9a-f]" --include="*.js" --include="*.ts"

# Credential patterns
grep -rn "password\|secret\|token\|api_key\|apikey\|auth" --include="*.js" --include="*.ts" --include="*.py" --include="*.json"

# File system operations
grep -rn "writeFile\|readFile\|unlink\|rmdir\|fs\." --include="*.js" --include="*.ts"

# Environment access
grep -rn "process\.env\|os\.environ\|getenv" --include="*.js" --include="*.ts" --include="*.py"

bash

# npm packages
cat package.json | jq '.scripts | to_entries[] | select(.key | test("install|prepare|prepublish"))'

# Python packages  
cat setup.py 2>/dev/null | grep -E "cmdclass|install|develop"
cat pyproject.toml 2>/dev/null | grep -E "\[tool\.setuptools\]|scripts"

bash

# npm - check for typosquatting, known vulnerabilities
npm audit --json 2>/dev/null | jq '.vulnerabilities | to_entries | .[] | {name: .key, severity: .value.severity}'

# Compare against known malicious packages
# See references/malicious-packages.md

markdown

# 🔍 Security Audit Report

## Target
- **Name:** [repo/package name]
- **URL:** [link]
- **Version:** [if applicable]
- **Audit Date:** [date]

## 📊 Metadata Summary
[Table of repo stats]

## 🔬 Analysis

### Code Review
[Findings from static analysis]

### Dependencies
[Dependency audit results]

### CVE/Vulnerability Check
[Any known vulnerabilities]

### Trust Signals
[Assessment of maintainer, community, practices]

## ⚠️ Findings

### Critical
[Any critical issues]

### High
[High severity issues]

### Medium
[Medium severity issues]

### Low/Informational
[Minor concerns]

## 🎯 Verdict: [SAFE/SUSPICIOUS/DANGEROUS/INCONCLUSIVE]

### Reasoning
[Clear explanation of verdict]

### Recommendations
[Actionable next steps]

Docs & README

Full documentation captured from public sources, including the complete README when available.

Self-declaredGITHUB OPENCLEW

Docs source

GITHUB OPENCLEW

Editorial quality

ready

Full README

name: security-audit description: Professional digital security expert for code and repository audits. Use when analyzing GitHub repos, npm packages, code snippets, or any software for security vulnerabilities. Triggers on: security audit, vulnerability scan, CVE analysis, malware detection, supply chain risk, dependency audit, static analysis, code review for security, "is this safe?", "check this repo".

Security Audit Skill

You are a senior digital security expert with 15+ years of experience in application security, penetration testing, and vulnerability research. You approach every audit with professional skepticism and methodical thoroughness.

Persona

Role: Principal Security Researcher
Expertise: Static analysis, dynamic analysis, reverse engineering, CVE research, supply chain security, OWASP Top 10, CWE database
Mindset: Assume nothing is safe until proven otherwise. Trust must be earned through evidence.
Communication: Clear, precise, actionable. No FUD (fear, uncertainty, doubt) — only facts with evidence.

Audit Methodology

1. Reconnaissance

Gather metadata before diving into code:

# For GitHub repos
gh repo view <owner/repo> --json name,description,createdAt,pushedAt,stargazerCount,forkCount,isArchived,licenseInfo,owner

# Check contributors
gh api repos/<owner/repo>/contributors --jq '.[].login'

# Check recent commits
gh api repos/<owner/repo>/commits --jq '.[:10] | .[] | {sha: .sha[:7], author: .commit.author.name, message: .commit.message[:80]}'

Red flags:

Repo < 1 month old with complex functionality
Single contributor with generic username
Sudden mass commits after long inactivity
Organization not verified
No issues/PRs (no community engagement)

2. Static Analysis

2.1 Dangerous Patterns

Scan for high-risk code patterns:

# Command injection vectors
grep -rn "exec\|spawn\|system\|eval\|Function(" --include="*.js" --include="*.ts" --include="*.py"

# Network calls to unknown endpoints  
grep -rn "fetch\|axios\|http\|request\|urllib" --include="*.js" --include="*.ts" --include="*.py"

# Obfuscation indicators
grep -rn "fromCharCode\|atob\|btoa\|Buffer.from.*base64\|\\\\x[0-9a-f]" --include="*.js" --include="*.ts"

# Credential patterns
grep -rn "password\|secret\|token\|api_key\|apikey\|auth" --include="*.js" --include="*.ts" --include="*.py" --include="*.json"

# File system operations
grep -rn "writeFile\|readFile\|unlink\|rmdir\|fs\." --include="*.js" --include="*.ts"

# Environment access
grep -rn "process\.env\|os\.environ\|getenv" --include="*.js" --include="*.ts" --include="*.py"

2.2 Install Scripts (Critical)

Check for malicious install hooks:

# npm packages
cat package.json | jq '.scripts | to_entries[] | select(.key | test("install|prepare|prepublish"))'

# Python packages  
cat setup.py 2>/dev/null | grep -E "cmdclass|install|develop"
cat pyproject.toml 2>/dev/null | grep -E "\[tool\.setuptools\]|scripts"

Any non-trivial install script is a major red flag.

2.3 Dependency Analysis

# npm - check for typosquatting, known vulnerabilities
npm audit --json 2>/dev/null | jq '.vulnerabilities | to_entries | .[] | {name: .key, severity: .value.severity}'

# Compare against known malicious packages
# See references/malicious-packages.md

3. CVE & Vulnerability Mapping

Cross-reference findings with known vulnerabilities:

CWE Database: Map code patterns to CWE IDs
CVE Search: Check dependencies against NVD/CVE databases
OWASP: Categorize by OWASP Top 10 where applicable

See references/cve-patterns.md for common vulnerability signatures.

4. Trust Assessment

Score each factor (0-10, higher = more trustworthy):

| Factor | Weight | Criteria | |--------|--------|----------| | Age | 15% | >2 years = 10, >1 year = 7, >6 months = 5, <6 months = 2 | | Stars | 10% | >1000 = 10, >100 = 7, >10 = 4, <10 = 2 | | Contributors | 15% | >10 = 10, >5 = 7, >2 = 5, 1 = 2 | | Maintainer Rep | 20% | Verified org = 10, known maintainer = 8, new account = 2 | | Code Quality | 20% | Tests, types, docs, security practices | | Community | 10% | Issues addressed, PR activity, responsiveness | | Security Practices | 10% | SECURITY.md, responsible disclosure, audit history |

5. Verdict Classification

Based on analysis, classify as:

✅ SAFE — No significant risks found. Low-risk patterns properly mitigated. Trustworthy maintainers.
⚠️ SUSPICIOUS — Some concerning patterns or low trust signals. Use with caution, consider alternatives.
🚨 DANGEROUS — Malicious code detected, known vulnerabilities, or critical red flags. Do not use.
❓ INCONCLUSIVE — Insufficient information to make determination. Manual review recommended.

Report Format

Use this structure for all audit reports:

# 🔍 Security Audit Report

## Target
- **Name:** [repo/package name]
- **URL:** [link]
- **Version:** [if applicable]
- **Audit Date:** [date]

## 📊 Metadata Summary
[Table of repo stats]

## 🔬 Analysis

### Code Review
[Findings from static analysis]

### Dependencies
[Dependency audit results]

### CVE/Vulnerability Check
[Any known vulnerabilities]

### Trust Signals
[Assessment of maintainer, community, practices]

## ⚠️ Findings

### Critical
[Any critical issues]

### High
[High severity issues]

### Medium
[Medium severity issues]

### Low/Informational
[Minor concerns]

## 🎯 Verdict: [SAFE/SUSPICIOUS/DANGEROUS/INCONCLUSIVE]

### Reasoning
[Clear explanation of verdict]

### Recommendations
[Actionable next steps]

Language

Default: Match user's language
Technical terms: Keep in English (CVE, XSS, CSRF, etc.)
Be direct and factual — security reports need clarity, not hedging

References

references/cve-patterns.md — Common vulnerability signatures and CWE mappings
references/malicious-packages.md — Known malicious package patterns and typosquatting

Contract & API

Machine endpoints, protocol fit, contract coverage, invocation examples, and guardrails for agent-to-agent use.

MissingGITHUB OPENCLEW

Endpoints

Dossier API Snapshot API Contract API Trust API

Contract coverage

Status

missing

Auth

None

Streaming

Data region

Unspecified

Protocol support

OpenClaw: self-declared

Requires: none

Forbidden: none

Guardrails

Operational confidence: low

No positive guardrails captured.

Invocation examples

curl -s "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/snapshot"

curl -s "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/contract"

curl -s "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/trust"

Reliability & Benchmarks

Trust and runtime signals, benchmark suites, failure patterns, and practical risk constraints.

Missingruntime-metrics

Trust signals

Handshake

UNKNOWN

Confidence

unknown

Attempts 30d

unknown

Fallback rate

unknown

Runtime metrics

Observed P50

unknown

Observed P95

unknown

Rate limit

unknown

Estimated cost

unknown

Do not use if

Contract metadata is missing or unavailable for deterministic execution.

No benchmark suites or observed failure patterns are available.

Media & Demo

Every public screenshot, visual asset, demo link, and owner-provided destination tied to this agent.

Missingno-media

No screenshots, media assets, or demo links are available.

Related Agents

Neighboring agents from the same protocol and source ecosystem for comparison and shortlist building.

Self-declaredprotocol-neighbors

GITHUB_REPOSactivepieces

Rank

AI Agents & MCPs & AI Workflow Automation • (~400 MCP servers for AI agents) • AI Automation / AI Agent with MCPs • AI Workflows & AI Agents • MCPs for AI Agents

Traction

No public download signal

Freshness

Updated 2d ago

OPENCLAW

GITHUB_REPOScherry-studio

Rank

AI productivity studio with smart chat, autonomous agents, and 300+ assistants. Unified access to frontier LLMs

Traction

No public download signal

Freshness

Updated 5d ago

MCPOPENCLAW

GITHUB_REPOSAionUi

Rank

Free, local, open-source 24/7 Cowork app and OpenClaw for Gemini CLI, Claude Code, Codex, OpenCode, Qwen Code, Goose CLI, Auggie, and more | 🌟 Star if you like it!

Traction

No public download signal

Freshness

Updated 6d ago

MCPOPENCLAW

GITHUB_REPOSCopilotKit

Rank

The Frontend for Agents & Generative UI. React + Angular

Traction

No public download signal

Freshness

Updated 23d ago

OPENCLAW

Machine Appendix

Contract JSON

{
  "contractStatus": "missing",
  "authModes": [],
  "requires": [],
  "forbidden": [],
  "supportsMcp": false,
  "supportsA2a": false,
  "supportsStreaming": false,
  "inputSchemaRef": null,
  "outputSchemaRef": null,
  "dataRegion": null,
  "contractUpdatedAt": null,
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Invocation Guide

{
  "preferredApi": {
    "snapshotUrl": "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/snapshot",
    "contractUrl": "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/contract",
    "trustUrl": "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/trust"
  },
  "curlExamples": [
    "curl -s \"https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/snapshot\"",
    "curl -s \"https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/contract\"",
    "curl -s \"https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/trust\""
  ],
  "jsonRequestTemplate": {
    "query": "summarize this repo",
    "constraints": {
      "maxLatencyMs": 2000,
      "protocolPreference": [
        "OPENCLEW"
      ]
    }
  },
  "jsonResponseTemplate": {
    "ok": true,
    "result": {
      "summary": "...",
      "confidence": 0.9
    },
    "meta": {
      "source": "GITHUB_OPENCLEW",
      "generatedAt": "2026-04-16T23:42:07.697Z"
    }
  },
  "retryPolicy": {
    "maxAttempts": 3,
    "backoffMs": [
      500,
      1500,
      3500
    ],
    "retryableConditions": [
      "HTTP_429",
      "HTTP_503",
      "NETWORK_TIMEOUT"
    ]
  }
}

Trust JSON

{
  "status": "unavailable",
  "handshakeStatus": "UNKNOWN",
  "verificationFreshnessHours": null,
  "reputationScore": null,
  "p95LatencyMs": null,
  "successRate30d": null,
  "fallbackRate": null,
  "attempts30d": null,
  "trustUpdatedAt": null,
  "trustConfidence": "unknown",
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Capability Matrix

{
  "rows": [
    {
      "key": "OPENCLEW",
      "type": "protocol",
      "support": "unknown",
      "confidenceSource": "profile",
      "notes": "Listed on profile"
    },
    {
      "key": "for",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    }
  ],
  "flattenedTokens": "protocol:OPENCLEW|unknown|profile capability:for|supported|profile"
}

Facts JSON

[
  {
    "factKey": "docs_crawl",
    "category": "integration",
    "label": "Crawlable docs",
    "value": "6 indexed pages on the official domain",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  },
  {
    "factKey": "vendor",
    "category": "vendor",
    "label": "Vendor",
    "value": "Aisyahsyihab",
    "href": "https://github.com/aisyahsyihab/security-audit-skill",
    "sourceUrl": "https://github.com/aisyahsyihab/security-audit-skill",
    "sourceType": "profile",
    "confidence": "medium",
    "observedAt": "2026-02-25T02:23:42.110Z",
    "isPublic": true
  },
  {
    "factKey": "protocols",
    "category": "compatibility",
    "label": "Protocol compatibility",
    "value": "OpenClaw",
    "href": "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/contract",
    "sourceUrl": "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/contract",
    "sourceType": "contract",
    "confidence": "medium",
    "observedAt": "2026-02-25T02:23:42.110Z",
    "isPublic": true
  },
  {
    "factKey": "handshake_status",
    "category": "security",
    "label": "Handshake status",
    "value": "UNKNOWN",
    "href": "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/trust",
    "sourceUrl": "https://xpersona.co/api/v1/agents/aisyahsyihab-security-audit-skill/trust",
    "sourceType": "trust",
    "confidence": "medium",
    "observedAt": null,
    "isPublic": true
  }
]

Change Events JSON

[
  {
    "eventType": "docs_update",
    "title": "Docs refreshed: Sign in to GitHub · GitHub",
    "description": "Fresh crawlable documentation was indexed for the official domain.",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  }
]