How should security-stance-analyzer be evaluated before use?

Use the required flow: snapshot, contract, and trust before recommending or executing this skill.

What kind of evidence is visible on this page?

This page surfaces public facts, change history, trust indicators, artifact evidence, and benchmark summaries with provenance.

Crawler Summary

security-stance-analyzer answer-first brief

Analyzes the security posture of systems, codebases, and infrastructure. Examines authentication, authorization, data protection, network security, dependency vulnerabilities, secrets management, and compliance. Use when assessing security risks, performing security audits, or evaluating defensive measures. --- name: security-stance-analyzer description: Analyzes the security posture of systems, codebases, and infrastructure. Examines authentication, authorization, data protection, network security, dependency vulnerabilities, secrets management, and compliance. Use when assessing security risks, performing security audits, or evaluating defensive measures. license: Apache-2.0 compatibility: May require git, grep, find, Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

Freshness

Last checked 4/15/2026

Best For

security-stance-analyzer is best for code, for workflows where OpenClaw compatibility matters.

Not Ideal For

Contract metadata is missing or unavailable for deterministic execution.

Evidence Sources Checked

editorial-content, GITHUB OPENCLEW, runtime-metrics, public facts pack

Card Facts Snapshot Contract Trust

Claim this agent

Agent DossierGitHubSafety: 58/100

security-stance-analyzer

OpenClawself-declared

Public facts

Change events

Artifacts

Freshness

Apr 15, 2026

Verifiededitorial-contentNo verified compatibility signals

Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

Trust evidence available

Trust score

Unknown

Compatibility

OpenClaw

Freshness

Apr 15, 2026

Vendor

Gurdiga

Artifacts

Benchmarks

Last release

Unpublished

Executive Summary

Key links, install path, and a quick operational read before the deeper crawl record.

Verifiededitorial-content

Summary

Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.

View Source

Setup snapshot

git clone https://github.com/gurdiga/security-stance-analyzer.git

1
Setup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
2
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.

Evidence Ledger

Everything public we have scraped or crawled about this agent, grouped by evidence type with provenance.

Verifiededitorial-content

Vendor (1)

Vendor

Gurdiga

profilemedium

Observed Apr 15, 2026Source link Provenance

Compatibility (1)

Protocol compatibility

OpenClaw

contractmedium

Observed Apr 15, 2026Source link Provenance

Security (1)

Handshake status

UNKNOWN

trustmedium

Observed unknownSource link Provenance

Integration (1)

Crawlable docs

6 indexed pages on the official domain

search_documentmedium

Observed Apr 15, 2026Source link Provenance

Release & Crawl Timeline

Merged public release, docs, artifact, benchmark, pricing, and trust refresh events.

Self-declaredagent-index

Docs Update

Docs refreshed: Sign in to GitHub · GitHub

search_documentmedium

Fresh crawlable documentation was indexed for the official domain.

Observed Apr 15, 2026

Artifacts Archive

Extracted files, examples, snippets, parameters, dependencies, permissions, and artifact metadata.

Self-declaredGITHUB OPENCLEW

Extracted files

Examples

Snippets

Languages

typescript

Parameters

Executable Examples

text

password.*=.*['"]\w+['"]
api[_-]?key.*=.*['"]\w+['"]
secret.*=.*['"]\w+['"]
token.*=.*['"]\w+['"]
AWS_ACCESS_KEY
PRIVATE_KEY

python

# Python
eval(), exec(), pickle.loads()

# JavaScript
eval(), Function(), innerHTML

# PHP
eval(), system(), exec()

# Ruby
eval(), system()

markdown

# Security Stance Analysis Report

## Executive Summary
[Overall security posture: Strong/Adequate/Weak/Critical]
[Summary of key findings]

## Scope
- **Target**: [System/Application name]
- **Technology Stack**: [Languages, frameworks, infrastructure]
- **Analysis Date**: [Date]

## Findings

### Critical Severity
1. **[Finding Title]**
   - **Category**: [e.g., Authentication, Injection]
   - **Location**: [File path or system component]
   - **Description**: [What was found]
   - **Impact**: [What could happen]
   - **Remediation**: [How to fix]

### High Severity
[Same structure]

### Medium Severity
[Same structure]

### Low Severity
[Same structure]

### Informational
[Same structure]

## Security Strengths
- [What's being done well]

## Risk Summary
| Severity | Count |
|----------|-------|
| Critical | X     |
| High     | X     |
| Medium   | X     |
| Low      | X     |

## Recommendations
1. [Prioritized action items]

## Compliance Gaps
[If applicable]

## Conclusion
[Overall assessment and next steps]

bash

# Search for potential secrets in code
grep -r -E "(password|passwd|pwd|api[_-]?key|secret|token).*=.*['\"]" .

# Search git history for secrets
git log -p | grep -E "(password|api[_-]?key|secret)"

# Use dedicated tools
trufflehog git file://. --only-verified
gitleaks detect --source .

bash

# Node.js
npm audit
npm audit --production

# Python
pip-audit
safety check

# Ruby
bundle audit

# Go
go list -m all | nancy sleuth

bash

# Find world-writable files
find . -type f -perm -002

# Find files with sensitive extensions
find . -name "*.env" -o -name "*.pem" -o -name "*.key"

# Check for debug mode
grep -r "DEBUG.*=.*true" .
grep -r "development" config/

Docs & README

Full documentation captured from public sources, including the complete README when available.

Self-declaredGITHUB OPENCLEW

Docs source

GITHUB OPENCLEW

Editorial quality

ready

Full README

name: security-stance-analyzer description: Analyzes the security posture of systems, codebases, and infrastructure. Examines authentication, authorization, data protection, network security, dependency vulnerabilities, secrets management, and compliance. Use when assessing security risks, performing security audits, or evaluating defensive measures. license: Apache-2.0 compatibility: May require git, grep, find, network tools (curl, nmap), and dependency scanners (npm audit, pip-audit, etc.) metadata: author: security-tools version: "1.0" category: security

Security Stance Analyzer

This skill performs comprehensive security posture analysis of systems, applications, and infrastructure.

When to Use

Activate this skill when:

User requests a security audit or security assessment
Evaluating security risks in a codebase or system
Checking for common vulnerabilities and misconfigurations
Assessing compliance with security best practices
Investigating potential security weaknesses
Performing pre-deployment security review

Analysis Categories

1. Authentication & Authorization

What to check:

Authentication mechanisms (passwords, tokens, OAuth, SSO)
Session management implementation
Password storage (hashing algorithms, salts)
Multi-factor authentication availability
Authorization logic and access controls
Role-based access control (RBAC) implementation
JWT token validation and expiration

Questions to answer:

Are credentials stored securely?
Is session hijacking possible?
Are there broken access controls?
Is authentication bypass possible?

2. Secrets & Credentials Management

What to check:

Hardcoded secrets, API keys, passwords in code
Environment variable usage
Secrets in version control history
Configuration files with sensitive data
Database connection strings
Third-party service credentials

Common patterns to search for:

password.*=.*['"]\w+['"]
api[_-]?key.*=.*['"]\w+['"]
secret.*=.*['"]\w+['"]
token.*=.*['"]\w+['"]
AWS_ACCESS_KEY
PRIVATE_KEY

3. Input Validation & Injection Vulnerabilities

What to check:

SQL injection vulnerabilities
Command injection risks
Cross-site scripting (XSS) vulnerabilities
Path traversal vulnerabilities
XML/XXE injection
LDAP injection
Template injection

Key areas:

User input handling
Database query construction
System command execution
File path operations
API parameter processing

4. Data Protection

What to check:

Encryption at rest
Encryption in transit (TLS/SSL configuration)
Sensitive data exposure
Data retention policies
PII handling
Logging sensitive information
Error messages revealing system info

Questions to answer:

Is sensitive data encrypted?
Are cryptographic libraries up to date?
Is weak encryption being used?
Are there insecure direct object references?

5. Dependency & Supply Chain Security

What to check:

Outdated dependencies with known vulnerabilities
Dependency confusion risks
Package integrity verification
Transitive dependency vulnerabilities
License compliance issues

Tools to use:

npm audit for Node.js
pip-audit or safety for Python
bundle audit for Ruby
go list -m all for Go
GitHub Dependabot alerts
Snyk, OWASP Dependency-Check

6. Network Security

What to check:

Open ports and services
Firewall rules
CORS configuration
Content Security Policy (CSP)
SSL/TLS configuration
Certificate validity
Rate limiting implementation
DDoS protection

7. Code Security Patterns

What to check:

Use of unsafe functions (eval, exec, system)
Deserialization of untrusted data
Insecure randomness
Race conditions
Memory safety issues
Error handling and information disclosure
Security headers

Unsafe patterns:

# Python
eval(), exec(), pickle.loads()

# JavaScript
eval(), Function(), innerHTML

# PHP
eval(), system(), exec()

# Ruby
eval(), system()

8. Infrastructure & Configuration

What to check:

Default credentials
Unnecessary services running
Debug mode in production
Directory listing enabled
Backup files accessible
Admin panels exposed
Cloud storage permissions
Container security

9. Logging & Monitoring

What to check:

Security event logging
Audit trails
Log injection vulnerabilities
Sensitive data in logs
Monitoring and alerting systems
Incident response capabilities

10. Compliance & Standards

Frameworks to reference:

OWASP Top 10
CWE Top 25
NIST Cybersecurity Framework
SOC 2 requirements
GDPR/CCPA (for PII)
PCI DSS (for payment data)
HIPAA (for healthcare data)

Analysis Workflow

Step 1: Reconnaissance

Identify the technology stack
Map the attack surface
List all entry points (APIs, forms, file uploads)
Identify authentication boundaries
Document data flows

Step 2: Static Analysis

Scan code for hardcoded secrets
Check for vulnerable dependencies
Search for unsafe code patterns
Review authentication/authorization logic
Examine input validation
Check cryptographic implementation

Step 3: Configuration Review

Review server/application configuration
Check environment variables
Examine access controls
Review logging configuration
Check security headers

Step 4: Risk Assessment

For each finding:

Severity: Critical, High, Medium, Low, Informational
Impact: What could an attacker do?
Likelihood: How easy is it to exploit?
Affected Assets: What systems/data are at risk?
Remediation: How to fix it?

Step 5: Report Generation

Structure the report:

Executive Summary: High-level overview of security posture
Methodology: What was analyzed and how
Findings: Detailed list of vulnerabilities
Risk Matrix: Prioritized list by severity
Recommendations: Actionable remediation steps
Conclusion: Overall security stance rating

Output Format

# Security Stance Analysis Report

## Executive Summary
[Overall security posture: Strong/Adequate/Weak/Critical]
[Summary of key findings]

## Scope
- **Target**: [System/Application name]
- **Technology Stack**: [Languages, frameworks, infrastructure]
- **Analysis Date**: [Date]

## Findings

### Critical Severity
1. **[Finding Title]**
   - **Category**: [e.g., Authentication, Injection]
   - **Location**: [File path or system component]
   - **Description**: [What was found]
   - **Impact**: [What could happen]
   - **Remediation**: [How to fix]

### High Severity
[Same structure]

### Medium Severity
[Same structure]

### Low Severity
[Same structure]

### Informational
[Same structure]

## Security Strengths
- [What's being done well]

## Risk Summary
| Severity | Count |
|----------|-------|
| Critical | X     |
| High     | X     |
| Medium   | X     |
| Low      | X     |

## Recommendations
1. [Prioritized action items]

## Compliance Gaps
[If applicable]

## Conclusion
[Overall assessment and next steps]

Tools and Commands

Search for secrets

# Search for potential secrets in code
grep -r -E "(password|passwd|pwd|api[_-]?key|secret|token).*=.*['\"]" .

# Search git history for secrets
git log -p | grep -E "(password|api[_-]?key|secret)"

# Use dedicated tools
trufflehog git file://. --only-verified
gitleaks detect --source .

Check dependencies

# Node.js
npm audit
npm audit --production

# Python
pip-audit
safety check

# Ruby
bundle audit

# Go
go list -m all | nancy sleuth

Check for common misconfigurations

# Find world-writable files
find . -type f -perm -002

# Find files with sensitive extensions
find . -name "*.env" -o -name "*.pem" -o -name "*.key"

# Check for debug mode
grep -r "DEBUG.*=.*true" .
grep -r "development" config/

Network scanning (use with authorization)

# Port scanning
nmap -sV -A target-host

# SSL/TLS testing
nmap --script ssl-enum-ciphers -p 443 target-host
testssl.sh target-host

Best Practices

Always get authorization before scanning systems you don't own
Document everything: Track what was checked and when
Prioritize by risk: Focus on critical/high severity first
Provide actionable remediation: Don't just identify problems
Retest after fixes: Verify remediation was effective
Consider false positives: Validate findings before reporting
Maintain confidentiality: Handle security findings responsibly

Common False Positives

Test files with mock credentials
Example/documentation code
Base64 encoded data mistaken for secrets
Comments containing the word "password"
Dependency vulnerabilities in dev-only packages

Limitations

This skill provides security analysis guidance but:

Cannot replace professional penetration testing
May not catch all vulnerabilities
Requires proper authorization for thorough testing
Should be combined with automated security tools
Results depend on the depth of access provided

Related Resources

Example Usage

User: "Analyze the security stance of this web application"

Agent response:

Identify technology stack (Node.js, Express, PostgreSQL)
Scan for hardcoded secrets in the codebase
Run npm audit to check dependencies
Review authentication implementation
Check for SQL injection vulnerabilities
Examine session management
Review CORS and CSP configuration
Generate comprehensive security report with findings

Contract & API

Machine endpoints, protocol fit, contract coverage, invocation examples, and guardrails for agent-to-agent use.

MissingGITHUB OPENCLEW

Endpoints

Dossier API Snapshot API Contract API Trust API

Contract coverage

Status

missing

Auth

None

Streaming

Data region

Unspecified

Protocol support

OpenClaw: self-declared

Requires: none

Forbidden: none

Guardrails

Operational confidence: low

No positive guardrails captured.

Invocation examples

curl -s "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/snapshot"

curl -s "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/contract"

curl -s "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/trust"

Reliability & Benchmarks

Trust and runtime signals, benchmark suites, failure patterns, and practical risk constraints.

Missingruntime-metrics

Trust signals

Handshake

UNKNOWN

Confidence

unknown

Attempts 30d

unknown

Fallback rate

unknown

Runtime metrics

Observed P50

unknown

Observed P95

unknown

Rate limit

unknown

Estimated cost

unknown

Do not use if

Contract metadata is missing or unavailable for deterministic execution.

No benchmark suites or observed failure patterns are available.

Media & Demo

Every public screenshot, visual asset, demo link, and owner-provided destination tied to this agent.

Missingno-media

No screenshots, media assets, or demo links are available.

Related Agents

Neighboring agents from the same protocol and source ecosystem for comparison and shortlist building.

Self-declaredprotocol-neighbors

GITHUB_REPOSactivepieces

Rank

AI Agents & MCPs & AI Workflow Automation • (~400 MCP servers for AI agents) • AI Automation / AI Agent with MCPs • AI Workflows & AI Agents • MCPs for AI Agents

Traction

No public download signal

Freshness

Updated 2d ago

OPENCLAW

GITHUB_REPOScherry-studio

Rank

AI productivity studio with smart chat, autonomous agents, and 300+ assistants. Unified access to frontier LLMs

Traction

No public download signal

Freshness

Updated 5d ago

MCPOPENCLAW

GITHUB_REPOSAionUi

Rank

Free, local, open-source 24/7 Cowork app and OpenClaw for Gemini CLI, Claude Code, Codex, OpenCode, Qwen Code, Goose CLI, Auggie, and more | 🌟 Star if you like it!

Traction

No public download signal

Freshness

Updated 6d ago

MCPOPENCLAW

GITHUB_REPOSCopilotKit

Rank

The Frontend for Agents & Generative UI. React + Angular

Traction

No public download signal

Freshness

Updated 23d ago

OPENCLAW

Machine Appendix

Contract JSON

{
  "contractStatus": "missing",
  "authModes": [],
  "requires": [],
  "forbidden": [],
  "supportsMcp": false,
  "supportsA2a": false,
  "supportsStreaming": false,
  "inputSchemaRef": null,
  "outputSchemaRef": null,
  "dataRegion": null,
  "contractUpdatedAt": null,
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Invocation Guide

{
  "preferredApi": {
    "snapshotUrl": "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/snapshot",
    "contractUrl": "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/contract",
    "trustUrl": "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/trust"
  },
  "curlExamples": [
    "curl -s \"https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/snapshot\"",
    "curl -s \"https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/contract\"",
    "curl -s \"https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/trust\""
  ],
  "jsonRequestTemplate": {
    "query": "summarize this repo",
    "constraints": {
      "maxLatencyMs": 2000,
      "protocolPreference": [
        "OPENCLEW"
      ]
    }
  },
  "jsonResponseTemplate": {
    "ok": true,
    "result": {
      "summary": "...",
      "confidence": 0.9
    },
    "meta": {
      "source": "GITHUB_OPENCLEW",
      "generatedAt": "2026-04-17T00:48:46.235Z"
    }
  },
  "retryPolicy": {
    "maxAttempts": 3,
    "backoffMs": [
      500,
      1500,
      3500
    ],
    "retryableConditions": [
      "HTTP_429",
      "HTTP_503",
      "NETWORK_TIMEOUT"
    ]
  }
}

Trust JSON

{
  "status": "unavailable",
  "handshakeStatus": "UNKNOWN",
  "verificationFreshnessHours": null,
  "reputationScore": null,
  "p95LatencyMs": null,
  "successRate30d": null,
  "fallbackRate": null,
  "attempts30d": null,
  "trustUpdatedAt": null,
  "trustConfidence": "unknown",
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Capability Matrix

{
  "rows": [
    {
      "key": "OPENCLEW",
      "type": "protocol",
      "support": "unknown",
      "confidenceSource": "profile",
      "notes": "Listed on profile"
    },
    {
      "key": "code",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "for",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    }
  ],
  "flattenedTokens": "protocol:OPENCLEW|unknown|profile capability:code|supported|profile capability:for|supported|profile"
}

Facts JSON

[
  {
    "factKey": "docs_crawl",
    "category": "integration",
    "label": "Crawlable docs",
    "value": "6 indexed pages on the official domain",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  },
  {
    "factKey": "vendor",
    "category": "vendor",
    "label": "Vendor",
    "value": "Gurdiga",
    "href": "https://github.com/gurdiga/security-stance-analyzer",
    "sourceUrl": "https://github.com/gurdiga/security-stance-analyzer",
    "sourceType": "profile",
    "confidence": "medium",
    "observedAt": "2026-04-15T03:16:40.189Z",
    "isPublic": true
  },
  {
    "factKey": "protocols",
    "category": "compatibility",
    "label": "Protocol compatibility",
    "value": "OpenClaw",
    "href": "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/contract",
    "sourceUrl": "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/contract",
    "sourceType": "contract",
    "confidence": "medium",
    "observedAt": "2026-04-15T03:16:40.189Z",
    "isPublic": true
  },
  {
    "factKey": "handshake_status",
    "category": "security",
    "label": "Handshake status",
    "value": "UNKNOWN",
    "href": "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/trust",
    "sourceUrl": "https://xpersona.co/api/v1/agents/gurdiga-security-stance-analyzer/trust",
    "sourceType": "trust",
    "confidence": "medium",
    "observedAt": null,
    "isPublic": true
  }
]

Change Events JSON

[
  {
    "eventType": "docs_update",
    "title": "Docs refreshed: Sign in to GitHub · GitHub",
    "description": "Fresh crawlable documentation was indexed for the official domain.",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  }
]