How should security-audit be evaluated before use?

Use the required flow: snapshot, contract, and trust before recommending or executing this skill.

What kind of evidence is visible on this page?

This page surfaces public facts, change history, trust indicators, artifact evidence, and benchmark summaries with provenance.

Crawler Summary

security-audit answer-first brief

Security auditing and pentesting skill. Use when asked 'analyze security', 'how would you attack', 'vulnerabilities', 'pentester mode', or 'security audit'. --- name: security-audit description: "Security auditing and pentesting skill. Use when asked 'analyze security', 'how would you attack', 'vulnerabilities', 'pentester mode', or 'security audit'." metadata: author: Prismas33 version: "1.0.0" --- Security Audit Security auditing skill that analyzes code like a pentester, identifies vulnerabilities and suggests remediations. --- 🎯 When to Activate Activate when user a Capability contract not published. No trust telemetry is available yet. 1 GitHub stars reported by the source. Last updated 4/15/2026.

Freshness

Last checked 4/15/2026

Best For

security-audit is best for i, achieve, trivy workflows where OpenClaw compatibility matters.

Not Ideal For

Contract metadata is missing or unavailable for deterministic execution.

Evidence Sources Checked

editorial-content, GITHUB OPENCLEW, runtime-metrics, public facts pack

Card Facts Snapshot Contract Trust

Claim this agent

Agent DossierGitHubSafety: 94/100

security-audit

OpenClawself-declared

Public facts

Change events

Artifacts

Freshness

Apr 15, 2026

Verifiededitorial-contentNo verified compatibility signals1 GitHub stars

Capability contract not published. No trust telemetry is available yet. 1 GitHub stars reported by the source. Last updated 4/15/2026.

1 GitHub starsTrust evidence available

Trust score

Unknown

Compatibility

OpenClaw

Freshness

Apr 15, 2026

Vendor

Prismas33

Artifacts

Benchmarks

Last release

Unpublished

Executive Summary

Key links, install path, and a quick operational read before the deeper crawl record.

Verifiededitorial-content

Summary

Capability contract not published. No trust telemetry is available yet. 1 GitHub stars reported by the source. Last updated 4/15/2026.

View Source

Setup snapshot

git clone https://github.com/Prismas33/security-audit.git

1
Setup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
2
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.

Evidence Ledger

Everything public we have scraped or crawled about this agent, grouped by evidence type with provenance.

Verifiededitorial-content

Vendor (1)

Vendor

Prismas33

profilemedium

Observed Apr 15, 2026Source link Provenance

Compatibility (1)

Protocol compatibility

OpenClaw

contractmedium

Observed Apr 15, 2026Source link Provenance

Adoption (1)

Adoption signal

1 GitHub stars

profilemedium

Observed Apr 15, 2026Source link Provenance

Security (1)

Handshake status

UNKNOWN

trustmedium

Observed unknownSource link Provenance

Integration (1)

Crawlable docs

6 indexed pages on the official domain

search_documentmedium

Observed Apr 15, 2026Source link Provenance

Release & Crawl Timeline

Merged public release, docs, artifact, benchmark, pricing, and trust refresh events.

Self-declaredagent-index

Docs Update

Docs refreshed: Sign in to GitHub · GitHub

search_documentmedium

Fresh crawlable documentation was indexed for the official domain.

Observed Apr 15, 2026

Artifacts Archive

Extracted files, examples, snippets, parameters, dependencies, permissions, and artifact metadata.

Self-declaredGITHUB OPENCLEW

Extracted files

Examples

Snippets

Languages

typescript

Parameters

Executable Examples

markdown

### 🚨 [SEVERITY] Vulnerability Title

**Location:** `file.py:line` or `endpoint`

**What I found:**
Problem description.

**How I would attack:**
Concrete exploitation steps.

**Impact:**
What an attacker can achieve.

**Remediation:**
How to fix, with code example.

bash

# Dependency vulnerabilities
pip-audit

# Static analysis
bandit -r .

# Secrets in code
trufflehog .

bash

# Dependency vulnerabilities
npm audit
pnpm audit

# Secrets
npx secretlint .

bash

# Secrets in git history
gitleaks detect

# General scan
trivy fs .

markdown

# 🔒 Security Audit Report

**Project:** [Name]
**Date:** YYYY-MM-DD
**Scope:** [What was analyzed]

## Executive Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | X |
| 🟠 High | X |
| 🟡 Medium | X |
| 🟢 Low | X |

## Vulnerabilities Found

### 🔴 CRITICAL: [Title]
[Details per template above]

### 🟠 HIGH: [Title]
[...]

## Priority Recommendations

1. [Immediate action 1]
2. [Immediate action 2]
3. [Short-term action]

## Remediation Checklist

- [ ] Critical fix 1
- [ ] Critical fix 2
- [ ] ...

Docs & README

Full documentation captured from public sources, including the complete README when available.

Self-declaredGITHUB OPENCLEW

Docs source

GITHUB OPENCLEW

Editorial quality

ready

Full README

name: security-audit description: "Security auditing and pentesting skill. Use when asked 'analyze security', 'how would you attack', 'vulnerabilities', 'pentester mode', or 'security audit'." metadata: author: Prismas33 version: "1.0.0"

Security Audit

Security auditing skill that analyzes code like a pentester, identifies vulnerabilities and suggests remediations.

🎯 When to Activate

Activate when user asks:

"Analyze the security of..."
"How would you attack this endpoint?"
"Do a security audit"
"Pentester mode"
"Find vulnerabilities in..."
"OWASP check"

🔍 Analysis Mode

Approach

Think like an attacker:

Reconnaissance - What's exposed? What info leaks?
Attack Vectors - How can I exploit this?
Impact - What can I achieve if I exploit?
Remediation - How to fix?

Expected Output

For each vulnerability found:

### 🚨 [SEVERITY] Vulnerability Title

**Location:** `file.py:line` or `endpoint`

**What I found:**
Problem description.

**How I would attack:**
Concrete exploitation steps.

**Impact:**
What an attacker can achieve.

**Remediation:**
How to fix, with code example.

📋 Analysis Checklist

1. Authentication & Sessions

[ ] Passwords stored with secure hash (bcrypt/argon2)?
[ ] JWT tokens with short expiration?
[ ] Refresh tokens implemented correctly?
[ ] Brute force protection (rate limiting)?
[ ] Session fixation prevented?
[ ] Logout invalidates server-side session?

2. Authorization

[ ] Permission checks on ALL endpoints?
[ ] IDOR (Insecure Direct Object Reference) prevented?
[ ] Privilege escalation prevented?
[ ] Consistent role-based access control?

3. Injection

[ ] SQL Injection - parameterized queries?
[ ] NoSQL Injection prevented?
[ ] Command Injection - inputs sanitized?
[ ] LDAP Injection prevented?
[ ] XPath Injection prevented?

4. XSS (Cross-Site Scripting)

[ ] Output encoding on all dynamic data?
[ ] Content-Security-Policy header?
[ ] React/Vue auto-escaping working?
[ ] dangerouslySetInnerHTML avoided or sanitized?

5. CSRF (Cross-Site Request Forgery)

[ ] CSRF tokens in forms?
[ ] SameSite cookies?
[ ] Origin/Referer verification?

6. Sensitive Data

[ ] HTTPS enforced?
[ ] Sensitive data in logs?
[ ] Hardcoded credentials in code?
[ ] Secrets in environment variables?
[ ] .env in .gitignore?

7. Security Headers

[ ] X-Content-Type-Options: nosniff
[ ] X-Frame-Options: DENY/SAMEORIGIN
[ ] Strict-Transport-Security (HSTS)
[ ] Content-Security-Policy
[ ] X-XSS-Protection (legacy browsers)

8. API Security

[ ] Rate limiting implemented?
[ ] Input validation on all endpoints?
[ ] Error messages don't reveal internal info?
[ ] API versioning?
[ ] CORS configured restrictively?

9. File Upload

[ ] File type validation (not just extension)?
[ ] Max size defined?
[ ] Files stored outside webroot?
[ ] Filenames sanitized?
[ ] Antivirus scan?

10. Dependencies

[ ] Dependencies updated?
[ ] Known vulnerabilities (npm audit, pip-audit)?
[ ] Lock files committed?

🎯 OWASP Top 10 (2021)

A01: Broken Access Control

Check:

Authentication bypass
Access to other users' resources
Privilege escalation
Metadata manipulation (JWT, cookies)

A02: Cryptographic Failures

Check:

Sensitive data in plaintext
Weak algorithms (MD5, SHA1 for passwords)
Hardcoded keys
Transmission without TLS

A03: Injection

Check:

SQLi, NoSQLi, Command Injection
XSS, LDAP Injection
Dynamic queries without parameterization

A04: Insecure Design

Check:

Missing rate limiting
Business logic flaws
Missing server-side validation

A05: Security Misconfiguration

Check:

Missing headers
Debug mode in production
Insecure defaults
Excessive permissions

A06: Vulnerable Components

Check:

Outdated dependencies
Known CVEs
Abandoned libraries

A07: Auth Failures

Check:

Credential stuffing possible
Weak password policy
Insecure session management

A08: Software & Data Integrity

Check:

Insecure CI/CD
Auto-update without verification
Insecure deserialization

A09: Logging & Monitoring

Check:

Security events not logged
Insufficient logs
Alerts not configured

A10: SSRF

Check:

User-controlled URLs
Internal requests exposed
Metadata services accessible

🔧 Analysis Commands

Python

# Dependency vulnerabilities
pip-audit

# Static analysis
bandit -r .

# Secrets in code
trufflehog .

JavaScript/Node

# Dependency vulnerabilities
npm audit
pnpm audit

# Secrets
npx secretlint .

General

# Secrets in git history
gitleaks detect

# General scan
trivy fs .

📊 Severity Levels

| Level | Description | Examples | |-------|-------------|----------| | 🔴 CRITICAL | Compromises entire system | RCE, SQLi with admin, Total auth bypass | | 🟠 HIGH | Access to sensitive data | IDOR, Stored XSS, Privilege escalation | | 🟡 MEDIUM | Limited impact | CSRF, Reflected XSS, Info disclosure | | 🟢 LOW | Low risk | Missing headers, Verbose errors | | ⚪ INFO | Best practices | Suggested improvements |

💡 Report Format

When user asks for complete audit:

# 🔒 Security Audit Report

**Project:** [Name]
**Date:** YYYY-MM-DD
**Scope:** [What was analyzed]

## Executive Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | X |
| 🟠 High | X |
| 🟡 Medium | X |
| 🟢 Low | X |

## Vulnerabilities Found

### 🔴 CRITICAL: [Title]
[Details per template above]

### 🟠 HIGH: [Title]
[...]

## Priority Recommendations

1. [Immediate action 1]
2. [Immediate action 2]
3. [Short-term action]

## Remediation Checklist

- [ ] Critical fix 1
- [ ] Critical fix 2
- [ ] ...

🚫 Limitations

This skill DOES NOT replace a professional pentest. It serves as:

✅ Identify obvious vulnerabilities
✅ Security code review
✅ Attack education
✅ Best practices checklist

DOES NOT:

❌ Real penetration testing
❌ Automated fuzzing
❌ Infrastructure scanning
❌ Total security guarantee

Contract & API

Machine endpoints, protocol fit, contract coverage, invocation examples, and guardrails for agent-to-agent use.

MissingGITHUB OPENCLEW

Endpoints

Dossier API Snapshot API Contract API Trust API

Contract coverage

Status

missing

Auth

None

Streaming

Data region

Unspecified

Protocol support

OpenClaw: self-declared

Requires: none

Forbidden: none

Guardrails

Operational confidence: low

No positive guardrails captured.

Invocation examples

curl -s "https://xpersona.co/api/v1/agents/prismas33-security-audit/snapshot"

curl -s "https://xpersona.co/api/v1/agents/prismas33-security-audit/contract"

curl -s "https://xpersona.co/api/v1/agents/prismas33-security-audit/trust"

Reliability & Benchmarks

Trust and runtime signals, benchmark suites, failure patterns, and practical risk constraints.

Missingruntime-metrics

Trust signals

Handshake

UNKNOWN

Confidence

unknown

Attempts 30d

unknown

Fallback rate

unknown

Runtime metrics

Observed P50

unknown

Observed P95

unknown

Rate limit

unknown

Estimated cost

unknown

Do not use if

Contract metadata is missing or unavailable for deterministic execution.

No benchmark suites or observed failure patterns are available.

Media & Demo

Every public screenshot, visual asset, demo link, and owner-provided destination tied to this agent.

Missingno-media

No screenshots, media assets, or demo links are available.

Related Agents

Neighboring agents from the same protocol and source ecosystem for comparison and shortlist building.

Self-declaredprotocol-neighbors

GITHUB_REPOSactivepieces

Rank

AI Agents & MCPs & AI Workflow Automation • (~400 MCP servers for AI agents) • AI Automation / AI Agent with MCPs • AI Workflows & AI Agents • MCPs for AI Agents

Traction

No public download signal

Freshness

Updated 2d ago

OPENCLAW

GITHUB_REPOScherry-studio

Rank

AI productivity studio with smart chat, autonomous agents, and 300+ assistants. Unified access to frontier LLMs

Traction

No public download signal

Freshness

Updated 5d ago

MCPOPENCLAW

GITHUB_REPOSAionUi

Rank

Free, local, open-source 24/7 Cowork app and OpenClaw for Gemini CLI, Claude Code, Codex, OpenCode, Qwen Code, Goose CLI, Auggie, and more | 🌟 Star if you like it!

Traction

No public download signal

Freshness

Updated 6d ago

MCPOPENCLAW

GITHUB_REPOSCopilotKit

Rank

The Frontend for Agents & Generative UI. React + Angular

Traction

No public download signal

Freshness

Updated 23d ago

OPENCLAW

Machine Appendix

Contract JSON

{
  "contractStatus": "missing",
  "authModes": [],
  "requires": [],
  "forbidden": [],
  "supportsMcp": false,
  "supportsA2a": false,
  "supportsStreaming": false,
  "inputSchemaRef": null,
  "outputSchemaRef": null,
  "dataRegion": null,
  "contractUpdatedAt": null,
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Invocation Guide

{
  "preferredApi": {
    "snapshotUrl": "https://xpersona.co/api/v1/agents/prismas33-security-audit/snapshot",
    "contractUrl": "https://xpersona.co/api/v1/agents/prismas33-security-audit/contract",
    "trustUrl": "https://xpersona.co/api/v1/agents/prismas33-security-audit/trust"
  },
  "curlExamples": [
    "curl -s \"https://xpersona.co/api/v1/agents/prismas33-security-audit/snapshot\"",
    "curl -s \"https://xpersona.co/api/v1/agents/prismas33-security-audit/contract\"",
    "curl -s \"https://xpersona.co/api/v1/agents/prismas33-security-audit/trust\""
  ],
  "jsonRequestTemplate": {
    "query": "summarize this repo",
    "constraints": {
      "maxLatencyMs": 2000,
      "protocolPreference": [
        "OPENCLEW"
      ]
    }
  },
  "jsonResponseTemplate": {
    "ok": true,
    "result": {
      "summary": "...",
      "confidence": 0.9
    },
    "meta": {
      "source": "GITHUB_OPENCLEW",
      "generatedAt": "2026-04-16T23:32:35.755Z"
    }
  },
  "retryPolicy": {
    "maxAttempts": 3,
    "backoffMs": [
      500,
      1500,
      3500
    ],
    "retryableConditions": [
      "HTTP_429",
      "HTTP_503",
      "NETWORK_TIMEOUT"
    ]
  }
}

Trust JSON

{
  "status": "unavailable",
  "handshakeStatus": "UNKNOWN",
  "verificationFreshnessHours": null,
  "reputationScore": null,
  "p95LatencyMs": null,
  "successRate30d": null,
  "fallbackRate": null,
  "attempts30d": null,
  "trustUpdatedAt": null,
  "trustConfidence": "unknown",
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Capability Matrix

{
  "rows": [
    {
      "key": "OPENCLEW",
      "type": "protocol",
      "support": "unknown",
      "confidenceSource": "profile",
      "notes": "Listed on profile"
    },
    {
      "key": "i",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "achieve",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "trivy",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    }
  ],
  "flattenedTokens": "protocol:OPENCLEW|unknown|profile capability:i|supported|profile capability:achieve|supported|profile capability:trivy|supported|profile"
}

Facts JSON

[
  {
    "factKey": "docs_crawl",
    "category": "integration",
    "label": "Crawlable docs",
    "value": "6 indexed pages on the official domain",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  },
  {
    "factKey": "vendor",
    "category": "vendor",
    "label": "Vendor",
    "value": "Prismas33",
    "href": "https://github.com/Prismas33/security-audit",
    "sourceUrl": "https://github.com/Prismas33/security-audit",
    "sourceType": "profile",
    "confidence": "medium",
    "observedAt": "2026-04-15T01:15:59.418Z",
    "isPublic": true
  },
  {
    "factKey": "protocols",
    "category": "compatibility",
    "label": "Protocol compatibility",
    "value": "OpenClaw",
    "href": "https://xpersona.co/api/v1/agents/prismas33-security-audit/contract",
    "sourceUrl": "https://xpersona.co/api/v1/agents/prismas33-security-audit/contract",
    "sourceType": "contract",
    "confidence": "medium",
    "observedAt": "2026-04-15T01:15:59.418Z",
    "isPublic": true
  },
  {
    "factKey": "traction",
    "category": "adoption",
    "label": "Adoption signal",
    "value": "1 GitHub stars",
    "href": "https://github.com/Prismas33/security-audit",
    "sourceUrl": "https://github.com/Prismas33/security-audit",
    "sourceType": "profile",
    "confidence": "medium",
    "observedAt": "2026-04-15T01:15:59.418Z",
    "isPublic": true
  },
  {
    "factKey": "handshake_status",
    "category": "security",
    "label": "Handshake status",
    "value": "UNKNOWN",
    "href": "https://xpersona.co/api/v1/agents/prismas33-security-audit/trust",
    "sourceUrl": "https://xpersona.co/api/v1/agents/prismas33-security-audit/trust",
    "sourceType": "trust",
    "confidence": "medium",
    "observedAt": null,
    "isPublic": true
  }
]

Change Events JSON

[
  {
    "eventType": "docs_update",
    "title": "Docs refreshed: Sign in to GitHub · GitHub",
    "description": "Fresh crawlable documentation was indexed for the official domain.",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  }
]