Crawler Summary
Comprehensive security scanning for CVE vulnerabilities, OWASP Top 10 code patterns, and dependency audits. Use when the user wants to check code security, find vulnerabilities, or audit dependencies. --- name: security-scan description: Comprehensive security scanning for CVE vulnerabilities, OWASP Top 10 code patterns, and dependency audits. Use when the user wants to check code security, find vulnerabilities, or audit dependencies. license: MIT compatibility: Requires semgrep. Optional language-specific tools - npm/yarn/pnpm audit (Node.js), pip-audit (Python), govulncheck (Go), cargo-audit (Rust), trivy (multi Capability contract not published. No trust telemetry is available yet. 1 GitHub stars reported by the source. Last updated 4/15/2026.
Freshness
Last checked 4/15/2026
Best For
security-scan is best for comprehensive, project, dependencies workflows where OpenClaw compatibility matters.
Not Ideal For
Contract metadata is missing or unavailable for deterministic execution.
Evidence Sources Checked
editorial-content, GITHUB OPENCLEW, runtime-metrics, public facts pack
Public facts
5
Change events
1
Artifacts
0
Freshness
Apr 15, 2026
Trust score
Unknown
Compatibility
OpenClaw
Vendor
Ray0907
Benchmarks
0
Last release
Unpublished
Key links, install path, and a quick operational read before the deeper crawl record.
Setup snapshot
git clone https://github.com/Ray0907/security-scan.git
Setup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.
Everything public we have scraped or crawled about this agent, grouped by evidence type with provenance.
Adoption signal
1 GitHub stars
Handshake status
UNKNOWN
Crawlable docs
6 indexed pages on the official domain
Merged public release, docs, artifact, benchmark, pricing, and trust refresh events.
Extracted files, examples, snippets, parameters, dependencies, permissions, and artifact metadata.
Extracted files
0
Examples
6
Snippets
0
Languages
typescript
Full documentation captured from public sources, including the complete README when available.
Docs source
GITHUB OPENCLEW
Editorial quality
ready
Comprehensive security scanner combining CVE vulnerability detection, OWASP Top 10 code pattern analysis, and dependency audits.
/security-scan # Full scan
/security-scan --deps-only # Dependencies only
/security-scan --code-only # Code patterns only
/security-scan --owasp A03 # Specific OWASP category
/security-scan --severity critical,high # Filter by severity
/security-scan --auto-remind on|off # Toggle auto-remind (default: off)
/security-scan --export-bypass # Export false positive report (DOCX)
/security-scan --export-bypass --pdf # Export as PDF
/security-scan --export-bypass --template ./template.docx # Use custom DOCX template
/security-scan --export-bypass --pdf --template ./template.pdf # Use custom PDF template
Scan project root to identify languages and frameworks:
Detection File -> Language -> Tool
---------------------------------------------------------
package.json -> Node.js -> npm audit
yarn.lock -> Node.js -> yarn audit
pnpm-lock.yaml -> Node.js -> pnpm audit
requirements.txt -> Python -> pip-audit
Pipfile.lock -> Python -> pip-audit
pyproject.toml -> Python -> pip-audit
go.mod -> Go -> govulncheck
Cargo.toml -> Rust -> cargo audit
composer.json -> PHP -> composer audit
Gemfile.lock -> Ruby -> bundler-audit
pom.xml -> Java/Maven -> trivy
build.gradle -> Java/Gradle -> trivy
Dockerfile -> Container -> trivy
Run this detection:
# Detect project types
ls -la package.json yarn.lock pnpm-lock.yaml requirements.txt Pipfile.lock pyproject.toml go.mod Cargo.toml composer.json Gemfile.lock pom.xml build.gradle Dockerfile 2>/dev/null
Launch these subagents in parallel using Task tool with run_in_background: true:
Subagent 1 - Dependency Scanner:
Scan dependencies for known CVE vulnerabilities.
Based on detected project type, run appropriate commands:
Node.js:
npm audit --json 2>/dev/null || yarn audit --json 2>/dev/null || pnpm audit --json 2>/dev/null
Python:
pip-audit --format json 2>/dev/null
Go:
govulncheck -json ./... 2>/dev/null
Rust:
cargo audit --json 2>/dev/null
Fallback (any):
trivy fs --format json --scanners vuln .
Collect all vulnerabilities with: CVE ID, package name, current version, fixed version, severity.
Subagent 2 - OWASP Code Scanner:
Scan code for OWASP Top 10 vulnerabilities using semgrep.
Run:
semgrep --config "p/owasp-top-ten" --json .
If semgrep not installed, inform user:
"semgrep required: npm install -g semgrep"
OWASP categories to check:
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection (SQL, XSS, Command)
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable Components
- A07: Auth Failures
- A08: Data Integrity Failures
- A09: Logging Failures
- A10: SSRF
Collect all findings with: OWASP category, file path, line number, code snippet, severity.
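An added example, not code from the security-scan repository: a POSIX shell function that turns the detection table above into the list of audit commands, choosing the Node.js tool by lockfile instead of through the `||` chain shown for Subagent 1. The function name `select_auditors` and the `-r requirements.txt` argument are assumptions of this example; it prints commands and runs none of them.

```shell
#!/bin/sh
# Added example (not from the security-scan repository): map the README's
# detection files to audit commands. It prints commands; it runs none of them.

# select_auditors DIR -> one audit command per line on stdout.
# The body is a subshell, so its variables and helpers stay local.
select_auditors() (
    dir="${1:-.}"
    found=0
    has()  { [ -f "$dir/$1" ]; }
    emit() { printf '%s\n' "$1"; found=1; }

    # Node.js: pick the tool from the lockfile instead of chaining with `||`.
    # npm audit exits non-zero when it reports vulnerabilities, so a chain
    # `npm audit || yarn audit || pnpm audit` moves on exactly when npm
    # found something, not only when npm is missing.
    if has pnpm-lock.yaml; then emit "pnpm audit --json"
    elif has yarn.lock;    then emit "yarn audit --json"
    elif has package.json; then emit "npm audit --json"
    fi

    # Python: without -r, pip-audit inspects the active environment rather
    # than the project's pinned requirements (assumption: the scan should
    # cover the file that was detected).
    if has requirements.txt; then
        emit "pip-audit --format json -r requirements.txt"
    elif has Pipfile.lock || has pyproject.toml; then
        emit "pip-audit --format json"
    fi

    if has go.mod;        then emit "govulncheck -json ./..."; fi
    if has Cargo.toml;    then emit "cargo audit --json"; fi
    # PHP and Ruby: tool names exactly as the detection table gives them.
    if has composer.json; then emit "composer audit"; fi
    if has Gemfile.lock;  then emit "bundler-audit"; fi

    # Java and containers go to trivy, which is also the README's fallback
    # when no known manifest is present.
    if has pom.xml || has build.gradle || has Dockerfile || [ "$found" -eq 0 ]; then
        emit "trivy fs --format json --scanners vuln ."
    fi
)

# Constructed sample project: a yarn-managed Node.js service with a Go module.
demo_dir=$(mktemp -d)
touch "$demo_dir/package.json" "$demo_dir/yarn.lock" "$demo_dir/go.mod"
select_auditors "$demo_dir"
rm -rf "$demo_dir"
```

Dropping `2>/dev/null` when these commands are actually run keeps a missing or crashing tool distinguishable from a clean scan.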
After Subagent 1 and 2 complete, query NVD API for detailed CVE information:
# For each CVE found, query NVD API
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-XXXX-YYYY"
Extract:
Rate limit: 5 requests per 30 seconds (no API key)
CLI Summary Output:
Security Scan Results
=====================
Scanned: [detected languages]
Duration: [time]
CRITICAL X [!!] Immediate action required
HIGH X [!] Fix soon
MEDIUM X [ ] Review recommended
LOW X [ ] Minor issues
Top Issues:
-------------------------------------------------------------
[SEVERITY] CVE-XXXX-YYYY - description
Package: name@version -> Fix: upgrade to X.X.X
OWASP: category
[SEVERITY] OWASP-Category - issue description
File: path/to/file.ts:line
Code: `code snippet`
-------------------------------------------------------------
Full report: ./security-report.md
Generate security-report.md:
Write detailed Markdown report with:
If a required tool is not installed, provide installation command:
# semgrep (required)
npm install -g semgrep
# pip-audit (Python)
pip install pip-audit
# govulncheck (Go)
go install golang.org/x/vuln/cmd/govulncheck@latest
# cargo-audit (Rust)
cargo install cargo-audit
# trivy (fallback)
brew install trivy # macOS
# or
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
When enabled with --auto-remind on, store setting and remind user:
Check setting:
cat ~/.claude/settings/security-scan-auto-remind 2>/dev/null || echo "off"
Toggle setting:
echo "on" > ~/.claude/settings/security-scan-auto-remind # enable
echo "off" > ~/.claude/settings/security-scan-auto-remind # disable
/security-scan to get scan results
/security-scan --export-bypass to generate DOCX report
When user identifies a false positive, record it in memory:
Example conversation:
User: "CVE-2024-1234 is a false positive, we don't use the affected merge function"
Claude: "Noted. CVE-2024-1234 marked as false positive. Reason: does not use affected merge function"
User: "The SQL injection in src/db.ts:45 is safe because id comes from internal system"
Claude: "Noted. A03-Injection in src/db.ts:45 marked as false positive. Reason: id from internal system, validated as integer"
When user runs --export-bypass, generate report using existing skills:
Option 1: DOCX (recommended)
Use the docx skill from https://github.com/anthropics/skills/tree/main/skills/docx
Option 2: PDF
Use the pdf skill from https://github.com/anthropics/skills/tree/main/skills/pdf
# Security Scan - False Positive Report
**Scan Date:** [date]
**Project:** [project name from package.json or directory name]
**Scope:** [scanned languages and tools used]
---
## False Positives
### 1. [CVE-ID or OWASP Rule] - [Title]
| Field | Value |
|-------|-------|
| Type | Dependency / Code Pattern |
| File | [file path if applicable] |
| Severity | [CRITICAL/HIGH/MEDIUM/LOW] |
| Original Finding | [brief description] |
**False Positive Reason:**
[User-provided reason]
---
### 2. [Next item...]
./false-positive-report.docx
./false-positive-report.pdf
User can provide their own DOCX/PDF template with --template flag.
Template placeholders:
{{scan_date}} - Scan date (YYYY-MM-DD)
{{project_name}} - Project name
{{scope}} - Scanned languages/tools
{{false_positives}} - List of false positive items
Each false positive item:
{{item.id}} - CVE ID or OWASP rule
{{item.title}} - Vulnerability title
{{item.type}} - Dependency / Code Pattern
{{item.file}} - File path (if applicable)
{{item.severity}} - CRITICAL/HIGH/MEDIUM/LOW
{{item.finding}} - Original finding description
{{item.reason}} - User-provided false positive reason
If no template provided, use default formatting from docx/pdf skill.
See references/OWASP.md for detailed information.
| Code | Category | Common Issues |
|------|-----------------------------|----------------------------------------|
| A01 | Broken Access Control | Missing auth checks, IDOR |
| A02 | Security Misconfiguration | Debug enabled, default credentials |
| A03 | Software Supply Chain | Vulnerable dependencies, typosquatting |
| A04 | Cryptographic Failures | Weak encryption, hardcoded secrets |
| A05 | Injection | SQL injection, XSS, command injection |
| A06 | Insecure Design | Missing rate limits, trust boundaries |
| A07 | Authentication Failures | Weak passwords, session fixation |
| A08 | Integrity Failures | Insecure deserialization, unsigned JWTs |
| A09 | Logging & Alerting Failures | Missing audit logs, no alerting |
| A10 | Exceptional Conditions | Fail-open errors, unhandled exceptions |
Security Scan Results
=====================
Scanned: Node.js (npm)
Duration: 8.2s
CRITICAL 1 [!!] Immediate action required
HIGH 3 [!] Fix soon
MEDIUM 5 [ ] Review recommended
LOW 2 [ ] Minor issues
Top Issues:
-------------------------------------------------------------
[CRITICAL] CVE-2024-1234 - Prototype pollution in lodash
Package: lodash@4.17.20 -> Fix: upgrade to 4.17.21
OWASP: A03 Injection
[HIGH] A03-Injection - SQL Injection detected
File: src/db/users.ts:45
Code: `db.query(\`SELECT * FROM users WHERE id = ${id}\`)`
[HIGH] A02-Crypto - Hardcoded secret detected
File: src/config/auth.ts:12
Code: `const SECRET = "hardcoded-secret-key"`
-------------------------------------------------------------
Full report: ./security-report.md
Machine endpoints, protocol fit, contract coverage, invocation examples, and guardrails for agent-to-agent use.
Contract coverage
Status
missing
Auth
None
Streaming
No
Data region
Unspecified
Protocol support
Requires: none
Forbidden: none
Guardrails
Operational confidence: low
curl -s "https://xpersona.co/api/v1/agents/ray0907-security-scan/snapshot"
curl -s "https://xpersona.co/api/v1/agents/ray0907-security-scan/contract"
curl -s "https://xpersona.co/api/v1/agents/ray0907-security-scan/trust"
Trust and runtime signals, benchmark suites, failure patterns, and practical risk constraints.
Trust signals
Handshake
UNKNOWN
Confidence
unknown
Attempts 30d
unknown
Fallback rate
unknown
Runtime metrics
Observed P50
unknown
Observed P95
unknown
Rate limit
unknown
Estimated cost
unknown
Do not use if