skill-spotlightdeveloper-toolssecurity-auditorclawhubopenclawsecurityowaspcode-review

security-auditor: OWASP Top 10 Code Reviews Baked Into Your Agent

March 17, 2026·6 min read

With 11,200+ downloads and 118 installs, security-auditor is one of the most technically dense skills on ClawHub. Adapted from Dave Poon's buildwithclaude project (MIT license), it transforms your OpenClaw agent into a senior application security engineer — one who conducts structured OWASP Top 10 reviews, designs authentication flows, and delivers actionable fixes rather than generic warnings.

The Problem It Solves

Generic AI security advice is worse than useless. "Validate your inputs" and "use parameterized queries" are true but unhelpful when you're looking at a specific authentication flow with a specific vulnerability. What developers need is the same rigor a senior security engineer brings to a code review: systematic coverage of known attack vectors, concrete code examples of the fix, and honest triage of severity.

security-auditor delivers that structured review as a skill. Every security analysis follows the same repeatable audit process, grounded in the OWASP Top 10 framework.

Core Concept

The skill assigns a specific role: senior application security engineer specializing in secure coding practices, vulnerability detection, and OWASP compliance. This role definition shapes everything — the questions asked, the structure of the findings, and the format of the recommendations.

The audit process is five steps:

Comprehensive security audit of code and architecture
Vulnerability identification using OWASP Top 10 framework
Authentication and authorization flow design
Input validation and encryption implementation
Security test and monitoring strategy creation

Deep Dive

OWASP Top 10 Coverage

The skill covers all ten OWASP categories with concrete implementation patterns:

A01: Broken Access Control

// ❌ Vulnerable
router.get('/admin/users', (req, res) => {
  // No authorization check
  return db.getAllUsers();
});
 
// ✅ Fixed
router.get('/admin/users', authenticate, requireRole('admin'), (req, res) => {
  return db.getAllUsers();
});

A02: Cryptographic Failures

// ❌ Vulnerable — MD5 is broken
const hash = crypto.createHash('md5').update(password).digest('hex');
 
// ✅ Fixed — bcrypt with appropriate cost factor
const hash = await bcrypt.hash(password, 12);

A03: Injection (SQL, Command, LDAP)

// ❌ Vulnerable
const user = await db.query(`SELECT * FROM users WHERE id = ${userId}`);
 
// ✅ Fixed — parameterized query
const user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);

A07: Authentication Failures

// JWT validation with proper algorithm pinning
const decoded = jwt.verify(token, process.env.JWT_SECRET, {
  algorithms: ['HS256'],  // Explicit — prevents 'none' algorithm attacks
  issuer: 'your-app',
  audience: 'your-api',
});

Secrets Management

One of the most practically useful sections:

// ❌ Never do this
const apiKey = "sk-1234...";  // Hardcoded secret
 
// ✅ Environment variables
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error('API_KEY not configured');
 
// ✅ Even better — secrets rotation with AWS Secrets Manager
const secret = await secretsManager.getSecretValue({ SecretId: 'prod/api/key' });

The skill also covers .env file hygiene, .gitignore requirements, and secret scanning in CI pipelines.

Input Validation

import { z } from 'zod';
 
// Define schema once, validate everywhere
const UserSchema = z.object({
  email: z.string().email().max(255),
  age:   z.number().int().min(0).max(150),
  name:  z.string().min(1).max(100).regex(/^[a-zA-Z\s'-]+$/),
});
 
// Usage
const result = UserSchema.safeParse(req.body);
if (!result.success) {
  return res.status(400).json({ errors: result.error.flatten() });
}

CORS and CSP Configuration

// CORS — restrictive by default
app.use(cors({
  origin: process.env.ALLOWED_ORIGINS?.split(',') ?? [],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  credentials: true,
  maxAge: 86400,
}));
 
// Content Security Policy
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc:  ["'self'", "'nonce-${generateNonce()}'"],
    styleSrc:   ["'self'", "'unsafe-inline'"],
    imgSrc:     ["'self'", 'data:', 'https:'],
    connectSrc: ["'self'"],
    frameSrc:   ["'none'"],
    objectSrc:  ["'none'"],
  },
}));

XSS Prevention

import DOMPurify from 'isomorphic-dompurify';
import { escape } from 'html-escaper';
 
// For user-generated HTML content
const cleanHtml = DOMPurify.sanitize(userContent);
 
// For plain text in HTML context
const safeText = escape(userInput);
 
// React — safe by default, but beware dangerouslySetInnerHTML
// Only use when necessary, always sanitize first
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }} />

Triggers

The skill activates on a wide range of security-related keywords:

security, vulnerability, OWASP, XSS, SQL injection, CSRF, CORS, CSP, authentication, authorization, encryption, secrets, JWT, OAuth, audit, penetration, sanitize, validate input

This broad trigger set means the skill loads automatically in most security-relevant conversations.

Core Security Principles

The skill operates from four principles that shape every recommendation:

Defense in depth — multiple security layers, no single point of failure
Least privilege — minimum permissions for every component
Never trust user input — validate everything at every boundary
Fail securely — errors should not reveal system internals

Comparison: Security Review Approaches

Approach	security-auditor	Generic AI review	Human security consultant
OWASP Top 10 coverage	✅ systematic	⚠️ inconsistent	✅
Code-specific fixes	✅	✅	✅
Response time	Instant	Instant	Days/weeks
Cost	Free	Free	$$$$
Audit repeatability	✅ same process each time	❌ varies	⚠️
Keeps up with threats	⚠️ training cutoff	⚠️	✅

How to Install

clawhub install security-auditor

No API keys or configuration required. Invoked automatically when security-related topics arise.

Practical Tips

Paste full code blocks — the skill performs best with complete context; isolated snippets get surface-level analysis
Specify your stack — Node.js/Express, Django, Rails, Go have different security patterns; mention it explicitly
Ask for severity triage — request that findings be prioritized by severity (Critical/High/Medium/Low) so you address the biggest risks first
Combine with code review workflows — use it before every PR merge to catch security issues before they hit production
Request threat modeling — beyond code review, ask the skill to threat-model your architecture for systemic vulnerabilities

Considerations

Training data cutoff: New CVEs and attack patterns discovered after the model's training cutoff won't be covered. Use it as a first pass, not a replacement for up-to-date security tooling like Snyk or Dependabot.
Not a penetration test: This skill reviews code and architecture; it doesn't perform active exploitation or network scanning.
Context matters: Security recommendations must fit your threat model. A personal hobby project and a healthcare SaaS have different acceptable risk levels.

The Bigger Picture

Security is the area where the cost of inconsistency is highest. Every code review that skips CORS, every auth flow that doesn't consider token expiry, every input that isn't validated creates potential vulnerabilities. security-auditor doesn't replace a professional security audit for high-stakes systems — but it brings systematic, OWASP-grounded rigor to every code review in your regular development workflow.

View the skill on ClawHub: security-auditor

← Back to Blog