flaw0: Security and vulnerability scanner for OpenClaw code, plugins, skills, and Node.js dependencies. Powered by OpenClaw AI models.

Install via ClawdBot CLI:

```bash
clawdbot install ThomasLWang/flaw0
```

Security and vulnerability scanner for OpenClaw ecosystems. Analyzes source code, plugins, skills, and Node.js dependencies to detect potential security flaws.

Goal: Achieve flaw 0 (zero flaws detected) 🎯

Install this skill via ClawHub:

```bash
npx clawhub@latest install flaw0
```

Or install globally via npm:

```bash
npm install -g flaw0
```
Use flaw0 to ensure your OpenClaw code and dependencies are secure:

```bash
# Check a skill before installing
flaw0 scan ~/.openclaw/skills/new-skill

# Scan your code as you develop
flaw0 scan src/

# Check dependencies
flaw0 deps

# Full security audit
flaw0 audit
```

```bash
# Scan all OpenClaw components
flaw0 scan --target all

# Check specific components
flaw0 scan --target skills
flaw0 scan --target plugins
flaw0 scan --target core
```

```bash
# Scan current directory
flaw0 scan

# Scan specific directory
flaw0 scan /path/to/code

# Use specific AI model
flaw0 scan --model claude-opus-4-6
```

```bash
# Quick dependency scan
flaw0 deps

# Deep scan (entire dependency tree)
flaw0 deps --deep
```

```bash
# Comprehensive scan (code + dependencies)
flaw0 audit

# Save report to file
flaw0 audit --output report.json

# JSON output for CI/CD
flaw0 audit --json
```

```bash
# Scan OpenClaw core
flaw0 scan --target core

# Scan all plugins
flaw0 scan --target plugins

# Scan all skills
flaw0 scan --target skills

# Scan everything
flaw0 scan --target all
```
Code patterns flagged by the scanner:

- `exec()` with unsanitized input
- `eval()` usage
- `Function()` constructor with strings
- `innerHTML` assignments
- `dangerouslySetInnerHTML` usage
- `readFile()` with user input
- `Math.random()` for security operations
- `JSON.parse()` without validation

Results are reported with a flaw score - lower is better:

Each issue is weighted by severity:

Total flaw score = sum of all weighted issues (rounded)
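As an added example (not code from flaw0 or its author), the following Node.js script shows what a line-based detector for the eight patterns above looks like, and how a score of the form "sum of weighted issues, rounded" follows from its findings. The regexes, severities, weights and fix texts are assumptions for illustration: flaw0's own rules, weights and use of AI review are not given on this page, and a real scanner would parse the source (AST) rather than match lines. The sample source is constructed so that each flagged line sits beside a safe counterpart that is not flagged.

```javascript
// Added example, not flaw0's own code: a line-based detector for the eight
// patterns listed above, plus "sum of weighted issues, rounded" scoring.
// Severity, weight and fix text per pattern are assumptions for illustration.

const PATTERNS = [
  { name: 'exec() with unsanitized input', severity: 'critical',
    // exec() called with a template literal that interpolates a variable
    re: /\bexec\s*\(\s*`[^`]*\$\{/,
    fix: 'Use execFile() with an argument array' },
  { name: 'eval() usage', severity: 'critical',
    re: /\beval\s*\(/,
    fix: 'Remove eval(); parse data with JSON.parse() or a safe parser' },
  { name: 'Function() constructor with strings', severity: 'high',
    re: /\bnew\s+Function\s*\(\s*['"`]/,
    fix: 'Do not build code from strings' },
  { name: 'innerHTML assignment', severity: 'high',
    re: /\.innerHTML\s*=/,
    fix: 'Use textContent or a sanitizer' },
  { name: 'dangerouslySetInnerHTML usage', severity: 'high',
    re: /dangerouslySetInnerHTML/,
    fix: 'Render as text or sanitize the HTML first' },
  { name: 'readFile() with user input', severity: 'medium',
    // heuristic: the path argument starts with a request/argv/user-named variable
    re: /\breadFile(?:Sync)?\s*\(\s*(?:req\.|userInput|process\.argv)/,
    fix: 'Resolve and validate the path against an allowed base directory' },
  { name: 'Math.random() for security operations', severity: 'medium',
    re: /Math\.random\s*\(\s*\)/,
    fix: 'Use crypto.randomBytes() or crypto.randomUUID()' },
  { name: 'JSON.parse() without validation', severity: 'low',
    re: /JSON\.parse\s*\(\s*(?:req\.|body|userInput|event\.data)/,
    fix: 'Validate the parsed object against a schema' },
];

// Assumed weights (illustrative; flaw0's real weights are not on this page)
const WEIGHTS = { critical: 5, high: 3, medium: 1, low: 0.5 };

// Scan one source string; findings use the field names of the page's report shape.
function scanSource(source, file = 'input.js') {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const p of PATTERNS) {
      if (p.re.test(text)) {
        findings.push({ severity: p.severity, name: p.name, file, line: idx + 1,
                        code: text.trim(), fix: p.fix });
      }
    }
  });
  return findings;
}

// Total flaw score = sum of all weighted issues (rounded)
function flawScore(findings) {
  return Math.round(findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0));
}

// Constructed sample input: each flagged line sits beside its safe counterpart.
const SAMPLE_SOURCE = [
  "const { exec, execFile } = require('child_process');",
  'exec(`ls ${userInput}`);',                    // flagged: critical
  "execFile('ls', [userInput]);",                // not flagged: argument array, no shell
  'const token = Math.random().toString(36);',   // flagged: medium
  'el.innerHTML = userHtml;',                    // flagged: high
  'el.textContent = userHtml;',                  // not flagged
  'const cfg = JSON.parse(req.body);',           // flagged: low
].join('\n');

// Print findings in the page's report layout and return them with the score.
function report(source, file) {
  const findings = scanSource(source, file);
  const score = flawScore(findings);
  for (const f of findings) {
    console.log(`[${f.severity.toUpperCase()}] ${f.name}`);
    console.log(`  Location: ${f.file}:${f.line}`);
    console.log(`  Fix: ${f.fix}`);
  }
  console.log(`Result: flaw ${score}`);
  return { findings, score };
}

report(SAMPLE_SOURCE, 'src/executor.js');
```

For the constructed sample this yields four findings (critical, medium, high, low) and a score of 5 + 1 + 3 + 0.5 = 9.5, rounded to 10. The `execFile()` and `textContent` lines are the safe counterparts and are not flagged, which is the distinction a detector for these patterns has to make.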
```text
flaw0 Security Scan Results
─────────────────────────────
Result: flaw 0
✅ Status: SECURE
✓ No security issues detected!
✓ All checks passed
Great job!
```

```text
flaw0 Security Scan Results
─────────────────────────────
Result: flaw 12
⚠️ Status: ISSUES FOUND

Code Flaws: 5
├─ 🔴 Critical: 2
├─ 🟠 High: 1
├─ 🟡 Medium: 2
└─ ⚪ Low: 0

Dependency Flaws: 7
├─ 🔴 Critical CVEs: 3
├─ 🟠 High CVEs: 2
├─ 🟡 Medium: 2
└─ ⚪ Low: 0

Detailed Report:
─────────────────────────────────
1. [CRITICAL] Command Injection
   Location: src/executor.js:78
   Code: exec(`ls ${userInput}`)
   Description: Unsanitized exec() call
   → Fix: Use execFile() or validate input
   🤖 AI Confidence: high
   💡 AI Suggestion: Replace exec() with execFile()
      and validate input against whitelist

2. [HIGH] Hardcoded API Key
   Location: config/api.js:5
   Code: const API_KEY = "sk-1234..."
   Description: API key exposed in source code
   → Fix: Use process.env.API_KEY

3. [CRITICAL] CVE-2024-12345 in lodash@4.17.19
   Package: lodash@4.17.19
   Description: Prototype pollution vulnerability
   → Fix: npm install lodash@4.17.21
...
```
flaw0 uses OpenClaw's AI models for intelligent code review:

```bash
flaw0 scan --model claude-sonnet-4-5
flaw0 scan --model claude-opus-4-6
flaw0 scan --model claude-haiku-4-5
```

```bash
flaw0 init
```

This creates `.flaw0rc.json`:

```json
{
  "severity": {
    "failOn": "high",
    "ignore": ["low"]
  },
  "targets": {
    "code": true,
    "dependencies": true,
    "devDependencies": false
  },
  "exclude": [
    "node_modules/**",
    "test/**",
    "*.test.js"
  ],
  "model": "claude-sonnet-4-5",
  "maxFlawScore": 0
}
```
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  flaw0:
    runs-on: ubuntu-latest
    # Job-level so both scan steps can reach the model API
    env:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - name: Install flaw0
        run: npm install -g flaw0
      - name: Run security scan
        run: flaw0 audit
      - name: Check flaw score
        run: |
          SCORE=$(flaw0 audit --json | jq '.flawScore')
          if [ "$SCORE" -gt 0 ]; then
            echo "✗ Flaws detected: flaw $SCORE"
            exit 1
          fi
          echo "✓ No flaws: flaw 0"
```
```bash
#!/bin/bash
echo "Running flaw0 scan..."
if ! flaw0 scan; then
  echo "✗ Flaws detected! Commit blocked."
  exit 1
fi
```
```bash
# Download a skill to review
git clone https://github.com/user/some-skill.git /tmp/some-skill

# Scan it
flaw0 scan /tmp/some-skill

# If flaw 0, safe to install
# If flaw > 0, review issues first
```

```bash
# Scan all installed skills
flaw0 scan --target skills

# Example output:
# ✓ clawdex - flaw 0
# ✓ database-helper - flaw 0
# ✗ crypto-bot - flaw 3
# ✓ git-assistant - flaw 0
# Overall: flaw 3
```

```bash
# After installing new packages
npm install some-package

# Check for vulnerabilities
flaw0 deps
```

```bash
# Comprehensive security check
flaw0 audit --output security-report.json

# Review the report
jq '.flawScore' security-report.json
```
Use flaw0 programmatically in your own tools:

```javascript
const Flaw0 = require('flaw0');

// Top-level await is not available in CommonJS, so the scan runs inside an async function
async function main() {
  const scanner = new Flaw0({
    target: './src',
    model: 'claude-sonnet-4-5'
  });

  // Run full scan
  const results = await scanner.scan();
  console.log(`Flaw Score: ${results.flawScore}`);

  if (results.flawScore === 0) {
    console.log('✓ No flaws detected!');
  } else {
    results.codeFlaws.forEach(flaw => {
      console.log(`[${flaw.severity}] ${flaw.name}`);
      console.log(`  Location: ${flaw.file}:${flaw.line}`);
      console.log(`  Fix: ${flaw.fix}`);
    });
  }
}

main().catch(err => {
  console.error(err);
  process.exitCode = 1;
});
```
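The `.flaw0rc.json` created by `flaw0 init` carries three policy knobs (`severity.failOn`, `severity.ignore`, `maxFlawScore`), and the scan result above exposes `flawScore` and `codeFlaws`. The following added example (not flaw0's own code) shows one way a CI gate can combine the two: drop ignored severities, block on any remaining issue at or above `failOn`, and separately block when the score exceeds `maxFlawScore`. How flaw0 itself interprets these keys is not documented on this page, so this interpretation is an assumption. The report and the relaxed policy are constructed inline so the gate runs without the scanner or an API key; the first two report entries reuse the sample report shown earlier, the third is constructed.

```javascript
// Added example, not flaw0's own code: a CI gate that applies a
// .flaw0rc.json-style policy to a result shaped like scanner.scan() output.
// The policy interpretation below is an assumption, not flaw0's documented behaviour.

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Returns { pass, blocking, overBudget, considered } for a result/policy pair.
function evaluatePolicy(results, policy) {
  const failOn = policy.severity && policy.severity.failOn;
  if (!(failOn in SEVERITY_RANK)) throw new Error(`unknown failOn severity: ${failOn}`);
  const ignored = new Set(policy.severity.ignore || []);
  const threshold = SEVERITY_RANK[failOn];

  // Issues that survive the ignore list
  const considered = (results.codeFlaws || []).filter(f => !ignored.has(f.severity));
  // Issues at or above the failOn severity block the build on their own
  const blocking = considered.filter(f => SEVERITY_RANK[f.severity] >= threshold);
  // The score budget is checked independently of per-issue severity
  const overBudget = typeof results.flawScore === 'number'
    && results.flawScore > policy.maxFlawScore;

  return { pass: blocking.length === 0 && !overBudget, blocking, overBudget,
           considered: considered.length };
}

// Constructed report in the scanner.scan() shape; first two entries mirror the
// sample report on this page, the third is made up for illustration.
const REPORT = {
  flawScore: 9,
  codeFlaws: [
    { severity: 'critical', name: 'Command Injection', file: 'src/executor.js', line: 78,
      fix: 'Use execFile() or validate input' },
    { severity: 'high', name: 'Hardcoded API Key', file: 'config/api.js', line: 5,
      fix: 'Use process.env.API_KEY' },
    { severity: 'low', name: 'Math.random() for security operations', file: 'src/token.js', line: 12,
      fix: 'Use crypto.randomBytes()' },
  ],
};

// Constructed report with a single medium issue and a small score.
const MEDIUM_ONLY_REPORT = {
  flawScore: 1,
  codeFlaws: [
    { severity: 'medium', name: 'JSON.parse() without validation', file: 'src/config.js', line: 3,
      fix: 'Validate against a schema' },
  ],
};

// Same values as the .flaw0rc.json created by `flaw0 init` above.
const DEFAULT_POLICY = { severity: { failOn: 'high', ignore: ['low'] }, maxFlawScore: 0 };
// Constructed relaxed policy that tolerates a small score.
const RELAXED_POLICY = { severity: { failOn: 'high', ignore: ['low'] }, maxFlawScore: 5 };

// Print a CI-style decision line and return the decision.
function printDecision(label, results, policy) {
  const d = evaluatePolicy(results, policy);
  console.log(`${label}: ${d.pass ? 'PASS' : 'FAIL'} (score ${results.flawScore}, ` +
              `limit ${policy.maxFlawScore}, ${d.blocking.length} blocking at >= ${policy.severity.failOn})`);
  for (const f of d.blocking) {
    console.log(`  [${f.severity.toUpperCase()}] ${f.name} at ${f.file}:${f.line}`);
  }
  return d;
}

printDecision('sample report, default policy', REPORT, DEFAULT_POLICY);
printDecision('medium-only report, default policy', MEDIUM_ONLY_REPORT, DEFAULT_POLICY);
printDecision('medium-only report, relaxed policy', MEDIUM_ONLY_REPORT, RELAXED_POLICY);
```

The two checks are deliberately separate: with `maxFlawScore: 0` a medium-only report still fails even though nothing reaches the `failOn` threshold, and the decision object says which of the two rules fired so a pipeline can print the reason rather than only an exit code.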
| Feature | flaw0 | npm audit | Snyk | ESLint Security |
|---------|-------|-----------|------|-----------------|
| Dependency CVEs | ✅ | ✅ | ✅ | ❌ |
| AI Code Analysis | ✅ | ❌ | ❌ | ❌ |
| OpenClaw-specific | ✅ | ❌ | ❌ | ❌ |
| Context-aware | ✅ | ❌ | ⚠️ | ⚠️ |
| False positive reduction | ✅ | ❌ | ⚠️ | ❌ |
| Fix suggestions | ✅ | ⚠️ | ✅ | ⚠️ |
```bash
export ANTHROPIC_API_KEY='your-api-key-here'
```

Get your API key from: https://console.anthropic.com/

```bash
export ANTHROPIC_API_KEY='sk-...'
# Or add to ~/.bashrc or ~/.zshrc
```

Ensure you have a valid `package.json`:

```bash
npm init -y
npm install
```

If you hit API rate limits:

- Use `--model haiku`

Run `./demo.sh` for an interactive demo.

flaw0 helps the OpenClaw community achieve secure, vulnerability-free code.
Contributions welcome! Areas for contribution:
MIT License - see LICENSE file
Goal: flaw 0 for everyone! 🎯
Remember: Security is not a one-time check. Run flaw0 regularly to maintain flaw 0 status!
Generated Mar 1, 2026
Developers creating or maintaining OpenClaw skills can use flaw0 to scan their code for security vulnerabilities before publishing. This ensures that community-contributed skills are safe and reduces the risk of introducing flaws into the OpenClaw ecosystem.
Organizations using OpenClaw for internal automation can run flaw0 to audit their custom plugins and dependencies for compliance. This helps identify hardcoded secrets and dependency vulnerabilities, supporting security policies and risk management.
Teams can integrate flaw0 into their continuous integration pipelines to automatically scan code and dependencies during builds. This provides real-time security feedback, preventing vulnerable code from being deployed to production environments.
Instructors teaching secure coding practices can use flaw0 to demonstrate common vulnerabilities like SQL injection or command injection in OpenClaw projects. Students can run scans to learn how to identify and fix security issues in their code.
Platforms hosting OpenClaw plugins can use flaw0 to screen submissions for security flaws before listing them. This enhances trust by ensuring that available plugins are vetted for vulnerabilities like code injection or outdated dependencies.
Offer flaw0 as a free open-source tool for basic scanning, with premium features like advanced AI models, detailed reporting, and team dashboards available via subscription. This attracts individual developers while monetizing enterprise needs.
Sell enterprise licenses to large organizations for unlimited scans, custom integrations, and dedicated support. This model targets companies requiring high-volume security audits and compliance with internal security standards.
Integrate flaw0 into OpenClaw skill marketplaces as a paid add-on for automated security checks. Developers pay per scan to verify their skills before publication, generating revenue from transaction fees.
💬 Integration Tip
Start by adding `flaw0 scan` to your pre-commit hooks for quick checks, and use the `--json` flag in CI/CD pipelines for automated reporting.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.