sec-audit-cn在中国等地区进行代码安全审计、安全编码与评审时使用:覆盖 OWASP Top 10、鉴权与授权、密钥与配置、CORS/CSP、 输入校验与防注入、XSS/CSRF、依赖漏洞、日志与错误处理;输出分级结论与可执行修复建议。 适用于 Web/API、移动端后端、小程序服务端、涉及个人信息与支付回调的业务。
Install via ClawdBot CLI:
clawdbot install clawkk/sec-audit-cnGrade Fair — based on market validation, documentation quality, package completeness, maintenance status, and authenticity signals.
Accesses sensitive credential files or environment variables
process.env.API_KEYPotentially destructive shell commands in tool definitions
curl | bashCalls external URL not in known-safe list
https://api.example.comAI Analysis
The skill definition is a legitimate security audit guide focused on code review and best practices. The rule-based signals (like accessing process.env.API_KEY) appear to be examples within educational code snippets, not actual credential harvesting. The external URL mentioned is likely a placeholder example, not evidence of data exfiltration.
Generated May 19, 2026
对电商平台的Web端、移动端后端及支付回调进行安全审计,覆盖OWASP Top 10风险,重点检查用户鉴权、支付接口的防重放与签名校验、个人信息保护(如手机号、地址脱敏)及依赖漏洞。输出分级修复建议。
针对金融科技系统的安全编码与架构评审,包括身份认证(JWT/OAuth)、交易授权、密钥管理(如加密密钥轮换)、CORS/CSP配置,以及防止SQL注入和XSS攻击。符合等保2.0要求。
对微信小程序或支付宝小程序的后端服务进行安全审计,检查小程序登录、会话管理、开放平台回调验证、用户数据加密传输与存储,以及防止CSRF和SSRF攻击。输出可执行修复方案。
为医疗健康应用的开发团队提供安全编码指引,重点审查患者数据的加密存储与传输、接口鉴权、输入校验防止注入、日志脱敏(不包含完整病历),以及第三方SDK的供应链安全。
提供基于云的安全审计平台,用户上传代码或配置后自动生成OWASP Top 10审计报告及修复建议。按月或按次收费,适合中小企业。
为企业提供安全编码培训、架构评审及渗透测试服务,输出合规报告(如等保)。按项目或人天收费,适合金融机构或监管严格行业。
将安全审计规则集成到CI/CD流水线,提供插件(如VS Code、IDE),帮助开发者在编码阶段发现漏洞。工具免费或开源,增值服务(如高级报告、合规支持)订阅制。
💬 Integration Tip
将安全审计规则集成到CI/CD流水线中,使用自动化SCA和SAST工具,并在代码审查阶段结合人工评审,以提高发现效率和覆盖深度。
Scored May 19, 2026
Audited Apr 16, 2026 · audit v1.0
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope,...
Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included.
Analyze and classify agent skills for safety using local evaluation. Optionally produce a signed attestation of the vetting result.
Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.
Audit codebases and infrastructure for security issues. Use when scanning dependencies for vulnerabilities, detecting hardcoded secrets, checking OWASP top 10 issues, verifying SSL/TLS, auditing file permissions, or reviewing code for injection and auth flaws.
Detects fail-open insecure defaults (hardcoded secrets, weak auth, permissive security) that allow apps to run insecurely in production. Use when auditing security, reviewing config management, or analyzing environment variable handling.