security-audit-toolkitAudit codebases and infrastructure for security issues. Use when scanning dependencies for vulnerabilities, detecting hardcoded secrets, checking OWASP top 10 issues, verifying SSL/TLS, auditing file permissions, or reviewing code for injection and auth flaws.
Install via ClawdBot CLI:
clawdbot install gitgoodordietrying/security-audit-toolkitScan, detect, and fix security issues in codebases and infrastructure. Covers dependency vulnerabilities, secret detection, OWASP top 10, SSL/TLS verification, file permissions, and secure coding patterns.
# Built-in npm audit
npm audit
npm audit --json | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, via: .value.via[0]}'
# Fix automatically where possible
npm audit fix
# Show only high and critical
npm audit --audit-level=high
# Check a specific package
npm audit --package-lock-only
# Alternative: use npx to scan without installing
npx audit-ci --high# pip-audit (recommended)
pip install pip-audit
pip-audit
pip-audit -r requirements.txt
pip-audit --format=json
# safety (alternative)
pip install safety
safety check
safety check -r requirements.txt --json
# Check a specific package
pip-audit --requirement=- <<< "requests==2.25.0"# Built-in vuln checker
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
# Check specific binary
govulncheck -mode=binary ./myapp# cargo-audit
cargo install cargo-audit
cargo audit
# With fix suggestions
cargo audit fix# Install: https://aquasecurity.github.io/trivy
# Scan filesystem
trivy fs .
# Scan specific language
trivy fs --scanners vuln --severity HIGH,CRITICAL .
# Scan Docker image
trivy image myapp:latest
# JSON output
trivy fs --format json -o results.json .# AWS keys
grep -rn 'AKIA[0-9A-Z]\{16\}' --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml,cfg,conf,ini}' .
# Generic API keys and tokens
grep -rn -i 'api[_-]\?key\|api[_-]\?secret\|access[_-]\?token\|auth[_-]\?token\|bearer ' \
--include='*.{js,ts,py,go,java,rb,env,yml,yaml,json}' .
# Private keys
grep -rn 'BEGIN.*PRIVATE KEY' .
# Passwords in config
grep -rn -i 'password\s*[:=]' --include='*.{env,yml,yaml,json,xml,cfg,conf,ini,toml}' .
# Connection strings with credentials
grep -rn -i 'mongodb://\|mysql://\|postgres://\|redis://' --include='*.{js,ts,py,go,env,yml,yaml,json}' . | grep -v 'localhost\|127.0.0.1\|example'
# JWT tokens (three base64 segments separated by dots)
grep -rn 'eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.' --include='*.{js,ts,py,go,log,json}' .# Scan git history for secrets (not just current files)
# Using git log + grep
git log -p --all | grep -n -i 'api.key\|password\|secret\|token' | head -50
# Check staged files before commit
git diff --cached --name-only | xargs grep -l -i 'api.key\|password\|secret\|token' 2>/dev/null#!/bin/bash
# .git/hooks/pre-commit - Block commits containing potential secrets
PATTERNS=(
'AKIA[0-9A-Z]{16}'
'BEGIN.*PRIVATE KEY'
'password\s*[:=]\s*["\x27][^"\x27]+'
'api[_-]?key\s*[:=]\s*["\x27][^"\x27]+'
'sk-[A-Za-z0-9]{20,}'
'ghp_[A-Za-z0-9]{36}'
'xox[bpoas]-[A-Za-z0-9-]+'
)
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
[ -z "$STAGED_FILES" ] && exit 0
EXIT_CODE=0
for pattern in "${PATTERNS[@]}"; do
matches=$(echo "$STAGED_FILES" | xargs grep -Pn "$pattern" 2>/dev/null)
if [ -n "$matches" ]; then
echo "BLOCKED: Potential secret detected matching pattern: $pattern"
echo "$matches"
EXIT_CODE=1
fi
done
if [ $EXIT_CODE -ne 0 ]; then
echo ""
echo "To proceed anyway: git commit --no-verify"
echo "To remove secrets: replace with environment variables"
fi
exit $EXIT_CODE# Check if sensitive files are tracked
echo "--- Files that should probably be gitignored ---"
for pattern in '.env' '.env.*' '*.pem' '*.key' '*.p12' '*.pfx' 'credentials.json' \
'service-account*.json' '*.keystore' 'id_rsa' 'id_ed25519'; do
found=$(git ls-files "$pattern" 2>/dev/null)
[ -n "$found" ] && echo " TRACKED: $found"
done
# Check if .gitignore exists and has common patterns
if [ ! -f .gitignore ]; then
echo "WARNING: No .gitignore file found"
else
for entry in '.env' 'node_modules' '*.key' '*.pem'; do
grep -q "$entry" .gitignore || echo " MISSING from .gitignore: $entry"
done
fi# SQL injection: string concatenation in queries
grep -rn "query\|execute\|cursor" --include='*.{py,js,ts,go,java,rb}' . | \
grep -i "f\"\|format(\|%s\|\${\|+ \"\|concat\|sprintf" | \
grep -iv "parameterized\|placeholder\|prepared"
# Command injection: user input in shell commands
grep -rn "exec(\|spawn(\|system(\|popen(\|subprocess\|os\.system\|child_process" \
--include='*.{py,js,ts,go,java,rb}' .
# Check for parameterized queries (good)
grep -rn "\\$[0-9]\|\\?\|%s\|:param\|@param\|prepared" --include='*.{py,js,ts,go,java,rb}' .# Weak password hashing (MD5, SHA1 used for passwords)
grep -rn "md5\|sha1\|sha256" --include='*.{py,js,ts,go,java,rb}' . | grep -i "password\|passwd"
# Hardcoded credentials
grep -rn -i "admin.*password\|password.*admin\|default.*password" \
--include='*.{py,js,ts,go,java,rb,yml,yaml,json}' .
# Session tokens in URLs
grep -rn "session\|token\|jwt" --include='*.{py,js,ts,go,java,rb}' . | grep -i "url\|query\|param\|GET"
# Check for rate limiting on auth endpoints
grep -rn -i "rate.limit\|throttle\|brute" --include='*.{py,js,ts,go,java,rb}' .# Unescaped output in templates
grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html\|\|html(" \
--include='*.{js,ts,jsx,tsx,vue,html}' .
# Template injection
grep -rn "{{{.*}}}\|<%=\|<%-\|\$\!{" --include='*.{html,ejs,hbs,pug,erb}' .
# Document.write
grep -rn "document\.write\|document\.writeln" --include='*.{js,ts,html}' .
# eval with user input
grep -rn "eval(\|new Function(\|setTimeout.*string\|setInterval.*string" \
--include='*.{js,ts}' .# Direct ID usage in routes without authz check
grep -rn "params\.id\|params\[.id.\]\|req\.params\.\|request\.args\.\|request\.GET\." \
--include='*.{py,js,ts,go,java,rb}' . | \
grep -i "user\|account\|profile\|order\|document"# CORS wildcard
grep -rn "Access-Control-Allow-Origin.*\*\|cors({.*origin.*true\|cors()" \
--include='*.{py,js,ts,go,java,rb}' .
# Debug mode in production configs
grep -rn "DEBUG\s*=\s*True\|debug:\s*true\|NODE_ENV.*development" \
--include='*.{py,js,ts,yml,yaml,json,env}' .
# Verbose error messages exposed to clients
grep -rn "stack\|traceback\|stackTrace" --include='*.{py,js,ts,go,java,rb}' . | \
grep -i "response\|send\|return\|res\."# Full SSL check
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \
openssl x509 -noout -subject -issuer -dates -fingerprint
# Check certificate expiry
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
openssl x509 -noout -enddate
# Check supported TLS versions
for v in tls1 tls1_1 tls1_2 tls1_3; do
result=$(openssl s_client -connect example.com:443 -$v < /dev/null 2>&1)
if echo "$result" | grep -q "Cipher is"; then
echo "$v: SUPPORTED"
else
echo "$v: NOT SUPPORTED"
fi
done
# Check cipher suites
openssl s_client -connect example.com:443 -cipher 'ALL' < /dev/null 2>&1 | \
grep "Cipher :"
# Check for weak ciphers
openssl s_client -connect example.com:443 -cipher 'NULL:EXPORT:DES:RC4:MD5' < /dev/null 2>&1 | \
grep "Cipher :"# Download and verify full chain
openssl s_client -connect example.com:443 -showcerts < /dev/null 2>/dev/null | \
awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{print}' > chain.pem
# Verify chain
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt chain.pem
# Check certificate details
openssl x509 -in chain.pem -noout -text | grep -A2 "Subject:\|Issuer:\|Not Before\|Not After\|DNS:"# Verify SSL isn't disabled in code
grep -rn "verify\s*=\s*False\|rejectUnauthorized.*false\|InsecureSkipVerify.*true\|CURLOPT_SSL_VERIFYPEER.*false\|NODE_TLS_REJECT_UNAUTHORIZED.*0" \
--include='*.{py,js,ts,go,java,rb,yml,yaml}' .# Find world-writable files
find . -type f -perm -o=w -not -path '*/node_modules/*' -not -path '*/.git/*' 2>/dev/null
# Find executable files that shouldn't be
find . -type f -perm -u=x -not -name '*.sh' -not -name '*.py' -not -path '*/node_modules/*' \
-not -path '*/.git/*' -not -path '*/bin/*' 2>/dev/null
# Check sensitive file permissions
for f in .env .env.* *.pem *.key *.p12 id_rsa id_ed25519; do
[ -f "$f" ] && ls -la "$f"
done
# Find files with SUID/SGID bits (Linux)
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | head -20
# Check SSH key permissions
if [ -d ~/.ssh ]; then
echo "--- SSH directory permissions ---"
ls -la ~/.ssh/
echo ""
# Should be: dir=700, private keys=600, public keys=644, config=600
[ "$(stat -c %a ~/.ssh 2>/dev/null || stat -f %Lp ~/.ssh)" != "700" ] && echo "WARNING: ~/.ssh should be 700"
fi#!/bin/bash
# security-audit.sh - Run a comprehensive security check on a project
set -euo pipefail
PROJECT_DIR="${1:-.}"
cd "$PROJECT_DIR"
echo "========================================="
echo "Security Audit: $(basename "$(pwd)")"
echo "Date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
echo "========================================="
echo ""
ISSUES=0
warn() { echo " [!] $1"; ((ISSUES++)); }
ok() { echo " [OK] $1"; }
section() { echo ""; echo "--- $1 ---"; }
# 1. Secrets detection
section "Secret Detection"
for pattern in 'AKIA[0-9A-Z]\{16\}' 'BEGIN.*PRIVATE KEY' 'sk-[A-Za-z0-9]\{20,\}' \
'ghp_[A-Za-z0-9]\{36\}' 'xox[bpoas]-'; do
count=$(grep -rn "$pattern" --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml}' . 2>/dev/null | \
grep -v 'node_modules\|\.git\|vendor\|__pycache__' | wc -l)
if [ "$count" -gt 0 ]; then
warn "Found $count matches for pattern: $pattern"
fi
done
grep -rn -i 'password\s*[:=]\s*["'"'"'][^"'"'"']*["'"'"']' \
--include='*.{js,ts,py,go,yml,yaml,json,env}' . 2>/dev/null | \
grep -v 'node_modules\|\.git\|example\|test\|mock\|placeholder\|changeme\|xxxx' | \
while read -r line; do warn "Hardcoded password: $line"; done
# 2. Dependency audit
section "Dependency Vulnerabilities"
if [ -f package-lock.json ] || [ -f package.json ]; then
npm audit --audit-level=high 2>/dev/null && ok "npm: no high/critical vulns" || warn "npm audit found issues"
fi
if [ -f requirements.txt ]; then
pip-audit -r requirements.txt 2>/dev/null && ok "pip: no known vulns" || warn "pip-audit found issues"
fi
if [ -f go.sum ]; then
govulncheck ./... 2>/dev/null && ok "Go: no known vulns" || warn "govulncheck found issues"
fi
# 3. Gitignore check
section ".gitignore Coverage"
if [ ! -f .gitignore ]; then
warn "No .gitignore file"
else
for entry in '.env' 'node_modules' '*.key' '*.pem' '.DS_Store'; do
grep -q "$entry" .gitignore 2>/dev/null && ok ".gitignore has $entry" || warn ".gitignore missing: $entry"
done
fi
# 4. SSL verification disabled
section "SSL Verification"
disabled=$(grep -rn "verify\s*=\s*False\|rejectUnauthorized.*false\|InsecureSkipVerify.*true" \
--include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \
grep -v 'node_modules\|\.git\|test\|spec\|mock' | wc -l)
[ "$disabled" -gt 0 ] && warn "SSL verification disabled in $disabled location(s)" || ok "No SSL bypasses found"
# 5. CORS wildcard
section "CORS Configuration"
cors=$(grep -rn "Access-Control-Allow-Origin.*\*\|cors({.*origin.*true" \
--include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \
grep -v 'node_modules\|\.git' | wc -l)
[ "$cors" -gt 0 ] && warn "CORS wildcard found in $cors location(s)" || ok "No CORS wildcard"
# 6. Debug mode
section "Debug/Development Settings"
debug=$(grep -rn "DEBUG\s*=\s*True\|debug:\s*true" \
--include='*.{py,yml,yaml,json}' . 2>/dev/null | \
grep -v 'node_modules\|\.git\|test\|jest\|vitest' | wc -l)
[ "$debug" -gt 0 ] && warn "Debug mode enabled in $debug location(s)" || ok "No debug flags found"
echo ""
echo "========================================="
echo "Audit complete. Issues found: $ISSUES"
echo "========================================="
[ "$ISSUES" -eq 0 ] && exit 0 || exit 1# Bad: hardcoded in source
API_KEY="sk-abc123..."
# Good: from environment
API_KEY="${API_KEY:?Error: API_KEY not set}"
# Good: from .env file (loaded at startup, never committed)
# .env
API_KEY=sk-abc123...
# .gitignore
.env- [ ] All user input validated (type, length, format)
- [ ] SQL queries use parameterized statements (never string concat)
- [ ] Shell commands never include user input directly
- [ ] File paths validated (no path traversal: ../)
- [ ] URLs validated (no SSRF: restrict to expected domains)
- [ ] HTML output escaped (no XSS: use framework auto-escaping)
- [ ] JSON parsing has error handling (no crash on malformed input)
- [ ] File uploads checked (type, size, no executable content)# Check security headers on a URL
curl -sI https://example.com | grep -i 'strict-transport\|content-security\|x-frame\|x-content-type\|referrer-policy\|permissions-policy'
# Expected headers:
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# Content-Security-Policy: default-src 'self'
# X-Frame-Options: DENY
# X-Content-Type-Options: nosniff
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: camera=(), microphone=(), geolocation=()npm audit / pip-audit / govulncheck in CI on every pull request, not just occasionally.git filter-branch or git-filter-repo to purge, then rotate the credential.innerHTML.Access-Control-Allow-Origin: * is safe for truly public, read-only APIs. It's dangerous for anything that uses cookies or auth tokens.verify=False or rejectUnauthorized: false should only appear in test code, never in production paths.Generated Mar 1, 2026
A financial technology startup preparing for SOC 2 compliance uses the toolkit to scan its Node.js and Python microservices for dependency vulnerabilities and hardcoded secrets. The audit identifies outdated libraries with critical CVEs and exposed API keys in configuration files, enabling remediation before the auditor's visit.
A healthcare provider migrating a legacy Java application to the cloud employs the toolkit to audit for OWASP top 10 issues like SQL injection and broken authentication. It also checks file permissions on sensitive patient data directories and verifies SSL/TLS configurations for new API endpoints to meet HIPAA security requirements.
An e-commerce company conducts a quarterly security audit before peak shopping seasons using the toolkit's secret detection and dependency scanning features. It scans Go and Rust services for vulnerabilities, reviews code for XSS and CSRF flaws, and ensures pre-commit hooks block accidental secret commits in git repositories.
A SaaS provider integrates the toolkit into its CI/CD pipeline to automate security checks. It runs Trivy scans on Docker images, uses pip-audit on Python dependencies, and audits .gitignore files to prevent tracking of credentials, ensuring continuous compliance and reducing manual review overhead.
An open-source maintainer uses the toolkit to audit a public repository for security issues before a major release. It scans for hardcoded secrets in git history, checks Go and Rust dependencies with govulncheck and cargo-audit, and verifies SSL/TLS settings for documentation links to enhance community trust.
Offer monthly or annual subscriptions where clients receive automated security audits using this toolkit, with detailed reports and remediation guidance. Revenue comes from tiered plans based on codebase size and scan frequency, targeting small to medium-sized businesses lacking in-house security teams.
Provide consulting services to integrate the toolkit into existing DevOps workflows, with custom configurations for specific industries like finance or healthcare. Revenue is generated through project-based fees and ongoing support contracts, leveraging the toolkit's flexibility for tailored security solutions.
Distribute the toolkit as a free open-source tool with basic scanning capabilities, while offering premium features such as advanced vulnerability prioritization, compliance reporting, and team collaboration dashboards. Revenue is driven by upgrades to paid plans for enterprises needing enhanced functionality.
💬 Integration Tip
Integrate the toolkit into CI/CD pipelines using pre-commit hooks for secret detection and scheduled scans for dependencies to automate security checks and reduce manual effort.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.