zero2ai-security-audit

Security auditing for git commits, repos, and skills before publishing. Run automatically before any `git commit`, `git push`, or `clawhub publish`. Detects hardcoded secrets, API keys, tokens, absolute paths, committed node_modules, .env files, and other sensitive patterns. Use when reviewing code for security issues, pre-publishing skills, or investigating a potential secret exposure.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install command: npx skills add zero2ai-hub/zero2ai-security-audit

Security Audit

Run scripts/audit.py before every commit, push, or skill publish. No exceptions.

When to run

Trigger                          Command
Before git commit                python3 {skill_dir}/scripts/audit.py --staged
Before git push                  python3 {skill_dir}/scripts/audit.py --last-commit
Before clawhub publish <path>    python3 {skill_dir}/scripts/audit.py <skill_path>
Ad-hoc scan of any path          python3 {skill_dir}/scripts/audit.py <path>

{skill_dir} is the directory this skill is installed in; in the author's setup that is /home/aladdin/.openclaw/workspace/skills/skill-security-audit. Note that an absolute /home/<user>/ path like this is exactly what the MEDIUM rule below flags, so keep it on the local command line or in an environment variable rather than in committed files.

Exit codes

  • 0 = clean
  • 1 = HIGH or MEDIUM findings (block publish/push)
  • 2 = usage error

What it detects

Severity     Patterns
🔴 HIGH      API keys, secrets, passwords, JWT tokens, WooCommerce keys, AWS keys, private key blocks, bearer tokens, .env files
🟡 MEDIUM    Absolute /home/<user>/ and /root/ paths, refresh tokens, committed node_modules/
🔵 LOW       Hardcoded IP addresses, long base64 strings
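The following scanner is an added example written for this page, not the skill's own scripts/audit.py. It implements the severity table and the exit-code contract above over a few constructed sample files, and adds one refinement a practitioner wants in practice: generic "secret-ish name = quoted value" assignments are judged by Shannon entropy and a placeholder list, so env-var lookups and dummy values are not reported as HIGH. The regexes, the entropy threshold and the placeholder list are assumptions to tune for your code base.

```python
"""Added example (not the skill's own scripts/audit.py): a minimal scanner
implementing the severity table and exit codes above. Regexes, entropy
threshold and placeholder list are this page's assumptions."""
import math
import re
import sys
from pathlib import Path

HIGH, MEDIUM, LOW = "HIGH", "MEDIUM", "LOW"

# Content patterns: (severity, rule name, regex). List order = report order per line.
CONTENT_RULES = [
    (HIGH, "aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    (HIGH, "private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    (HIGH, "jwt", re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}\b")),
    (HIGH, "bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")),
    (HIGH, "woocommerce_key", re.compile(r"\b(?:ck|cs)_[0-9a-f]{40}\b")),
    (MEDIUM, "refresh_token", re.compile(r"(?i)refresh_token\W{0,3}['\"][^'\"]{16,}['\"]")),
    (MEDIUM, "home_path", re.compile(r"(?<![\w/])/(?:home/[^/\s'\"]+|root)/")),
    (LOW, "hardcoded_ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    (LOW, "long_base64", re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")),
]
# Generic "secret-ish name = quoted value"; judged by entropy so that placeholders
# and env-var lookups are not reported (rule 4, false positives).
ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
PLACEHOLDER = re.compile(r"(?i)^(?:x{3,}|changeme|your[-_]|<.*>$|\$\{|\{\{|example|placeholder|redacted)")
ENTROPY_MIN = 3.5  # bits per character; assumption

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(path: str, text: str) -> list:
    """Return (severity, rule, line_no, snippet) tuples for one file.
    line_no 0 marks path-based findings (.env files, anything under node_modules/)."""
    findings = []
    p = Path(path)
    if p.name == ".env" or p.name.startswith(".env."):
        findings.append((HIGH, "env_file", 0, path))
    if "node_modules" in p.parts:
        findings.append((MEDIUM, "node_modules", 0, path))
    for no, line in enumerate(text.splitlines(), 1):
        snippet = line.strip()[:80]
        for sev, rule, rx in CONTENT_RULES:
            if rx.search(line):
                findings.append((sev, rule, no, snippet))
        m = ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.match(m.group(1)) and shannon_entropy(m.group(1)) >= ENTROPY_MIN:
            findings.append((HIGH, "high_entropy_secret", no, snippet))
    return findings

def exit_code(findings) -> int:
    """0 = clean, 1 = any HIGH or MEDIUM finding (LOW alone stays 0)."""
    return 1 if any(f[0] in (HIGH, MEDIUM) for f in findings) else 0

def scan_tree(root: Path) -> list:
    """Scan every regular file under root, skipping .git; binary bytes are tolerated."""
    out = []
    for f in sorted(Path(root).rglob("*")):
        rel = f.relative_to(root)
        if f.is_file() and ".git" not in rel.parts:
            out += scan_text(rel.as_posix(), f.read_text(encoding="utf-8", errors="replace"))
    return out

# Constructed sample input (no real credentials; the AWS id is Amazon's documented example value).
SAMPLE_FILES = {
    "config.py": "\n".join([
        "API_KEY = os.environ['API_KEY']            # safe: read from env",
        "API_KEY = 'your-api-key-here'              # placeholder, skipped",
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'           # HIGH: AWS access key id",
        "token = 'x9Qb7Lm2Vr4Tz8Wn1Kp5Hd3Jf6Gs0Ya'  # HIGH: high-entropy value",
        "DB_HOST = '10.0.0.12'                      # LOW: hardcoded IP",
        "SKILL_DIR = '/home/aladdin/.openclaw/x'    # MEDIUM: absolute home path",
    ]),
    ".env": "SECRET=anything\n",
    "node_modules/left-pad/index.js": "module.exports = 1;\n",
}

def scan_sample() -> list:
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: scan.py <path>", file=sys.stderr)
        sys.exit(2)  # usage error, as in the exit-code table
    results = scan_tree(Path(sys.argv[1]))
    for sev, rule, no, snippet in results:
        print(f"{sev:6} {rule:20} {no:>4}  {snippet}")
    sys.exit(exit_code(results))
```

Run it as `python3 scan.py <path>`; on the constructed sample it reports four findings in config.py (HIGH aws_access_key, HIGH high_entropy_secret, LOW hardcoded_ip, MEDIUM home_path), one HIGH for the .env file and one MEDIUM for the node_modules/ file, and exits 1. The env-var lookup and the "your-api-key-here" placeholder produce nothing, which is the behaviour rule 4 asks for. Note the trade-off: an entropy filter lets a low-entropy real password through, so keep the explicit name-based patterns for the formats you know.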

Rules

  1. HIGH findings = hard block. Never commit or publish with HIGH findings. Rotate any exposed secret immediately.
  2. MEDIUM findings = fix before publish. Replace absolute paths with relative or env-var defaults. Remove node_modules/.
  3. LOW findings = review. Not blocking but investigate.
  4. False positives: if a match is a variable name or a safe placeholder rather than an actual value, document why it is safe in a comment next to it and re-run. The comment records the decision for reviewers; unless audit.py recognises it as a suppression, the match will still be reported and must be accepted knowingly rather than silently ignored.

After finding a real secret

  1. Do NOT push the commit. If it was already pushed, treat the secret as compromised: rotate it first, then rewrite history or delete the file. Rewriting only limits further exposure, since anyone who fetched the commit already has the value, and a plain delete in a new commit leaves the secret in history (removing it needs a history rewrite plus a force push, and clones or forks may still hold it).
  2. Rotate in the provider portal (TikTok Dev, AWS IAM, WooCommerce, etc.)
  3. Move to an env var (process.env.SECRET_NAME in Node, os.environ["SECRET_NAME"] in Python) or read from a local config file outside the repo.
  4. Add the config file path to .gitignore.
  5. Report to Aladdin immediately with severity and what was exposed.

Skill publish checklist

Before clawhub publish:

  • audit.py <skill_path> returns 0 (clean)
  • node_modules/ not present in skill folder
  • No absolute paths to user home directories
  • No hardcoded business-specific IDs or credentials
  • package.json name matches skill folder name
  • SKILL.md description updated if renamed
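The structural items of this checklist (node_modules/ present, absolute home paths, package.json name versus folder name, SKILL.md present) are easy to automate. The following checker is an added example written for this page, not the skill's own code; the fixture folder it builds in a temporary directory, and the messages it emits, are constructed here. Secret detection is deliberately left to audit.py so the two checks do not overlap.

```python
"""Added example (not the skill's own code): structural pre-publish checks for
a skill folder. Fixture content and messages are constructed for this page."""
import json
import re
import tempfile
from pathlib import Path

HOME_PATH = re.compile(r"(?<![\w/])/(?:home/[^/\s'\"]+|root)/")
SKIP_DIRS = {".git", "node_modules"}

def check_skill_folder(skill_dir) -> list:
    """Return human-readable problems; an empty list means the folder passes."""
    skill_dir = Path(skill_dir)
    problems = []
    if (skill_dir / "node_modules").exists():
        problems.append("node_modules/ present; delete it before publishing")
    if not (skill_dir / "SKILL.md").is_file():
        problems.append("SKILL.md missing")
    pkg = skill_dir / "package.json"
    if pkg.is_file():
        try:
            name = json.loads(pkg.read_text(encoding="utf-8")).get("name")
        except (json.JSONDecodeError, AttributeError):
            name = None
            problems.append("package.json is not a valid JSON object")
        if name is not None and name != skill_dir.name:
            problems.append(f"package.json name {name!r} does not match folder name {skill_dir.name!r}")
    for f in sorted(skill_dir.rglob("*")):
        rel = f.relative_to(skill_dir)
        if not f.is_file() or SKIP_DIRS & set(rel.parts):
            continue  # node_modules/ is already reported once; .git is not published
        text = f.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if HOME_PATH.search(line):
                problems.append(f"{rel.as_posix()}:{no}: absolute home/root path, use a relative path or env var")
    return problems

def build_fixture(root: Path) -> Path:
    """Write a constructed skill folder that fails three checklist items
    (committed node_modules, mismatched package.json name, absolute path in SKILL.md)."""
    skill = root / "demo-skill"
    (skill / "scripts").mkdir(parents=True)
    (skill / "node_modules" / "left-pad").mkdir(parents=True)
    (skill / "node_modules" / "left-pad" / "index.js").write_text("module.exports = 1;\n")
    (skill / "package.json").write_text(json.dumps({"name": "demo-skill-old", "version": "1.0.0"}))
    (skill / "SKILL.md").write_text(
        "demo-skill\n\nRun python3 /home/aladdin/.openclaw/workspace/skills/demo-skill/scripts/run.py\n")
    (skill / "scripts" / "run.py").write_text(
        "from pathlib import Path\nSKILL_DIR = Path(__file__).resolve().parent.parent  # relative, passes\n")
    return skill

def demo() -> list:
    """Run the checks against the constructed fixture inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_skill_folder(build_fixture(Path(tmp)))

if __name__ == "__main__":
    for problem in demo():
        print("FAIL:", problem)
```

On the fixture this prints three failures: the node_modules/ directory, the package.json name 'demo-skill-old' not matching the folder 'demo-skill', and SKILL.md line 3 carrying an absolute /home/ path; scripts/run.py resolves its own location relative to __file__ and passes. Run check_skill_folder against the real skill folder before clawhub publish, alongside audit.py.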

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
