security-guardian
Automated security auditing for OpenClaw projects. Scans for hardcoded secrets (API keys, tokens) and container vulnerabilities (CVEs) using Trivy. Provides structured reports to help maintain a clean and secure codebase.
About this skill
This AI agent skill, "security-guardian," provides automated security auditing capabilities primarily for OpenClaw projects. It focuses on two critical areas: detecting hardcoded credentials (like API keys and tokens) within project directories and identifying container vulnerabilities (CVEs) in Docker images using the Trivy scanner. By integrating these checks into development workflows, the skill helps developers proactively maintain a clean and secure codebase, preventing accidental secret leaks and ensuring deployed containers meet security standards.
The skill features two core workflows. The "Secret Scanning" workflow utilizes a Python script to deeply inspect specified project directories, reporting any discovered secrets with file and line numbers. For remediation, it guides the agent to leverage a separate `mema-vault` skill to securely store identified secrets and replace them in the codebase. The "Container Vulnerability Scan" workflow uses a shell script to analyze Docker images, specifically flagging high and critical severity CVEs and recommending appropriate updates or patches before deployment.
Developers and teams using OpenClaw projects would use this skill to enhance their security posture significantly. It automates otherwise manual and error-prone security checks, ensuring that sensitive information is not inadvertently exposed and that application containers are free from known security flaws. The structured reporting helps in quick identification and remediation, fostering a more robust and compliant development lifecycle.
Best use case
The primary use case is to proactively identify and remediate security weaknesses in software development lifecycles, specifically for OpenClaw projects. Developers, DevOps engineers, and security teams benefit most by integrating this skill into their CI/CD pipelines or using it for ad-hoc security audits before code commits or deployments, ensuring that code is free from exposed secrets and containers are secure.
Users should expect structured reports detailing discovered hardcoded secrets with locations, or lists of container vulnerabilities (especially HIGH/CRITICAL CVEs) that require attention.
Practical example
Example input
Scan the 'my-api-service' directory for any hardcoded API keys or tokens.
Example output
Secret scan results for 'my-api-service': Found potential API key at `src/config.py:L12`. Please use `mema-vault` for remediation. No other secrets detected.
When to use this skill
- Before committing code to a repository to prevent hardcoded secrets from entering version control.
- During CI/CD pipelines to automatically scan container images before deployment.
- As part of a regular security audit for existing OpenClaw project repositories.
- When onboarding new developers to ensure adherence to security best practices from the start.
When not to use this skill
- When scanning non-project directories or system-level paths due to scope limitations.
- If `trivy` is not installed or cannot be installed on the host system for container scanning.
- For runtime application security monitoring (RASP) or web application firewall (WAF) functions.
- If you don't use Docker containers or have no code to scan for secrets.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/security-guardian/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How security-guardian Compares
| Feature / Agent | security-guardian | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | medium | N/A |
Frequently Asked Questions
What does this skill do?
Automated security auditing for OpenClaw projects. Scans for hardcoded secrets (API keys, tokens) and container vulnerabilities (CVEs) using Trivy. Provides structured reports to help maintain a clean and secure codebase.
How difficult is it to install?
The installation complexity is rated as medium. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Security Guardian
System for automated security auditing and credential protection.
## Core Workflows
### 1. Secret Scanning
Scan specific project directories for hardcoded credentials.
- **Tool**: `scripts/scan_secrets.py`
- **Usage**: `python3 $WORKSPACE/skills/security-guardian/scripts/scan_secrets.py <path_to_project>`
- **Workflow**:
  1. Execute scan on a specific project or directory.
  2. If findings are reported (exit code 1):
     - Review the file and line number.
     - **Transition**: Move the secret to a secure vault (e.g., using the `mema-vault` skill).
     - **Redact**: Replace the plaintext secret in the source code with an environment variable or a vault lookup call.
### 2. Container Vulnerability Scan
Analyze Docker images for vulnerabilities prior to deployment.
- **Tool**: `scripts/scan_container.sh`
- **Usage**: `bash $WORKSPACE/skills/security-guardian/scripts/scan_container.sh <image_name>`
- **Logic**: Identify `HIGH` and `CRITICAL` severities. Recommend base image updates or security patches.
## Security Guardrails
- **Scope Limitation**: Avoid scanning system-level directories. Focus only on relevant project workspaces.
- **Credential Isolation**: Hardcoded secrets are considered a high-severity finding.
- **Dependencies**: Container scanning requires `trivy` to be installed on the host system.
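A minimal scanner that follows the Secret Scanning workflow and the Scope Limitation guardrail above, as an added example; it is not the skill's `scripts/scan_secrets.py`, which this page does not show. The two regex rules, the skipped directory names and the system-path list are assumptions chosen for illustration.

```python
import os
import re
import sys
from pathlib import Path

# Illustrative rules (assumptions; the skill's own rule set is not shown on the page).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-assignment": re.compile(
        r"(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*"
        r"['\"]([^'\"\s]{12,})['\"]", re.I),
}
# Scope guardrail: refuse system-level roots, skip VCS and vendored directories.
SYSTEM_DIRS = {"/", "/etc", "/usr", "/bin", "/sbin", "/var", "/proc", "/sys"}
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}

def scan_line(text):
    """Return (rule, redacted_value) for every rule that matches one line."""
    hits = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(m.lastindex or 0)
            # Keep a 4-character prefix so the report never repeats the secret.
            hits.append((rule, value[:4] + "*" * (len(value) - 4)))
    return hits

def scan_project(root):
    """Walk one project directory; return (exit_code, findings)."""
    root = Path(root).resolve()
    if str(root) in SYSTEM_DIRS:
        raise ValueError(f"refusing to scan system-level path: {root}")
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in sorted(filenames):
            path = Path(dirpath) / name
            try:
                lines = path.read_text(encoding="utf-8").splitlines()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file: nothing to report
            for lineno, text in enumerate(lines, 1):
                rel = path.relative_to(root).as_posix()
                findings.extend((rel, lineno, r, shown) for r, shown in scan_line(text))
    return (1 if findings else 0), findings  # exit code 1 signals findings

if __name__ == "__main__":
    code, found = scan_project(sys.argv[1])
    for rel, lineno, rule, shown in found:
        print(f"{rel}:L{lineno} [{rule}] {shown}")
    sys.exit(code)
```

Values read from the environment or a vault lookup do not match either rule, so a file that has been through the Redact step scans clean.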
## Integration
- **Vaulting**: This skill identifies leaks. Remediation should be performed using a dedicated credential manager like `mema-vault`.
Related Skills
Cybersecurity Risk Assessment
You are a cybersecurity risk assessment specialist. When the user needs a security audit, threat assessment, or compliance review, follow this framework.
afrexai-cybersecurity-engine
Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack — zero external dependencies.
guardian-wall
Mitigate prompt injection attacks, especially indirect ones from external web content or files. Use this skill when processing untrusted text from the internet, user-uploaded files, or any external source to sanitize content and detect malicious instructions (e.g., "ignore previous instructions", "system override").
SX-security-audit
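Comprehensive security audit skill. Checks file permissions, environment variables, dependency vulnerabilities, configuration files, network ports, Git security, shell security, macOS security, key detection, and more. Supports CLI arguments, JSON output, and configuration files. Use this skill when the user asks for a "security check", "vulnerability scan", "permission check", or "security audit".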
HIPAA Compliance for AI Agents
Generate HIPAA compliance checklists, risk assessments, and audit frameworks for healthcare organizations deploying AI agents.
Data Governance Framework
Assess, score, and remediate your organization's data governance posture across 6 domains.
Compliance & Audit Readiness Engine
Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.
Compliance Audit Generator
Run internal compliance audits against major frameworks without hiring a consultant.
AI Safety Audit
Comprehensive AI safety and alignment audit framework for businesses deploying AI agents. Built around the UK AI Security Institute Alignment Project standards (2026), EU AI Act requirements, and NIST AI RMF.
clickhouse-github-forensics
Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks, tracking repository activity, analyzing actor behavior patterns, detecting tag/release tampering, or reconstructing incident timelines from public GitHub data. Triggers on GitHub supply chain attacks, repo compromise investigations, actor attribution, tag poisoning, or "query github events".
mema-vault
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets using a mandatory Master Key. Use for managing API keys, database credentials, and other sensitive tokens.
skill-safe-install-l0-strict
Strict secure-install workflow for ClawHub/OpenClaw skills. Use when asked to install a skill safely, inspect skill permissions, review third-party skill risk, or run a pre-install security audit. Enforce full review + sandbox + explicit consent gates, with no author-based trust bypass.