How do I install and run SecureVibes Scanner?

Install via pip (pip install securevibes), set your ANTHROPIC_API_KEY, and run the wrapper script on a local repo path (e.g., bash scripts/scan.sh /path/to/repo --force --debug).

What outputs does SecureVibes produce and where are they stored?

Results are saved under the target repo in .securevibes/, including a scan_report.md (and optional JSON/table outputs depending on format).

What are the prerequisites and security considerations?

Prerequisites include a valid ANTHROPIC_API_KEY and access to a local repository. DAST requires a target URL you own or have permission to test. Always use the safe wrapper to avoid shell injection and only scan local directories.

SecureVibes Scanner

Verified

@anshumanbh

npx machina-cli add skill @anshumanbh/securevibes-scanner --openclaw

Files (1)

SKILL.md

5.6 KB

SecureVibes Scanner

AI-native security platform that detects vulnerabilities using Claude AI. Multi-subagent pipeline: assessment → threat modeling → code review → report generation → optional DAST.

Prerequisites

Install the CLI:
```
pip install securevibes
```
Set your Anthropic API key:
```
export ANTHROPIC_API_KEY=your-key-here
```

Security Notes

Always use the scripts/scan.sh wrapper — it validates paths and rejects shell metacharacters before invoking securevibes.
Never interpolate unsanitized user input into shell commands. The wrapper uses realpath to resolve paths safely and rejects any path containing ;, |, &, $, backticks, or other metacharacters.
Scan targets must be local directories. Clone remote repos to a known safe location first, then pass the resolved path to the wrapper.
DAST scans make network requests to the --target-url you provide. Only use against apps you own or have permission to test.

Execution Model

Scans take 10-30 minutes across 4 phases. Run them as background jobs (cron or subagent), not inline.

Running a Scan

Clone the target repo to a local directory

Run the wrapper script:

bash scripts/scan.sh /path/to/repo --force --debug

Results appear in /path/to/repo/.securevibes/

Background Execution (Recommended)

For OpenClaw users, schedule scans as cron jobs:

Use sessionTarget: "isolated" with payload.kind: "agentTurn"
Set payload.timeoutSeconds: 2700 (45 minutes) to allow all phases to complete
Use delivery.mode: "announce" to get notified when done

The agentTurn message should instruct the subagent to:

cd into the repo and git pull for latest code
Clean previous .securevibes/ artifacts
Run securevibes scan . --force via the wrapper script
Read and summarize the results from .securevibes/scan_report.md

Where to store results, how to diff against previous runs, and notification routing are left to your agent's configuration.

Commands Reference

Scan

securevibes scan <path> [options]

Option	Description
`-f, --format`	`markdown` (default), `json`, `text`, `table`
`-o, --output`	Custom output path
`-s, --severity`	Filter: `critical`, `high`, `medium`, `low`
`-m, --model`	Claude model (e.g., `sonnet`, `haiku` for cheaper/faster)
`--subagent`	Run one phase only: `assessment`, `threat-modeling`, `code-review`, `report-generator`, `dast`
`--resume-from`	Resume from a specific phase onwards
`--dast`	Enable dynamic testing (requires `--target-url`)
`--target-url`	URL for DAST (e.g., `http://localhost:3000`)
`--force`	Skip prompts, overwrite existing artifacts
`--quiet`	Minimal output
`--debug`	Verbose diagnostics

Report

securevibes report <path>

Display a previously saved scan report.

Mapping Requests to Scan Args

User Says	Scan Args
"Scan this for security issues"	`--force`
"Quick security check"	`-m haiku --force`
"Threat model this project"	`--subagent threat-modeling --force`
"Just review the code"	`--subagent code-review --force`
"Show only critical/high findings"	`-s high --force`
"Full audit with DAST"	`--dast --target-url <url> --force`
"Output as JSON"	`-f json -o results.json --force`
"Resume from code review"	`--resume-from code-review --force`
"Show last scan results"	Use `securevibes report <path>` (no cron needed)

Subagent Pipeline

Runs sequentially. Each phase builds on the previous:

assessment → Architecture & attack surface mapping → .securevibes/SECURITY.md
threat-modeling → STRIDE-based threat analysis → .securevibes/THREAT_MODEL.json
code-review → Line-by-line vulnerability detection → .securevibes/VULNERABILITIES.json
report-generator → Consolidated findings report → .securevibes/scan_report.md
dast (optional) → Dynamic validation against running app

Presenting Results

After a scan completes:

Read .securevibes/scan_report.md (or .securevibes/scan_results.json for structured data)
Summarize: total findings by severity (Critical > High > Medium > Low)
Highlight top 3 most critical with file locations and remediation
Offer next steps: run DAST, fix specific issues, re-scan after changes

Overview

SecureVibes Scanner is an AI-native security platform that detects vulnerabilities in codebases using Claude AI. It runs a multi-subagent pipeline — assessment, threat modeling, code review, report generation, and optional DAST — to produce actionable findings and verified remediations. Triggers include security scan, threat modeling, security review, vulnerability assessment, code audit, or AppSec requests targeting a project or repository.

How This Skill Works

The tool orchestrates Claude-powered analysis through a CLI, following a four-phase workflow: assessment → threat modeling → code review → report generation, with an optional DAST phase for dynamic testing. It relies on a wrapper script (scripts/scan.sh) to validate paths and sanitize input, then stores results under the target repo at .securevibes/ for review and remediation tracking.

When to Use It

Before releasing a codebase, run a comprehensive vulnerability scan to surface issues across the repository.
Generate and refine threat models for an application or microservices architecture.
During code reviews to identify security issues, validate findings, and verify remediations.
Perform DAST against a target URL you own or have explicit permission to test.
Automate periodic security scans (e.g., via cron or subagent workflows) to monitor code health over time.

Quick Start

Step 1: pip install securevibes
Step 2: export ANTHROPIC_API_KEY=your-key-here
Step 3: bash scripts/scan.sh /path/to/repo --force --debug

Best Practices

Always use the scripts/scan.sh wrapper to validate paths and reject shell metacharacters before invoking SecureVibes.
Clone remote repositories to a known safe local location and pass the resolved path to the wrapper.
Keep your ANTHROPIC_API_KEY secure and set per-project or per-user as needed.
Review the generated scan_report.md and cross-check findings against prior reports to verify remediation.
Limit DAST to targets you own or have explicit authorization to test and adhere to legal/ethical guidelines.

Example Use Cases

Security engineers scan a new microservice repository to detect OWASP Top 10 vulnerabilities before deployment.
Threat modeling is generated for a multi-service app to identify attack surfaces and mitigation strategies.
A developer performs a code review pass to uncover insecure patterns and validate fixes in a web API.
DAST is executed against a staging environment to validate runtime security controls.
Nightly CI runs a full SecureVibes scan with notifications on completion to the security channel.

Frequently Asked Questions

Add this skill to your agents

SecureVibes Scanner

SecureVibes Scanner

Prerequisites

Security Notes

Execution Model

Running a Scan

Background Execution (Recommended)

Commands Reference

Scan

Report

Mapping Requests to Scan Args

Subagent Pipeline

Presenting Results

Links

Source

Overview

How This Skill Works

When to Use It

Quick Start

Best Practices

Example Use Cases

Frequently Asked Questions