
from clawsec991
Automated, multi-engine vulnerability scanner for agent platforms that runs dependency scans, SAST, CVE enrichment and agent-specific DAST harnesses to surface
ClawSec Scanner automates security analysis for agent skills and repositories. It runs dependency scans (npm audit, pip-audit), queries CVE providers (OSV, NVD, GitHub Advisory), performs static analysis with Semgrep/Bandit, and executes an agent-aware dynamic analysis harness for OpenClaw hooks. Results are normalized into a unified ScanReport JSON with severity summaries and remediation guidance.
Use ClawSec Scanner when auditing agent skills before deployment, during CI/CD checkpoints, or on a scheduled cadence to detect regressions. It's ideal for discovering vulnerable dependencies, hardcoded secrets, unsafe code patterns, and hook-specific runtime dangers in OpenClaw handlers.
Inferred support: agents and CLIs that can run subprocess tools (Node.js/python based workflows), e.g., OpenClaw gateway, Node-based agent runtimes, and CI environments.
ClawSec Scanner is a comprehensive multi-engine vulnerability scanner for agent platforms covering dependency scanning (npm audit, pip-audit), CVE database lookups (OSV, NVD, GitHub Advisory), SAST (Semgrep, Bandit), and agent-specific DAST hook inspection. Scripts are well-structured with proper error handling and fail-open design. The runner.sh requires --target which wasn't provided in dry run, and .mjs scripts were skipped by the test runner. The skill has impressive security practices including checksum-verified releases and subprocess argument arrays preventing injection.
Well-designed security scanner with proper subprocess safety (spawn arrays, no shell injection), no hardcoded secrets, no telemetry. The installation script includes PGP-signed checksum verification. The DAST module only does static source inspection of hooks (reads files, doesn't execute them). Fail-open philosophy means missing tools are skipped gracefully. GitHub Advisory query is a stub. The CLAWSEC_ALLOW_UNSIGNED_FEED env var is documented as dev-only.