// Security scanning and remediation for AI coding agents. Scan code for vulnerabilities, generate fix patches, detect sensitive data leaks, and produce compliance reports — all from your OpenClaw agent.
Merge a GitHub PR via squash after /preparepr. Use when asked to merge a ready PR. Do not push to main or modify code. Ensure the PR ends in MERGED state and clean up worktrees after success.
Prepare a GitHub PR for merge by rebasing onto main, fixing review findings, running gates, committing fixes, and pushing to the PR head branch. Use after /reviewpr. Never merge or push to main.
Review-only GitHub pull request analysis with the gh CLI. Use when asked to review a PR, provide structured feedback, or assess readiness to land. Do not merge, push, or make code changes you intend to keep.
| name | clawsecurity |
| description | Security scanning and remediation for AI coding agents. Scan code for vulnerabilities, generate fix patches, detect sensitive data leaks, and produce compliance reports — all from your OpenClaw agent. |
| user-invocable | true |
| metadata | {"openclaw":{"emoji":"🛡️","homepage":"https://clawsecurity.io","os":["darwin","linux","win32"],"requires":{"env":["CLAWSEC_API_KEY"]},"primaryEnv":"CLAWSEC_API_KEY","skillKey":"clawsecurity","install":[{"id":"clawsec-cli","kind":"node","label":"Install ClawSecurity CLI via npm","package":"@clawsec/cli"}]}} |
Security scanning, remediation, and monitoring for OpenClaw agents.
ClawSecurity protects AI coding agents by scanning code for vulnerabilities, generating minimal fix patches, detecting sensitive data in agent I/O, and producing compliance reports.
This skill provides lightweight security features from chat. For full real-time protection — live process monitoring, network inspection, I/O interception, prompt injection detection (55+ patterns), behavioral analysis, and automated quarantine — install the ClawSecurity desktop app.
Available for Linux (.deb, .rpm, .AppImage), macOS (Apple Silicon + Intel .dmg), and Windows (.msi, .exe).
| Feature | Skill (this) | Desktop App |
|---|---|---|
| Code vulnerability scanning | Yes | Yes |
| Fix patch generation | Yes | Yes |
| Security reports | Yes | Yes |
| Sensitive data detection (on-demand) | Yes | Yes |
| Live process monitoring | — | Yes |
| Live network inspection | — | Yes |
| Real-time I/O interception | — | Yes |
| Prompt injection detection (55+ patterns) | — | Yes |
| DLP — data loss prevention | — | Yes |
| Automated quarantine (suspend/kill) | — | Yes |
| Policy engine (programmable rails) | — | Yes |
| OWASP Agentic Top 10 coverage | Partial | Full |
All API calls use https://api.clawsecurity.io/api/v1. Authenticate with the CLAWSEC_API_KEY environment variable via the Authorization: Bearer $CLAWSEC_API_KEY header.
Scan a repository or directory for vulnerabilities using Semgrep, Trivy, and osv-scanner.
Usage: /clawsec-scan <repo-url-or-path>
API Call:
POST /api/v1/scans
Content-Type: application/json
Authorization: Bearer $CLAWSEC_API_KEY
{ "repoUrl": "<repo-url>" }
Response: Returns a scan_id and queues the scan. Poll GET /api/v1/scans/<scan_id> until status is "completed".
Result fields:
id — Scan IDstatus — queued | running | completed | failedfindingsCount — Total vulnerabilities foundfindings[] — Array of findings with severity, file, line, title, owasp, cweGenerate a minimal security patch for a specific vulnerability finding.
Usage: /clawsec-fix <finding-id>
API Call:
GET /api/v1/fixes/<finding-id>/preview
Authorization: Bearer $CLAWSEC_API_KEY
Response:
fixId — Fix IDredactedPatch — Preview of the patch (redacted for free users)locCount — Lines of code changedconfidence — HIGH | MEDIUM | LOWTo download the full patch (requires Pro or Enterprise subscription):
GET /api/v1/fixes/<fix-id>/patch
Authorization: Bearer $CLAWSEC_API_KEY
Returns a unified diff .patch file.
Generate a comprehensive security assessment report from scan results.
Usage: /clawsec-report <scan-id> [format]
API Call:
GET /api/v1/scans/<scan_id>/report?format=markdown
Authorization: Bearer $CLAWSEC_API_KEY
Formats: json (default), markdown, html, sarif
Report sections:
Detect sensitive data (API keys, secrets, PII) in agent input/output streams.
Usage: /clawsec-monitor <text-to-check>
API Call:
POST /api/v1/dynamic/events
Content-Type: application/json
Authorization: Bearer $CLAWSEC_API_KEY
{
"events": [
{
"type": "stdout",
"content": "<text-to-check>",
"timestamp": "<ISO8601>"
}
]
}
Detection categories: API keys, cloud credentials, private keys, database URIs, authentication tokens, PII (emails, phone numbers, SSNs)
Response: Returns detected sensitive data patterns with category, severity, and redacted preview.
/clawsec-scan . to scan the current project/clawsec-fix <finding-id> for each critical/high finding/clawsec-report <scan-id> markdown for stakeholder distribution| Engine | What It Detects |
|---|---|
| Semgrep | SAST — injection, XSS, auth bypass, insecure crypto, hardcoded secrets |
| Trivy | Dependency CVEs, container misconfigs, IaC security issues |
| osv-scanner | Open-source vulnerability database (OSV) lookup |
| Custom Rules | Anthropic Red Team 2026 disclosures, AI-specific attack patterns |
| Level | Meaning | Action |
|---|---|---|
| CRITICAL | Actively exploitable, data breach risk | Fix immediately |
| HIGH | Significant vulnerability, likely exploitable | Fix within 24h |
| MEDIUM | Moderate risk, requires specific conditions | Fix within 1 week |
| LOW | Minor issue, defense-in-depth improvement | Fix when convenient |
| Free | Pro (Coming Soon) | Enterprise (Coming Soon) | |
|---|---|---|---|
| Security scans | Unlimited | Unlimited | Unlimited |
| Fix patches | — | Included | Unlimited |
| Priority queue | — | Yes | Yes |
| API access | — | — | Full |
| Support | Community | Dedicated |
Sign up at clawsecurity.io.