neckr0ik-security-fixer

Auto-fix security vulnerabilities in OpenClaw skills. Works with neckr0ik-security-scanner to automatically remediate hardcoded secrets, shell injection risks, prompt injection, and path traversal issues. Generates secure code replacements and environment variable templates.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.


Install skill "neckr0ik-security-fixer" with this command: npx skills add neckr0ik/neckr0ik-security-fixer

Security Fixer

Automatically fixes security vulnerabilities found by neckr0ik-security-scanner.

Quick Start

# Scan and fix in one command
neckr0ik-security-fixer fix /path/to/skill --auto

# Interactive fix (confirm each change)
neckr0ik-security-fixer fix /path/to/skill

# Generate .env.example only
neckr0ik-security-fixer env /path/to/skill

What This Fixes

Critical Issues (Auto-fixable)

Issue               Fix Applied
Hardcoded Secrets   Replaces with os.environ.get() + generates .env.example
Shell Injection     Converts to subprocess.run() with shell=False
eval/exec           Wraps with safe alternatives or flags for review

High Issues (Auto-fixable)

Issue               Fix Applied
Prompt Injection    Adds sanitization wrapper
Path Traversal      Adds pathlib validation
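The table says a path traversal finding gets "pathlib validation" but the page never shows what that check looks like. The following is an added example written for this page, not code from the fixer; the names safe_join, is_safe_path and PathTraversalError are assumptions. The comparison is made on the resolved path, so ".." segments, absolute paths and symlinks are all caught by the same test rather than by pattern-matching the raw string.

```python
from pathlib import Path

# Added example of a pathlib-based traversal check (assumed names, not the fixer's own).


class PathTraversalError(ValueError):
    """Raised when a user-supplied path escapes the allowed base directory."""


def safe_join(base_dir: str, user_path: str) -> Path:
    """Resolve user_path inside base_dir and refuse anything that escapes it.

    resolve() collapses '..' segments and follows symlinks, so the decision is
    made on the final location, not on the text of the path. An absolute
    user_path replaces base in the join, which is exactly why the check
    happens after resolve() rather than before.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise PathTraversalError(f"{user_path!r} escapes {base}")
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Boolean form of safe_join for callers that only want a verdict."""
    try:
        safe_join(base_dir, user_path)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one benign relative path, two traversal attempts.
    for p in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:22} -> {'allowed' if is_safe_path('uploads', p) else 'REJECTED'}")
```

The base directory does not have to exist for the check to work; resolve() is non-strict by default, so the same function can be used before the skill creates its working directory.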

How It Works

  1. Runs security scan on target skill
  2. For each vulnerability, generates fix
  3. Applies fix automatically (with --auto) or prompts for confirmation
  4. Creates .env.example with detected secret placeholders
  5. Updates .gitignore to exclude .env
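Steps 2 through 5 above, run end to end on a constructed snippet, as an added example written for this page rather than the fixer's own scripts/fixer.py. It handles only the hardcoded-secret case: a regex finds string literals assigned to secret-looking names, each is rewritten to the os.environ.get() form shown later on this page, a .env.example body is rendered, and .env is appended to .gitignore text if missing. The names SECRET_ASSIGNMENT, fix_hardcoded_secrets, render_env_example and ensure_gitignore_env are assumptions, and the environment variable name is derived by upper-casing the Python variable (the page's own example infers OPENAI_API_KEY from the key's prefix, which this simplification does not attempt).

```python
import re

# Added example (assumed names, not the fixer's code). Pure string-in, string-out so it
# can be inspected before anything is written to disk, matching the --dry-run idea.

# Matches `name = "literal"` where the name contains key/token/secret/password and the
# literal is long enough to be a credential rather than a placeholder. Already-fixed
# lines (`= os.environ.get(...)`) do not match, so the rewrite is idempotent.
SECRET_ASSIGNMENT = re.compile(
    r'^(?P<indent>[ \t]*)(?P<name>\w*(?:key|token|secret|password)\w*)[ \t]*=[ \t]*'
    r'(?P<quote>["\'])(?P<value>[^"\'\n]{8,})(?P=quote)[ \t]*$',
    re.IGNORECASE | re.MULTILINE,
)


def fix_hardcoded_secrets(source: str) -> tuple[str, list[str]]:
    """Rewrite each hardcoded secret to an environment lookup.

    Returns the rewritten source and the environment variable names introduced.
    The secret value itself is deliberately not carried into the output, so the
    rewritten file and any report built from it do not leak it.
    """
    env_names: list[str] = []

    def replace(match):
        name = match.group("name")
        env_name = re.sub(r"\W+", "_", name).upper()
        env_names.append(env_name)
        indent = match.group("indent")
        return (
            f'{indent}{name} = os.environ.get("{env_name}")\n'
            f"{indent}if not {name}:\n"
            f'{indent}    raise ValueError("{env_name} environment variable required")'
        )

    fixed = SECRET_ASSIGNMENT.sub(replace, source)
    if env_names and not re.search(r"^import os\b", fixed, re.MULTILINE):
        fixed = "import os\n" + fixed
    return fixed, env_names


def render_env_example(env_names: list[str]) -> str:
    """Template with placeholders only; never the real values."""
    return "".join(f"{n}=your-{n.lower().replace('_', '-')}-here\n" for n in env_names)


def ensure_gitignore_env(gitignore_text: str) -> str:
    """Append a `.env` entry unless an identical entry is already present."""
    if ".env" in (line.strip() for line in gitignore_text.splitlines()):
        return gitignore_text
    sep = "\n" if gitignore_text.strip() else ""
    return gitignore_text.rstrip("\n") + sep + ".env\n"


# Constructed input: two secrets and one innocent string literal.
SAMPLE_SOURCE = """\
import requests

api_key = "sk-abc123def456ghi789"
db_password = 'hunter2hunter2'
timeout = "30 seconds"
"""

if __name__ == "__main__":
    fixed, names = fix_hardcoded_secrets(SAMPLE_SOURCE)
    print(fixed)
    print("--- .env.example ---")
    print(render_env_example(names), end="")
    print("--- .gitignore ---")
    print(ensure_gitignore_env("*.pyc\n"), end="")
</test>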

Example Fixes

Hardcoded API Key

Before:

api_key = "sk-abc123def456..."

After:

import os
api_key = os.environ.get("OPENAI_API_KEY")
if not api_key:
    raise ValueError("OPENAI_API_KEY environment variable required")

Generated .env.example:

OPENAI_API_KEY=your-key-here

Shell Injection

Before:

os.system(f"convert {filename} output.png")

After:

import subprocess
result = subprocess.run(
    ["convert", filename, "output.png"],
    capture_output=True,
    check=True
)
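Why the list form is the fix, as an added example that is not part of the page: the same hostile filename is passed once through a shell-interpolated command string and once as a single list element. The ImageMagick convert binary is swapped for a small Python child that reports its argv, so the demonstration runs on any machine; build_convert_command, argv_seen_by_child and shell_interpolated_stdout are assumed names. The shell=True half assumes a POSIX shell and uses echo so nothing destructive happens.

```python
import json
import os
import subprocess
import sys

# Added example (assumed names). Constructed input: a filename carrying a shell separator.
HOSTILE_NAME = "photo.png; echo INJECTED"
POSIX = os.name == "posix"

# Child program that prints its own argv as JSON so the test can inspect it.
ARGV_ECHO = "import json, sys; print(json.dumps(sys.argv[1:]))"


def build_convert_command(filename: str, output: str = "output.png") -> list[str]:
    """The hardened shape: one list element per argument, no shell involved."""
    # Extra guard: a name starting with '-' would be parsed as an option by most
    # CLI tools even without a shell, so anchor it as a path.
    if filename.startswith("-"):
        filename = "./" + filename
    return ["convert", filename, output]


def argv_seen_by_child(filename: str) -> list[str]:
    """Run the argv-echo child with shell=False and return the arguments it received."""
    cmd = build_convert_command(filename)
    result = subprocess.run(
        [sys.executable, "-c", ARGV_ECHO, *cmd[1:]],  # same arguments, different binary
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


def shell_interpolated_stdout(filename: str) -> str:
    """The 'before' shape: the filename is pasted into a string that a shell parses."""
    if not POSIX:
        return ""
    # `echo` stands in for `convert`; the second command still runs because the
    # shell sees ';' as a separator.
    result = subprocess.run(
        f"echo convert {filename} output.png", shell=True,
        capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    print("shell=False argv:", argv_seen_by_child(HOSTILE_NAME))
    print("shell=True output:", repr(shell_interpolated_stdout(HOSTILE_NAME)))
```

With shell=False the child receives exactly two arguments, the second of which is the whole hostile string; with shell=True the shell runs two commands and the INJECTED line appears in the output.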

Prompt Injection

Before:

prompt = f"User says: {user_input}"

After:

import re
def sanitize_for_prompt(text: str) -> str:
    return re.sub(r'[<>\{\}\[\]\\]', '', text[:1000])

prompt = f"User says: {sanitize_for_prompt(user_input)}"

Commands

fix

neckr0ik-security-fixer fix <skill-path> [options]

Options:
  --auto        Apply all fixes without prompting
  --dry-run     Show what would be fixed without making changes
  --backup      Create .bak files before modifying

env

neckr0ik-security-fixer env <skill-path>

Generates:
  - .env.example (template with placeholders)
  - Updates .gitignore to exclude .env

report

neckr0ik-security-fixer report <skill-path> --format json

Outputs a detailed fix report with:
  - Original vulnerable code
  - Fixed code
  - Files modified
  - Manual review items

Safety Features

  • Backup files created by default (can disable with --no-backup)
  • Dry-run mode shows changes without applying
  • Manual review flagging for complex issues that need human judgment
  • Git integration - shows diff before applying

See Also

  • neckr0ik-security-scanner - Scan for vulnerabilities first
  • references/fix-templates.md - Complete fix template library
  • scripts/fixer.py - Main fixer script
