Security Audit Skill

When to use

Run a security audit to identify vulnerabilities in your Clawdbot setup before deployment or on a schedule. Use auto-fix to remediate common issues automatically.

Setup

No external dependencies required. Uses native system tools where available.

How to

Quick audit (common issues)

node skills/security-audit/scripts/audit.cjs

Full audit (comprehensive scan)

node skills/security-audit/scripts/audit.cjs --full

Auto-fix common issues

node skills/security-audit/scripts/audit.cjs --fix

Audit specific areas

node skills/security-audit/scripts/audit.cjs --credentials      # Check for exposed API keys
node skills/security-audit/scripts/audit.cjs --ports            # Scan for open ports
node skills/security-audit/scripts/audit.cjs --configs          # Validate configuration
node skills/security-audit/scripts/audit.cjs --permissions      # Check file permissions
node skills/security-audit/scripts/audit.cjs --docker           # Docker security checks

Generate report

node skills/security-audit/scripts/audit.cjs --full --json > audit-report.json

Output

The audit produces a report with:

Checks Performed

Credentials

• API keys in environment files
• Tokens in command history
• Hardcoded secrets in code
• Weak password patterns

Ports

• Unexpected open ports
• Services exposed to internet
• Missing firewall rules

Configs

• Missing rate limiting
• Disabled authentication
• Default credentials
• Open CORS policies

Files

• World-readable files
• Executable by anyone
• Sensitive files in public dirs

Docker

• Privileged containers
• Missing resource limits
• Root user in container

Auto-Fix

The --fix option automatically:

• Sets restrictive file permissions (600 on .env)
• Secures sensitive configuration files
• Creates .gitignore if missing
• Enables basic security headers

Related skills

• security-monitor - Real-time monitoring (available separately)