---
name: flaw0
description: Security and vulnerability scanner for OpenClaw code, plugins, skills, and Node.js dependencies. Powered by OpenClaw AI models.
version: 1.0.0
author: Tom
homepage: https://github.com/yourusername/flaw0
license: MIT
metadata:
openclaw:
emoji: "š"
category: "security"
tags:
- security
- vulnerability-scanner
- code-analysis
- dependency-checker
- openclaw
---
# flaw0 - Zero Flaws Security Scanner
Security and vulnerability scanner for OpenClaw ecosystems. Analyzes source code, plugins, skills, and Node.js dependencies to detect potential security flaws.
**Goal: Achieve flaw 0** (zero flaws detected) šÆ
## Installation
Install this skill via [ClawHub](https://www.clawhub.ai):
```bash
npx clawhub@latest install flaw0
```
Or install globally via npm:
```bash
npm install -g flaw0
```
## When to Use This Skill
Use **flaw0** to ensure your OpenClaw code and dependencies are secure:
### Before Installing Skills
```bash
# Check a skill before installing
flaw0 scan ~/.openclaw/skills/new-skill
```
### During Development
```bash
# Scan your code as you develop
flaw0 scan src/
# Check dependencies
flaw0 deps
```
### Before Committing
```bash
# Full security audit
flaw0 audit
```
### Auditing OpenClaw Installation
```bash
# Scan all OpenClaw components
flaw0 scan --target all
# Check specific components
flaw0 scan --target skills
flaw0 scan --target plugins
flaw0 scan --target core
```
## Usage
### Basic Commands
#### Scan Code
```bash
# Scan current directory
flaw0 scan
# Scan specific directory
flaw0 scan /path/to/code
# Use specific AI model
flaw0 scan --model claude-opus-4-6
```
#### Check Dependencies
```bash
# Quick dependency scan
flaw0 deps
# Deep scan (entire dependency tree)
flaw0 deps --deep
```
#### Full Security Audit
```bash
# Comprehensive scan (code + dependencies)
flaw0 audit
# Save report to file
flaw0 audit --output report.json
# JSON output for CI/CD
flaw0 audit --json
```
#### Scan OpenClaw Components
```bash
# Scan OpenClaw core
flaw0 scan --target core
# Scan all plugins
flaw0 scan --target plugins
# Scan all skills
flaw0 scan --target skills
# Scan everything
flaw0 scan --target all
```
## What flaw0 Detects
### Code Vulnerabilities (12+ Types)
1. **Command Injection**
- `exec()` with unsanitized input
- Shell command construction with user input
2. **Code Injection**
- `eval()` usage
- `Function()` constructor with strings
3. **SQL Injection**
- String concatenation in SQL queries
- Unparameterized queries
4. **Cross-Site Scripting (XSS)**
- `innerHTML` assignments
- `dangerouslySetInnerHTML` usage
5. **Path Traversal**
- Unvalidated file path operations
- `readFile()` with user input
6. **Hardcoded Secrets**
- API keys in source code
- Passwords and tokens
- AWS credentials
7. **Weak Cryptography**
- MD5 and SHA1 usage
- Weak hashing algorithms
8. **Insecure Randomness**
- `Math.random()` for security operations
- Predictable token generation
9. **Unsafe Deserialization**
- `JSON.parse()` without validation
- Unvalidated input parsing
10. **Missing Authentication**
- API endpoints without auth middleware
- Unprotected routes
### Dependency Issues
1. **Known CVEs** - Vulnerabilities from CVE database
2. **Outdated Packages** - Packages with security updates available
3. **Malicious Packages** - Known malware or suspicious packages
4. **Duplicate Dependencies** - Bloated dependency trees
## Understanding Results
### Flaw Score
Results are reported with a **flaw score** - lower is better:
- **flaw 0** šÆ - Perfect! No issues detected
- **flaw 1-3** š” - Minor issues
- **flaw 4-10** š - Needs attention
- **flaw 10+** š“ - Critical issues
### Score Calculation
Each issue is weighted by severity:
- **Critical**: 3 points
- **High**: 2 points
- **Medium**: 1 point
- **Low**: 0.5 points
**Total flaw score** = sum of all weighted issues (rounded)
### Example Output
#### Clean Code (flaw 0)
```
š flaw0 Security Scan Results
āāāāāāāāāāāāāāāāāāāāāāāāāāāāā
š Result: flaw 0
ā
Status: SECURE
ā No security issues detected!
ā All checks passed
Great job! š
```
#### Issues Found (flaw 12)
```
š flaw0 Security Scan Results
āāāāāāāāāāāāāāāāāāāāāāāāāāāāā
š Result: flaw 12
ā ļø Status: ISSUES FOUND
Code Flaws: 5
āā š“ Critical: 2
āā š High: 1
āā š” Medium: 2
āā āŖ Low: 0
Dependency Flaws: 7
āā š“ Critical CVEs: 3
āā š High CVEs: 2
āā š” Medium: 2
āā āŖ Low: 0
Detailed Report:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
1. [CRITICAL] Command Injection
Location: src/executor.js:78
Code: `exec(\`ls ${userInput}\`)`
Description: Unsanitized exec() call
ā Fix: Use execFile() or validate input
š¤ AI Confidence: high
š” AI Suggestion: Replace exec() with execFile()
and validate input against whitelist
2. [HIGH] Hardcoded API Key
Location: config/api.js:5
Code: `const API_KEY = "sk-1234..."`
Description: API key exposed in source code
ā Fix: Use process.env.API_KEY
3. [CRITICAL] CVE-2024-12345 in lodash@4.17.19
Package: lodash@4.17.19
Description: Prototype pollution vulnerability
ā Fix: npm install lodash@4.17.21
...
```
## AI-Powered Analysis
flaw0 uses OpenClaw's AI models for intelligent code review:
### Available Models
#### claude-sonnet-4-5 (default)
- Balanced speed and accuracy
- Best for most use cases
- Good false positive reduction
```bash
flaw0 scan --model claude-sonnet-4-5
```
#### claude-opus-4-6
- Most thorough analysis
- Deepest context understanding
- Slower but most accurate
```bash
flaw0 scan --model claude-opus-4-6
```
#### claude-haiku-4-5
- Fastest scanning
- Good for quick checks
- Use in CI/CD for speed
```bash
flaw0 scan --model claude-haiku-4-5
```
### AI Features
- **Context-aware analysis** - Understands code flow and context
- **False positive reduction** - Filters out non-issues
- **Confidence scoring** - Rates detection confidence
- **Fix suggestions** - Provides specific remediation steps
## Configuration
### Create Config File
```bash
flaw0 init
```
This creates `.flaw0rc.json`:
```json
{
"severity": {
"failOn": "high",
"ignore": ["low"]
},
"targets": {
"code": true,
"dependencies": true,
"devDependencies": false
},
"exclude": [
"node_modules/**",
"test/**",
"*.test.js"
],
"model": "claude-sonnet-4-5",
"maxFlawScore": 0
}
```
### Configuration Options
- **severity.failOn** - Exit with error on this severity level or higher
- **severity.ignore** - Skip these severity levels
- **targets** - What to scan (code, dependencies)
- **exclude** - File patterns to ignore
- **model** - AI model to use
- **maxFlawScore** - Maximum acceptable flaw score
## CI/CD Integration
### GitHub Actions
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
flaw0:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- name: Install flaw0
run: npm install -g flaw0
- name: Run security scan
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: flaw0 audit
- name: Check flaw score
run: |
SCORE=$(flaw0 audit --json | jq '.flawScore')
if [ "$SCORE" -gt 0 ]; then
echo "ā Flaws detected: flaw $SCORE"
exit 1
fi
echo "ā
No flaws: flaw 0"
```
### Pre-commit Hook
```bash
#!/bin/bash
echo "š Running flaw0 scan..."
flaw0 scan
if [ $? -ne 0 ]; then
echo "ā Flaws detected! Commit blocked."
exit 1
fi
```
## Examples
### Scan Before Installing a Skill
```bash
# Download a skill to review
git clone https://github.com/user/some-skill.git /tmp/some-skill
# Scan it
flaw0 scan /tmp/some-skill
# If flaw 0, safe to install
# If flaw > 0, review issues first
```
### Audit Your OpenClaw Skills
```bash
# Scan all installed skills
flaw0 scan --target skills
# Example output:
# ā clawdex - flaw 0
# ā database-helper - flaw 0
# ā crypto-bot - flaw 3
# ā git-assistant - flaw 0
# Overall: flaw 3
```
### Check Dependencies After Install
```bash
# After installing new packages
npm install some-package
# Check for vulnerabilities
flaw0 deps
```
### Full Project Audit
```bash
# Comprehensive security check
flaw0 audit --output security-report.json
# Review the report
cat security-report.json | jq '.flawScore'
```
## API Usage
Use flaw0 programmatically in your own tools:
```javascript
const Flaw0 = require('flaw0');
const scanner = new Flaw0({
target: './src',
model: 'claude-sonnet-4-5'
});
// Run full scan
const results = await scanner.scan();
console.log(`Flaw Score: ${results.flawScore}`);
if (results.flawScore === 0) {
console.log('ā
No flaws detected!');
} else {
results.codeFlaws.forEach(flaw => {
console.log(`[${flaw.severity}] ${flaw.name}`);
console.log(` Location: ${flaw.file}:${flaw.line}`);
console.log(` Fix: ${flaw.fix}`);
});
}
```
## How It Works
1. **Pattern Matching** - Fast regex-based detection of common vulnerabilities
2. **AI Analysis** - Claude AI reviews each issue in context
3. **False Positive Filtering** - AI identifies and removes non-issues
4. **Dependency Checking** - Integrates with npm audit and CVE databases
5. **Scoring** - Calculates weighted flaw score
6. **Reporting** - Generates detailed, actionable reports
## Tips for Achieving flaw 0
1. **Fix Critical issues first** - Biggest security impact
2. **Update dependencies** - Resolve known CVEs quickly
3. **Use parameterized queries** - Prevent SQL injection
4. **Validate all inputs** - Stop injection attacks
5. **Use environment variables** - No hardcoded secrets
6. **Apply security headers** - Use helmet.js
7. **Implement authentication** - Protect all endpoints
8. **Use strong crypto** - SHA-256 or better
9. **Sanitize output** - Prevent XSS
10. **Review AI suggestions** - Learn from recommendations
## Comparison with Ot
... (truncated)Generate e-commerce product photography and videos.
Post investment ideas to the AI-native investment community.
Generate and send video messages
Expert guide for designing iOS, macOS, watchOS, tvOS, and visionOS apps.