Skill

Security Review

Performs security reviews for risky code changes like sensitive file edits, shell commands, dependencies, CI/CD, and secrets using Clawdstrike MCP tools for policy checks.

Docker

CI/CD

security

From clawdstrike

Install

Run in your terminal

npx claudepluginhub backbay-labs/clawdstrike --plugin clawdstrike

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

139.9k

Stats

Parent Repo Stars273

Parent Repo Forks28

Last CommitMar 2, 2026

Actions

View Source View Plugin View on GitHub View README

Security Review

<trigger> This skill activates when the user or conversation involves: - Multi-file edits touching security-sensitive paths (auth, config, credentials, .env, keys) - Shell commands that modify system state, install packages, or change permissions - New dependency additions or version changes - Changes to CI/CD, Docker, or infrastructure configuration - File writes to sensitive directories (/etc, ~/.ssh, ~/.aws, ~/.config) - File reads of sensitive paths (private keys, credential stores, token caches, certificate files) - Any content containing these keywords: "secret", "credential", "API key", "token", "password", "private key", "certificate", ".env", "auth", "permission" </trigger>

Security Checklist

Before proceeding with risky actions, use the clawdstrike_check MCP tool to verify policy compliance:

Pre-flight check: Call clawdstrike_check with the action_type and target before executing
Secret scanning: Verify no secrets, API keys, or credentials are being written to files
Dependency audit: For new dependencies, check for known vulnerabilities
Permission scope: Ensure file operations stay within allowed paths
Shell safety: Validate shell commands against the ShellCommandGuard policy

Action Type Mapping

Use these action_type values when calling clawdstrike_check:

Scenario	action_type	target
Writing/reading files	`file`	Absolute file path
Running shell commands	`shell`	The command string
HTTP/network requests	`egress`	Domain or URL
Installing packages	`shell`	Install command
MCP tool invocation	`mcp_tool`	Tool name

Response Guidelines

When this skill is active:

Proactively call clawdstrike_check before file writes to sensitive paths
Flag potential security issues with severity levels (Critical/High/Medium/Low)
Suggest safer alternatives when an action would be blocked by policy
Reference specific guards that would evaluate the action

Recommended Tools

Use these MCP tools in order of priority when this skill activates:

Tool	When to Use
`clawdstrike_check`	Before any file write, shell command, or egress -- the primary enforcement tool
`clawdstrike_policy_eval`	To test hypothetical actions without executing them -- use for planning
`clawdstrike_policy_show`	To understand which guards are active and what the current restrictions are
`clawdstrike_scan`	To audit all MCP server configs for misconfigurations before a review
`clawdstrike_policy_lint`	To validate policy YAML files for syntax/schema errors

Guard Reference

These guards are evaluated during checks:

ForbiddenPathGuard - Blocks access to sensitive filesystem paths
PathAllowlistGuard - Enforces allowlist-based path access
SecretLeakGuard - Detects secrets/credentials in file content
ShellCommandGuard - Blocks dangerous shell commands
EgressAllowlistGuard - Controls outbound network access
PatchIntegrityGuard - Validates patch/diff safety