Reckit
Community•Security and Audit•v1.0.0
Bulletproof AI code verification. The agent IS the engine — no external tools required. Spawns parallel verification workers that slop-scan, type-check, mutation-test, and cross-verify before shipping. Language-agnostic. Framework-agnostic. Now with Swift/iOS support. Use when: (1) Building new projects and need verified, tested code ("build X with tests"), (2) Migrating/rebuilding codebases ("rewrite in TypeScript"), (3) Fixing bugs with proof nothing else broke ("fix this bug, verify no regressions"), (4) Auditing existing code quality ("audit this project", "how good are these tests?"), (5) Any request mentioning "reckit", "wreckit", "mutation testing", "verification", "proof bundle", "code audit", or "bulletproof". Produces a proof bundle (.wreckit/) with gate results and Ship/Caution/Blocked verdict.
Venn - Secure Universal MCP (Google Workspace, Jira, GitHub, and more)
Community•Security and Audit•v1.0.0
Search, describe, and execute enterprise tools (Jira, Salesforce, Gmail, Slack, Google Calendar, Google Drive, GitHub, Notion, Box, etc.) via the Venn tool-router REST API. Use when the user asks to: (1) query or search data in enterprise SaaS apps, (2) create, update, or manage records (tickets, emails, calendar events, documents), (3) automate multi-step workflows across connected services, or (4) check what integrations are available. Triggers on phrases like "check my Jira tickets", "search Slack", "create a Salesforce lead", "find emails from X", "sync data between apps", or any reference to connected enterprise tools.
Supabase Vault
Community•Security and Audit•v1.0.0
Replace OpenClaw's local file vault with Supabase Vault for AES-256 encrypted-at-rest secret storage. All API keys and auth tokens stored encrypted in Postgres via pgsodium/libsodium. Bootstrap credentials protected by OS keychain or machine-derived AES-256-GCM (zero external deps). Includes dashboard Integrations tab with connect/migrate/manage UI. Use when: (1) setting up Supabase Vault as the OpenClaw secrets backend, (2) migrating existing secrets from ~/.openclaw/secrets.json to Supabase, (3) managing or adding secrets from the dashboard.
SQL Injection Testing
Community•Security and Audit•v1.0.0
Comprehensive SQL injection vulnerability assessment techniques for web applications, covering detection, exploitation, and defense validation.
Security Review
Community•Security and Audit•v1.0.0
Review code changes for security vulnerabilities. Checks for OWASP Top 10, secrets exposure, injection flaws, auth issues, and insecure defaults. Use when reviewing PRs, commits, or code diffs.
Skill Security Review
Community•Security and Audit•v1.0.0
Review the security of an OpenClaw skill or agent before installation, import, activation, or trust. Use when the user asks whether a skill is safe, asks to review a .skill package, asks whether a GitHub/ClawHub/zip-based skill is safe, or expresses intent to install/import/enable a skill. Default behavior: if the user wants to install a skill, audit first, then present the verdict and ask for confirmation before installing. Focus on data exposure, local command execution, persistence, network access, privilege escalation, destructive behavior, and supply-chain risk.
ShellWard Security Guide
Community•Security and Audit•v1.0.0
OpenClaw security deployment guide: help users secure their OpenClaw installation
Security Scanner
Community•Security and Audit•v1.0.0
Automated security scanning and vulnerability detection for web applications, APIs, and infrastructure. Use when you need to scan targets for vulnerabilities, check SSL certificates, find open ports, detect misconfigurations, or perform security audits. Integrates with nmap, nuclei, and other security tools.
Security Review
Community•Security and Audit•v1.0.0
Run a world-class security assessment before installing any external package, CLI, npm module, Python library, or third-party integration. Produces a GO/NO-GO/CONDITIONAL verdict with source code analysis, CVE search, and data flow review.
Security Network Hardening
Community•Security and Audit•v1.0.0
Audit and harden an OpenClaw host and its network exposure. Use for security checks, hardening, firewall setup, network exposure review, metrics endpoint restriction, OpenClaw gateway security fixes, or step-by-step remediation on a Linux host running OpenClaw.
Security Guard
Community•Security and Audit•v1.0.0
Enforce strict security rules to protect sensitive information (API keys, tokens, credentials, PII, financial data). Always sanitize or refuse to reveal full sensitive data in ANY chat (private or group). Guide users to view sensitive info locally instead. Apply session initialization protocol at start of every session. Use when handling requests involving sensitive data or when user asks to bypass security rules.
Security Best Practices
Community•Security and Audit•v1.0.0
Review code with secure-by-default standards, prioritize exploitable risks, and deliver minimal-diff fixes with evidence and regression checks.
Security Auditor
Community•Security and Audit•v1.0.0
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security Audit Toolkit
Community•Security and Audit•v1.0.0
Audit codebases and infrastructure for security issues. Use when scanning dependencies for vulnerabilities, detecting hardcoded secrets, checking OWASP top 10 issues, verifying SSL/TLS, auditing file permissions, or reviewing code for injection and auth flaws.
Security Audit
Community•Security and Audit•v1.0.0
Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included.
prisma-troubleshoot
Community•Security and Audit•v1.0.0
Troubleshoot Prisma Access issues including GlobalProtect connectivity, policy matching, tunnel status, SCM API errors, and configuration push failures. Use when diagnosing connection problems or configuration issues.
prisma-config
Community•Security and Audit•v1.0.0
Generate Prisma Access configurations for Strata Cloud Manager (SCM). Use when creating security policies, NAT rules, decryption policies, URL filtering profiles, GlobalProtect configs, or any SCM configuration objects.
prisma-audit
Community•Security and Audit•v1.0.0
Audit and validate Prisma Access configurations against best practices and security standards. Use when reviewing security policies, checking for misconfigurations, or validating compliance with PAN-OS best practices and CIS benchmarks.
prisma-api
Community•Security and Audit•v1.0.0
Interact with the Strata Cloud Manager (SCM) API to manage Prisma Access configurations. Authenticate, query, create, update, and delete configuration objects. Use when automating Prisma Access operations or querying live tenant state.
Prisma Access All-in-One
Community•Security and Audit•v1.0.0
All-in-one Prisma Access management for Strata Cloud Manager (SCM). Generate configurations, audit against best practices, migrate between tenants, troubleshoot issues, and automate via SCM API.
Security Hardener
Community•Security and Audit•v1.0.0
Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permissive exec rules, and missing security best practices. Use when asked to audit security, harden configuration, check for vulnerabilities, or secure an OpenClaw deployment.
Janee
Community•Security and Audit•v1.0.0
Secrets management for AI agents. Never expose your API keys again.
Inner Warden Security
Community•Security and Audit•v1.0.0
Security advisor for Inner Warden — validates commands before execution, monitors server health, diagnoses issues. All operations on localhost only.
GitHub Actions Self-Hosted Risk Audit
Community•Security and Audit•v1.0.0
Audit GitHub Actions workflows that use self-hosted runners for untrusted trigger and credential-hardening risks.