Repo Security Auditor

Audit GitHub repositories for security vulnerabilities, malicious code patterns, and suspicious behavior. Clone repos, analyze code for backdoors, data exfil...

Verified: 2026-05-15 (clawhub-ingest-2026-05-15+enrich-capability-skill)

When to use Repo Security Auditor

Choose if

You want an agent-driven first-pass security review of a GitHub repo before adoption — covering malicious patterns (network exfil, dynamic execution, obfuscation, crypto refs), dependency vulnerabilities, license compatibility, and a 0-10 verdict. Useful for triaging third-party libraries or scaffolding a clean reimplementation of a low-risk repo.

Avoid if

You need a defense-in-depth security certification or compliance-grade audit — this is a heuristic agent skill, not an accredited SAST/SCA pipeline. Also avoid when the workload is enterprise monorepo scale; the README describes single-repo clone-and-scan flows.

Risk Flags

  • MEDIUM (scope): the README does not disclose the precise pattern catalog or false-positive rates; risk scores are heuristic (0-10, weighted across six categories), not authoritative. Agents should treat the verdict as triage, not a security certification.
  • LOW (runtime): the README references `npm audit` and `safety` for dependency scanning but does not state which runtimes (Node, Python) must be present for those subscanners to work. Sandboxed environments without them may produce partial reports.

Cost

Type: Free

Distribution

ClawHub: repo-security-auditor

License

MIT-0