senior-fullstack Security Audit Report

🔭 Continuously monitored by ClawSecure Watchtower

Source:

SHA-256:

senior-fullstack is a Other skill for the OpenClaw ecosystem, created by alirezarezvani. ClawSecure audited this skill through our 3-Layer Audit Protocol covering all 10 OWASP ASI Top 10 categories. This skill received a security score of 80/100, qualifying for ClawSecure Verified status. The audit identified 4 findings across the scan's three security layers.

What does a score of 80 mean?

A security score of 80/100 places this skill in the Safe range. Skills scoring 80 or above qualify for ClawSecure Verified status, indicating they passed our comprehensive audit with minimal or no security concerns. ClawSecure calculates scores using a weighted deduction model: critical findings deduct 20 points, high-severity findings deduct 10, medium-severity 5, and low-severity 2. A perfect score of 100 means no findings were detected across all three audit layers.

3-Layer Audit Protocol

Security Recommendations for senior-fullstack

Pin npm dependencies to exact versions

Unpinned dependencies allow supply chain attacks where a compromised package version is automatically pulled into your skill. Use exact version numbers in package.json (e.g., 1.2.3 instead of ^1.2.3) to prevent unauthorized code from entering your dependency tree. ClawSecure's supply chain scanning checks every dependency against known CVE databases.

Add a config.json permissions manifest

A config.json file declares what permissions your OpenClaw skill needs — file system access, network requests, shell execution, and more. Without it, users have no visibility into what your skill can do before installing. Adding a permissions manifest is the single most impactful security improvement for any OpenClaw skill.

Investigate prompt injection vectors

Prompt injection is one of the most critical threats to AI agent skills. Attackers can embed malicious instructions in content that your skill processes, causing it to take unintended actions. Review all points where your skill processes external content and implement input validation and output filtering.

Review credential handling

Hardcoded credentials in source code are a critical security risk. API keys, tokens, and passwords should never appear in skill files. Use environment variables or secure credential storage instead. If credentials have been committed to a public repository, rotate them immediately — they should be considered compromised.

Related OpenClaw Security Research

The Sleeper Agent Problem: Why Post-Install Behavior Matters→How to Verify Any OpenClaw Skill in 30 Seconds→Securing the OpenClaw Ecosystem: Your Complete Guide→

Related Other Security Audits

2b31b6cb4c57ef0dScore 70/100 b4abd97bcb77151aScore 95/100 understand-anythingScore 75/100 c1cb277f8f4aa143Score 95/100 8ce21d32f8ead424Score 85/100

Scanned on February 7, 2026. senior-fullstack is one of 2,890+ agents audited by ClawSecure from the community-curated awesome-openclaw-skills list and the openclaw/skills repository.

🔍 Scan Another Agent