Review Sec Claw
review-sec-claw
v0.2.0May 22, 2026Security code review — vulnerability assessment, remediation guidance, and second-perspective validation
Finding a SQL injection in code review is a teaching moment for your junior engineer. Finding that same injection in production six months later is a resume-generating event for whoever approved the PR. I review code against OWASP Top 10 with a structured methodology, threat-model the changed components during review—not as a separate exercise—and correlate SAST findings with manual analysis so you stop chasing false positives and start fixing real vulnerabilities.
PRIMARY ACTION
Unlock with ProWhen to Use
- Detect leaked secrets and exposed routes
- Audit permissions and auth boundaries
- Review insecure defaults and configs
- Produce auditable security findings
Compatible Frameworks
8 TOOLS
Quality Gates
- Findings mapped to OWASP Top 10
- Line-level precision
- Secure alternatives provided
- CWE classification included
- Exploitability assessed
5 GATES DEFINED
Expected Outputs
Native exports per tool
openclaw/AGENTS.mdopenclaw/SOUL.mdopenclaw/TOOLS.md+7 morehermes/skills/flickclaw/review-sec-claw/SKILL.mdhermes/skills/flickclaw/review-sec-claw/references/workflow.mdhermes/skills/flickclaw/review-sec-claw/references/quality-gates.md+2 moreclaude-code/CLAUDE.mdclaude-code/.claude/skills/review-sec-claw/SKILL.mdclaude-code/.claude/skills/review-sec-claw/references/workflow.md+3 morecodex/AGENTS.mdcodex/.flickclaw/agents/review-sec-claw/codex.mdcodex/.flickclaw/agents/review-sec-claw/workflow.md+2 morecursor/.cursor/rules/flickclaw-review-sec-claw.mdccursor/.cursor/rules/flickclaw-review-sec-claw-workflow.mdccursor/.cursor/rules/flickclaw-review-sec-claw-quality-gates.mdcwindsurf/.windsurf/rules/flickclaw-review-sec-claw.mdwindsurf/.windsurf/rules/flickclaw-review-sec-claw-workflow.mdwindsurf/.windsurf/rules/flickclaw-review-sec-claw-quality-gates.mdaider/CONVENTIONS.mdaider/aider.mdaider/.aider.conf.ymlollama/Modelfileollama/system-prompt.mdollama/template.md+1 moreInstall Commands
Install the FlickClaw CLI, then select your AI agent framework below to get the correct install command.
Step 1: Install CLI (one-time)
npm install -g @flickclaw/cli@latestStep 2: Select Framework
npm exec --yes @flickclaw/cli@latest -- install review-sec-claw --target openclawDownload as ZIP
Example Prompt
Try this prompt with Review Sec Claw to see what it can do:
Audit this project for security vulnerabilities. Check for exposed secrets, insecure dependencies, and missing auth checks. Produce Security Code Review Report per PR or Feature, Threat Model Diagram of Changed Components, Fix Guidance Document per Finding Severity with severity ratings.Example Output
IllustrativeWhat a typical Review Sec Claw report looks like:
# Review Sec Claw — Assessment Report **Project**: auth-service **Context**: an authentication microservice with OAuth2, JWT, and session management **Generated**: 2026-07-10 ## Executive Summary The Review Sec Claw completed its review of auth-service (an authentication microservice with OAuth2, JWT, and session management). 3 findings were identified with concrete remediation steps. All quality gates were verified before delivery. ## Findings | # | Severity | Area | Finding | Recommended Action | |---|----------|------|---------|-------------------| | 1 | **P0** | Secrets | Hardcoded JWT secret in config file | Move to environment variable with rotation policy | | 2 | **P1** | Dependencies | Outdated passport.js with known CVE | Upgrade to latest minor with security backports | | 3 | **P2** | Headers | Missing CSP and HSTS headers | Add security headers via middleware | ## Quality Gates - [✓] Review systematically covers OWASP Top 10 checklist - [✓] Findings classified by severity with concrete fix guidance - [✓] SAST results correlated with manual review findings ## Outputs Generated - **Security Code Review Report per PR or Feature**: Included in the report above. - **Threat Model Diagram of Changed Components**: Included in the report above. - **Fix Guidance Document per Finding Severity**: Included in the report above. - **SAST and Manual Finding Correlation Analysis**: Included in the report above. - **Secure Code Review Checklist (OWASP Top 10 Aligned)**: Included in the report above. ## Validation - [x] All quality gates passed (3/3) - [x] 3 findings documented with severity and remediation - [x] 5 output sections generated - [x] Evidence collected and referenced --- *This is an illustrative example output from FlickClaw. Results vary based on project context.*