openguardrails/skills/thomas-security
skills/thomas-security/SKILL.md
<!-- Copyright (c) 2026 OpenGuardrails.com Author: thomas-security <[email protected]> SPDX-License-Identifier: Apache-2.0 --> --- name: thomas-security description: | Use this skill when the user asks you to check, scan, audit, or red-team the security of an AI agent — either yourself, another agent installed on the same machine (OpenClaw, Claude Code, Cursor, Hermes), or a remote agent endpoint. Triggered by phrases like "give my agent a security check", "scan yourself
$ install --global
skillsauthnpx skillsauth add openguardrails/openguardrails skills/thomas-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 23, 2026, 10:59 AM148.1s1 file scanned
SKILL.md
<!--
Copyright (c) 2026 OpenGuardrails.com
Author: thomas-security <[email protected]>
SPDX-License-Identifier: Apache-2.0
-->
name: thomas-security
description: |
Use this skill when the user asks you to check, scan, audit, or
red-team the security of an AI agent — either yourself, another
agent installed on the same machine (OpenClaw, Claude Code, Cursor,
Hermes), or a remote agent endpoint. Triggered by phrases like
"give my agent a security check", "scan yourself for malicious
skills", "red-team my agent at <url>", "can I trust this MCP
server", or anything that names
name: thomas-security
description: |
Use this skill when the user asks you to check, scan, audit, or
red-team the security of an AI agent — either yourself, another
agent installed on the same machine (OpenClaw, Claude Code, Cursor,
Hermes), or a remote agent endpoint. Triggered by phrases like
"give my agent a security check", "scan yourself for malicious
skills", "red-team my agent at <url>", "can I trust this MCP
server", or anything that names thomas / thomas-security.
Invokes the thomas CLI.
thomas-security — Agent Security Skill
You are being invoked because the user wants an AI agent audited.
thomas is an agentic security CLI that runs security checkups and
red-team tests against AI agents. This skill is a thin wrapper: your
job is to run the CLI correctly, interpret the results, and explain
them to the user in plain language.
The subject of the audit may be:
- Yourself — the user is asking you to self-exam. Treat this as the default when the user says "this agent" without pointing elsewhere.
- Another agent on the same machine — e.g., you are Claude Code and the user has OpenClaw or Hermes installed and wants that one checked.
- A remote agent endpoint — the user will provide a URL or a shell command that speaks the target's protocol.
If the request is ambiguous, ask which before running anything. Checkups are read-only; red-team is not — always confirm the target.
Prerequisite
The thomas binary must be installed. If thomas --version fails:
npm install -g @openguardrails/thomas-security
Do not substitute a different tool. If install fails, stop and tell the user.
Decide which subcommand
| User intent | Run |
| ---------------------------------------------- | ------------------------ |
| "Check / scan / audit / health-check my agent" | thomas scan --json |
| "Red-team / pentest / attack my agent" | thomas redteam ... |
| "Install thomas into my agent" | thomas integrate ... |
When in doubt, start with scan. It's safe and read-only.
scan — static security checkups
thomas scan --json
- Walks the usual install locations (
~/.claude,~/.openclaw,~/.cursor,~/.config/*mcp*, the current project) and matches installed skills / plugins / MCP configs / lockfiles against the checkup rules shipped in thethomas-securityrepo. - Output: one JSON object with a
findings[]array. - Exit codes:
0clean ·2findings below threshold ·3findings at/above threshold ·1tool error.
Reporting:
- Count by severity. Preserve severity strings verbatim.
- For each
criticalfinding, stop and surface it before suggesting remediation. Do not auto-remediate. - If zero findings, say so plainly. Don't invent reassurance.
redteam — dynamic red-team run
thomas redteam --target <target> --suite <suite> --json
<target> is one of:
- HTTP endpoint:
https://my-agent.example/chatacceptingPOST { "prompt": "..." }→{ "response": "..." } - Shell command:
cmd:bun my-agent.ts(stdin → stdout)
Only run this against targets the user owns and has explicitly asked you to test. Attack prompts are loud in logs. Confirm the target with the user before the first run.
Failures (findings[] entries) mean the target fell for a known
attack. Quote title and evidence verbatim — don't paraphrase.
integrate — drop a thomas hook into another agent
thomas integrate skill— print a portableSKILL.mdthomas integrate plugin— print a plugin manifest for OpenClaw-family hoststhomas integrate sdk— print a TypeScript SDK snippet
Emit directly to the user's chosen destination. Don't commit to their repo without asking.
Reporting back to the user
Three parts, terse:
- One-sentence verdict. "Clean." or "1 critical, 2 high, 3 medium."
- Each critical/high finding as a short paragraph: title, where it was found, what to do. One paragraph each.
- Optional follow-up. e.g., "Want me to red-team your local dev agent next?"
Do not dump raw JSON unless asked.
What NOT to do
- Do not run
redteamagainst any endpoint the user did not name. - Do not auto-remediate
criticalfindings. Surface, confirm, then act. - Do not invent new checkups or attacks at runtime. New content goes
through a PR against the
thomas-securityrepo — see thecontributeskill. - Do not summarize the open/closed-source split from memory — if the
user asks why some pieces are closed, point them to
docs/PHILOSOPHY.md.
Related Skills
openguardrails/skills/contribute
testing
VerifiedTrustedCommunity
<!-- Copyright (c) 2026 OpenGuardrails.com Author: thomas-security <[email protected]> SPDX-License-Identifier: Apache-2.0 --> --- name: thomas-security-contribute description: | Use this skill when the user asks you to add, draft, or submit a new security checkup, red-team test, or integration to the `thomas-security` repository. Triggered by phrases like "add a checkup for <CVE>", "write a red-team attack for <incident>", "contribute this advisory to thomas", "add an i
338SKILL.mdUpdated Apr 20, 2026
openguardrails/skills/openguardrails
development
VerifiedTrustedCommunity
<!-- Copyright (c) 2026 OpenGuardrails.com Author: thomas-security <[email protected]> SPDX-License-Identifier: Apache-2.0 --> --- name: openguardrails description: | Use this skill when the user asks you to check, scan, test, or audit the security of an AI agent — either yourself, another agent installed on the same machine (e.g., OpenClaw, Hermes, Claude Code, Cursor), or a remote agent endpoint. Triggered by phrases like "give my agent a security check", "scan yoursel
338SKILL.mdUpdated Apr 18, 2026
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026
openclaw/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,764SKILL.mdUpdated Apr 10, 2026