🔒
Security Auditor (Agent Zero) — Manual Install Guide
Agent ZeroAdvanced
Prerequisites
- ✓A running Agent Zero instance (v0.9.8 or later)
- ✓SSH access to your VPS
- ✓Docker installed on your VPS
Estimated time: ~20 minutes
Installation Steps
1
Connect to your VPS
SSH into the server where your Agent Zero instance is running.
Terminal
ssh root@your-vps-ip2
Create the plugin directory
Create the plugin directory inside the Agent Zero container for the Security Auditor (Agent Zero) plugin.
Terminal
docker exec agent-zero mkdir -p /a0/usr/plugins/security-auditor/3
Create plugins/security-auditor/plugin.json
Plugin manifest declaring name, version, hooks, and tool registrations
Terminal
docker exec -i agent-zero sh -c 'cat > "/a0/usr/plugins/security-auditor/plugin.json"' << 'BUNDLEOF'
{
"name": "security-auditor",
"version": "1.0.0",
"description": "Security audit specialist with OWASP methodology and CVE checking",
"author": "RunClaw",
"agent_zero_version": ">=0.9.8",
"hooks": [
"agent_init"
],
"tools": [
"vuln_scanner",
"dependency_checker"
],
"dependencies": []
}
BUNDLEOFView file contents/a0/usr/plugins/security-auditor/plugin.json
{
"name": "security-auditor",
"version": "1.0.0",
"description": "Security audit specialist with OWASP methodology and CVE checking",
"author": "RunClaw",
"agent_zero_version": ">=0.9.8",
"hooks": [
"agent_init"
],
"tools": [
"vuln_scanner",
"dependency_checker"
],
"dependencies": []
}4
Create plugins/security-auditor/prompts/system.md
System prompt additions for security audit methodology
Terminal
docker exec agent-zero mkdir -p "/a0/usr/plugins/security-auditor/prompts" && docker exec -i agent-zero sh -c 'cat > "/a0/usr/plugins/security-auditor/prompts/system.md"' << 'BUNDLEOF'
# Security Auditor Plugin
You have the Security Auditor plugin active. You are a specialist in application security, vulnerability assessment, and security best practices.
## Audit Frameworks
### OWASP Top 10 (2021)
| ID | Category | Common Examples |
|----|----------|----------------|
| A01 | Broken Access Control | IDOR, privilege escalation, CORS misconfig |
| A02 | Cryptographic Failures | Plaintext passwords, weak hashing, missing TLS |
| A03 | Injection | SQL injection, XSS, command injection |
| A04 | Insecure Design | Missing threat modeling, business logic flaws |
| A05 | Security Misconfiguration | Default credentials, verbose errors, open ports |
| A06 | Vulnerable Components | Outdated dependencies with known CVEs |
| A07 | Auth Failures | Weak passwords, missing MFA, session issues |
| A08 | Data Integrity Failures | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | Missing audit logs, insufficient monitoring |
| A10 | SSRF | Server-side request forgery, internal network access |
### Severity Classification (CVSS-aligned)
| Severity | CVSS Score | Description |
|----------|-----------|-------------|
| CRITICAL | 9.0-10.0 | Immediate exploitation risk, remote code execution |
| HIGH | 7.0-8.9 | Significant risk, data exposure, auth bypass |
| MEDIUM | 4.0-6.9 | Moderate risk, requires specific conditions |
| LOW | 0.1-3.9 | Minimal risk, informational findings |
| INFO | 0.0 | Best practice recommendation, no immediate risk |
## Audit Standards
- Always classify findings by OWASP category AND severity
- Provide proof-of-concept or exploitation scenario for each finding
- Include specific remediation code, not just descriptions
- Prioritize findings by exploitability and impact
- Note false positives and explain why they were ruled out
BUNDLEOFView file contents/a0/usr/plugins/security-auditor/prompts/system.md
# Security Auditor Plugin
You have the Security Auditor plugin active. You are a specialist in application security, vulnerability assessment, and security best practices.
## Audit Frameworks
### OWASP Top 10 (2021)
| ID | Category | Common Examples |
|----|----------|----------------|
| A01 | Broken Access Control | IDOR, privilege escalation, CORS misconfig |
| A02 | Cryptographic Failures | Plaintext passwords, weak hashing, missing TLS |
| A03 | Injection | SQL injection, XSS, command injection |
| A04 | Insecure Design | Missing threat modeling, business logic flaws |
| A05 | Security Misconfiguration | Default credentials, verbose errors, open ports |
| A06 | Vulnerable Components | Outdated dependencies with known CVEs |
| A07 | Auth Failures | Weak passwords, missing MFA, session issues |
| A08 | Data Integrity Failures | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | Missing audit logs, insufficient monitoring |
| A10 | SSRF | Server-side request forgery, internal network access |
### Severity Classification (CVSS-aligned)
| Severity | CVSS Score | Description |
|----------|-----------|-------------|
| CRITICAL | 9.0-10.0 | Immediate exploitation risk, remote code execution |
| HIGH | 7.0-8.9 | Significant risk, data exposure, auth bypass |
| MEDIUM | 4.0-6.9 | Moderate risk, requires specific conditions |
| LOW | 0.1-3.9 | Minimal risk, informational findings |
| INFO | 0.0 | Best practice recommendation, no immediate risk |
## Audit Standards
- Always classify findings by OWASP category AND severity
- Provide proof-of-concept or exploitation scenario for each finding
- Include specific remediation code, not just descriptions
- Prioritize findings by exploitability and impact
- Note false positives and explain why they were ruled out
5
Create plugins/security-auditor/prompts/instructions.md
Detailed instructions for OWASP audits, vulnerability classification, and remediation
Terminal
docker exec agent-zero mkdir -p "/a0/usr/plugins/security-auditor/prompts" && docker exec -i agent-zero sh -c 'cat > "/a0/usr/plugins/security-auditor/prompts/instructions.md"' << 'BUNDLEOF'
# Security Auditor -- Behavioral Instructions
## Code Audit Workflow
1. **Identify the attack surface** -- What inputs does this code accept? What data does it handle?
2. **Check each OWASP category** -- Systematically test against the Top 10
3. **Classify findings** -- Severity + OWASP category + CVSS-aligned score
4. **Provide remediations** -- Specific code fixes, not generic advice
5. **Prioritize** -- Order findings by severity and exploitability
## What to Look For
### Authentication & Authorization
- [ ] Passwords hashed with bcrypt/argon2 (NOT MD5/SHA-1/SHA-256)
- [ ] Constant-time comparison for secrets (timingSafeEqual)
- [ ] Session tokens with sufficient entropy (>= 128 bits)
- [ ] RBAC/ABAC checks on every protected endpoint
- [ ] JWT signature validation (algorithm confusion attack prevention)
### Input Handling
- [ ] Parameterized queries (no string concatenation in SQL)
- [ ] Input validation on all user-supplied data
- [ ] Output encoding for XSS prevention
- [ ] File upload restrictions (type, size, extension)
- [ ] Path traversal prevention (no user input in file paths)
### Configuration & Infrastructure
- [ ] TLS enforced everywhere (no HTTP fallback)
- [ ] CORS configured restrictively (not wildcard)
- [ ] CSP headers present and restrictive
- [ ] No secrets in source code or logs
- [ ] Error messages don't leak internal details
### Dependencies
- [ ] No known CVEs in direct dependencies
- [ ] Dependencies pinned to specific versions
- [ ] Lock file present and committed
- [ ] Automated dependency update process
## Report Format
For every finding:
```
### [SEVERITY] Finding Title -- OWASP A[XX]
**Location:** file:line or endpoint
**Description:** What the vulnerability is
**Impact:** What an attacker could do
**Proof of Concept:** How to exploit it
**Remediation:**
(nested code block with fix)
**References:**
- [Relevant CVE or documentation link]
```
## Dependency Scanning
When scanning dependencies:
1. Check each package version against known CVE databases
2. Distinguish between direct and transitive dependencies
3. Assess whether the vulnerable code path is actually used
4. Recommend specific version updates
5. Flag any breaking changes in recommended updates
BUNDLEOFView file contents/a0/usr/plugins/security-auditor/prompts/instructions.md
# Security Auditor -- Behavioral Instructions
## Code Audit Workflow
1. **Identify the attack surface** -- What inputs does this code accept? What data does it handle?
2. **Check each OWASP category** -- Systematically test against the Top 10
3. **Classify findings** -- Severity + OWASP category + CVSS-aligned score
4. **Provide remediations** -- Specific code fixes, not generic advice
5. **Prioritize** -- Order findings by severity and exploitability
## What to Look For
### Authentication & Authorization
- [ ] Passwords hashed with bcrypt/argon2 (NOT MD5/SHA-1/SHA-256)
- [ ] Constant-time comparison for secrets (timingSafeEqual)
- [ ] Session tokens with sufficient entropy (>= 128 bits)
- [ ] RBAC/ABAC checks on every protected endpoint
- [ ] JWT signature validation (algorithm confusion attack prevention)
### Input Handling
- [ ] Parameterized queries (no string concatenation in SQL)
- [ ] Input validation on all user-supplied data
- [ ] Output encoding for XSS prevention
- [ ] File upload restrictions (type, size, extension)
- [ ] Path traversal prevention (no user input in file paths)
### Configuration & Infrastructure
- [ ] TLS enforced everywhere (no HTTP fallback)
- [ ] CORS configured restrictively (not wildcard)
- [ ] CSP headers present and restrictive
- [ ] No secrets in source code or logs
- [ ] Error messages don't leak internal details
### Dependencies
- [ ] No known CVEs in direct dependencies
- [ ] Dependencies pinned to specific versions
- [ ] Lock file present and committed
- [ ] Automated dependency update process
## Report Format
For every finding:
```
### [SEVERITY] Finding Title -- OWASP A[XX]
**Location:** file:line or endpoint
**Description:** What the vulnerability is
**Impact:** What an attacker could do
**Proof of Concept:** How to exploit it
**Remediation:**
(nested code block with fix)
**References:**
- [Relevant CVE or documentation link]
```
## Dependency Scanning
When scanning dependencies:
1. Check each package version against known CVE databases
2. Distinguish between direct and transitive dependencies
3. Assess whether the vulnerable code path is actually used
4. Recommend specific version updates
5. Flag any breaking changes in recommended updates
6
Create plugins/security-auditor/tools/vuln_scanner.py
Tool for checking code patterns against vulnerability signatures
Terminal
docker exec agent-zero mkdir -p "/a0/usr/plugins/security-auditor/tools" && docker exec -i agent-zero sh -c 'cat > "/a0/usr/plugins/security-auditor/tools/vuln_scanner.py"' << 'BUNDLEOF'
"""
Tool: VulnScanner
Description: Scan code for common vulnerability patterns
Plugin: security-auditor
Checks source code against known vulnerability patterns including SQL
injection, XSS, command injection, path traversal, and more. Maps
findings to OWASP categories.
"""
from python.helpers.tool import Tool, Response
class VulnScanner(Tool):
"""Scan code for security vulnerability patterns.
Use this tool to check source code against known vulnerability
signatures and OWASP categories.
"""
VULN_PATTERNS = {
"sql_injection": {
"patterns": [
"f'SELECT",
'f"SELECT',
"format("SELECT",
"% (", ".format(",
"string concatenation in query",
],
"owasp": "A03:2021 - Injection",
"severity": "CRITICAL",
},
"xss": {
"patterns": [
"innerHTML",
"document.write",
"dangerouslySetInnerHTML",
"v-html",
],
"owasp": "A03:2021 - Injection",
"severity": "HIGH",
},
"command_injection": {
"patterns": [
"exec(",
"eval(",
"subprocess.call(shell=True",
"os.system(",
"child_process.exec(",
],
"owasp": "A03:2021 - Injection",
"severity": "CRITICAL",
},
"path_traversal": {
"patterns": ["../", "..\\", "path.join(user_input"],
"owasp": "A01:2021 - Broken Access Control",
"severity": "HIGH",
},
"weak_crypto": {
"patterns": ["md5(", "sha1(", "DES", "RC4", "Math.random()"],
"owasp": "A02:2021 - Cryptographic Failures",
"severity": "HIGH",
},
"hardcoded_secrets": {
"patterns": [
"password =",
"api_key =",
"secret =",
"token =",
"AWS_SECRET",
],
"owasp": "A05:2021 - Security Misconfiguration",
"severity": "HIGH",
},
}
async def execute(self, code: str = "", language: str = "auto", **kwargs):
"""Scan code for vulnerability patterns.
Args:
code: Source code to scan
language: Programming language hint (auto, python, javascript, go, etc.)
"""
if not code:
return Response(
message="Please provide source code to scan.",
break_loop=False,
)
line_count = len(code.strip().split("\n"))
findings = []
code_lower = code.lower()
for vuln_type, details in self.VULN_PATTERNS.items():
for pattern in details["patterns"]:
if pattern.lower() in code_lower:
findings.append(
f"- **[{details['severity']}]** Potential {vuln_type.replace('_', ' ')} "
f"-- {details['owasp']}\n"
f" Pattern matched: '{pattern}'"
)
break # One finding per category is enough for initial scan
if findings:
findings_report = "\n".join(findings)
return Response(
message=(
f"## Vulnerability Scan Results\n\n"
f"- **Lines scanned:** {line_count}\n"
f"- **Language:** {language}\n"
f"- **Findings:** {len(findings)}\n\n"
f"### Potential Vulnerabilities\n\n"
f"{findings_report}\n\n"
f"Performing detailed analysis with remediation recommendations."
),
break_loop=False,
)
return Response(
message=(
f"## Vulnerability Scan Results\n\n"
f"- **Lines scanned:** {line_count}\n"
f"- **Language:** {language}\n"
f"- **Findings:** 0\n\n"
f"No known vulnerability patterns detected in initial scan. "
f"Proceeding with deeper analysis of logic flows, auth patterns, "
f"and data handling."
),
break_loop=False,
)
BUNDLEOFView file contents/a0/usr/plugins/security-auditor/tools/vuln_scanner.py
"""
Tool: VulnScanner
Description: Scan code for common vulnerability patterns
Plugin: security-auditor
Checks source code against known vulnerability patterns including SQL
injection, XSS, command injection, path traversal, and more. Maps
findings to OWASP categories.
"""
from python.helpers.tool import Tool, Response
class VulnScanner(Tool):
"""Scan code for security vulnerability patterns.
Use this tool to check source code against known vulnerability
signatures and OWASP categories.
"""
VULN_PATTERNS = {
"sql_injection": {
"patterns": [
"f'SELECT",
'f"SELECT',
"format("SELECT",
"% (", ".format(",
"string concatenation in query",
],
"owasp": "A03:2021 - Injection",
"severity": "CRITICAL",
},
"xss": {
"patterns": [
"innerHTML",
"document.write",
"dangerouslySetInnerHTML",
"v-html",
],
"owasp": "A03:2021 - Injection",
"severity": "HIGH",
},
"command_injection": {
"patterns": [
"exec(",
"eval(",
"subprocess.call(shell=True",
"os.system(",
"child_process.exec(",
],
"owasp": "A03:2021 - Injection",
"severity": "CRITICAL",
},
"path_traversal": {
"patterns": ["../", "..\\", "path.join(user_input"],
"owasp": "A01:2021 - Broken Access Control",
"severity": "HIGH",
},
"weak_crypto": {
"patterns": ["md5(", "sha1(", "DES", "RC4", "Math.random()"],
"owasp": "A02:2021 - Cryptographic Failures",
"severity": "HIGH",
},
"hardcoded_secrets": {
"patterns": [
"password =",
"api_key =",
"secret =",
"token =",
"AWS_SECRET",
],
"owasp": "A05:2021 - Security Misconfiguration",
"severity": "HIGH",
},
}
async def execute(self, code: str = "", language: str = "auto", **kwargs):
"""Scan code for vulnerability patterns.
Args:
code: Source code to scan
language: Programming language hint (auto, python, javascript, go, etc.)
"""
if not code:
return Response(
message="Please provide source code to scan.",
break_loop=False,
)
line_count = len(code.strip().split("\n"))
findings = []
code_lower = code.lower()
for vuln_type, details in self.VULN_PATTERNS.items():
for pattern in details["patterns"]:
if pattern.lower() in code_lower:
findings.append(
f"- **[{details['severity']}]** Potential {vuln_type.replace('_', ' ')} "
f"-- {details['owasp']}\n"
f" Pattern matched: '{pattern}'"
)
break # One finding per category is enough for initial scan
if findings:
findings_report = "\n".join(findings)
return Response(
message=(
f"## Vulnerability Scan Results\n\n"
f"- **Lines scanned:** {line_count}\n"
f"- **Language:** {language}\n"
f"- **Findings:** {len(findings)}\n\n"
f"### Potential Vulnerabilities\n\n"
f"{findings_report}\n\n"
f"Performing detailed analysis with remediation recommendations."
),
break_loop=False,
)
return Response(
message=(
f"## Vulnerability Scan Results\n\n"
f"- **Lines scanned:** {line_count}\n"
f"- **Language:** {language}\n"
f"- **Findings:** 0\n\n"
f"No known vulnerability patterns detected in initial scan. "
f"Proceeding with deeper analysis of logic flows, auth patterns, "
f"and data handling."
),
break_loop=False,
)
7
Create plugins/security-auditor/tools/dependency_checker.py
Tool for checking package versions against known CVEs
Terminal
docker exec agent-zero mkdir -p "/a0/usr/plugins/security-auditor/tools" && docker exec -i agent-zero sh -c 'cat > "/a0/usr/plugins/security-auditor/tools/dependency_checker.py"' << 'BUNDLEOF'
"""
Tool: DependencyChecker
Description: Check package versions against known CVE databases
Plugin: security-auditor
Analyzes project dependencies to identify packages with known
vulnerabilities, outdated versions, and security advisories.
"""
from python.helpers.tool import Tool, Response
class DependencyChecker(Tool):
"""Check project dependencies for known vulnerabilities.
Use this tool to scan package.json, requirements.txt, go.mod, or
similar dependency files for packages with known CVEs.
"""
async def execute(
self,
dependencies: str = "",
ecosystem: str = "npm",
**kwargs,
):
"""Check dependencies for known vulnerabilities.
Args:
dependencies: Dependency list (package@version, one per line or comma-separated)
ecosystem: Package ecosystem (npm, pypi, go, cargo, maven). Default: npm
"""
if not dependencies:
return Response(
message="Please provide a list of dependencies to check (package@version format).",
break_loop=False,
)
# Parse dependency list
deps = []
for line in dependencies.replace(",", "\n").strip().split("\n"):
line = line.strip()
if line and not line.startswith("#"):
deps.append(line)
dep_count = len(deps)
dep_list = "\n".join(f"- {dep}" for dep in deps)
return Response(
message=(
f"## Dependency Security Check\n\n"
f"- **Ecosystem:** {ecosystem}\n"
f"- **Packages to check:** {dep_count}\n\n"
f"### Dependencies\n\n"
f"{dep_list}\n\n"
f"Checking each package version against known CVE databases, "
f"security advisories ({ecosystem} audit, GitHub Security Advisories, "
f"NVD), and end-of-life status. Results will include severity, "
f"CVE IDs, and recommended update versions."
),
break_loop=False,
)
BUNDLEOFView file contents/a0/usr/plugins/security-auditor/tools/dependency_checker.py
"""
Tool: DependencyChecker
Description: Check package versions against known CVE databases
Plugin: security-auditor
Analyzes project dependencies to identify packages with known
vulnerabilities, outdated versions, and security advisories.
"""
from python.helpers.tool import Tool, Response
class DependencyChecker(Tool):
"""Check project dependencies for known vulnerabilities.
Use this tool to scan package.json, requirements.txt, go.mod, or
similar dependency files for packages with known CVEs.
"""
async def execute(
self,
dependencies: str = "",
ecosystem: str = "npm",
**kwargs,
):
"""Check dependencies for known vulnerabilities.
Args:
dependencies: Dependency list (package@version, one per line or comma-separated)
ecosystem: Package ecosystem (npm, pypi, go, cargo, maven). Default: npm
"""
if not dependencies:
return Response(
message="Please provide a list of dependencies to check (package@version format).",
break_loop=False,
)
# Parse dependency list
deps = []
for line in dependencies.replace(",", "\n").strip().split("\n"):
line = line.strip()
if line and not line.startswith("#"):
deps.append(line)
dep_count = len(deps)
dep_list = "\n".join(f"- {dep}" for dep in deps)
return Response(
message=(
f"## Dependency Security Check\n\n"
f"- **Ecosystem:** {ecosystem}\n"
f"- **Packages to check:** {dep_count}\n\n"
f"### Dependencies\n\n"
f"{dep_list}\n\n"
f"Checking each package version against known CVE databases, "
f"security advisories ({ecosystem} audit, GitHub Security Advisories, "
f"NVD), and end-of-life status. Results will include severity, "
f"CVE IDs, and recommended update versions."
),
break_loop=False,
)
8
Create plugins/security-auditor/extensions/agent_init/setup.py
Initialization extension that logs plugin activation on agent start
Terminal
docker exec agent-zero mkdir -p "/a0/usr/plugins/security-auditor/extensions/agent_init" && docker exec -i agent-zero sh -c 'cat > "/a0/usr/plugins/security-auditor/extensions/agent_init/setup.py"' << 'BUNDLEOF'
"""
Extension: agent_init
Plugin: security-auditor
Runs when the agent initializes. Logs activation of the Security Auditor
plugin and sets up runtime state with enabled audit categories.
"""
from python.helpers.log import Log
async def execute(agent, **kwargs):
"""Initialize the Security Auditor plugin."""
Log.info("Security Auditor plugin activated", head="plugin")
Log.info(
"OWASP-based security auditing enabled: code review, dependency scanning, infra assessment",
head="plugin",
)
if not hasattr(agent, "plugin_state"):
agent.plugin_state = {}
agent.plugin_state["security-auditor"] = {
"active": True,
"version": "1.0.0",
"frameworks": ["OWASP Top 10", "NIST CSF", "CWE"],
"severity_levels": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"],
}
BUNDLEOFView file contents/a0/usr/plugins/security-auditor/extensions/agent_init/setup.py
"""
Extension: agent_init
Plugin: security-auditor
Runs when the agent initializes. Logs activation of the Security Auditor
plugin and sets up runtime state with enabled audit categories.
"""
from python.helpers.log import Log
async def execute(agent, **kwargs):
"""Initialize the Security Auditor plugin."""
Log.info("Security Auditor plugin activated", head="plugin")
Log.info(
"OWASP-based security auditing enabled: code review, dependency scanning, infra assessment",
head="plugin",
)
if not hasattr(agent, "plugin_state"):
agent.plugin_state = {}
agent.plugin_state["security-auditor"] = {
"active": True,
"version": "1.0.0",
"frameworks": ["OWASP Top 10", "NIST CSF", "CWE"],
"severity_levels": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"],
}
9
Restart Agent Zero
Restart the Agent Zero container to load the new plugin.
Terminal
docker restart agent-zero10
Verify installation
Open your Agent Zero interface and verify the plugin loads correctly.
Note:Look for "Security Auditor (Agent Zero)" in the available plugins or extensions.
That was 10 steps.
With RunClaw, it's just one click.
Install with RunClawDone reading?
RunClaw handles all of this automatically. Create your first agent in minutes.
Try RunClaw FreeNo credit card required