elixir-security-review

Reviews Elixir code for security vulnerabilities including code injection, atom exhaustion, and secret handling. Use when reviewing code handling user input, external data, or sensitive configuration.

install
source · Clone the upstream repo
git clone https://github.com/openclaw/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/anderskev/elixir-security-review" ~/.claude/skills/clawdbot-skills-elixir-security-review && rm -rf "$T"
manifest: skills/anderskev/elixir-security-review/SKILL.md
source content

Elixir Security Review

Quick Reference

| Issue Type | Reference |
| --- | --- |
| Code.eval_string, binary_to_term | references/code-injection.md |
| String.to_atom dangers | references/atom-exhaustion.md |
| Config, environment variables | references/secrets.md |
| ETS visibility, process dictionary | references/process-exposure.md |

Review Checklist

Critical (Block Merge)

  • No Code.eval_string/1 on user input
  • No :erlang.binary_to_term/1 on untrusted data; decode with :erlang.binary_to_term/2 and the [:safe] option, which refuses new atoms, funs and external references (it does not bound the size of the decoded term, so cap the input length as well)
  • No String.to_atom/1 on external input; use String.to_existing_atom/1 checked against a known set of atoms
  • No hardcoded secrets in source code
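The three Critical items side by side, each as the pattern the skill blocks next to a safe replacement. This is an example added by the editor, not code from the skill or its reference files; the module name, the 64 KiB payload cap and the status allow-list are assumptions chosen for illustration.

```elixir
defmodule ElixirSecurityReview.CriticalExamples do
  @moduledoc """
  Editor-added examples for the Critical checklist. Not part of the skill.
  Each pair shows the pattern the skill blocks next to a safe replacement.
  """

  # --- Code.eval_string ----------------------------------------------------

  # VULNERABLE: a request parameter such as ~s|System.cmd("rm", ["-rf", "/"])|
  # runs with the full privileges of the VM.
  def calc_unsafe(expr) when is_binary(expr) do
    {result, _binding} = Code.eval_string(expr)
    result
  end

  # SAFE: accept only the grammar the feature needs ("<int> <op> <int>") and
  # dispatch with pattern matching; nothing from the input is ever evaluated.
  def calc(expr) when is_binary(expr) do
    with [a, op, b] <- String.split(expr, " ", trim: true),
         {x, ""} <- Integer.parse(a),
         {y, ""} <- Integer.parse(b) do
      apply_op(op, x, y)
    else
      _ -> {:error, :invalid_expression}
    end
  end

  defp apply_op("+", x, y), do: {:ok, x + y}
  defp apply_op("-", x, y), do: {:ok, x - y}
  defp apply_op("*", x, y), do: {:ok, x * y}
  defp apply_op(_, _, _), do: {:error, :unsupported_operator}

  # --- :erlang.binary_to_term ---------------------------------------------

  # VULNERABLE: attacker-controlled bytes can mint atoms (never garbage
  # collected) and encode funs that the application may later call.
  def decode_unsafe(bin) when is_binary(bin), do: :erlang.binary_to_term(bin)

  # SAFER: [:safe] refuses new atoms, funs and external references. It does
  # NOT limit how much memory the decoded term may take, so size-cap the
  # input first (64 KiB is an assumed limit; pick one for your payloads).
  @max_payload 64 * 1024

  def decode(bin) when is_binary(bin) and byte_size(bin) > @max_payload,
    do: {:error, :payload_too_large}

  def decode(bin) when is_binary(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :malformed_or_unsafe_term}
  end

  # --- String.to_atom ------------------------------------------------------

  # Atoms listed here are created at compile time, which is exactly the
  # "compile-time constants" case the skill does not flag.
  @allowed_statuses [:active, :suspended, :deleted]

  # VULNERABLE: every distinct value the caller sends becomes a new atom and
  # stays resident until the atom table limit (default 1,048,576) is hit and
  # the VM crashes.
  def status_unsafe(input) when is_binary(input), do: String.to_atom(input)

  # SAFE: only atoms that already exist can be returned, and the result is
  # additionally checked against the allow-list, so "Elixir.System" or any
  # other pre-existing atom cannot sneak through as a status.
  def status(input) when is_binary(input) do
    atom = String.to_existing_atom(input)
    if atom in @allowed_statuses, do: {:ok, atom}, else: {:error, :unknown_status}
  rescue
    ArgumentError -> {:error, :unknown_status}
  end
end

# Usage, run with `elixir critical_examples.exs`:
alias ElixirSecurityReview.CriticalExamples, as: Ex
IO.inspect(Ex.calc("6 * 7"), label: "calc")                     # {:ok, 42}
IO.inspect(Ex.calc("System.halt()"), label: "calc")             # {:error, :invalid_expression}
IO.inspect(Ex.decode(:erlang.term_to_binary(%{id: 1})), label: "decode")
IO.inspect(Ex.status("deleted"), label: "status")               # {:ok, :deleted}
IO.inspect(Ex.status("Elixir.System"), label: "status")         # {:error, :unknown_status}
```

If the project already depends on plug_crypto, Plug.Crypto.non_executable_binary_to_term/2 is the usual drop-in for the decode case: it applies [:safe] and additionally rejects terms that contain funs anywhere inside them.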

Major

  • ETS tables use appropriate access controls
  • No sensitive data in process dictionary
  • No dynamic module creation from user input
  • Path traversal prevented in file operations
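Two of the Major items, ETS access control and path traversal, worked through in one module. This is an example added by the editor and not part of the skill; the upload root, the table names and the module name are assumptions.

```elixir
defmodule ElixirSecurityReview.MajorExamples do
  @moduledoc """
  Editor-added examples for two Major checklist items: ETS access control and
  path traversal. Not part of the skill. The upload root below is assumed.
  """
  use GenServer

  # --- ETS visibility ------------------------------------------------------

  # The pattern the skill flags under "ETS :public": a public, named table
  # holding session tokens. Any process on the node (a crashed worker, a
  # remote IEx shell, observer) can read and overwrite every row.
  def new_public_table, do: :ets.new(:sessions_public, [:named_table, :public])

  # SAFE: a :private table owned by this server. Reads and writes must go
  # through the GenServer API, so access control lives in one place.
  def start_link(opts \\ []), do: GenServer.start_link(__MODULE__, opts, name: __MODULE__)

  def put_token(user_id, token), do: GenServer.call(__MODULE__, {:put, user_id, token})
  def fetch_token(user_id), do: GenServer.call(__MODULE__, {:fetch, user_id})

  @impl true
  def init(_opts) do
    # :private: even :ets.lookup/2 from another process raises ArgumentError.
    # :protected (the default) would still let every process read the rows.
    {:ok, :ets.new(:sessions, [:set, :private])}
  end

  @impl true
  def handle_call({:put, user_id, token}, _from, table) do
    true = :ets.insert(table, {user_id, token})
    {:reply, :ok, table}
  end

  def handle_call({:fetch, user_id}, _from, table) do
    reply =
      case :ets.lookup(table, user_id) do
        [{^user_id, token}] -> {:ok, token}
        [] -> :error
      end

    {:reply, reply, table}
  end

  # --- Path traversal ------------------------------------------------------

  # Assumed upload root; substitute the application's own.
  @upload_root "/var/app/uploads"

  # VULNERABLE: "../../etc/passwd" or an absolute name escapes the root.
  def read_upload_unsafe(name), do: File.read(Path.join(@upload_root, name))

  # SAFE: expand relative to the root, then require the result to stay inside
  # it. Path.expand/2 ignores the base for absolute input, so an absolute
  # name is rejected too. Path.expand does not resolve symlinks; if the
  # upload directory may contain them, check File.lstat/1 on the result.
  def safe_upload_path(name) when is_binary(name) do
    root = Path.expand(@upload_root)
    full = Path.expand(name, root)

    cond do
      String.contains?(name, <<0>>) -> {:error, :invalid_path}
      String.starts_with?(full, root <> "/") -> {:ok, full}
      true -> {:error, :path_traversal}
    end
  end

  def read_upload(name) do
    with {:ok, path} <- safe_upload_path(name), do: File.read(path)
  end
end

# Usage, run with `elixir major_examples.exs` (token value is constructed):
alias ElixirSecurityReview.MajorExamples, as: Ex
{:ok, _pid} = Ex.start_link()
:ok = Ex.put_token(42, "tok_constructed")
IO.inspect(Ex.fetch_token(42), label: "via server")                  # {:ok, "tok_constructed"}
IO.inspect(Ex.safe_upload_path("report.pdf"), label: "relative")     # {:ok, "/var/app/uploads/report.pdf"}
IO.inspect(Ex.safe_upload_path("../../etc/passwd"), label: "dotdot") # {:error, :path_traversal}
IO.inspect(Ex.safe_upload_path("/etc/passwd"), label: "absolute")    # {:error, :path_traversal}
```

The same review question applies to the process dictionary: anything put there with Process.put/2 is visible to any process that can call Process.info/2 on the owner, so tokens and keys belong in a private table or in the GenServer state, not in pdict.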

Configuration

  • Secrets loaded from environment
  • No secrets in config/*.exs committed to git
  • Runtime config used for deployment secrets
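What the three Configuration items look like in practice, as a config/runtime.exs written by the editor for illustration (not one of the skill's files). The application name :my_app, the modules MyAppWeb.Endpoint, MyApp.Repo and MyApp.Mailer, and the variable names are placeholders; the literal API key in the comment is made up.

```elixir
# config/runtime.exs -- editor-added example, not part of the skill.
# This file is evaluated at boot (also inside a release), so the values come
# from the deployment environment instead of being compiled into the artifact.
import Config

# The pattern the checklist flags: a literal secret in a committed config/*.exs.
# Once committed it lives in git history and in every build.
#
#   config :my_app, MyApp.Mailer, api_key: "SG.placeholder-not-a-real-key"
#
# config_env/0 is the Mix env the release was built for; only :prod reads
# secrets from the environment here, so dev and test keep their local config.
if config_env() == :prod do
  # Fail fast at boot with a clear message rather than starting with nil.
  secret_key_base =
    System.get_env("SECRET_KEY_BASE") ||
      raise "environment variable SECRET_KEY_BASE is missing"

  config :my_app, MyAppWeb.Endpoint, secret_key_base: secret_key_base

  # System.fetch_env!/1 raises if the variable is unset: same effect, shorter.
  config :my_app, MyApp.Repo,
    url: System.fetch_env!("DATABASE_URL"),
    pool_size: String.to_integer(System.get_env("POOL_SIZE") || "10")

  config :my_app, MyApp.Mailer, api_key: System.fetch_env!("SENDGRID_API_KEY")
end
```

Two review checks that go with this: the raise messages must name the variable, never echo its value, and any local .env file that feeds these variables has to be in .gitignore, otherwise the secret simply moved from config/prod.exs into a different committed file.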

Valid Patterns (Do NOT Flag)

  • String.to_atom on compile-time constants - Atoms created at compile time are safe; the atom table grows once, not per request
  • Code.eval_string in dev/test - May be needed for tooling (mix tasks, test helpers); still flag it if the evaluated string can reach request data
  • ETS :public tables - Valid when intentionally shared and the contents are not sensitive
  • binary_to_term with :safe - Explicitly safe option used; still check that the input size is bounded, since :safe does not limit term size

Context-Sensitive Rules

| Issue | Flag ONLY IF |
| --- | --- |
| String.to_atom | Input comes from an external source (user, API, file) |
| binary_to_term | Data comes from an untrusted source |
| ETS :public | Table contains sensitive data |

Before Submitting Findings

Use the issue format [FILE:LINE] ISSUE_TITLE for each finding.

Load and follow review-verification-protocol before reporting any issue.