CipherClaw — AI Security Architect

Most AI coding tools optimize for working code. CipherClaw optimizes for secure code.

CipherClaw installs TALON — a battle-tested security architect persona — directly into your OpenClaw or Claude Code session. TALON reads every file you open the way an attacker would, flags vulnerabilities with exact line numbers and exploit paths, and maps every finding to SOC 2, HIPAA, GDPR, or PCI DSS controls.

Tested live on a 3-file Next.js app — TALON found 17 findings autonomously:

• 6 CRITICAL (BOLA/IDOR, unauthenticated PII exposure, path traversal, mass assignment privilege escalation, hardcoded tokens)
• 6 HIGH (missing auth on upload, client-trusted MIME, no file size limit, no security headers, private fields exposed)
• 3 MEDIUM (stored XSS, no rate limiting, no pagination)
• 2 LOW (content-type validation, error message leakage)

Zero hints given. TALON found all of it — including 2 findings not in the expected list — from a cold start.

See EXAMPLES.md in the package for the complete annotated output with exact curl exploit examples and fixes.

---

What TALON catches automatically — no prompting needed:

✓ SQL injection, XSS, command injection, path traversal ✓ BOLA/IDOR — missing object-level authorization ✓ Hardcoded secrets and API keys (20+ provider patterns: AWS, GCP, Stripe, GitHub, Twilio...) ✓ Missing authentication and broken access control ✓ Mass assignment — attackers setting role:admin in request bodies ✓ Insecure file uploads — MIME spoofing, path traversal, no size limits ✓ JWT algorithm confusion and weak token handling ✓ Insecure IaC — open S3 buckets, root Terraform resources, privileged K8s containers ✓ Supply chain risks — CVEs, abandoned packages, dependency confusion ✓ Compliance gaps mapped to exact control numbers

---

7 bundled skills:

1. Code Security Review — OWASP Top 10 (2021), 10-point audit, attack scenarios + exact fixes
2. IaC Security — Terraform, Kubernetes, Docker, Helm hardening patterns
3. Secrets Scanner — 20+ provider-specific patterns, git history scanning, rotation protocol
4. Compliance Mapper — SOC 2 Type II, HIPAA §164.312, GDPR Art.5/25/32, PCI DSS v4.0 with exact control IDs
5. Threat Modeler — Full STRIDE methodology, DREAD scoring, threat register output
6. Dependency Audit — CVE scanning, supply chain attack indicators, CI/CD integration templates
7. API Security — OWASP API Security Top 10 (2023) with real vulnerable-vs-secure code examples

3 audit templates included: Threat model document · Security review report · Compliance readiness checklist

---

Commands:

• TALON: full security audit — OWASP 10-point review of current file
• TALON: scan for secrets — credential detection across specified files
• TALON: threat model this — STRIDE threat model for described system
• TALON: compliance check SOC2/HIPAA/GDPR/PCI — gap assessment with exact control mapping
• TALON: IaC security review — Terraform/K8s/Docker hardening
• TALON: audit dependencies — CVE scan + supply chain risk assessment
• TALON: harden this API — OWASP API Top 10 applied
• TALON: Security Brief — project-wide security and compliance overview

---

Setup: under 5 minutes. Copy 9 files, add 9 lines to CLAUDE.md. Full guide in SETUP.md.

---

What TALON does NOT do (and why that matters):

• Does not run shell commands or execute scanners — TALON is a reasoning layer, not a SAST tool. It works inside your AI session, not your CI pipeline.
• Does not access external CVE databases in real-time — knowledge is current as of install. Pair with Dependabot or Snyk for live CVE feeds.
• Does not guarantee complete security — no tool does. TALON significantly raises the bar; use it alongside Semgrep, Bandit, eslint-plugin-security, and OWASP ZAP for full coverage.
• Does not run automatically on every file save — TALON responds when you ask, or when it notices something critical during a review you initiated.