
Arc Sentinel

by arc-claw-bot · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 1770
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install arc-sentinel
Description
Security monitoring and infrastructure health checks for OpenClaw agents. Run breach monitoring (HaveIBeenPwned), SSL certificate expiry checks, GitHub security audits, credential rotation tracking, secret scanning, git hygiene, token watchdog, and permission audits. Use when performing security scans, checking credential rotation status, auditing repos for leaked secrets, or monitoring SSL certificates and infrastructure health.
README (SKILL.md)

Arc Sentinel

Security monitoring toolkit for OpenClaw agents. Runs automated checks against your infrastructure and reports issues.

Configuration

Before first use, create sentinel.conf in the skill directory:

cp sentinel.conf.example sentinel.conf

Edit sentinel.conf with your values:

  • DOMAINS — Space-separated list of domains to check SSL certificates
  • GITHUB_USER — GitHub username for repo audits
  • KNOWN_REPOS — Space-separated list of expected repo names (unexpected repos trigger warnings)
  • MONITOR_EMAIL — Email address for HaveIBeenPwned breach checks
  • HIBP_API_KEY — Optional; HIBP v3 API key ($3.50/mo) for automated breach lookups

Also customize credential-tracker.json with your own credentials and rotation policies. A template is provided.

Quick Start

Full scan

cd <skill-dir>
bash sentinel.sh

Output

  • Formatted report to stdout with color-coded severity
  • JSON report saved to reports/YYYY-MM-DD.json
  • Exit codes: 0 = all clear, 1 = warnings, 2 = critical

Checks

1. SSL Certificate Expiry

Check certificate expiry for configured domains. Warns at <30 days, critical at <14 days.

2. GitHub Security

  • List repos and check Dependabot/vulnerability alert status
  • Review recent account activity for anomalies
  • Flag unexpected repositories

3. Breach Monitoring (HaveIBeenPwned)

  • Query HIBP API for breached accounts (requires API key)
  • Falls back to manual check URL if no key is set

4. Credential Rotation Tracking

Read credential-tracker.json and flag credentials that are overdue, approaching expiry, or never rotated. Supports policies: quarterly (90d), 6_months (180d), annual (365d), auto.
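
The rotation check described above, as an added example (not the skill's own code). The tracker field names (`name`, `policy`, `last_rotated`), the 14-day "approaching" window, and the mapping of states onto the exit codes listed under Output are assumptions; the page does not document them.

```python
import json
from datetime import date

# Policy intervals in days, from the README; "auto" has no deadline (assumption).
POLICY_DAYS = {"quarterly": 90, "6_months": 180, "annual": 365, "auto": None}
APPROACHING_DAYS = 14  # assumed warning window; not documented on the page

# Constructed sample tracker; the field names are hypothetical.
SAMPLE_TRACKER = json.loads("""[
  {"name": "github-pat",   "policy": "quarterly", "last_rotated": "2025-01-10"},
  {"name": "hibp-api-key", "policy": "annual",    "last_rotated": "2024-06-25"},
  {"name": "deploy-key",   "policy": "6_months",  "last_rotated": null},
  {"name": "oidc-session", "policy": "auto",      "last_rotated": null},
  {"name": "db-password",  "policy": "quarterly", "last_rotated": "2025-05-20"},
  {"name": "legacy-token", "policy": "monthly",   "last_rotated": "2025-05-01"}
]""")


def classify(entry, today):
    """Return (state, days_left) for one tracker entry."""
    policy = entry.get("policy")
    if policy not in POLICY_DAYS:
        return "unknown_policy", None  # fail closed: surface it, never skip it
    interval = POLICY_DAYS[policy]
    if interval is None:
        return "ok", None
    last = entry.get("last_rotated")
    if not last:
        return "never_rotated", None
    days_left = interval - (today - date.fromisoformat(last)).days
    if days_left < 0:
        return "overdue", days_left
    if days_left <= APPROACHING_DAYS:
        return "approaching", days_left
    return "ok", days_left


def audit(tracker, today):
    """Classify every entry and derive an exit code (0 clear, 1 warn, 2 critical)."""
    critical = {"overdue", "never_rotated", "unknown_policy"}  # assumed mapping
    findings = {e["name"]: classify(e, today) for e in tracker}
    states = {state for state, _ in findings.values()}
    code = 2 if states & critical else 1 if "approaching" in states else 0
    return findings, code


if __name__ == "__main__":
    findings, code = audit(SAMPLE_TRACKER, date(2025, 6, 15))
    print(json.dumps(findings, indent=2), "exit code:", code)
```

The tracker holds only names, policies and dates here; keeping secret values out of it means a report built from it cannot leak them.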

Additional Scripts

| Script | Purpose |
| --- | --- |
| scripts/secret-scanner.sh | Scan repos/files for leaked secrets and API keys |
| scripts/git-hygiene.sh | Audit git history for security issues |
| scripts/token-watchdog.sh | Monitor token validity and expiry |
| scripts/permission-auditor.sh | Audit file and access permissions |
| scripts/skill-auditor.sh | Audit installed skills for security |
| scripts/full-audit.sh | Run all scripts in sequence |

Agent Usage

During heartbeats or on request:

  1. Run bash sentinel.sh from the skill directory
  2. Review output for WARN or CRITICAL items
  3. Report findings to the human if anything needs attention
  4. Update credential-tracker.json when credentials are rotated

Cron Setup

# Weekly Monday 9am
0 9 * * 1 cd /path/to/arc-sentinel && bash sentinel.sh >> reports/cron.log 2>&1

Requirements

  • openssl (SSL checks)
  • gh CLI authenticated (GitHub checks)
  • curl (HIBP)
  • python3 (JSON processing)
Usage Guidance
Arc Sentinel implements a broad set of local checks and contains many scripts that will read sensitive files (SSH keys, AWS credentials, Docker/NPM/Kube configs, other skills' code), and it will write findings, including matched secret strings, into stdout and report files. Before running it:
  1. Review the bundled scripts yourself (they are included) to confirm you accept their behavior.
  2. Do not run as root; run with least privilege or inside an isolated environment (container/VM) to limit exposure.
  3. Remove or sanitize any real credentials in credential-tracker.json before use, and avoid putting API keys/secrets into sentinel.conf unless you understand where reports will be stored/transmitted.
  4. Note that the registry metadata does not list required binaries or env vars even though SKILL.md and the scripts require openssl, gh, curl, python3 and access to many config paths; ask the publisher to correct the metadata.
  5. If you plan to run it on a machine with sensitive secrets, consider running it first in a throwaway VM and inspect the generated reports to ensure they are stored only where you expect.
Capability Analysis
Type: OpenClaw Skill
Name: arc-sentinel
Version: 1.0.0
The OpenClaw AgentSkills bundle 'arc-sentinel' is designed for security monitoring and auditing. It accesses sensitive files (e.g., `~/.ssh`, `~/.aws/credentials`, `~/.config/fulcra/token.json`, `~/.kube/config`) and performs system checks (e.g., `lsof`, `LaunchAgents` review). While these actions are aligned with its stated purpose of security auditing, the `SKILL.md` explicitly instructs the AI agent to `Update credential-tracker.json when credentials are rotated`. This instruction grants the agent file modification capabilities, which, although intended for a benign purpose, represents a risky capability that could be abused if the agent were compromised or given malicious instructions. Additionally, the `sentinel.sh` script makes an external network call to `https://haveibeenpwned.com/api/v3/breachedaccount/` using the configured `MONITOR_EMAIL` and `HIBP_API_KEY`, which is a legitimate security check but involves sending user data to an external service. The `skill-auditor.sh` script, while designed to detect malicious behavior in *other* skills, demonstrates the skill's ability to scan and analyze code across the agent's environment, which is a powerful and potentially risky capability.
Capability Assessment
Purpose & Capability
The name/description (arc-sentinel — SSL, breach checks, GitHub audits, secret scanning, token watchdog, permission audits) match the included scripts, which implement those checks. However registry metadata (no required binaries, no env vars listed) does not declare dependencies that SKILL.md and the scripts explicitly require (openssl, gh, curl, python3). This metadata mismatch is unexpected and should be corrected.
Instruction Scope
Runtime instructions tell the agent to run sentinel.sh which executes multiple scanners that read many sensitive locations (e.g., ~/.ssh, ~/.aws/credentials, ~/.docker/config.json, ~/.kube/config, ~/.config/fulcra/token.json, LaunchAgents, other skills under ~/.openclaw/workspace/skills). The scanners also grep repository contents and git history and will write findings (including matched secret strings) to stdout and JSON/text reports in reports/YYYY-MM-DD.json. There are no explicit steps that upload findings to remote endpoints inside these scripts, but the practice of collecting and saving secrets in local report files is a privacy/exfiltration risk if those reports are later transmitted or accessible. The skill-auditor script will scan other installed skills (reads other skills' files) which is reasonable for an auditor but is broad and should be consented to.
Install Mechanism
No install spec — instruction-only with bundled scripts. This lowers supply-chain risk (nothing downloaded at install time). All code is present in the package, so reviewable before execution.
Credentials
Registry metadata declares no required environment variables or primary credential, yet the code reads environment and configuration (HOME, AWS_ACCESS_KEY_ID, KUBECONFIG, and many files under $HOME). SKILL.md documents HIBP API key as optional, but this (and other credentials) are not declared in the skill metadata. The scripts access many sensitive config paths and may include secret values in reports; requiring explicit declaration of which credentials/configs are needed and why would be expected for a security tool.
Persistence & Privilege
always:false (not force-included) and default model invocation settings are used. The skill does not request to modify other skills' configs or set always:true. It will, however, by default scan the skills directory (~/.openclaw/workspace/skills) which reads other skills' files — that is a privileged read action but appears consistent with its auditing purpose and is not the same as persisting or escalating privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install arc-sentinel
  3. After installation, invoke the skill by name or use /arc-sentinel
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: SSL monitoring, GitHub security audits, breach detection, credential rotation tracking
Metadata
Slug arc-sentinel
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Arc Sentinel?

Security monitoring and infrastructure health checks for OpenClaw agents. Run breach monitoring (HaveIBeenPwned), SSL certificate expiry checks, GitHub security audits, credential rotation tracking, secret scanning, git hygiene, token watchdog, and permission audits. Use when performing security scans, checking credential rotation status, auditing repos for leaked secrets, or monitoring SSL certificates and infrastructure health. It is an AI Agent Skill for Claude Code / OpenClaw, with 1770 downloads so far.

How do I install Arc Sentinel?

Run "/install arc-sentinel" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Arc Sentinel free?

Yes, Arc Sentinel is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Arc Sentinel support?

Arc Sentinel is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Arc Sentinel?

It is built and maintained by arc-claw-bot (@arc-claw-bot); the current version is v1.0.0.
