← Back to Skills Marketplace

ClawHeart Security

Name: ClawHeart Security
Author: tjsdyy

by tjsdyy · GitHub ↗ · v2.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install clawheart-security

Description

让 AI Agent 在对话框里直接驱动本机 ClawHeart 的安全审计、技能鉴定、Agent 凭据治理。当用户问"扫一下 AI 安全"或类似意图时调用 `clawheart` CLI。

README (SKILL.md)

ClawHeart 安全助手

你可以通过 clawheart 命令行调用本机 ClawHeart 服务做 AI 安全审计、技能鉴定、Agent 凭据治理。

前置：用户机器需要安装 ClawHeart CLI（clawheart-cli 或 clawheart，PATH 中可执行）。若 which clawheart 失败，引导用户访问 https://clawheart.live 下载，或跑 curl -fsSL clawheart.live/install.sh | sh。

触发条件 → 命令映射

用户意图（关键词举例）	命令
"扫描安全 / AI 风险 / 检查我的配置"	`clawheart scan --json`
"看看本地的技能 / SKILL.md / Agent 装了什么"	`clawheart skills list --json`
"技能有恶意吗 / 鉴定一下技能"	`clawheart skills scan --all --json`
"我装了哪些 Agent / Claude / Codex / Cursor 在哪"	`clawheart agents list --json`
"MCP server 有哪些"	`clawheart agents mcp --json`
"我的 Provider / API key 配置"	`clawheart providers list --json`
"ClawHeart 整机状态 / 代理在跑吗"	`clawheart status --json`
"引导我设置 / 第一次用"	`clawheart init --json` 然后状态机交互
"备份技能 / 打包技能"	`clawheart skills backup --json`

输出解析规范

所有命令返回顶层 JSON：

{ "ok": true,  "data": { ... } }
{ "ok": false, "error": "..." }

data 的 schema 因命令而异，用户友好的摘要文本不在 JSON 里 —— 你需要根据 data 用自然语言重述。

工作流示例

扫描

跑 clawheart scan --json
从 data.results 里筛 outcome=fail 的项目
优先告知用户严重问题：
- 每项给 id + description + detail + remediation
然后简单提一句"还有 X 个警告 / Y 项通过 / Z 项跳过"
不要逐项列举 skipped — 它们多是"未实现"占位，列出来反而让用户疑惑

技能鉴定

clawheart skills scan --all --json
聚焦 data 数组中 blocked: true 或 score \x3C 60 的技能
给用户列出"危险技能" + 建议（一般是用 clawheart skills backup \x3Cid> 备份后删除）

Agent 列表

clawheart agents list --json
把 data 数组里每个 Agent 的 id + agent_name + config_path + mcp_servers 简洁报给用户

不要做的事

❌ 不要直接读 ~/.clawheart-v2/ 文件 — 必须通过 CLI
❌ 不要替用户输入密码 / API key
❌ skipped 项的 "未实现" 状态不要解读为漏洞或问题
❌ 不要自己尝试 sudo —— 遇到需要权限的提示直接转告用户

CLI 不可用时的兜底

若 clawheart 命令找不到：

ClawHeart CLI 似乎没装。访问 https://clawheart.live 下载，或运行：

macOS / Linux：curl -fsSL https://clawheart.live/install.sh | sh

Windows：iwr https://clawheart.live/install.ps1 -useb | iex

完整命令清单

clawheart scan [--category=\x3CC>] [--ids=\x3CID,...>] [--json]
clawheart skills {list,scan \x3Cid>|--all,backup [\x3Cids>]} [--json]
clawheart agents {list,mcp [--agent=\x3Cid>],rescan} [--json]
clawheart providers {list,add,import,overwrite \x3Cid>} [--json]
clawheart status [--json]
clawheart init [--reset] [--json]
clawheart --version

Usage Guidance

Install only if you intentionally want an agent to drive ClawHeart on your machine. Before use, confirm each scan or inventory command, avoid provider add/import/overwrite and init --reset unless you explicitly requested that change, and review the external ClawHeart CLI installer before running the suggested curl or PowerShell install commands.

Capability Tags

requires-sensitive-credentials

Capability Assessment

ℹ Purpose & Capability

The stated purpose is AI security auditing, skill review, agent discovery, MCP listing, provider configuration review, and credential governance, which matches most documented commands.

⚠ Instruction Scope

The activation examples and command mapping use broad phrases such as scanning AI security or checking configuration, which could cause local agent, skill, MCP, and provider inventory commands to run from ambiguous user intent.

ℹ Install Mechanism

The artifact is a single non-executable SKILL.md, but it recommends installing the external ClawHeart CLI with curl-to-shell or PowerShell iex commands if the CLI is missing.

⚠ Credentials

Local security inventory and provider configuration inspection are purpose-aligned, but they touch sensitive system posture and credential-adjacent data without requiring explicit confirmation before enumeration.

⚠ Persistence & Privilege

The main workflows are read-oriented, but the full command list includes provider add/import/overwrite and init --reset, which can mutate credential or ClawHeart state and are not clearly gated.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install clawheart-security
After installation, invoke the skill by name or use /clawheart-security
Provide required inputs per the skill's parameter spec and get structured output

Version History

v2.0.0

Initial public release. Drives clawheart-cli for AI security scan, skill audit, agent discovery, MCP listing, provider profile listing.

Metadata

Slug clawheart-security

Version 2.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is ClawHeart Security?

让 AI Agent 在对话框里直接驱动本机 ClawHeart 的安全审计、技能鉴定、Agent 凭据治理。当用户问"扫一下 AI 安全"或类似意图时调用 `clawheart` CLI。 It is an AI Agent Skill for Claude Code / OpenClaw, with 57 downloads so far.

How do I install ClawHeart Security?

Run "/install clawheart-security" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ClawHeart Security free?

Yes, ClawHeart Security is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does ClawHeart Security support?

ClawHeart Security is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created ClawHeart Security?

It is built and maintained by tjsdyy (@tjsdyy); the current version is v2.0.0.

More Skills