
clawSecurityTest

by qinjianfenghzau-wq · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
131 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install clawprepub
Description
Install and configure the security-related plugins required by OpenClaw, including the `ai-assistant-security-openclaw` plugins. Use this skill when you want...
README (SKILL.md)

ClawSentry

Script Functionality

The bundled script (bundle.cjs) performs the following operations:

  1. Plugin Installation: Installs the ai-assistant-security-openclaw plugin for OpenClaw.
  2. Device Fingerprinting: Collects machine identifiers using the node-machine-id library to generate a device fingerprint.
  3. Login Token Creation: Communicates with the authorization API to create a login token.
  4. Login URL Generation: Generates a unique login URL based on the login token.
  5. Local Storage: Stores the login URL, token, and device fingerprint in {baseDir}/.state/login_state.json.
  6. Background Monitoring: Spawns a detached child process to monitor login status for up to 10 minutes.
  7. Configuration Update: Updates OpenClaw plugin configuration with encrypted API keys upon successful login.

Network Endpoints

The script communicates with the following API endpoints:

  • Login Token Creation: /OpenTOP/V1/Console/CreateLoginToken
  • Login Status Check: /OpenTOP/V1/Console/GetLoginTokenIdentity

All communications are conducted over HTTPS.

Local File Operations

The script reads from and writes to the following files:

  • Reads: Machine identifiers via the node-machine-id library
  • Writes:
    • {baseDir}/.state/login_state.json (stores login URL, token, and device fingerprint)
    • {baseDir}/.state/poll_login.log (logs monitoring activity)
    • OpenClaw plugin configuration (updates with encrypted API keys)

Data Collection

The script collects the following data:

  • Device Fingerprint: Generated from machine identifiers for device-binding purposes
  • Login Status: Monitored to determine when the user completes the login process

Install Mechanism

Installation Method

The skill uses a bundled CommonJS script (bundle.cjs) for installation. This script is executed directly to install and configure the ai-assistant-security-openclaw plugin.

Script Source

The bundled script is generated from the source code in the ClawSentry repository. It includes the following third-party libraries:

  • node-machine-id: Used to generate device fingerprints
  • child_process: Used by node-machine-id to query system information

Risk Considerations

  • Bundled Code: The script includes bundled third-party libraries, which may execute system-level operations.
  • System Queries: The script uses the node-machine-id library, which may use child_process to query system information.
  • Network Access: The script communicates with remote API endpoints for authentication.
  • Arbitrary Code Execution: Running bundled scripts from unknown sources can execute arbitrary code on your system.

Security Measures

  • HTTPS Communication: All network requests are conducted over HTTPS to ensure data encryption.
  • Encrypted Storage: Sensitive information (such as API keys) is encrypted before storage.
  • Limited Scope: The script only modifies OpenClaw plugin configurations and creates temporary files in the .state directory.
  • Transparent Operations: All script operations are documented in this file for transparency.

Verification Steps

Before executing the script, you should:

  1. Review Full Script: Examine the complete script code to understand its functionality
  2. Verify Integrity: Check the script's file integrity using a hash if provided
  3. Monitor Execution: Run the script in a controlled environment and monitor its output
  4. Ensure Trust: Only run the script if you trust the source of this skill
  5. Check Permissions: Ensure the script has appropriate file permissions
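
A first pass at steps 1 and 2 can be scripted before bundle.cjs is ever executed. The following is an added example, not code from the skill or from OpenClaw: it hashes the bundle and flags the behaviours this file lists (child_process use, detached spawn, the two auth API paths), and it lists every hostname found in URL literals. The regex patterns and the sample input are assumptions constructed for illustration, and a static scan does not replace reading the full script.

```javascript
// Added example: static pre-execution triage of a bundled skill script.
const crypto = require('crypto');

// Behaviours the listing attributes to bundle.cjs. Patterns are illustrative,
// not exhaustive: a bundle can hide any of these behind string concatenation.
const CHECKS = {
  childProcess: /require\(\s*["'`](?:node:)?child_process["'`]\s*\)/,
  shellExec: /\b(?:execSync|execFileSync|execFile|exec)\s*\(/,
  detachedSpawn: /\bdetached\s*:\s*(?:true|!0)/, // minifiers emit !0 for true
  authApiPaths: /\/OpenTOP\/V1\/Console\/(?:CreateLoginToken|GetLoginTokenIdentity)/,
};

// Accepts a Buffer (hash covers the raw file bytes) or a string.
function triageBundle(source) {
  const text = String(source);
  const findings = {};
  for (const [name, re] of Object.entries(CHECKS)) findings[name] = re.test(text);

  // Hostnames in absolute URL literals: these are what to confirm with the
  // publisher, since SKILL.md names API paths but no host.
  const hosts = new Set();
  for (const m of text.matchAll(/\bhttps?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return {
    sha256: crypto.createHash('sha256').update(source).digest('hex'),
    findings,
    hosts: [...hosts].sort(),
    cleartextUrl: /\bhttp:\/\//i.test(text), // any non-TLS URL contradicts "HTTPS only"
  };
}

// Constructed sample standing in for a bundle; host and command are placeholders.
const SAMPLE = [
  'const cp = require("child_process");',
  'const id = cp.execSync("placeholder-id-command").toString();',
  'const BASE = "https://auth.example.invalid";',
  'post(BASE + "/OpenTOP/V1/Console/CreateLoginToken", { id });',
  'cp.spawn(process.execPath, ["poll.js"], { detached: !0, stdio: "ignore" }).unref();',
].join('\n');

console.log(JSON.stringify(triageBundle(SAMPLE), null, 2));
// Real use: triageBundle(require('fs').readFileSync(pathToBundle))
```

Compare the reported sha256 with a hash published by the skill author, if one exists, and treat any host in the output that the publisher cannot account for as a reason not to run the script.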

Alternative Installation

If you prefer a more controlled installation, you can:

  • Manually install the ai-assistant-security-openclaw plugin
  • Configure the plugin settings through the OpenClaw configuration system
  • Follow the manual setup instructions provided in the plugin documentation

Use Cases

  • Use this skill when you need to install and prepare the ai-assistant-security-openclaw plugins for the OpenClaw environment on the current machine.
  • Trigger this skill when the user mentions requirements such as "install clawSentry / ai-assistant-security-openclaw plugin / 帮我安装clawSentry技能 / 安装clawSentry技能".

Steps

1. Verify Node.js is installed:

Ensure Node.js (version 14 or higher) is installed on the system. You can check with:

node --version

2. Execute the combined script to install plugin and generate login link:

node {baseDir}/scripts/bundle.cjs

After the script completes:

  • The script will display the login URL directly. You can also extract it from the output by looking for the line that starts with [LOGIN_URL]:
  • You can also read the login URL from {baseDir}/.state/login_state.json file (look for the loginUrl field). If the file doesn't exist, try reading it again after a few seconds. If you can't find the files, try looking in .openclaw/skills/ClawSentry/scripts/ directory.
  • Send the login URL to the user along with this message: "After completing login, if you want to check if the installation was successful, please wait one minute and then ask me such as 'view all plugin list / 查看我的本地插件 '"
Usage Guidance
This skill reasonably matches its stated goal (installing a security plugin with an auth flow), but it runs an included Node script that: (1) collects machine identifiers by invoking system commands, (2) spawns a detached background process, (3) stores login tokens and encrypted API keys locally, and (4) communicates with remote auth endpoints whose hostnames are not specified in SKILL.md. Before running it: review the full bundle.cjs source line-by-line (or have a trusted reviewer do so); confirm the remote service hostname(s) and verify TLS endpoints; verify how encryption keys are derived and where decrypted secrets are stored; run the script in an isolated sandbox or VM first; avoid running as an administrative user; and ensure you trust the skill author/source. If you cannot review the code or confirm the endpoints and encryption details, treat this skill as high-risk and do not run it on production or sensitive machines.
Capability Analysis
Type: OpenClaw Skill
Name: clawprepub
Version: 1.0.0

The ClawSentry skill bundle is a legitimate installer for a security monitoring plugin associated with Volcengine (ByteDance). The bundled script `bundle.cjs` performs machine fingerprinting using the `node-machine-id` library, communicates with official endpoints (clawsentry.cn) to facilitate a login flow, and automatically updates the OpenClaw configuration with retrieved API keys. While the script utilizes high-privilege operations such as spawning detached background processes and executing CLI commands to restart the gateway, these actions are transparently documented in `SKILL.md` and are strictly aligned with the stated purpose of automated plugin setup and configuration.
Capability Assessment
Purpose & Capability
The stated purpose (install and configure a security plugin and perform an auth/login flow) matches the script's actions: plugin installation, generation of a login token/URL, device-binding via machine id, and updating plugin configuration. Collecting a device fingerprint for 'device-binding' is plausible for this purpose, but the SKILL.md does not document where the remote service is hosted or how encryption keys are derived/managed, which is an important missing justification.
Instruction Scope
Runtime instructions tell the agent/operator to execute the included bundle.cjs directly. The script executes system commands (via node-machine-id using child_process.exec/execSync), writes login state and logs into a .state directory, spawns a detached background monitoring process for up to 10 minutes, and performs network requests to authentication endpoints. These operations are within the broad goal but are sensitive (machine identifiers, token storage, background process). The SKILL.md lacks details about the remote host(s) used, what exact data is sent, and how long the background process runs/what it can do beyond polling.
Install Mechanism
There is no package-manager install; the skill bundles an executable CommonJS script (bundle.cjs) and instructs running it. Executing a non-reviewed bundled script from an unknown source is higher risk because it can run arbitrary code on the host. The bundle does include third-party code (node-machine-id) and uses child_process; that pattern is expected for machine-id collection but still elevates risk when the bundle origin is unknown.
Credentials
The skill declares no required env vars or credentials, which is consistent with a browser-based auth flow returning a token. However, it collects device identifiers (potentially sensitive), stores tokens and encrypted API keys locally, and updates plugin configuration without declaring how encryption keys are derived or protected. The lack of declared endpoints/hosts and missing explanation for encryption key management are notable omissions.
Persistence & Privilege
The skill does not request always:true and does not claim permanent system-wide changes. It writes files under a .state directory and spawns a detached background monitor for a short duration (claimed up to 10 minutes). Modifying the plugin's own configuration is expected for installation. Still, the background process behavior should be reviewed (what it can do beyond simple polling).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawprepub
  3. After installation, invoke the skill by name or use /clawprepub
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
ClawSentry 1.0.0 - Initial release

  • Installs and configures the `ai-assistant-security-openclaw` plugin for OpenClaw in a single step.
  • Generates a device fingerprint using machine identifiers for secure device binding.
  • Handles secure login flow: creates a login token, generates a unique login URL, and stores authentication state locally.
  • Monitors login status in the background for up to 10 minutes, updating plugin configuration with encrypted API keys on success.
  • All operations and network communications are documented for transparency and security.
Metadata
Slug clawprepub
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is clawSecurityTest?

Install and configure the security-related plugins required by OpenClaw, including the `ai-assistant-security-openclaw` plugins. Use this skill when you want... It is an AI Agent Skill for Claude Code / OpenClaw, with 131 downloads so far.

How do I install clawSecurityTest?

Run "/install clawprepub" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is clawSecurityTest free?

Yes, clawSecurityTest is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does clawSecurityTest support?

clawSecurityTest is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created clawSecurityTest?

It is built and maintained by qinjianfenghzau-wq (@qinjianfenghzau-wq); the current version is v1.0.0.
