← Back to Skills Marketplace
427
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install security-audit-hand
Description
自主安全审计 - 定期检查系统安全、发现风险、生成报告
Usage Guidance
This SKILL.md appears coherent for a local security auditor, but it will read configuration files and logs (which may contain API keys or other secrets) and run system/network commands. Before using it: (1) review the SKILL.md line-by-line so you understand what files and commands will be accessed; (2) run the audit in a controlled environment (non-root account or test host) if you are concerned about exposure; (3) back up and/or rotate any secrets that will be inspected if you aren't comfortable exposing them; (4) ensure results are stored locally and not automatically posted to external channels (the config mentions notify_channel like 'feishu' — configure or disable it); (5) be aware memory_recall may surface agent memory contents — remove or restrict that step if needed. Because the skill is instruction-only and makes no installs, the main risk is sensitive-data exposure through the audit steps rather than hidden code. If you want higher assurance, ask the author for an explicit privacy/exfiltration statement or run the procedure manually following the provided commands.
Capability Analysis
Type: OpenClaw Skill
Name: security-audit-hand
Version: 1.0.0
The skill is designed for security auditing, which involves legitimate checks. However, it explicitly instructs the agent to read potentially sensitive files like `~/.openclaw/.api-keys.md` and search `/tmp/openclaw/*.log` for API key patterns (`sk-`, `nvapi-`). While the stated purpose is to identify security risks, these commands directly expose sensitive API keys to the agent's processing context. Additionally, `curl ifconfig.me` makes an external network call to retrieve the public IP. These actions represent risky capabilities that could lead to data exposure, even without explicit instructions for malicious exfiltration, thus classifying it as suspicious.
Capability Assessment
Purpose & Capability
Name/description (periodic security audit) align with the actions in SKILL.md: system info collection, config/log inspection, permission checks and report generation. The file paths and commands referenced are relevant to auditing OpenClaw and host system state.
Instruction Scope
Instructions tell the agent to run shell commands (uname, netstat, curl), query OpenClaw CLI, read ~/.openclaw files (openclaw.json, .api-keys.md), and grep logs in /tmp/openclaw/*.log. Those are reasonable for an audit but access secrets and logs — the SKILL.md grants broad read access to user config and logs which is sensitive. 'memory_recall' usage is runtime-specific and may expose agent memory.
Install Mechanism
No install spec and no code files (prompt-only). This minimizes risk from downloading/executing third-party code; nothing is written to disk by an installer.
Credentials
The skill declares no required env vars or credentials, which is appropriate, but its instructions explicitly read files that likely contain API keys and tokens (e.g., ~/.openclaw/.api-keys.md and openclaw.json). Accessing those secrets is expected for an auditor but is sensitive — the skill does not request explicit consent or mention exfiltration controls.
Persistence & Privilege
always:false and no install steps mean it does not force permanent presence or modify other skills. It relies on agent invocation (normal). It does reference saving history and notification settings in templates, but no mechanism for persisting or self-enabling is provided in the package.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install security-audit-hand - After installation, invoke the skill by name or use
/security-audit-hand - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of security-audit-hand skill.
- Provides scheduled autonomous security audits for systems.
- Includes 16-layer security checks inspired by the OpenFang Security Model.
- Audits system vulnerabilities, configurations, permissions, and logs.
- Assigns risk scores and generates detailed security reports with repair recommendations.
- Offers templates, dashboards, and configurable audit/report settings.
- Supports both manual and automated audit triggers.
Metadata
Frequently Asked Questions
What is Security Audit Hand?
自主安全审计 - 定期检查系统安全、发现风险、生成报告. It is an AI Agent Skill for Claude Code / OpenClaw, with 427 downloads so far.
How do I install Security Audit Hand?
Run "/install security-audit-hand" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Security Audit Hand free?
Yes, Security Audit Hand is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Security Audit Hand support?
Security Audit Hand is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Security Audit Hand?
It is built and maintained by xiaomo (@bandwe); the current version is v1.0.0.
More Skills