← Back to Skills Marketplace
69
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install configsafe
Description
Infrastructure configuration auditor — scans Dockerfiles, K8s manifests, Terraform, and CI/CD pipelines for security misconfigurations
README (SKILL.md)
\r \r
ConfigSafe — Infrastructure Configuration Auditor\r
\r ConfigSafe scans infrastructure configuration files for security misconfigurations across Dockerfiles, docker-compose, Kubernetes manifests, Terraform, CI/CD pipelines, and web server configs. It uses regex-based pattern matching against 80+ misconfiguration patterns, lefthook for git hook integration, and produces markdown security reports with CIS benchmark mapping.\r \r
Commands\r
\r
Free Tier (No license required)\r
\r
configsafe scan [file|directory]\r
One-shot configuration security scan of files or directories.\r \r How to execute:\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" scan [target]\r
```\r
\r
**What it does:**\r
1. Accepts a file path or directory (defaults to current directory)\r
2. Auto-detects configuration types (Dockerfile, docker-compose, Kubernetes, Terraform, CI/CD, Nginx/Apache)\r
3. Finds all config files matching known patterns\r
4. Runs 80+ misconfiguration patterns against each file\r
5. Calculates a security score (0-100) per file and overall\r
6. Outputs findings with: file, line number, check ID, severity, description, recommendation\r
7. Exit code 0 if secure (score >= 70), exit code 1 if issues found\r
8. Free tier limited to 5 config files per scan\r
\r
**Example usage scenarios:**\r
- "Scan my infrastructure configs for security issues" -> runs `configsafe scan .`\r
- "Check this Dockerfile for misconfigurations" -> runs `configsafe scan Dockerfile`\r
- "Audit my Kubernetes manifests" -> runs `configsafe scan k8s/`\r
- "Is my Terraform config secure?" -> runs `configsafe scan terraform/`\r
\r
### Pro Tier ($19/user/month -- requires CONFIGSAFE_LICENSE_KEY)\r
\r
#### `configsafe hooks install`\r
Install git pre-commit hooks that scan staged config files before every commit.\r
\r
**How to execute:**\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" hooks install\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Copies lefthook config to project root\r
3. Installs lefthook pre-commit hook\r
4. On every commit: scans all staged config files for misconfigurations, blocks commit if critical/high findings, shows remediation advice\r
\r
#### `configsafe hooks uninstall`\r
Remove ConfigSafe git hooks.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" hooks uninstall\r
```\r
\r
#### `configsafe report [directory]`\r
Generate a markdown security report with findings, severity breakdown, and remediation steps.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" report [directory]\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Runs full scan of the directory\r
3. Generates a formatted markdown report from template\r
4. Includes per-file breakdowns, security scores, CIS benchmark references\r
5. Output suitable for security reviews and compliance audits\r
\r
#### `configsafe benchmark [directory]`\r
Run CIS benchmark checks against infrastructure configurations.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" benchmark [directory]\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Maps findings to CIS Docker Benchmark, CIS Kubernetes Benchmark, and CIS AWS Foundations\r
3. Reports pass/fail status for each benchmark check\r
4. Outputs overall compliance percentage\r
\r
### Team Tier ($39/user/month -- requires CONFIGSAFE_LICENSE_KEY with team tier)\r
\r
#### `configsafe policy [directory]`\r
Enforce organization-specific security policies on infrastructure configurations.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" policy [directory]\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Loads custom policies from ~/.openclaw/openclaw.json (configsafe.config.customPolicies)\r
3. Enforces organization-specific rules (e.g., required labels, forbidden images, mandatory resource limits)\r
4. Combines custom policies with built-in patterns for comprehensive scanning\r
5. Outputs SARIF-compatible results\r
\r
#### `configsafe compliance [directory]`\r
Generate a full compliance report covering CIS and NIST frameworks.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" compliance [directory]\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Runs full scan with all patterns\r
3. Maps findings to CIS Docker Benchmark, CIS Kubernetes Benchmark, CIS AWS Foundations, and NIST 800-190\r
4. Generates comprehensive compliance report with pass/fail per control\r
5. Includes executive summary, detailed findings, and remediation roadmap\r
\r
#### `configsafe status`\r
Show license and configuration information.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" status\r
```\r
\r
## Detected Misconfigurations\r
\r
ConfigSafe detects 80+ misconfiguration patterns across 6 config types:\r
\r
| Category | Examples | Severity |\r
|----------|----------|----------|\r
| **Dockerfile** | Running as root, `latest` tag, ADD vs COPY, exposed sensitive ports, missing health checks, secrets in ENV, curl pipe bash, chmod 777, missing multi-stage builds | Critical/High |\r
| **docker-compose** | privileged: true, host network, Docker socket mount, missing resource limits, plaintext secrets, unbound ports, missing restart policy | Critical/High |\r
| **Kubernetes** | Running as root, privileged containers, missing security context, missing resource limits, hostPath volumes, default namespace, missing probes, allowPrivilegeEscalation | Critical/High |\r
| **Terraform** | Hardcoded credentials, missing encryption, public S3 buckets, open security groups (0.0.0.0/0), missing logging, overly permissive IAM, default VPC | Critical/High |\r
| **CI/CD Pipelines** | Plaintext secrets, PR trigger with write perms, unpinned actions, missing timeout, unrestricted self-hosted runners, artifact upload without expiry | High/Medium |\r
| **Nginx/Apache** | Missing security headers, server tokens enabled, SSL/TLS misconfig, open proxy, missing rate limiting, directory listing enabled | Medium/High |\r
\r
## Configuration\r
\r
Users can configure ConfigSafe in `~/.openclaw/openclaw.json`:\r
\r
```json\r
{\r
"skills": {\r
"entries": {\r
"configsafe": {\r
"enabled": true,\r
"apiKey": "YOUR_LICENSE_KEY_HERE",\r
"config": {\r
"severityThreshold": "high",\r
"customPolicies": [],\r
"excludePatterns": ["**/test/**", "**/examples/**"],\r
"reportFormat": "markdown"\r
}\r
}\r
}\r
}\r
}\r
```\r
\r
## Important Notes\r
\r
- **Free tier** works immediately with no configuration\r
- **All scanning happens locally** -- no code or configs are sent to external servers\r
- **License validation is offline** -- no phone-home or network calls\r
- Pattern matching only -- no AST parsing, no external dependencies\r
- Supports scanning multiple config types in a single pass\r
- Git hooks use **lefthook** which must be installed (see install metadata above)\r
- Exit codes: 0 = secure (score >= 70), 1 = issues found (for CI/CD integration)\r
\r
## Error Handling\r
\r
- If lefthook is not installed and user tries `hooks install`, prompt to install it\r
- If license key is invalid or expired, show clear message with link to https://configsafe.pages.dev/renew\r
- If a file is binary, skip it automatically with no warning\r
- If no config files found in target, report clean scan with info message\r
- If config type cannot be determined, skip the file gracefully\r
\r
## When to Use ConfigSafe\r
\r
The user might say things like:\r
- "Scan my Dockerfile for security issues"\r
- "Check my Kubernetes manifests for misconfigurations"\r
- "Audit my Terraform configs"\r
- "Is my docker-compose file secure?"\r
- "Check my CI/CD pipeline for security problems"\r
- "Generate a security report for my infrastructure"\r
- "Run CIS benchmark checks"\r
- "Set up pre-commit hooks for config scanning"\r
- "Check if my containers are running as root"\r
- "Scan for open security groups in Terraform"\r
- "Are there any hardcoded secrets in my configs?"\r
- "Check my nginx config for security headers"\r
Usage Guidance
ConfigSafe otherwise looks coherent for an offline config scanner, but exercise caution before installing: 1) The license-validation code embeds JWT payloads directly into shell-invoked python/node commands — if an attacker can supply or modify your license key or ~/.openclaw/openclaw.json this could allow code injection during license checks. 2) Hooks install will run the skill's shell scripts on every commit (normal for linters/scanners but remember hooks execute code locally). Recommended actions before installing or enabling hooks: inspect ~/.openclaw/openclaw.json and any license keys you provide; run the skill in an isolated environment (e.g., VM or disposable container) first; consider patching license.sh to parse JSON safely (e.g., pass the payload on stdin to python or use jq with a filename, avoid inlining unescaped JSON into -c strings). If you cannot verify the license source or config file integrity, treat the skill as potentially hazardous and avoid enabling automated hooks on sensitive repos.
Capability Analysis
Type: OpenClaw Skill
Name: configsafe
Version: 1.0.2
ConfigSafe is an infrastructure configuration auditor that scans Dockerfiles, Kubernetes manifests, Terraform, and CI/CD pipelines for security misconfigurations using local regex-based pattern matching. The skill bundle contains standard shell scripts (analyzer.sh, configsafe.sh) and a comprehensive set of detection patterns (patterns.sh) aligned with its stated purpose. It features offline license validation via JWT (license.sh) and integrates with git hooks using lefthook, with no evidence of data exfiltration, unauthorized network calls, or malicious intent.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description, required binaries (git, bash, python3, jq), CLI surface, and files (bash scripts + pattern definitions) align with an offline configuration scanner that offers scans, reports, and git-hook integration. Requested primary credential CONFIGSAFE_LICENSE_KEY is appropriate for Pro/Team features.
Instruction Scope
Runtime instructions and scripts are local and focused on scanning configs and installing lefthook pre-commit hooks. Hooks will run the skill's shell scripts from the skill directory on each commit (expected for a pre-commit scanner) — remember that any pre-commit hook executes arbitrary code during commits, which is normal but worth noting.
Install Mechanism
Install spec only installs the well-known 'lefthook' brew formula, which is a reasonable, low-risk choice for hook management. No archived downloads or unusual external installers are used.
Credentials
The single declared credential (CONFIGSAFE_LICENSE_KEY) is appropriate, but the code reads ~/.openclaw/openclaw.json and will attempt to parse it (SKILL.md lists that config path). The registry metadata above listed 'Required config paths: none', which is inconsistent with the SKILL.md. More importantly, license.sh embeds decoded JWT JSON directly into inline python/node -c commands (and into jq expressions) without safe escaping; a malicious or crafted license value or a tampered ~/.openclaw/openclaw.json could cause command execution or syntax injection during license validation.
Persistence & Privilege
always:false and user-invocable:true. The skill installs lefthook config into repositories when requested and sources its own scripts; it does not request permanent system-wide privileges or modify other skills' configs. Pre-commit hooks will run on commit, which is expected for this functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install configsafe - After installation, invoke the skill by name or use
/configsafe - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Fix: POSIX ERE regex compliance, declare all deps, JWT verification
Metadata
Frequently Asked Questions
What is configsafe?
Infrastructure configuration auditor — scans Dockerfiles, K8s manifests, Terraform, and CI/CD pipelines for security misconfigurations. It is an AI Agent Skill for Claude Code / OpenClaw, with 69 downloads so far.
How do I install configsafe?
Run "/install configsafe" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is configsafe free?
Yes, configsafe is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does configsafe support?
configsafe is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).
Who created configsafe?
It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.2.
More Skills