
CTO×CISO Training

by JohnSmithfan · GitHub · v2.0.0 · MIT-0
Platform: cross-platform · Marketplace flag: ⚠ suspicious
93 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install cto-ciso-training
Description
Jointly with the CTO and CISO, draws up a training plan, runs online assessments, issues digitally signed certificates, and tracks and reports training progress and compliance status in real time.
README (SKILL.md)

SKILL.md: CTO × CISO Joint Training Skill Package

Version: v1.0.0
Co-signed by: CTO (technical standards) + CISO (security compliance)
Depends on skills: ai-company-cto, ai-company-ciso, ai-company-hr (CHO)
Applicable scenarios: training delivery, assessment, certificate issuance, progress tracking
Output directory: knowledge-base/training/


Interface overview

This skill exposes four standard interfaces for the CHO (or another agent) to call:

| Interface | Invocation | Description |
|---|---|---|
| create_training_plan | script call | Generates an executable courseware package from the CHO's training plan |
| conduct_exam | script call | Runs the online assessment and returns the score report |
| issue_certificate | script call | Issues a digitally signed training certificate |
| track_progress | script call | Tracks trainee progress and outputs a status report |

Interface 1: create_training_plan

Purpose: receive the training plan handed over by the CHO and generate the full courseware plus exam questions.

CHO call example

Caller: CHO (sessions_send / sessions_spawn)
Interface script: scripts/create_training_plan.py
Input parameters (JSON):
{
  "plan_id": "PLAN-2026-Q2-001",
  "title": "Q2 all-staff compliance and security training",
  "modules": [
    {
      "module_id": "M1",
      "name": "Compliance and security",
      "owner": "CISO",
      "audience": "all staff",
      "hours": 2,
      "topics": [
        "Data classification and grading",
        "Interpreting compliance red lines R1-R10",
        "Privacy protection operating procedures",
        "Security incident reporting process"
      ]
    },
    {
      "module_id": "M3",
      "name": "Role skills",
      "owner": "CTO",
      "audience": "technical roles",
      "hours": 2,
      "topics": [
        "Secure coding standards (OWASP Top 10)",
        "Code audit process",
        "Key management best practices"
      ]
    }
  ],
  "deadline": "2026-04-30",
  "language": "zh-CN"
}

What the CHO caller must supply

  • plan_id: unique plan ID assigned by the CHO (format: PLAN-YYYY-QX-NNN)
  • modules: the training modules the CHO fixed in phase ①
  • deadline: completion deadline set by the CHO

Returned files (saved under knowledge-base/training/plans/{plan_id}/):

plans/PLAN-2026-Q2-001/
├── courseware_M1.md          # M1 courseware
├── courseware_M3.md          # M3 courseware
├── exam_questions.json       # all exam questions (theory + practical)
├── exam_answer_key.json      # answers and grading criteria
├── schedule.json             # timetable (for COO confirmation)
└── metadata.json             # metadata (creation time / CTO signature / CISO signature)

Internal logic

  1. The CTO generates the technical content (M3) from its topics
  2. The CISO generates the compliance content (M1) from its topics
  3. Each side cross-reviews the other's content (the CISO reviews the technical draft, the CTO reviews the compliance draft)
  4. Standardised exam questions are generated (50 theory multiple-choice questions + 5 practical scenarios)
  5. Everything is packaged and metadata is written out (including the double-signature fields)

Double-signature fields (metadata.json):

{
  "signatures": {
    "CTO": "<base64 signature attesting the accuracy of the technical content>",
    "CISO": "<base64 signature attesting the accuracy of the security and compliance content>"
  },
  "ctos_approved": true,
  "ciso_approved": true
}

Interface 2: conduct_exam

Purpose: run the online assessment, grade it automatically, and output a score report for the CHO to archive.

CHO call example

Interface script: scripts/conduct_exam.py
Input parameters (JSON):
{
  "exam_id": "EXAM-2026-Q2-001",
  "plan_id": "PLAN-2026-Q2-001",
  "candidate_id": "AGENT-CMO-001",
  "candidate_name": "CMO-Agent",
  "candidate_role": "CMO",
  "start_time": "2026-04-15T09:00:00+08:00",
  "duration_minutes": 90,
  "mode": "online"
}

Exam structure (driven by the exam_questions.json produced by create_training_plan):

| Section | Items | Max score | Time | Pass mark |
|---|---|---|---|---|
| Theory (multiple choice) | 50 | 50 | 60 min | ≥ 40 |
| Practical scenarios | 5 | 50 | 30 min | ≥ 37.5 |
| Total | 55 | 100 | 90 min | ≥ 77.5 |

Sample practical scenarios (designed jointly by the CTO and CISO):

  • Scenario A: a SQL injection flaw is found in code; propose a fix (graded by the CTO)
  • Scenario B: a phishing e-mail arrives; judge it and write up the reporting process (graded by the CISO)
  • Scenario C: data classification task; classify 5 files correctly (graded by the CISO)
  • Scenario D: design a least-privilege access-control scheme (graded by the CTO)
  • Scenario E: simulated security incident; walk the full report → respond → review cycle (graded jointly by the CISO and CTO)

Returned files (saved under knowledge-base/training/exams/{exam_id}/):

exams/EXAM-2026-Q2-001/AGENT-CMO-001/
├── score_theory.json         # theory score breakdown
├── score_practical.json      # practical score breakdown
├── score_total.json          # overall score report
├── spd_analysis.json         # SPD analysis (for CQO acceptance)
├── quality_gate_result.json  # quality-gate result (for the CHO's decision)
└── metadata.json             # exam metadata

score_total.json output example

{
  "exam_id": "EXAM-2026-Q2-001",
  "candidate_id": "AGENT-CMO-001",
  "theory_score": 45,
  "practical_score": 42,
  "total_score": 87,
  "pass": true,
  "grade": "Pass",
  "spd": 0.08,
  "theory_detail": {
    "correct": 45,
    "total": 50,
    "weak_areas": ["Key management", "Secure coding"]
  },
  "practical_detail": {
    "scenarios": [
      {"id": "A", "score": 9, "max": 10, "grader": "CTO"},
      {"id": "B", "score": 8, "max": 10, "grader": "CISO"},
      {"id": "C", "score": 8, "max": 10, "grader": "CISO"},
      {"id": "D", "score": 8, "max": 10, "grader": "CTO"},
      {"id": "E", "score": 9, "max": 10, "grader": "CTO+CISO"}
    ]
  },
  "recommendation": "PASS: recommend adding to the qualified-trainee pool"
}
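
The pass rule in the exam-structure table is stricter than the total line suggests: a candidate must clear both section marks, and because 40 + 37.5 = 77.5 the total threshold adds nothing on its own, while a total of 80 built from 50 theory and 30 practical still fails. The following is an added example, not one of the skill's scripts, that applies those rules to per-item results and produces the score_total.json fields; the input shapes (answer sheet, answer key with a topic per question, graded scenario list) and the function names are assumptions made here.

```python
"""Added example, not one of the skill's scripts: apply the conduct_exam pass
rules from the exam-structure table (theory >= 40/50, practical >= 37.5/50,
total >= 77.5/100) to per-item results and produce the fields that
score_total.json carries. Input shapes and function names are assumptions.
"""
THEORY_PASS = 40.0
PRACTICAL_PASS = 37.5
TOTAL_PASS = 77.5      # equals THEORY_PASS + PRACTICAL_PASS by construction


def score_exam(answers: dict, answer_key: dict, scenarios: list) -> dict:
    """answers: {question_id: chosen option}; answer_key: {question_id:
    (correct option, topic)}; scenarios: graded items as in score_practical.json
    ({"id", "score", "max", "grader"}). Returns the score_total.json fields."""
    correct = 0
    wrong_by_topic: dict = {}
    for qid, (option, topic) in answer_key.items():
        if answers.get(qid) == option:
            correct += 1
        else:
            wrong_by_topic[topic] = wrong_by_topic.get(topic, 0) + 1
    theory_score = correct                        # one point per question
    for s in scenarios:                           # reject malformed grading
        if not 0 <= s["score"] <= s["max"]:
            raise ValueError(f"scenario {s['id']}: {s['score']} outside 0..{s['max']}")
    practical_score = sum(s["score"] for s in scenarios)
    total = theory_score + practical_score
    theory_ok = theory_score >= THEORY_PASS
    practical_ok = practical_score >= PRACTICAL_PASS
    # Both section marks are required. Since they sum to TOTAL_PASS, clearing
    # both also clears the total; the reverse is false, so a total-only check
    # would pass a 50 + 30 split that fails the practical section.
    passed = theory_ok and practical_ok and total >= TOTAL_PASS
    weak = sorted(wrong_by_topic, key=lambda t: (-wrong_by_topic[t], t))
    return {
        "theory_score": theory_score,
        "practical_score": practical_score,
        "total_score": total,
        "pass": passed,
        "grade": "Pass" if passed else "Fail",
        "theory_detail": {"correct": correct, "total": len(answer_key),
                          "weak_areas": weak},
        "practical_detail": {"scenarios": scenarios},
        "failed_sections": [n for n, ok in (("theory", theory_ok),
                                            ("practical", practical_ok)) if not ok],
    }


# Constructed sample data: 50 questions cycling through the M1/M3 topics,
# all keyed to option "A" for brevity.
TOPICS = ("Data classification", "Compliance red lines R1-R10",
          "Privacy operations", "Incident reporting",
          "Secure coding", "Code audit", "Key management")
SAMPLE_KEY = {f"Q{i:02d}": ("A", TOPICS[i % len(TOPICS)]) for i in range(1, 51)}
WRONG = {"Q04", "Q11", "Q06", "Q13", "Q20"}       # 2 secure coding, 3 key management
SAMPLE_ANSWERS = {q: ("B" if q in WRONG else "A") for q in SAMPLE_KEY}
SAMPLE_SCENARIOS = [
    {"id": "A", "score": 9, "max": 10, "grader": "CTO"},
    {"id": "B", "score": 8, "max": 10, "grader": "CISO"},
    {"id": "C", "score": 8, "max": 10, "grader": "CISO"},
    {"id": "D", "score": 8, "max": 10, "grader": "CTO"},
    {"id": "E", "score": 9, "max": 10, "grader": "CTO+CISO"},
]


def demo_pass() -> dict:
    """The candidate from score_total.json: 45 + 42 = 87, pass."""
    return score_exam(SAMPLE_ANSWERS, SAMPLE_KEY, SAMPLE_SCENARIOS)


def demo_high_total_fail() -> dict:
    """Perfect theory, weak practical: total 80 clears 77.5 yet the exam fails."""
    perfect = {q: "A" for q in SAMPLE_KEY}
    weak_practical = [dict(s, score=6) for s in SAMPLE_SCENARIOS]
    return score_exam(perfect, SAMPLE_KEY, weak_practical)
```

The failed_sections field is the one a remedial action item needs (A002 in the action_items example reopens a single module), so it is worth keeping in the report even though the page's score_total.json does not show it.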

Quality-gate decision logic (for the CHO to call):

# Produces quality_gate_result.json. The gate requires both a pass rate of
# at least 90% and an average SPD below 0.10, and the action must follow
# the same decision rather than the pass rate alone.
def check_quality_gate(batch_results):
    if not batch_results:
        raise ValueError("empty batch: nothing to judge")
    pass_rate = sum(1 for r in batch_results if r["pass"]) / len(batch_results)
    avg_spd = sum(r["spd"] for r in batch_results) / len(batch_results)
    pass_gate = pass_rate >= 0.90 and avg_spd < 0.10
    return {
        "pass_gate": pass_gate,
        "pass_rate": round(pass_rate, 3),
        "avg_spd": round(avg_spd, 4),
        "action": "UNLOCK_NEXT_PHASE" if pass_gate else "REOPEN_BATCH"
    }

Interface 3: issue_certificate

Purpose: issue a digitally signed training certificate to candidates who passed the exam, with support for chained evidence records.

CHO call example

Interface script: scripts/issue_certificate.py
Input parameters (JSON):
{
  "cert_id": "CERT-2026-Q2-001-CMO-001",
  "exam_id": "EXAM-2026-Q2-001",
  "candidate_id": "AGENT-CMO-001",
  "candidate_name": "CMO-Agent",
  "plan_id": "PLAN-2026-Q2-001",
  "modules_completed": ["M1", "M3"],
  "total_score": 87,
  "issue_date": "2026-04-15",
  "valid_until": "2027-04-15",
  "issuer_cto": true,
  "issuer_ciso": true
}

Returned files (saved under knowledge-base/training/certs/{cert_id}/):

certs/CERT-2026-Q2-001-CMO-001/
├── certificate.json          # certificate body (JSON, double-signed)
├── certificate_digital.md    # human-readable certificate
├── audit_trail.json          # issuance audit chain
└── metadata.json

certificate.json structure

{
  "cert_id": "CERT-2026-Q2-001-CMO-001",
  "version": "1.0",
  "holder": {
    "id": "AGENT-CMO-001",
    "name": "CMO-Agent",
    "role": "CMO"
  },
  "training": {
    "plan_id": "PLAN-2026-Q2-001",
    "title": "Q2 all-staff compliance and security training",
    "modules": [
      {"id": "M1", "name": "Compliance and security", "score": 43, "pass": true},
      {"id": "M3", "name": "Role skills", "score": 44, "pass": true}
    ]
  },
  "total_score": 87,
  "grade": "Pass",
  "issue_date": "2026-04-15",
  "valid_until": "2027-04-15",
  "signatures": {
    "CTO": {
      "signed": true,
      "algorithm": "RSA-2048-SHA256",
      "fingerprint": "<CTO public-key fingerprint>"
    },
    "CISO": {
      "signed": true,
      "algorithm": "RSA-2048-SHA256",
      "fingerprint": "<CISO public-key fingerprint>"
    }
  },
  "audit_hash": "<SHA-256 hash, tamper evidence>"
}

Notes for the CHO caller

  • The CHO must call this interface only after the trainee has passed the exam
  • Certificates are valid for 1 year (configurable); on expiry the trainee must retrain
  • Certificate ID format: CERT-{plan ID}-{trainee ID}, globally unique
  • Dual issuance: a certificate is produced only when both the CTO and the CISO have signed, which is what gives its content authority
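
The certificate above advertises RSA-2048-SHA256 signatures with public-key fingerprints, while the capability assessment further down reports that the implementation produces a hash over the content plus a fixed signer string and labels it HMAC-SHA256. The distinction matters: a hash without key material can be recomputed by anyone who has the skill's code, so it proves nothing about who issued the certificate. The following is an added example, not the skill's issue_certificate.py, showing what a checkable signature block needs at minimum. It assumes a canonical serialisation of the certified body (sorted-key compact JSON), an audit_hash over that body, and per-signer secrets in CTO_SIGNING_KEY and CISO_SIGNING_KEY; those names, and the use of keyed HMAC rather than RSA, are choices made here because the Python standard library has no RSA.

```python
"""Added example, not the skill's issue_certificate.py: make the signature block
of certificate.json checkable, and show why a keyless hash is not a signature.
Assumptions (not from the page): canonical body = sorted-key compact JSON of
every field except the proofs; audit_hash = SHA-256 of that body; signer
secrets come from CTO_SIGNING_KEY / CISO_SIGNING_KEY. Standard library only,
so it stops at keyed HMAC-SHA256; the RSA-2048-SHA256 the page advertises
would need a private key and a signature library.
"""
import hashlib
import hmac
import json
import os
import secrets

SIGNERS = ("CTO", "CISO")
PROOF_FIELDS = ("signatures", "audit_hash")


def canonical_body(cert: dict) -> bytes:
    """Serialise what is certified, excluding the proof fields, so issuer and
    verifier hash byte-identical input."""
    body = {k: v for k, v in cert.items() if k not in PROOF_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def audit_hash(cert: dict) -> str:
    return hashlib.sha256(canonical_body(cert)).hexdigest()


def placeholder_signature(cert: dict, signer: str) -> str:
    """The keyless scheme the capability assessment describes: hash of the
    content plus a fixed signer string. Anyone holding the code can make it."""
    return hashlib.sha256(canonical_body(cert) + signer.encode()).hexdigest()


def keyed_signature(cert: dict, signer: str, key: bytes) -> str:
    """HMAC-SHA256 over the canonical body, bound to the signer name."""
    return hmac.new(key, canonical_body(cert) + signer.encode(),
                    hashlib.sha256).hexdigest()


def keys_from_env() -> dict:
    """Key material comes from the environment, never from plan_json."""
    keys = {}
    for s in SIGNERS:
        raw = os.environ.get(f"{s}_SIGNING_KEY", "")
        if len(raw) < 32:
            raise RuntimeError(f"{s}_SIGNING_KEY missing or shorter than 32 chars")
        keys[s] = raw.encode("utf-8")
    return keys


def issue(cert: dict, keys: dict) -> dict:
    """Copy of cert with audit_hash and one keyed MAC per signer. With a real
    public-key scheme 'mac' would hold the signature and a key fingerprint
    would identify the verification key."""
    signed = dict(cert)
    signed["audit_hash"] = audit_hash(cert)
    signed["signatures"] = {
        s: {"signed": True, "algorithm": "HMAC-SHA256",
            "mac": keyed_signature(cert, s, keys[s])} for s in SIGNERS}
    return signed


def verify(signed: dict, keys: dict) -> bool:
    """Audit hash and both signers' MACs must match; constant-time compares."""
    if not hmac.compare_digest(audit_hash(signed), signed.get("audit_hash", "")):
        return False
    sigs = signed.get("signatures", {})
    return all(hmac.compare_digest(keyed_signature(signed, s, keys[s]),
                                   sigs.get(s, {}).get("mac", ""))
               for s in SIGNERS)


def verify_placeholder(signed: dict) -> bool:
    """The most a checker of the keyless scheme can do."""
    sigs = signed.get("signatures", {})
    return all(hmac.compare_digest(placeholder_signature(signed, s),
                                   sigs.get(s, {}).get("mac", ""))
               for s in SIGNERS)


# Constructed sample, mirroring the page's certificate.json fields.
SAMPLE_CERT = {
    "cert_id": "CERT-2026-Q2-001-CMO-001", "version": "1.0",
    "holder": {"id": "AGENT-CMO-001", "name": "CMO-Agent", "role": "CMO"},
    "training": {"plan_id": "PLAN-2026-Q2-001",
                 "modules": [{"id": "M1", "score": 43, "pass": True},
                             {"id": "M3", "score": 44, "pass": True}]},
    "total_score": 87, "grade": "Pass",
    "issue_date": "2026-04-15", "valid_until": "2027-04-15",
}


def demo() -> dict:
    """Issue, verify, tamper, then forge without keys. Random keys stand in
    for keys_from_env() so the example runs offline."""
    keys = {s: secrets.token_bytes(32) for s in SIGNERS}
    signed = issue(SAMPLE_CERT, keys)
    tampered = json.loads(json.dumps(signed))
    tampered["total_score"] = 100                      # edited after issuance
    forged = dict(SAMPLE_CERT)                         # attacker: code, no keys
    forged["total_score"] = 100
    forged["audit_hash"] = audit_hash(forged)
    forged["signatures"] = {s: {"signed": True, "algorithm": "SHA256",
                                "mac": placeholder_signature(forged, s)}
                            for s in SIGNERS}
    return {"valid": verify(signed, keys),
            "tampered_valid": verify(tampered, keys),
            "forged_passes_placeholder": verify_placeholder(forged),
            "forged_passes_keyed": verify(forged, keys)}
```

Keyed HMAC closes the forgery hole but is symmetric: whoever can verify holds the key and can therefore also issue, so it only fits a deployment where the CHO and the two signers are the same trust domain. For the public/private-key property the page's fingerprint field implies (anyone can verify, only the key holder can sign), replace keyed_signature and verify with a real signature scheme backed by the enterprise key service, and record the verification key's fingerprint as the page shows.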

Interface 4: track_progress

Purpose: track all-staff training progress in real time and generate status reports for the CHO to report upwards.

CHO call example

Interface script: scripts/track_progress.py
Input parameters (JSON):
{
  "plan_id": "PLAN-2026-Q2-001",
  "report_type": "summary",
  "include_detail": true
}

report_type options

  • summary: all-staff summary report (for the CHO's monthly report to the CEO)
  • detail: detailed status per trainee (for the CHO's HR records with the CLO)
  • compliance: list of those not yet complete (for the CHO's compliance tracking with the CLO)

Returned files (saved under knowledge-base/training/reports/{plan_id}/):

reports/PLAN-2026-Q2-001/
├── progress_summary.json      # all-staff progress summary
├── progress_detail.json       # per-trainee detailed status
├── compliance_report.json     # compliance tracking report (for the CLO)
├── spd_batch_analysis.json    # batch quality analysis (for the CQO)
└── action_items.json          # to-do items (for the CHO to execute)

progress_summary.json example

{
  "plan_id": "PLAN-2026-Q2-001",
  "report_date": "2026-04-20",
  "total_enrolled": 24,
  "status_breakdown": {
    "not_started": 2,
    "in_progress": 2,
    "completed_not_certified": 2,
    "certified": 16,
    "failed_once": 1,
    "failed_twice_pending_review": 1
  },
  "completion_rate": 0.75,
  "certification_rate": 0.667,
  "quality_gate": {
    "batch_pass_rate": 0.9,
    "avg_spd": 0.091,
    "gate_passed": true
  },
  "expiry_warning": [
    {"cert_id": "CERT-2025-Q1-CMO-001", "expires": "2026-05-01", "days_left": 11}
  ]
}

action_items.json example (for the CHO's follow-up):

{
  "plan_id": "PLAN-2026-Q2-001",
  "generated_at": "2026-04-20T12:00:00+08:00",
  "actions": [
    {
      "id": "A001",
      "type": "reminder",
      "target": ["AGENT-FIN-002", "AGENT-FIN-003"],
      "description": "Send training-not-started reminder",
      "due": "2026-04-21"
    },
    {
      "id": "A002",
      "type": "remedial",
      "target": ["AGENT-SUPPORT-007"],
      "description": "Schedule remedial training for the failed module (M3)",
      "due": "2026-04-25"
    },
    {
      "id": "A003",
      "type": "escalation",
      "target": ["AGENT-SALES-012"],
      "description": "Failed twice in a row; submit to the CRO to start exit review",
      "due": "2026-04-22"
    },
    {
      "id": "A004",
      "type": "expiry_notice",
      "target": ["AGENT-CMO-001"],
      "description": "Certificate expires in 11 days; send renewal reminder",
      "due": "2026-04-21"
    }
  ]
}

Standard CHO call workflow

CHO launches the training (phase ① complete)
        ↓
┌──────────────────────────────────────────┐
│ 1. call create_training_plan             │  → courseware + exam questions + double-signed metadata
└──────────────┬───────────────────────────┘
               ↓
        schedule confirmation (COO confirms the timetable)
               ↓
┌──────────────────────────────────────────┐
│ 2. notify departments to begin (phase ②) │
└──────────────┬───────────────────────────┘
               ↓
        after each trainee finishes the course
               ↓
┌──────────────────────────────────────────┐
│ 3. call conduct_exam                     │  → one call per trainee, outputs the score report
└──────────────┬───────────────────────────┘
               ↓
        aggregate batch scores, judge the quality gate
               ↓
        gate failed?  → reopen the whole batch (back to phase ②)
        gate passed?  → continue
               ↓
┌──────────────────────────────────────────┐
│ 4. call issue_certificate for passers    │  → issue double-signed digital certificates
└──────────────┬───────────────────────────┘
               ↓
┌──────────────────────────────────────────┐
│ 5. call track_progress                   │  → monthly report + compliance report + to-do list
└──────────────┬───────────────────────────┘
               ↓
        CHO works through action_items
        ↓
        submit the monthly training report to the CEO

Internal script list

| Script | Entry | Dependencies |
|---|---|---|
| create_training_plan.py | takes plan_json, generates the courseware package | no external dependencies; writes local files |
| conduct_exam.py | takes exam_args, runs the exam logic | reads plans/{id}/exam_questions.json |
| issue_certificate.py | takes cert_args, generates the certificate | needs to call exec to run the digital-signature command |
| track_progress.py | takes report_args, aggregates status | reads all records under exams/ and certs/ |

Version history

| Version | Date | Changes |
|---|---|---|
| v1.0.0 | 2026-04-13 | Initial version: 4 standard interfaces, full double-signature scheme, standard CHO call workflow |
Usage Guidance
This skill's stated purpose and its implementation are broadly consistent: it generates courseware, scores exams, issues certificates and produces reports locally, and the author documents several hardening measures (ID whitelist, normpath-bounded paths, a ban on injecting credentials through plan_json, no network calls). Before deciding to install or use it, note and take the following steps:

  • Verify the signature implementation: do not treat the generated certificate.json as a legal or compliance credential carrying a real public/private-key digital signature. Ask the author/publisher to describe and provide a real signing scheme (private-key storage and public-key verification flow), or replace the placeholder signing logic with your enterprise key service before deployment.
  • Check the full source and that it runs: several script fragments in the submitted text appear truncated or contain typos (for example 'safe_write_tex' at the end of issue_certificate.py, and a truncated variable in track_progress.py). Run all scripts in a controlled test environment and confirm there are no syntax errors or runtime crashes; if these are truncations in the published documentation rather than in the actual files, also request complete checksums (hashes) of the release package to verify its integrity.
  • Code-audit focus: confirm that all path-locking logic is effective in your environment (TRAINING_WORKSPACE points at a directory you allow), and re-check that the prefix checks in safe_read_json/safe_write_json cannot be bypassed by edge cases (for example path separators on other operating systems, or symbolic links).
  • Test in isolation: run it first under a restricted test account or in a container, inspect the output directory, file permissions and actual behaviour, and make sure nothing outside the workspace is read or written.
  • Trust and provenance: the package home page is unknown and the source ID is the owner id from registry metadata; if this is to be used in an enterprise compliance process, insist on a verifiable publisher identity, a change log, and the reviewer signatures/contact details mentioned in SECURITY_REVIEW.md.

Overall: the functionality is reasonable and the security design shows good awareness, but the 'certificate signature' is a placeholder implementation that does not match the documentation, and the truncation/typo issues in the provided text add uncertainty; until these are verified, do not rely on its certificates as 'signatures' in a legal or cryptographic sense in production compliance processes.
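
The audit point about prefix checks is concrete: a containment test of the form normpath(target).startswith(normpath(workspace)) accepts a sibling directory whose name merely extends the workspace name (training2 next to training), and it never looks through a symbolic link placed inside the workspace. The following is an added example, not the skill's own safe_read_json/safe_write_json, that puts the weak check beside a hardened one and pairs it with the kind of ID whitelist the guidance mentions. It assumes the workspace root is the TRAINING_WORKSPACE directory the page names, and the ID regexes are inferred from the page's sample identifiers (PLAN-YYYY-QX-NNN, EXAM-..., CERT-..., AGENT-...); both are assumptions made here.

```python
"""Added example, not the skill's own safe_read_json/safe_write_json: a strict
ID whitelist plus a path-containment check that resists the two bypasses the
guidance above flags, sibling-directory prefixes and symbolic links.
Assumptions made here: the workspace root is the TRAINING_WORKSPACE directory
the page mentions, and the ID regexes are inferred from the page's sample IDs.
"""
import os
import re
import tempfile

ID_PATTERNS = {
    "plan_id": re.compile(r"PLAN-\d{4}-Q[1-4]-\d{3}"),
    "exam_id": re.compile(r"EXAM-\d{4}-Q[1-4]-\d{3}"),
    "cert_id": re.compile(r"CERT-\d{4}-Q[1-4]-\d{3}-[A-Z]{2,10}-\d{3}"),
    "candidate_id": re.compile(r"AGENT-[A-Z]{2,10}-\d{3}"),
}
SUBDIR = {"plan_id": "plans", "exam_id": "exams", "cert_id": "certs"}


def validate_id(kind: str, value) -> str:
    """Whitelist, not blacklist: anything that is not exactly the documented
    shape (so no '/', '..', spaces or shell metacharacters) is rejected."""
    pattern = ID_PATTERNS[kind]
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"{kind} {value!r} does not match {pattern.pattern}")
    return value


def prefix_check(workspace: str, target: str) -> bool:
    """The weak form: normpath + startswith. Accepts '/ws/training2/x' for a
    workspace '/ws/training', and never looks through symlinks."""
    return os.path.normpath(target).startswith(os.path.normpath(workspace))


def contained(workspace: str, target: str) -> bool:
    """Hardened form: resolve symlinks on both sides, then require the
    resolved target to be the root itself or strictly beneath it."""
    root = os.path.realpath(workspace)
    real = os.path.realpath(target)
    try:
        return os.path.commonpath([root, real]) == root
    except ValueError:            # different drives on Windows
        return False


def training_path(workspace: str, kind: str, value: str, *parts: str) -> str:
    """knowledge-base/training/{plans|exams|certs}/{id}/... built only from a
    validated ID, then containment-checked before the path is handed out."""
    path = os.path.join(workspace, "knowledge-base", "training",
                        SUBDIR[kind], validate_id(kind, value), *parts)
    if not contained(workspace, path):
        raise PermissionError(f"{path} resolves outside {workspace}")
    return path


def demo() -> dict:
    """Constructed layout in a temp dir: the workspace 'training', a sibling
    'training2', a 'secrets' dir outside, and a symlink inside the workspace
    that points at 'secrets'."""
    base = tempfile.mkdtemp()
    ws, sibling, outside = (os.path.join(base, d) for d in ("training", "training2", "secrets"))
    for d in (ws, sibling, outside):
        os.makedirs(d)
    link = os.path.join(ws, "escape")
    os.symlink(outside, link)
    rejected = 0
    for kind, value in (("plan_id", "../../etc/passwd"), ("plan_id", "PLAN-2026-Q5-001"),
                        ("candidate_id", "AGENT-CMO-001; rm -rf /")):
        try:
            validate_id(kind, value)
        except ValueError:
            rejected += 1
    return {
        "sibling_prefix_weak": prefix_check(ws, os.path.join(sibling, "x.json")),
        "sibling_prefix_hardened": contained(ws, os.path.join(sibling, "x.json")),
        "symlink_weak": prefix_check(ws, os.path.join(link, "x.json")),
        "symlink_hardened": contained(ws, os.path.join(link, "x.json")),
        "dotdot_hardened": contained(ws, os.path.join(ws, "..", "secrets", "x.json")),
        "good_hardened": contained(ws, training_path(ws, "plan_id", "PLAN-2026-Q2-001", "metadata.json")),
        "rejected_ids": rejected,
    }
```

The resolved-path check answers the question at the moment it runs; if an untrusted principal can write into the workspace it can still swap a directory for a symlink between the check and the open. The usual remedy is to keep the workspace writable only by the skill's own account and to open files with O_NOFOLLOW where the platform supports it.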
Capability Analysis
Type: OpenClaw Skill
Name: cto-ciso-training
Version: 2.0.0

The skill bundle provides a comprehensive framework for corporate training and certification, involving roles like CTO and CISO. The Python scripts (create_training_plan.py, conduct_exam.py, issue_certificate.py, and track_progress.py) exhibit high-quality defensive coding practices, including strict regex-based input validation, path normalization to prevent traversal attacks, and explicit filtering of sensitive keywords such as 'token' and 'api_key'. The inclusion of a SECURITY_REVIEW.md file detailing the mitigation of common vulnerabilities suggests an intentional focus on security and transparency. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Capability Tags
requires-wallet
Capability Assessment
Purpose & Capability
The name, description and bundled scripts (create plan, run exam, issue certificate, track progress) are consistent: the scripts only read and write the training knowledge base under the local workspace and require no external credentials or network, so capability matches purpose. The references to other skills (ai-company-cto and so on) are reasonable collaboration notes.
Instruction Scope
SKILL.md directs reads and writes to knowledge-base/training/ through the script interfaces, and the scripts largely respect that scope, implementing path locking and an ID whitelist, which is as expected. There is, however, an important inconsistency: the documentation and examples describe the certificate signature as 'RSA-2048-SHA256' (see the sample JSON), while the implementation uses a hash-based local signing placeholder and labels the signatures 'HMAC-SHA256'; this can mislead users into treating the output as a genuine public/private-key digital signature. In addition, several script fragments in the text provided for review are truncated or contain spelling/call errors (such as 'safe_write_tex' at the end of issue_certificate.py and a truncated variable name in track_progress.py), which points to packaging or release integrity/quality problems; confirm that the scripts in the actual release package are complete and executable.
Install Mechanism
No install spec (instruction-only plus bundled script files); nothing downloads external binaries or pulls code from unknown URLs, so installation risk is low. The scripts are plain Python text and declare no external network dependencies.
Credentials
The skill requests no secret environment variables or external credentials; it only optionally uses the TRAINING_WORKSPACE environment variable to locate the workspace, which is proportionate to its function. Note: the so-called 'digital signature' uses no key material in the implementation; the signature is just a hash over the content plus a fixed signer string (a placeholder), which cannot replace a real key-management/signing system. If you plan to use these certificates as compliance or legal evidence, you must require the developer to provide real keys and a verification method.
Persistence & Privilege
The skill does not set always:true and does not modify other skills or system-wide configuration. The scripts only create and read files under the user's workspace (knowledge-base/training), so the permission footprint is limited and auditable.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cto-ciso-training
  3. After installation, invoke the skill by name or use /cto-ciso-training
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Security hardened v2.0: input validation, path traversal protection, audit hash, double-signature certificates
Metadata
Slug cto-ciso-training
Version 2.0.0
License MIT-0
All-time Installs 1
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is CTO×CISO Training?

Jointly with the CTO and CISO, it draws up a training plan, runs online assessments, issues digitally signed certificates, and tracks and reports training progress and compliance status in real time. It is an AI Agent Skill for Claude Code / OpenClaw, with 93 downloads so far.

How do I install CTO×CISO Training?

Run "/install cto-ciso-training" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is CTO×CISO Training free?

Yes, CTO×CISO Training is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does CTO×CISO Training support?

CTO×CISO Training is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created CTO×CISO Training?

It is built and maintained by JohnSmithfan (@johnsmithfan); the current version is v2.0.0.
