
Firm Runtime Audit Pack

by romainsantoli-web · GitHub ↗ · v1.0.0 · cross-platform · Security Clean
312 downloads · 0 stars · 1 active install · 1 version
Install in OpenClaw: /install firm-runtime-audit-pack
Description
Runtime environment and configuration audit pack. Validates Node.js version, secrets workflow, HTTP headers, allowed commands, trusted proxy, disk budget, an...
README (SKILL.md)

firm-runtime-audit-pack

⚠️ AI-generated content: human validation required before use.

Purpose

Audits the runtime environment of OpenClaw deployments: Node.js version compliance, secrets handling, HTTP security headers, command allowlists, proxy configuration, disk budget, and direct message policies.

Tools (7)

| Tool | Description | Severity |
| --- | --- | --- |
| openclaw_node_version_check | Verify Node.js runtime version | CRITICAL |
| openclaw_secrets_workflow_check | Audit secrets handling in workflows | CRITICAL |
| openclaw_http_headers_check | Check HTTP security headers (HSTS, CSP) | HIGH |
| openclaw_nodes_commands_check | Validate nodes.allowCommands config | HIGH |
| openclaw_trusted_proxy_check | Verify trusted proxy configuration | HIGH |
| openclaw_session_disk_budget_check | Check session disk budget limits | MEDIUM |
| openclaw_dm_allowlist_check | Audit DM channel allowlist policy | MEDIUM |

Usage

skills:
  - firm-runtime-audit-pack

# Run full runtime audit:
openclaw_node_version_check config_path=/path/to/config.json
openclaw_secrets_workflow_check config_path=/path/to/config.json
openclaw_http_headers_check config_path=/path/to/config.json

Requirements

  • mcp-openclaw-extensions >= 3.0.0
  • Node.js >= 20.x recommended
Usage Guidance
This skill is mostly a wrapper that documents and calls auditing checks provided by the mcp-openclaw-extensions package. Before installing or running it:
  1. Verify and obtain mcp-openclaw-extensions from a trusted source and review its code or documentation so you know exactly what each 'openclaw_*' check does.
  2. Avoid running secret-auditing checks directly against production secrets; run them against sanitized copies, or confirm that the check does not exfiltrate sensitive fields.
  3. Review where reports are written or sent (local files, logs, external endpoints) and ensure they won't leak sensitive config.
  4. If you need higher assurance, request an explicit install spec or signed release for the required extension so you can validate what will be executed.
Capability Analysis
Type: OpenClaw Skill
Name: firm-runtime-audit-pack
Version: 1.0.0
The skill bundle describes a 'firm-runtime-audit-pack' designed for auditing runtime environment and configuration aspects such as Node.js version, secrets handling, HTTP headers, and command allowlists. The `SKILL.md` file clearly outlines the purpose and lists seven specific security audit tools. There is no executable code provided in these files, only metadata and documentation. No evidence of malicious intent, prompt injection, data exfiltration, or other harmful behaviors was found in `_meta.json` or `SKILL.md`. The content is consistent with a legitimate security auditing tool.
Capability Assessment
Purpose & Capability
The name and description (runtime audit of Node.js, secrets workflow, headers, command allowlists, proxy, disk budget, DM allowlist) match the listed 'openclaw_*' tools and the example usage. The declared dependency on mcp-openclaw-extensions >= 3.0.0 reasonably explains where those checks come from.
Instruction Scope
The SKILL.md is instruction-only and simply directs the agent to run named checks against a provided config_path. It does not instruct reading unrelated system paths or sending results to external endpoints. However, several checks (especially the 'secrets_workflow' check) implicitly require reading configuration or workflow definitions that may contain secrets — the skill does not specify how sensitive data is handled or reported.
Install Mechanism
No install spec and no code files — lowest-risk delivery. The skill relies on mcp-openclaw-extensions being available in the environment; the SKILL.md does not provide an install method for that dependency, so installation must be managed separately by the user/agent.
Credentials
The skill does not request environment variables or credentials, which is proportionate. Nonetheless, some checks will need access to configuration files (example shows config_path=/path/to/config.json) and may parse sensitive entries; the SKILL.md does not document how secrets are protected or whether checks will read external secret stores.
Persistence & Privilege
Declared flags: always: false, user-invocable: true. No indication the skill persists or modifies other skills or agent-wide settings. Autonomous invocation is allowed by default but not uniquely privileged here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install firm-runtime-audit-pack
  3. After installation, invoke the skill by name or use /firm-runtime-audit-pack
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — 7 tools: node version, secrets, HTTP headers, commands, proxy, disk, DM
Metadata
Slug firm-runtime-audit-pack
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Firm Runtime Audit Pack?

Runtime environment and configuration audit pack. Validates Node.js version, secrets workflow, HTTP headers, allowed commands, trusted proxy, disk budget, an... It is an AI Agent Skill for Claude Code / OpenClaw, with 312 downloads so far.

How do I install Firm Runtime Audit Pack?

Run "/install firm-runtime-audit-pack" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Firm Runtime Audit Pack free?

Yes, Firm Runtime Audit Pack is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Firm Runtime Audit Pack support?

Firm Runtime Audit Pack is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Firm Runtime Audit Pack?

It is built and maintained by romainsantoli-web (@romainsantoli-web); the current version is v1.0.0.
