← Back to Skills Marketplace
stoneyhoo

Security

by stoney · GitHub ↗ · v1.0.5 · MIT-0
cross-platform ✓ Security Clean
166
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install lobsterai-security
Description
Enterprise-grade security framework for LobsterAI with audit logging, RBAC, input validation, output sanitization, code scanning, and dependency vulnerabilit...
README (SKILL.md)

Security

Comprehensive security framework for LobsterAI providing audit logging, role-based access control (RBAC), input validation, output sanitization, code scanning, and dependency vulnerability detection.

Core Features

Audit Logger

  • Records all skill executions with timestamps, user context, and input/output
  • JSON-structured logs for easy analysis
  • Automatic log rotation (90 days retention)
  • Encrypted storage support

Authorizer (RBAC)

  • Role-based access control configuration
  • Fine-grained permission management
  • JSON-based role definitions
  • Session validation

Input Validator

  • Path traversal prevention
  • Dangerous command detection (rm, del, eval, etc.)
  • Cron expression validation
  • Working directory restrictions

Output Sanitizer

  • Automatic redaction of sensitive data (passwords, API keys, tokens)
  • Error message sanitization
  • Safe error formatting for user display

Code Scanner

  • Static code analysis for common vulnerabilities
  • Pattern-based malicious code detection
  • Configurable scan rules

Dependency Scanner

  • NPM vulnerability scanning (npm audit)
  • Python package vulnerability detection (pip-audit)
  • Automated dependency checking

Usage

All security features are available for import by other skills:

from security.audit_logger import audit_log_skill_start, audit_log_skill_end
from security.authorizer import Authorizer
from security.input_validator import InputValidator, ValidationError
from security.output_sanitizer import sanitize_text, create_safe_error
from security.code_scanner import CodeScanner
from security.dependency_scanner import DependencyScanner

Configuration

Copy rbac_config.example.json to rbac_config.json and customize roles and permissions.

Scan Scope

The code scanner and dependency scanner are designed to scan all skills in the SKILLs directory when invoked explicitly (e.g., python -m security.code_scanner --skill all). This allows comprehensive security assessment across your entire LobsterAI installation.

Privacy Note: Scanning all skills grants this module read access to all skill code and dependencies. This is intentional for a security audit tool, but users should be aware of the broad read scope. Ensure you trust the skill source before enabling full-system scanning.

To limit scanning to specific skills, invoke with explicit skill IDs:

python -m security.code_scanner --skill web-search --skill scheduled-task

Environment Variables

This skill requires the following environment variables to function correctly:

Variable Description Required Default
LOBSTERAI_HOME Base directory for LobsterAI data and logs Yes (if not using default) ${APPDATA}/LobsterAI (Windows) or ${HOME}/.config/LobsterAI (Linux/macOS)
LOBSTERAI_AUDIT_SECRET HMAC secret for audit log signature (optional) No -
LOBSTERAI_USER_ID Current user identifier for audit trails No anonymous
SKILLS_ROOT Path to the SKILLs root directory No (auto-detected) Parent directory of the current skill

Note: Ensure LOBSTERAI_HOME/logs/security/ exists and is writable.

Deployment

See DEPLOYMENT.md for detailed deployment instructions, security hardening checklist, and incident response procedures.

Testing

Run python tests.py to execute the test suite.

Integration

This module integrates seamlessly with LobsterAI's skill execution pipeline, providing:

  • Pre-execution validation
  • Runtime monitoring
  • Post-execution sanitization
  • Comprehensive audit trails

Security Maturity

⭐⭐⭐☆☆ (3/10) - Active development

We are continuously improving our security posture. See SECURITY.md for the complete security architecture and best practices.

Usage Guidance
This package appears to implement what it claims: auditing, RBAC, input/output sanitization, code and dependency scanning. Before installing or enabling system-wide scans you should: (1) review the code (especially audit_logger, code_scanner, dependency_scanner) yourself or in a staging environment; (2) limit initial scans to specific skills (use --skill <id>) rather than --skill all; (3) set up and protect LOBSTERAI_HOME and rbac_config.json with restrictive file permissions; (4) configure LOBSTERAI_AUDIT_SECRET if you need tamper-evident logs; (5) be aware the module will read other skills' source and dependency files (potentially exposing secrets if they are hard-coded); and (6) run the module in an isolated environment first (or with limited privileges) if you are unsure of the source. The registry metadata omission of required environment variables is a minor inconsistency — prefer the SKILL.md values when configuring.
Capability Analysis
Type: OpenClaw Skill Name: lobsterai-security Version: 1.0.5 The bundle is a comprehensive security framework for LobsterAI, providing features such as RBAC, audit logging, input validation, and security scanning. While it contains high-privilege capabilities, such as a script that automatically modifies other skills to inject auditing logic (scripts/integrate_audit.py) and a scanner that reads all skill source code (code_scanner.py), these behaviors are clearly documented and strictly aligned with the stated purpose of an enterprise security tool. No evidence of data exfiltration, hidden backdoors, or malicious intent was found.
Capability Assessment
Purpose & Capability
The files (audit logger, RBAC authorizer, input validator, output sanitizer, code and dependency scanners) match the skill name and description. The scanner components explicitly target SKILLs code and dependency files which is expected for a security framework. Minor mismatch: the registry metadata listed no required environment variables, but SKILL.md documents LOBSTERAI_HOME, LOBSTERAI_AUDIT_SECRET, LOBSTERAI_USER_ID and SKILLS_ROOT — these environment variables are reasonable for this skill but the registry omission is an inconsistency to note.
Instruction Scope
SKILL.md and the code explicitly allow scanning 'all skills' under the SKILLs directory and advise copying the security module into the SKILLS_ROOT. The scanner reads other skills' source code and dependency files (intentionally). The code and examples use subprocess calls to optional external tools (e.g., safety, pip-audit) and spawn the Python audit logger from other skill wrappers (including background launches that write PID files under /tmp in examples). These behaviors are coherent with the stated purpose but constitute broad read scope and some runtime actions that should only be enabled if you trust the package.
Install Mechanism
There is no declared install spec; the package is provided as code files and DEPLOYMENT.md instructs manual copying into SKILLS_ROOT. No external downloads/URLs or package installs are forced by the skill itself. This is lower risk than a remote installer but means files will be written into your SKILLs tree if you follow the deployment steps—review the code before copying.
Credentials
Required environment variables in SKILL.md (LOBSTERAI_HOME, SKILLS_ROOT, optional LOBSTERAI_AUDIT_SECRET, LOBSTERAI_USER_ID) are appropriate for logging and locating SKILLs. The skill will read code and dependency files across SKILLs if asked to scan 'all', which is necessary for its scanning function but grants broad read access to other skills (including any hard-coded secrets within them). No unrelated external credentials are requested.
Persistence & Privilege
The skill is not force-included (always:false) and uses normal integration patterns (importable Python package and optional wrappers). It does not request elevated platform privileges in its code. Note: autonomous invocation (disable-model-invocation:false) is the platform default — combined with the skill's ability to scan the whole SKILLs tree, this increases the impact if you allow the skill to be invoked broadly; that is expected for a security tool but worth considering before enabling automated scans.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install lobsterai-security
  3. After installation, invoke the skill by name or use /lobsterai-security
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
Add skill.json for declarative environment configuration; fix env var names
v1.0.4
Fix environment variable metadata: declare LOBSTERAI_HOME, LOBSTERAI_AUDIT_SECRET, LOBSTERAI_USER_ID, SKILLS_ROOT in SKILL.md to match platform metadata
v1.0.3
Fixed environment variable metadata, added CLI entry point to audit_logger.py, removed JavaScript child_process integration, and corrected documentation inconsistencies.
v1.0.2
- Added comprehensive SKILL.md documentation outlining all major features, environment variables, and integration details. - Clarified audit logging, RBAC, input validation, output sanitization, code scanning, and dependency scanning capabilities. - Provided configuration steps and example usage for easy adoption. - Included important privacy and scan-scope caveats for full-system audits. - Added security maturity information and references to further documentation.
Metadata
Slug lobsterai-security
Version 1.0.5
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Security?

Enterprise-grade security framework for LobsterAI with audit logging, RBAC, input validation, output sanitization, code scanning, and dependency vulnerabilit... It is an AI Agent Skill for Claude Code / OpenClaw, with 166 downloads so far.

How do I install Security?

Run "/install lobsterai-security" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Security free?

Yes, Security is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Security support?

Security is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Security?

It is built and maintained by stoney (@stoneyhoo); the current version is v1.0.5.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments