← Back to Skills Marketplace

Security Constitution

Name: Security Constitution
Author: byronbanck-ai

by byronbanck-AI · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

128

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install security-constitution

Description

为 OpenClaw 提供企业级安全保障的四级风险控制技能。 - 四级风险评估（L1-L4）：L1直接拒绝，L2密码确认，L3记录放行，L4直接放行 - 密码二次验证：敏感操作需主人确认 - 操作日志审计：记录所有操作供审计 - 绝对锁定：改密码/改owner/绕过安全机制均无法执行 ⚠️ 此技能是 AGENTS...

Usage Guidance

This skill appears to implement a reasonable risk-gating policy, but it is underspecified around secrets and identity verification. Before installing: (1) Confirm where the owner's password is stored and how password verification is performed — do NOT allow the agent to ask users to 'type the password' into chat. (2) Require that password checks be done against a hashed/secure store (not logged), and that logs never include plaintext secrets. (3) Ask for a precise definition of how sender identity is extracted and protected (so that an attacker cannot impersonate the owner). (4) If you plan to use this skill in production, review the actual implementation (code) or request stricter SKILL.md rules that forbid collecting secrets via chat and mandate encrypted storage and audit controls. Because these gaps affect sensitive behavior, proceed only after clarifying/mitigating them.

Capability Analysis

Type: OpenClaw Skill Name: security-constitution Version: 1.0.0 The 'security-constitution' skill is a security policy framework designed to enforce risk-based access control for an OpenClaw agent. It implements a four-level risk assessment system (L1-L4), requiring password verification for high-risk operations and logging all activities to 'memory/security-log.md' for auditing. The skill includes 'Absolute Lock' instructions in 'SKILL.md' to prevent the agent from modifying its own security settings or revealing passwords, and it lacks any indicators of data exfiltration or malicious command execution.

Capability Assessment

✓ Purpose & Capability

Name and description match the requested behavior: a policy-based risk gate that reads a local policy (~/.openclaw/workspace/security-policy.json) and enforces L1–L4 rules, logs to a local memory log, and runs hooks. No unrelated binaries, env vars, or installs are requested.

⚠ Instruction Scope

SKILL.md tells the agent to read a local policy file, identify sender/owner, classify commands by risk, request password confirmations for L2, and log operations. However it leaves critical details unspecified: where/how the owner password is stored and verified, how sender identity is extracted and authenticated, and how keyword matching is performed. The instructions therefore grant broad discretion to solicit passwords and block actions without clear safe handling rules.

✓ Install Mechanism

Instruction-only skill with no install spec and no code files — minimal installation risk (nothing is downloaded or written by an installer).

⚠ Credentials

No environment variables or external credentials are requested, which is consistent, but the policy requires password confirmation flows without specifying secure storage/verification. That means the agent could prompt users to type sensitive secrets into chat or store them in plain logs (the skill references a memory/security-log.md) — disproportionate risk because sensitive input handling is undefined.

ℹ Persistence & Privilege

The skill does not request always:true and does not declare writes beyond its own memory/log paths. The 'absolute lock' policy (disallow changing owner/password) is an instruction-level rule rather than a demonstrated capability to enforce across other skills; there's risk if the agent enforces it by modifying global configs, but SKILL.md does not show any cross-skill config changes.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install security-constitution
After installation, invoke the skill by name or use /security-constitution
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of security-constitution, implementing enterprise-grade, four-level risk control for OpenClaw: - Introduces L1–L4 risk assessment with distinct handling for each level (deny, confirm with password, log, direct allow). - Adds password re-authentication for sensitive operations and owner-only confirmations. - Implements comprehensive operation logging for auditing purposes. - Enforces absolute lockout on owner change, password change, and any attempt to bypass security mechanisms—these cannot be overridden. - Provides detailed hooks for operation pre- and post-processing, password failure, and bypass attempts. - Offers clear response templates and workflows for risk actions and user confirmations.

Metadata

Slug security-constitution

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Security Constitution?

为 OpenClaw 提供企业级安全保障的四级风险控制技能。 - 四级风险评估（L1-L4）：L1直接拒绝，L2密码确认，L3记录放行，L4直接放行 - 密码二次验证：敏感操作需主人确认 - 操作日志审计：记录所有操作供审计 - 绝对锁定：改密码/改owner/绕过安全机制均无法执行 ⚠️ 此技能是 AGENTS... It is an AI Agent Skill for Claude Code / OpenClaw, with 128 downloads so far.

How do I install Security Constitution?

Run "/install security-constitution" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Security Constitution free?

Yes, Security Constitution is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Security Constitution support?

Security Constitution is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Security Constitution?

It is built and maintained by byronbanck-AI (@byronbanck-ai); the current version is v1.0.0.

More Skills