Trent OpenClaw Security Assessment

by trent-ai-release · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
358 Downloads · 10 Stars · 0 Active Installs · 6 Versions
Install in OpenClaw
/install trentclaw
Description
Assess your Agent deployment against security risks using Trent.
Usage Guidance
This skill appears to do what it says: collect OpenClaw metadata, package workspace skills (with redaction), and upload them to Trent for analysis using TRENT_API_KEY. Before installing or running:
  1. Only provide a TRENT_API_KEY you trust (the key gives the remote service ability to accept uploads and run analyses).
  2. Review and confirm the upload step when prompted — the code asks you to confirm before uploading, but an automated agent could bypass that prompt.
  3. Be aware redaction is regex-based and may miss custom secret formats; remove or move any highly sensitive files (private keys, proprietary data) out of the workspace or keep them in environment variables rather than in files.
  4. The client writes streaming output to temp files (tempfile.mktemp is used) — consider specifying output_file or cleaning temp files if you are concerned about local exposure.
  5. If you don't want any code leaving your environment, do not confirm uploads; the local metadata-only Phase 1 and the system_analysis output functions can be used for limited local inspection.
If you need more assurance, review the code yourself or run it in an isolated environment before granting the TRENT_API_KEY.
Capability Analysis
Type: OpenClaw Skill
Name: trentclaw
Version: 1.2.0

The skill bundle implements a security auditor that collects OpenClaw configuration metadata and packages workspace source code into ZIP files for upload to a remote service (trent.ai). While it includes extensive local secret redaction logic (secret_redactor.py, package_skills.py) and instructs the agent to seek user confirmation before uploading (SKILL.md), the core functionality involves large-scale data exfiltration of potentially sensitive source code and system metadata. The use of urllib to PUT data to presigned S3 URLs (trent_client.py) and the broad workspace scanning represent significant security risks if the third-party service is untrusted. Additionally, trent_client.py uses the insecure tempfile.mktemp() function.
Capability Tags
crypto, requires-oauth-token, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name/description match the code and runtime instructions. The package collects OpenClaw metadata, packages workspace/skills, redacts common secret patterns, and uploads packages to Trent using a single API key (TRENT_API_KEY), which is expected for an external analysis service.
Instruction Scope
SKILL.md explicitly describes three phases (collect metadata, scan/package skills, upload with user confirmation, then deep analysis). The code limits reads to ~/.openclaw (or OPENCLAW_WORKSPACE), excludes .env/key files, redacts secrets, and observes size/symlink limits. Note: the skill relies on the agent/automation to obey the 'wait for user confirmation' step — if an agent ignores that instruction the tool can upload packaged code.
Install Mechanism
Instruction-only install (no external installer). All required functionality is bundled in the skill files; no downloads or external install steps are performed by the skill itself.
Credentials
Only TRENT_API_KEY is required (primary credential), plus optional endpoint/workspace overrides. No unrelated credentials or system secrets are requested. The code explicitly excludes common secret file types and applies regex-based redaction before uploading.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (platform default). Combined with its ability to package and upload workspace code, autonomous invocation increases risk if the agent acts without user approval — SKILL.md asks to prompt the user before uploading, but the platform does not enforce that.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install trentclaw
  3. After installation, invoke the skill by name or use /trentclaw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
- Phase 2 workflow improved: skill scanning now occurs before upload, with a clear preview of what will be sent and explicit user confirmation required.
- User messaging updated to clarify the exact data being uploaded and how secrets are redacted, including warnings about custom secret formats.
- Presentation of skill scan results enhanced with examples and tabular summaries.
- Initial phase summary and upload prompts adjusted to be more transparent and user-friendly.
- No code or functionality outside documentation changed.
v1.1.1
- Updated skill name, description, and tags to broaden applicability beyond AppSec and OpenClaw.
- Incremented version to 1.1.1.
- Updated documentation links and improved wording in SKILL.md for clarity.
- No functional changes to scripts or APIs; changes focused on metadata and documentation for better discoverability and onboarding.
v1.1.0
- Updated the description to support Agent deployments, broadening assessment coverage beyond OpenClaw.
- Bumped version to 1.1.0.
- No changes to usage instructions or API; all phases and guidance remain the same.
v1.0.2
- Skill renamed from trent-openclaw-security-assessment to trent-security-assessment.
- Version bumped from 1.0.1 to 1.0.2.
- No feature or instructional changes; documentation only updated to reflect new name and version.
v1.0.1
- Skill name updated to "trent-openclaw-security-assessment" for improved clarity.
- Description, tags, and metadata enhanced for discoverability and accuracy.
- Version bumped to 1.0.1.
- Documentation improvements: clearer purpose, more detailed tags, and updated instructions.
- No changes to functionality or audit workflow.
v1.0.0
Initial release of Trent OpenClaw Security Audit skill.
- Audits OpenClaw deployment for security risks via Trent AppSec Advisor.
- Detects misconfigurations, chained attack paths, and categorizes findings by severity with recommended fixes.
- Multi-phase workflow: configuration audit, skill code upload (with secret redaction), and deep skill analysis.
- User is shown exactly what data will be sent; dangerous files and secrets are excluded/redacted before upload.
- Results are grouped by severity and provide config diffs; system files are not modified directly.
- Includes utilities for reviewing system context and skill analysis data.
Metadata
Slug trentclaw
Version 1.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 6
Frequently Asked Questions

What is Trent OpenClaw Security Assessment?

Assess your Agent deployment against security risks using Trent. It is an AI Agent Skill for Claude Code / OpenClaw, with 358 downloads so far.

How do I install Trent OpenClaw Security Assessment?

Run "/install trentclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Trent OpenClaw Security Assessment free?

Yes, Trent OpenClaw Security Assessment is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Trent OpenClaw Security Assessment support?

Trent OpenClaw Security Assessment is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Trent OpenClaw Security Assessment?

It is built and maintained by trent-ai-release (@trent-ai-release); the current version is v1.2.0.
