netkr

Lightweight Host Intrusion Detection and Log Analysis System (Mini-HIDS)

by netkrxn · GitHub ↗ · v1.2.0 · MIT-0
cross-platform · Security: Clean
160 downloads · 1 star · 0 active installs · 9 versions
Install in OpenClaw: /install mini-hids
Description
Real-time Linux log monitoring and AI-assisted detection of brute force attacks, web attacks, and webshells with automated IP blocking and whitelist support.
Usage Guidance
This skill appears coherent with its stated purpose, but take these precautions before installing or running it:
1) Review the included Python source yourself (or have a trusted reviewer do so) before running, because the code will execute on your host and may be run as root for firewall/log access.
2) Run initially in a safe environment (staging VM) and test with non-privileged settings (use a non-root firewall simulator or disable automatic banning) to confirm detection/false-positive behavior.
3) If you plan to enable the MCP server, only allow trusted local clients — MCP tools can ban/unban IPs.
4) Back up your firewall rules and whitelist your management IPs to avoid accidental lockout.
5) Prefer to obtain the project directly from the upstream GitHub link referenced in SKILL.md and verify the repository/commit history rather than relying solely on the registry package entry.
If you want additional assurance, request provenance (upstream repository URL, release tag, or maintainer identity) and a quick audit of the last 100 lines of mini_hids.py (the provided copy was truncated) so I can re-check for any remaining unexpected behavior.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md, README, and the Python modules are consistent: the project tails auth/web logs, runs regex-based detection, scans web roots for webshell patterns, persists bans in SQLite, and applies bans via iptables/nft/fail2ban. Required binaries/envs listed as none in registry are acceptable because the code detects firewall binaries at runtime; nothing requested is unrelated to the stated HIDS purpose.
Instruction Scope
SKILL.md and the code instruct the agent/operator to run the daemon and/or MCP server and to edit config.json. The runtime behavior is limited to local filesystem access (logs, web roots, /proc), SQLite and alert log writes, and invoking local firewall binaries. The MCP server exposes ban/unban and status tools — this is expected for an agent-callable HIDS, but it means any MCP client with access is privileged and can trigger firewall changes; the documentation itself warns about treating MCP clients as privileged.
Install Mechanism
There is no install spec (instruction-only for packaging), but the repository includes runnable Python scripts. This lowers supply-chain risk compared to arbitrary downloads, but running the included code — especially with sudo — still executes third-party code on the host. The SKILL.md references a GitHub repo URL; the registry 'source' is unknown and no package signing or release verification is provided.
Credentials
The skill requests no environment variables or external credentials. It does require access to local logs, firewall binaries, and (for enforcement) root privileges; those are proportionate to a host-based intrusion detection and blocking tool. There is no evidence of network exfiltration or unrelated credential access in the source.
Persistence & Privilege
The skill does not set always:true and uses normal agent invocation. However, the MCP stdio server exposes tools that can perform privileged actions (ban/unban). That is expected, but when integrated into an agent environment you must ensure only trusted MCP clients can connect; otherwise an agent (or a compromised client) can apply firewall changes.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mini-hids
  3. After installation, invoke the skill by name or use /mini-hids
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
v1.2.0 summary: Major release adds an agent-friendly MCP server and improves automation/documentation for small server use.
- Added `mcp_server.py`, providing a local MCP server so AI agents and tools can call Mini-HIDS directly.
- Included sample MCP config for Claude Desktop in `examples/claude_desktop_mcp.json`.
- Added LLM-oriented code/project map in `llms.txt`.
- Introduced visual architecture diagrams: `mini-hids-flow.svg` and `mini-hids-flow-zh.svg`.
- Expanded and restructured documentation to cover MCP integration, AI agent workflows, and practical deployment.
- All previous runtime and detection improvements remain; see the new architecture and feature summary for details.
v1.1.0
Version 1.1.0 (mini-hids)
- Introduced proper loading and merging of config.json with built-in defaults; users should now edit config.json.
- Daemon and CLI now fully share configuration, database, and firewall logic.
- Improved detection of the firewall backend, including accurate nftables recognition.
- Ban and unban operations are now idempotent, avoiding redundant firewall rules and ensuring database/path consistency.
- The daemon checks for ban expiry more frequently, with expired blacklist records cleaned up automatically.
- All runtime files (blacklist.db, hids_alert.log, mini_hids.pid) are now consistently created in the project directory if given relative paths.
v1.0.6
mini-hids v1.0.6 Changelog
- Added new file: `hids_common.py` to the project.
- This update lays groundwork for shared functionality between modules and clarifies code organization.
v1.0.5
Security & Privacy Declaration
To ensure effective host protection, this project operates with the following security considerations:
- Privileged Access: Elevated (root) permissions are required to monitor /var/log/* and execute firewall commands (iptables/nftables) for threat mitigation.
- Data Transmission: Security logs are only transmitted to the remote LLM endpoint if AI analysis is enabled by the user.
- Credential Safety: It is highly recommended to use environment variables for API keys. Avoid hardcoding sensitive information directly into source files.
- Transparency: This is an open-source tool licensed under MIT-0; users are encouraged to audit the source code before deployment.
Changes in this version:
- Added new CLI tool: `hids_cli.py` for agent calls and command-line management.
- Updated documentation to reflect the C/S architecture and usage of the CLI tool for actions such as status checks, alert retrieval, and manual IP ban/unban.
- Introduced detailed instructions and examples for using both the background daemon (`mini_hids.py`) and the CLI tool.
- Enhanced feature list and setup guidance to highlight command-line interface integration and dual-plane design.
v1.0.4
Security & Privacy Declaration
To ensure effective host protection, this project operates with the following security considerations:
- Privileged Access: Elevated (root) permissions are required to monitor /var/log/* and execute firewall commands (iptables/nftables) for threat mitigation.
- Data Transmission: Security logs are only transmitted to the remote LLM endpoint if AI analysis is enabled by the user.
- Credential Safety: It is highly recommended to use environment variables for API keys. Avoid hardcoding sensitive information directly into source files.
- Transparency: This is an open-source tool licensed under MIT-0; users are encouraged to audit the source code before deployment.
v1.0.3
- Documentation update only; no changes to code or functionality.
- SKILL.md was updated for clarity and detail, with no adjustments to configuration or logic.
Security Statement
This skill requires root privileges to perform core security functions, including firewall rule management and system log analysis. All data processing is executed locally, and AI analysis is conducted through the user-defined LLM endpoint. Users are advised to manage their API credentials securely.
v1.0.2
- Improved documentation with a new project overview and a direct link to the GitHub repository.
- Enhanced feature summary emphasizing AI-driven detection and automated response.
- Restructured and clarified introduction and key feature sections for better readability.
- No code or logic changes; documentation update only.
v1.0.1
- Added a new "Security and Permissions" section to clarify root privileges, API key handling, and accessed system paths.
- Explained why root access is required for firewall management and log reading.
- Recommended using environment variables for API key storage to improve security.
- Listed specific log and system paths accessed for better transparency.
- No code or behavioral changes; documentation update only.
v1.0.0
Implement an automated agent to monitor firewall logs and network traffic for enhanced server protection.
Metadata
Slug mini-hids
Version 1.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 9
Frequently Asked Questions

What is Lightweight Host Intrusion Detection and Log Analysis System (Mini-HIDS)?

Real-time Linux log monitoring and AI-assisted detection of brute force attacks, web attacks, and webshells with automated IP blocking and whitelist support. It is an AI Agent Skill for Claude Code / OpenClaw, with 160 downloads so far.

How do I install Lightweight Host Intrusion Detection and Log Analysis System (Mini-HIDS)?

Run "/install mini-hids" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Lightweight Host Intrusion Detection and Log Analysis System (Mini-HIDS) free?

Yes, Lightweight Host Intrusion Detection and Log Analysis System (Mini-HIDS) is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Lightweight Host Intrusion Detection and Log Analysis System (Mini-HIDS) support?

Lightweight Host Intrusion Detection and Log Analysis System (Mini-HIDS) is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Lightweight Host Intrusion Detection and Log Analysis System (Mini-HIDS)?

It is built and maintained by netkrxn (@netkr); the current version is v1.2.0.
