Security Audit Tianjin
by tianjin-ren (GitHub) · v1.0.1 · MIT-0
315 downloads · 0 stars · 1 active install · 2 versions
Install in OpenClaw
/install security-audit-tianjin
Description
Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included.
Usage Guidance
This skill appears to implement a Clawdbot security audit, but take these precautions before installing/running it:
- Expect to run the script with Node.js; the skill does not declare Node as a required binary — ensure Node is present or the run will fail.
- Review the full scripts/audit.cjs source (the provided file was truncated) to confirm exactly what --fix does (which files are modified, exact permission changes, any writes). Back up the target directories first.
- The script uses hard-coded paths under /root/clawd and '/root/clawd/skills/.env'. Only run it on a system where those paths are the intended target; otherwise edit the script or run it in a controlled environment.
- Run the audit in read-only mode (no --fix) first to inspect findings. If you consider using --fix, run it in an isolated test environment or container and review changes afterwards.
- The code uses child_process.execSync to call ss/netstat and git. That is expected for the port and git checks, but it widens the blast radius of anything else the script does: avoid running it as root unless necessary. Because the paths are hard-coded under /root/clawd, an unprivileged run may not be able to read the real target; in that case audit a copy of the tree in a controlled environment instead.
- Confirm the skill source/owner is trusted: the ownerId in the bundle's _meta.json does not match the registry ownerId. If provenance is uncertain, prefer manual review or use in an isolated sandbox.
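The precautions above are a procedure a practitioner can largely script before the skill is allowed to run. The shell helper below is an added example written for this page, not code from the skill or its author: it checks that Node is on PATH, greps a downloaded audit.cjs for command-execution and write-capable calls and for hard-coded absolute paths, snapshots the target tree, and prints (without executing) a contained docker invocation that bind-mounts a copy read-only at the path the script hard-codes. The sample script it inspects is constructed here to stand in for the real, truncated scripts/audit.cjs; the grep patterns, the node:20-alpine image, the /srv/clawd-copy path and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page, not part of the skill: static pre-flight review of a
# downloaded skill script before it is allowed to run. Function names, grep patterns
# and the container image are this example's own assumptions.

# The skill does not declare Node as a required binary, so check for it explicitly.
require_node() {
  command -v node >/dev/null 2>&1
}

# Command-execution and file-changing calls, printed as line:text for review.
risky_calls() {
  grep -nE 'execSync|(^|[^A-Za-z_])(exec|execFile|spawn)(Sync)?\(|(^|[^A-Za-z_])(rm|rmdir|unlink|chmod|chown|writeFile|appendFile|mkdir|rename|copyFile)(Sync)?\(' "$1"
}

# Hard-coded absolute paths (the page reports /root/clawd and /root/clawd/skills/.env).
hardcoded_paths() {
  grep -noE "['\"]/(root|home|etc|var)[^'\"]*['\"]" "$1"
}

# Number of lines with write-capable calls; anything above 0 means the script can
# modify the audited tree (the page attributes this to --fix, but grep cannot tell).
write_call_count() {
  n=$(grep -cE '(^|[^A-Za-z_])(rm|rmdir|unlink|chmod|chown|writeFile|appendFile|mkdir|rename|copyFile)(Sync)?\(' "$1") || true
  echo "${n:-0}"
}

# Snapshot the target before any run that might write; tar keeps ownership and modes.
backup_target() {
  tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# Contained invocation: the script expects /root/clawd, so mount a copy there
# read-only, with no network and no capabilities. Printed, not executed, so it can
# be reviewed first; node:20-alpine is an assumed image. Extra args are passed through.
sandboxed_audit_cmd() {
  target="$1"; shift
  printf 'docker run --rm --network none --cap-drop ALL --read-only --tmpfs /tmp -v %s:/root/clawd:ro node:20-alpine node /root/clawd/skills/security-audit/scripts/audit.cjs %s\n' "$target" "$*"
}

# One-shot report; returns nonzero when the script contains write-capable calls.
preflight() {
  require_node || echo "WARN: node not on PATH; the skill needs it but does not declare it"
  echo "== risky calls"; risky_calls "$1" || echo "(none)"
  echo "== hard-coded absolute paths"; hardcoded_paths "$1" || echo "(none)"
  n=$(write_call_count "$1")
  echo "== write-capable calls: $n"
  [ "$n" -eq 0 ]
}

# Constructed stand-in for the truncated scripts/audit.cjs (NOT the real skill code).
write_sample_script() {
  cat > "$1" <<'EOF'
const { execSync } = require('child_process');
const fs = require('fs');
const CLAWD_DIR = '/root/clawd';
const CONFIG_DIR = '/root/clawd/skills/.env';
const ports = execSync('ss -tlnp 2>/dev/null || netstat -tlnp').toString();
if (process.argv.includes('--fix')) {
  fs.chmodSync(CONFIG_DIR, 0o600);
  fs.writeFileSync(CLAWD_DIR + '/.gitignore', '.env\n');
}
EOF
}

# Demo on the constructed sample; point the same calls at the real downloaded file.
if [ "${PREFLIGHT_DEMO:-1}" = 1 ]; then
  tmp=$(mktemp)
  write_sample_script "$tmp"
  preflight "$tmp" || echo "== verdict: run read-only first, take a backup, prefer the sandboxed command"
  sandboxed_audit_cmd /srv/clawd-copy
  rm -f "$tmp"
fi
```

Run preflight on the real audit.cjs first; a nonzero write count means --fix (or any other code path) can modify the tree, so take the backup and prefer the printed sandboxed command, which keeps the hard-coded /root/clawd path working against a read-only copy. The grep is a triage aid only: dynamic require, eval or string-built commands will not show up, which is why the full source still has to be read.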
Capability Analysis
Type: OpenClaw Skill
Name: security-audit-tianjin
Version: 1.0.1
The skill performs security audits by scanning for credentials, open ports, and configuration flaws in 'Clawdbot' deployments. It utilizes high-risk capabilities including shell command execution (ss, netstat, git) via child_process.execSync and broad file system access to read sensitive files like private keys and .env files. While these actions in scripts/audit.cjs are aligned with the stated purpose in SKILL.md and no evidence of data exfiltration was found, the inherent risk of these operations qualifies the bundle as suspicious under the provided criteria.
Capability Assessment
Purpose & Capability
The name/description (Clawdbot security audit) aligns with the script's behaviors: recursive file scans, port checks, Docker/Git checks and credential pattern matching under a Clawdbot directory. However, the script hard-codes paths under /root/clawd and a CONFIG_DIR '/root/clawd/skills/.env' which is very specific and could be incorrect or overly broad for other installs. Also _meta.json ownerId differs from registry ownerId (metadata mismatch).
Instruction Scope
SKILL.md instructs to run node skills/security-audit/scripts/audit.cjs with flags and promises scanning of 'tokens in command history' and an 'auto-fix' mode. The included script shows many read/scan operations and execSync usage (ss/netstat, git), but the provided file is truncated so the full auto-fix implementation and any reads of shell history are not visible. The instructions give the agent permission to run code that reads many files and may modify filesystem state; the exact modification behavior (what --fix changes) is not fully verifiable from the truncated code.
Install Mechanism
There is no install spec (instruction-only style), but SKILL.md commands invoke node. The registry metadata lists no required binaries. That is an inconsistency: the script requires Node.js to run but the skill does not declare Node as a required binary or runtime. Running without Node will fail; running with Node will execute the bundled code. Lack of declared runtime is a mismatch the user should note.
Credentials
The skill declares no environment variables or external credentials (consistent). The script reads many files under /root/clawd (configs, .env, Dockerfile, .git, code files) which is proportionate to auditing Clawdbot, but because the path is hard-coded to /root it will access root-owned files if run as a privileged user. The audit's read-only checks are expected, but the auto-fix option implies write operations (e.g., setting permissions, creating .gitignore) which require filesystem write privileges and increase risk if run on a system with unrelated sensitive files.
Persistence & Privilege
The skill is not always-enabled and the default autonomous invocation is allowed (platform default). There are no indications it attempts to persist itself or modify other skills. However, the auto-fix behavior can change file permissions and create files in the audited tree — this is expected for an auto-fix feature but is higher privilege than a pure scanner and should be used cautiously.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install security-audit-tianjin
- After installation, invoke the skill by name or use /security-audit-tianjin
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Updated metadata in _meta.json; no functional or documentation changes.
- All skill usage, setup, and audit instructions remain the same.
v1.0.0
Initial release of the Security Audit skill for Clawdbot:
- Runs comprehensive security audits for Clawdbot deployments, checking for exposed credentials, open ports, weak configurations, and vulnerabilities.
- Supports quick, full, and targeted audits via command-line options.
- Includes auto-fix mode to automatically remediate common security issues.
- Generates detailed reports with actionable severity ratings (Critical, High, Medium, Info).
- No external dependencies required; uses native system tools.
- Offers specific checks for credentials, ports, configuration, file permissions, and Docker security settings.
Frequently Asked Questions
What is Security Audit Tianjin?
Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included. It is an AI Agent Skill for Claude Code / OpenClaw, with 315 downloads so far.
How do I install Security Audit Tianjin?
Run "/install security-audit-tianjin" in the OpenClaw or Claude Code chat to install it in one step. Note that the bundled script is run with Node.js, which the skill does not declare as a required binary, so Node must already be present on the host.
Is Security Audit Tianjin free?
Yes, Security Audit Tianjin is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Security Audit Tianjin support?
The listing describes Security Audit Tianjin as cross-platform, running anywhere OpenClaw / Claude Code is available. In practice the bundled script shells out to ss/netstat and hard-codes paths under /root/clawd, so it targets Linux hosts with Node.js installed.
Who created Security Audit Tianjin?
It is built and maintained by tianjin-ren (@tianjin-ren); the current version is v1.0.1.