← 返回 Skills 市场
msaad00

agent-bom runtime

作者 Agent Bom · GitHub ↗ · v0.82.3 · MIT-0
darwinlinuxwindows ⚠ suspicious
755
总下载
0
收藏
1
当前安装
35
版本数
在 OpenClaw 中安装
/install agent-bom-runtime
功能描述
AI runtime security monitoring — context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries. Use when the u...
使用说明 (SKILL.md)

agent-bom-runtime — AI Runtime Security Monitoring

Context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries.

Install

pipx install agent-bom

Tools (3)

Tool Description
context_graph Agent context graph with lateral movement analysis
analytics_query Query vulnerability trends, posture history, and runtime events
runtime_correlate Cross-reference runtime audit logs with CVE findings

Example Workflows

# Build context graph from scan results
context_graph()

# Correlate runtime audit with CVE data
runtime_correlate(audit_file="proxy-audit.jsonl")

# Query analytics
analytics_query(query="top_cves", days=30)

Privacy & Data Handling

Operates on scan results already in memory and user-provided audit log files. No automatic file discovery. No network calls unless you configure an optional ClickHouse endpoint for persistent analytics.

Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • 7,100+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics
安全使用建议
This SKILL.md reads like documentation for an external Python package rather than a self-contained skill. Before installing or enabling it: 1) Inspect the referenced PyPI/GitHub package (https://github.com/msaad00/agent-bom and PyPI page) to verify source code, release artifacts, and what env vars it actually uses (especially ClickHouse and kubectl integrations). 2) Confirm how the agent will obtain the package—automatic pip installs run arbitrary package code at install time; prefer installing into an isolated environment (pipx or a virtualenv) and reviewing package contents first. 3) If you plan to provide audit logs or a ClickHouse endpoint, make sure credentials are scoped and stored safely (do not expose cluster-wide kubeconfigs or broad DB credentials). 4) Ask the skill author (or check repo) for explicit env var names and a clear install manifest; if those are added (or the skill bundles its implementation), reassess. Given the current mismatch between claimed tools and the lack of bundled code/install spec, proceed cautiously.
功能分析
Type: OpenClaw Skill Name: agent-bom-runtime Version: 0.82.3 The skill bundle contains metadata and documentation for 'agent-bom-runtime', a tool designed for AI runtime security monitoring and audit log correlation. The SKILL.md file describes legitimate security analysis functions (context graphs, CVE correlation) and explicitly outlines a privacy-conscious data flow with no telemetry or unauthorized network access. No malicious instructions, prompt injection attempts, or suspicious obfuscation were found in the provided documentation.
能力评估
Purpose & Capability
The name/description (runtime security monitoring, context graphs, audit correlation) aligns with the declared capabilities. However, the SKILL.md repeatedly references an external Python package (agent-bom) and callable tools (context_graph, runtime_correlate, analytics_query) while the registry entry provides no code files and no install spec—so the skill is only documentation describing capabilities that depend on an external package.
Instruction Scope
Instructions say the tool operates only on in-memory scan results and user-provided audit log files (JSONL) and claims 'no automatic file discovery' which is good. But the SKILL.md also instructs installing the agent-bom package via pipx/pip and shows function-like invocations (context_graph(), runtime_correlate(...)). Because there is no bundled implementation, it's unclear whether the agent is expected to import/run external code, install packages, or simply follow high-level guidance. The agent could attempt network installs or run code not present in the skill, which expands the runtime scope beyond the skill's contents.
Install Mechanism
There is no formal install spec; the document suggests installing via pipx or pip (and lists a PyPI URL). That is a legitimate, common pattern, but the registry lacks an automated install entry. This mismatch means the agent or user must perform an installation step outside the skill—if done automatically it would fetch code from PyPI/GitHub (network download). The absence of an explicit install manifest in the skill is an integrity/traceability gap.
Credentials
The skill declares 'Zero credentials required' and lists no required env vars, which is consistent with the description. However, it refers to an optional ClickHouse endpoint and optional kubectl usage without declaring the env var names or how credentials would be supplied. That omission makes it unclear what secrets (ClickHouse URL, DB creds, kubeconfig access) the package might request when actually installed and configured.
Persistence & Privilege
Skill metadata shows always: false and autonomous_invocation restricted. The skill declares no persistence, no telemetry, and no privilege escalation. There's no indication it would demand permanent presence or system-wide configuration changes.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install agent-bom-runtime
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /agent-bom-runtime 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.82.3
Release v0.82.3
v0.82.2
Release v0.82.2
v0.81.3
Release v0.81.3
v0.81.1
Release v0.81.1
v0.81.0
Release v0.81.0
v0.80.1
Release v0.80.1
v0.78.1
Release v0.78.1
v0.76.4
Release v0.76.4
v0.76.2
Release v0.76.2
v0.76.1
Release v0.76.1
v0.76.0
Release v0.76.0
v0.75.15
Release v0.75.15
v0.75.14
Release v0.75.14
v0.75.13
Release v0.75.13
v0.75.11
Release v0.75.11
v0.75.10
Release v0.75.10
v0.75.9
Release v0.75.9
v0.75.8
Release v0.75.8
v0.75.7
Release v0.75.7
v0.75.6
Release v0.75.6
元数据
Slug agent-bom-runtime
版本 0.82.3
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 35
常见问题

agent-bom runtime 是什么?

AI runtime security monitoring — context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries. Use when the u... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 755 次。

如何安装 agent-bom runtime?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install agent-bom-runtime」即可一键安装,无需额外配置。

agent-bom runtime 是免费的吗?

是的,agent-bom runtime 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

agent-bom runtime 支持哪些平台?

agent-bom runtime 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin, linux, windows)。

谁开发了 agent-bom runtime?

由 Agent Bom(@msaad00)开发并维护,当前版本 v0.82.3。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论