Arc Sentinel

Author: arc-claw-bot · GitHub · v1.0.0
Tags: cross-platform · ⚠ suspicious
Total downloads: 1770 · Favorites: 0 · Current installs: 1 · Versions: 1

Install in OpenClaw: /install arc-sentinel
Description
Security monitoring and infrastructure health checks for OpenClaw agents. Run breach monitoring (HaveIBeenPwned), SSL certificate expiry checks, GitHub security audits, credential rotation tracking, secret scanning, git hygiene, token watchdog, and permission audits. Use when performing security scans, checking credential rotation status, auditing repos for leaked secrets, or monitoring SSL certificates and infrastructure health.
Usage (SKILL.md)

Arc Sentinel

Security monitoring toolkit for OpenClaw agents. Runs automated checks against your infrastructure and reports issues.

Configuration

Before first use, create sentinel.conf in the skill directory:

cp sentinel.conf.example sentinel.conf

Edit sentinel.conf with your values:

  • DOMAINS — Space-separated list of domains to check SSL certificates
  • GITHUB_USER — GitHub username for repo audits
  • KNOWN_REPOS — Space-separated list of expected repo names (unexpected repos trigger warnings)
  • MONITOR_EMAIL — Email address for HaveIBeenPwned breach checks
  • HIBP_API_KEY — Optional; HIBP v3 API key ($3.50/mo) for automated breach lookups

Also customize credential-tracker.json with your own credentials and rotation policies. A template is provided.

Quick Start

Full scan

cd <skill-dir>
bash sentinel.sh

Output

  • Formatted report to stdout with color-coded severity
  • JSON report saved to reports/YYYY-MM-DD.json
  • Exit codes: 0 = all clear, 1 = warnings, 2 = critical

Checks

1. SSL Certificate Expiry

Check certificate expiry for configured domains. Warns at <30 days, critical at <14 days.
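The following is an added example, not code from the Arc Sentinel skill or its author: it shows the severity logic the SSL check describes (warn below 30 days, critical below 14 days) applied to the `notAfter=` line that `openssl x509 -noout -enddate` prints. Python is used because the skill already requires python3 for JSON processing. The function names, the `fetch_enddate` helper (a TLS handshake via the standard library, offered as one way to obtain the same line without shelling out) and the sample `notAfter` strings and placeholder domains are assumptions; the page only states the thresholds and that the check uses openssl.

```python
# Added example (not part of the Arc Sentinel skill's own code): classify TLS certificate
# expiry with the thresholds SKILL.md states, warn at <30 days and critical at <14 days.
# Function names, the placeholder domains and the sample notAfter strings below are
# assumptions/constructed for illustration; the page itself only says the check uses openssl.
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30       # from SKILL.md: warn when fewer than 30 days remain
CRITICAL_DAYS = 14   # from SKILL.md: critical when fewer than 14 days remain


def parse_enddate(line: str) -> datetime:
    """Parse a line in the form `openssl x509 -noout -enddate` prints,
    e.g. 'notAfter=Jun 30 12:00:00 2025 GMT', into a UTC-aware datetime.
    strptime treats a format space as a whitespace run, so 'Jun  5' (padded day) also parses."""
    _, _, value = line.partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def classify(days_left: int) -> str:
    """Map remaining days to the report's severity levels. An expired cert (negative) is CRITICAL."""
    if days_left < CRITICAL_DAYS:
        return "CRITICAL"
    if days_left < WARN_DAYS:
        return "WARN"
    return "OK"


def check_domain(domain: str, enddate_line: str, now: datetime) -> dict:
    """Evaluate one domain from its notAfter line; `now` is injected so results are reproducible."""
    expires = parse_enddate(enddate_line)
    days_left = (expires - now).days  # timedelta.days floors: 13d 23h counts as 13 days
    return {
        "domain": domain,
        "expires": expires.isoformat(),
        "days_left": days_left,
        "severity": classify(days_left),
    }


def fetch_enddate(domain: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live lookup (assumed helper): perform a TLS handshake and return the peer cert's
    notAfter in the same format openssl prints. Needs network, so the offline demo below
    does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            cert = tls.getpeercert()
    return "notAfter=" + cert["notAfter"]


# Constructed sample data standing in for the `-enddate` output of each domain listed in
# DOMAINS in sentinel.conf. The domains are placeholders, not real targets.
SAMPLE_ENDDATES = {
    "example.com": "notAfter=Dec 31 23:59:59 2025 GMT",       # plenty of time -> OK
    "api.example.com": "notAfter=Jun 30 12:00:00 2025 GMT",   # 29 days left -> WARN
    "mail.example.com": "notAfter=Jun 10 00:00:00 2025 GMT",  # 9 days left -> CRITICAL
    "old.example.com": "notAfter=May 20 00:00:00 2025 GMT",   # already expired -> CRITICAL
}
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "now" for the demo


def run_ssl_check(enddates: dict = None, now: datetime = None) -> list:
    """Evaluate every domain and return the findings, worst severity first."""
    enddates = SAMPLE_ENDDATES if enddates is None else enddates
    now = FIXED_NOW if now is None else now
    order = {"CRITICAL": 0, "WARN": 1, "OK": 2}
    findings = [check_domain(d, line, now) for d, line in enddates.items()]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["domain"]))


if __name__ == "__main__":
    for f in run_ssl_check():
        print(f"[{f['severity']:8}] {f['domain']:20} expires {f['expires']} ({f['days_left']} days)")
```

Injecting `now` rather than reading the clock inside the check keeps the classification testable and makes a report reproducible; the same pattern is useful when comparing two days' JSON reports to see which domain crossed a threshold.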

2. GitHub Security

  • List repos and check Dependabot/vulnerability alert status
  • Review recent account activity for anomalies
  • Flag unexpected repositories

3. Breach Monitoring (HaveIBeenPwned)

  • Query HIBP API for breached accounts (requires API key)
  • Falls back to manual check URL if no key is set

4. Credential Rotation Tracking

Read credential-tracker.json and flag credentials that are overdue, approaching expiry, or never rotated. Supports policies: quarterly (90d), 6_months (180d), annual (365d), auto.
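The following is an added example, not code from the Arc Sentinel skill or its author: it evaluates a credential-tracker file against the four policies listed above (quarterly 90d, 6_months 180d, annual 365d, auto), flags entries that are overdue, approaching expiry or never rotated, and folds the result into the report layout and exit codes described under Output (0 all clear, 1 warnings, 2 critical). Python is used because the skill requires python3 for JSON processing. The JSON layout of `credential-tracker.json`, the 14-day "approaching" window, the severity attached to each status, the report field names and the reading of `auto` as "rotates itself, so reported OK" are all assumptions; the page does not define them. The sample entries are constructed placeholders, not real credentials.

```python
# Added example (not part of the Arc Sentinel skill's own code): evaluate a credential tracker
# against the rotation policies SKILL.md lists and produce the documented exit code and a
# reports/YYYY-MM-DD.json file. The tracker layout, the APPROACHING_DAYS window, the
# severity per status, the report field names and the meaning of "auto" are assumptions.
import json
import os
from datetime import date, timedelta

POLICY_DAYS = {"quarterly": 90, "6_months": 180, "annual": 365}   # from SKILL.md
APPROACHING_DAYS = 14                                             # assumption: warn within two weeks
EXIT_CODE = {"OK": 0, "WARN": 1, "CRITICAL": 2}                   # from SKILL.md's exit-code table

# Constructed credential-tracker.json content (assumed layout; names are placeholders).
SAMPLE_TRACKER = json.dumps({
    "credentials": [
        {"name": "github-pat", "policy": "quarterly", "last_rotated": "2025-02-01"},
        {"name": "aws-access-key", "policy": "6_months", "last_rotated": "2024-12-10"},
        {"name": "hibp-api-key", "policy": "annual", "last_rotated": "2025-01-15"},
        {"name": "ssh-deploy-key", "policy": "annual", "last_rotated": None},
        {"name": "managed-db-password", "policy": "auto", "last_rotated": "2025-05-30"},
    ]
})
FIXED_TODAY = date(2025, 6, 1)  # constructed "today" so the demo is reproducible


def evaluate(entry: dict, today: date) -> dict:
    """Classify one tracker entry as OK, APPROACHING, OVERDUE or NEVER_ROTATED."""
    name, policy = entry["name"], entry.get("policy", "annual")
    if policy == "auto":  # assumption: the credential rotates itself, nothing to track by hand
        return {"name": name, "policy": policy, "status": "OK", "severity": "OK", "days_left": None}
    if policy not in POLICY_DAYS:
        raise ValueError(f"{name}: unknown rotation policy {policy!r}")
    last = entry.get("last_rotated")
    if not last:
        return {"name": name, "policy": policy, "status": "NEVER_ROTATED",
                "severity": "CRITICAL", "days_left": None}
    due = date.fromisoformat(last) + timedelta(days=POLICY_DAYS[policy])
    days_left = (due - today).days
    if days_left < 0:
        status, severity = "OVERDUE", "CRITICAL"
    elif days_left <= APPROACHING_DAYS:
        status, severity = "APPROACHING", "WARN"
    else:
        status, severity = "OK", "OK"
    return {"name": name, "policy": policy, "status": status,
            "severity": severity, "days_left": days_left}


def run_rotation_check(tracker_json: str = None, today: date = None) -> list:
    """Evaluate every entry in the tracker (defaults to the constructed sample)."""
    tracker = json.loads(SAMPLE_TRACKER if tracker_json is None else tracker_json)
    today = FIXED_TODAY if today is None else today
    return [evaluate(e, today) for e in tracker["credentials"]]


def overall_exit_code(findings: list) -> int:
    """Worst severity wins: 0 all clear, 1 warnings, 2 critical."""
    return max((EXIT_CODE[f["severity"]] for f in findings), default=0)


def build_report(findings: list, today: date) -> dict:
    """Report shaped like the documented reports/YYYY-MM-DD.json (field names assumed).
    It carries credential names and dates only, never secret values."""
    return {"date": today.isoformat(),
            "checks": {"credential_rotation": findings},
            "exit_code": overall_exit_code(findings)}


def write_report(report: dict, reports_dir: str) -> str:
    """Write <reports_dir>/<date>.json with restrictive modes, since findings are sensitive."""
    os.makedirs(reports_dir, mode=0o700, exist_ok=True)
    path = os.path.join(reports_dir, f"{report['date']}.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    findings = run_rotation_check()
    for f in findings:
        print(f"[{f['severity']:8}] {f['name']:22} {f['status']:14} "
              f"policy={f['policy']} days_left={f['days_left']}")
    report = build_report(findings, FIXED_TODAY)
    print("report written to", write_report(report, "reports"))
    raise SystemExit(report["exit_code"])
```

The tracker stores only names, policies and dates, which is the safe way to use this file: the skill's own reviewers note that report files may end up containing matched secret strings, and keeping actual secret values out of `credential-tracker.json` avoids adding to that exposure.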

Additional Scripts

Script                          Purpose
scripts/secret-scanner.sh       Scan repos/files for leaked secrets and API keys
scripts/git-hygiene.sh          Audit git history for security issues
scripts/token-watchdog.sh       Monitor token validity and expiry
scripts/permission-auditor.sh   Audit file and access permissions
scripts/skill-auditor.sh        Audit installed skills for security
scripts/full-audit.sh           Run all scripts in sequence

Agent Usage

During heartbeats or on request:

  1. Run bash sentinel.sh from the skill directory
  2. Review output for WARN or CRITICAL items
  3. Report findings to the human if anything needs attention
  4. Update credential-tracker.json when credentials are rotated

Cron Setup

# Weekly Monday 9am
0 9 * * 1 cd /path/to/arc-sentinel && bash sentinel.sh >> reports/cron.log 2>&1

Requirements

  • openssl (SSL checks)
  • gh CLI authenticated (GitHub checks)
  • curl (HIBP)
  • python3 (JSON processing)
Safe usage recommendations
Arc Sentinel implements a broad set of local checks and contains many scripts that will read sensitive files (SSH keys, AWS credentials, Docker/NPM/Kube configs, other skills' code), and it will write findings — including matched secret strings — into stdout and report files. Before running it:

  1. review the bundled scripts yourself (they are included) to confirm you accept their behavior;
  2. do not run as root — run with least privilege or inside an isolated environment (container/VM) to limit exposure;
  3. remove or sanitize any real credentials in credential-tracker.json before use and avoid putting API keys/secrets into sentinel.conf unless you understand where reports will be stored/transmitted;
  4. note the registry metadata does not list required binaries or env vars even though SKILL.md and the scripts require openssl, gh, curl, python3 and access to many config paths — ask the publisher to correct metadata;
  5. if you plan to run it on a machine with sensitive secrets, consider running first in a throwaway VM and inspect generated reports to ensure they are stored only where you expect.

If you want me to, I can point out exact lines where each sensitive path is accessed or produce a checklist of files this skill will read.
Functional analysis

Type: OpenClaw Skill · Name: arc-sentinel · Version: 1.0.0

The OpenClaw AgentSkills bundle 'arc-sentinel' is designed for security monitoring and auditing. It accesses sensitive files (e.g., `~/.ssh`, `~/.aws/credentials`, `~/.config/fulcra/token.json`, `~/.kube/config`) and performs system checks (e.g., `lsof`, `LaunchAgents` review). While these actions are aligned with its stated purpose of security auditing, the `SKILL.md` explicitly instructs the AI agent to `Update credential-tracker.json when credentials are rotated`. This instruction grants the agent file modification capabilities, which, although intended for a benign purpose, represents a risky capability that could be abused if the agent were compromised or given malicious instructions. Additionally, the `sentinel.sh` script makes an external network call to `https://haveibeenpwned.com/api/v3/breachedaccount/` using the configured `MONITOR_EMAIL` and `HIBP_API_KEY`, which is a legitimate security check but involves sending user data to an external service. The `skill-auditor.sh` script, while designed to detect malicious behavior in *other* skills, demonstrates the skill's ability to scan and analyze code across the agent's environment, which is a powerful and potentially risky capability.
Capability assessment
Purpose & Capability
The name/description (arc-sentinel — SSL, breach checks, GitHub audits, secret scanning, token watchdog, permission audits) matches the included scripts, which implement those checks. However, the registry metadata (no required binaries, no env vars listed) does not declare dependencies that SKILL.md and the scripts explicitly require (openssl, gh, curl, python3). This metadata mismatch is unexpected and should be corrected.
Instruction Scope
Runtime instructions tell the agent to run sentinel.sh which executes multiple scanners that read many sensitive locations (e.g., ~/.ssh, ~/.aws/credentials, ~/.docker/config.json, ~/.kube/config, ~/.config/fulcra/token.json, LaunchAgents, other skills under ~/.openclaw/workspace/skills). The scanners also grep repository contents and git history and will write findings (including matched secret strings) to stdout and JSON/text reports in reports/YYYY-MM-DD.json. There are no explicit steps that upload findings to remote endpoints inside these scripts, but the practice of collecting and saving secrets in local report files is a privacy/exfiltration risk if those reports are later transmitted or accessible. The skill-auditor script will scan other installed skills (reads other skills' files) which is reasonable for an auditor but is broad and should be consented to.
Install Mechanism
No install spec — instruction-only with bundled scripts. This lowers supply-chain risk (nothing is downloaded at install time). All code is present in the package, so it can be reviewed before execution.
Credentials
Registry metadata declares no required environment variables or primary credential, yet the code reads environment and configuration (HOME, AWS_ACCESS_KEY_ID, KUBECONFIG, and many files under $HOME). SKILL.md documents the HIBP API key as optional, but it (and other credentials) is not declared in the skill metadata. The scripts access many sensitive config paths and may include secret values in reports; requiring explicit declaration of which credentials/configs are needed and why would be expected for a security tool.
Persistence & Privilege
always:false (not force-included) and default model invocation settings are used. The skill does not request to modify other skills' configs or set always:true. It will, however, by default scan the skills directory (~/.openclaw/workspace/skills) which reads other skills' files — that is a privileged read action but appears consistent with its auditing purpose and is not the same as persisting or escalating privileges.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install arc-sentinel
  3. After installation, call the Skill by name directly or trigger it with /arc-sentinel
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release: SSL monitoring, GitHub security audits, breach detection, credential rotation tracking
Metadata
Slug: arc-sentinel
Version: 1.0.0
License:
Cumulative installs: 1
Current installs: 1
Historical versions: 1
FAQ

What is Arc Sentinel?

Security monitoring and infrastructure health checks for OpenClaw agents. Run breach monitoring (HaveIBeenPwned), SSL certificate expiry checks, GitHub security audits, credential rotation tracking, secret scanning, git hygiene, token watchdog, and permission audits. Use when performing security scans, checking credential rotation status, auditing repos for leaked secrets, or monitoring SSL certificates and infrastructure health. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1770 cumulative downloads to date.

How do I install Arc Sentinel?

Run the command "/install arc-sentinel" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Arc Sentinel free?

Yes, Arc Sentinel is completely free (open source and free) and can be freely downloaded, installed and used.

Which platforms does Arc Sentinel support?

Arc Sentinel runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Arc Sentinel?

Developed and maintained by arc-claw-bot (@arc-claw-bot); current version v1.0.0.
