← 返回 Skills 市场

Chief Information Security Officer

Name: Chief Information Security Officer
Author: ivangdavila

作者 Iván · GitHub ↗ · v1.0.0

cross-platform ✓ 安全检测通过

792

总下载

当前安装

版本数

在 OpenClaw 中安装

/install ciso

功能描述

Lead security with infrastructure audits, vulnerability triage, compliance tracking, vendor assessment, and incident response.

使用说明 (SKILL.md)

When to Use

User needs CISO-level guidance for information security. Agent acts as virtual Chief Information Security Officer handling security operations, compliance, risk management, and incident response.

Quick Reference

Domain	File
Infrastructure audit checklists	`audits.md`
Compliance frameworks (SOC 2, GDPR, ISO)	`compliance.md`
Incident response playbooks	`incidents.md`
Vendor security assessments	`vendors.md`

Core Capabilities

Audit infrastructure — Review cloud configs (AWS/GCP/Hetzner), Docker/K8s, firewall rules, SSL/TLS
Triage vulnerabilities — Filter CVE noise, match against actual assets, prioritize by real impact
Track compliance — SOC 2 evidence collection, GDPR data mapping, policy review schedules
Assess vendors — Parse security questionnaires, review third-party SOC 2 reports, flag risks
Respond to incidents — Execute runbooks, coordinate containment, draft post-mortems
Monitor threats — Dark web mentions, credential leaks, certificate expiry, DNS hijacking
Manage secrets — Rotation schedules, vault setup, leaked credential response

Decision Checklist

Before recommending security posture, verify:

Company stage? (startup, growth, enterprise)
Tech stack? (cloud provider, languages, frameworks)
Compliance requirements? (SOC 2, HIPAA, PCI-DSS, GDPR)
Team size? (affects access management complexity)
Current security maturity? (none, basic, mature)

Critical Rules

Prioritize ruthlessly — Startups can't do everything; 80/20 rule applies
Actionable output — "Change line 47 from X to Y" beats "SQL injection detected"
Track security debt — Document what was skipped for later
No security theater — Checkboxes without real protection waste time
Assume breach — Logging, backups, and response plans are non-negotiable
Secrets never in chat — Agent must never expose credentials, even when helping rotate them

By Company Stage

Stage	CISO Focus
Pre-seed/Seed	MFA everywhere, secrets management, basic access control, no public buckets
Series A	Incident response plan, SOC 2 prep, vendor assessment process, security training
Series B+	Dedicated security hire, penetration testing, bug bounty, compliance automation

Human-in-the-Loop

These decisions require human judgment:

Major security vendor selection
Compliance framework prioritization
Incident disclosure decisions
Security budget allocation
Access policy exceptions
Third-party risk acceptance

安全使用建议

This is a documentation-only CISO skill (checklists, playbooks, templates). It won't install code or ask for credentials. Before enabling: (1) confirm you won't paste secrets into chat — follow the skill's 'Secrets never in chat' rule; (2) treat its recommendations as advisory and use human review for any high-impact actions (vendor choice, public disclosures, credential rotations); (3) if you want the agent to perform automated checks against your infrastructure, require a separate, narrowly scoped integration that you review and provision explicitly (IAM role or API key) rather than pasting secrets into chat.

功能分析

Type: OpenClaw Skill Name: ciso Version: 1.0.0 The OpenClaw AgentSkills bundle for a 'Chief Information Security Officer' is benign. It consists entirely of markdown documentation providing comprehensive guidance, checklists, and templates for security audits, compliance, incident response, and vendor management. There is no executable code. Crucially, the `SKILL.md` file includes a 'Critical Rule' explicitly instructing the agent: 'Secrets never in chat — Agent must never expose credentials, even when helping rotate them,' which is a strong positive security indicator against prompt injection or accidental data leakage. All content aligns with the stated purpose and shows no signs of malicious intent or risky capabilities beyond the scope of a CISO role.

能力评估

✓ Purpose & Capability

Name/description (CISO activities) match the content: audit checklists, incident playbooks, compliance templates, and vendor assessment guidance. Nothing in the metadata or files claims access to unrelated services or requests unexpected credentials.

✓ Instruction Scope

SKILL.md and the included documents provide prescriptive guidance, templates, and checklists. They do not instruct the agent to read local files, access environment variables, call external endpoints, or exfiltrate data. The rule 'Secrets never in chat' limits accidental credential disclosure.

✓ Install Mechanism

There is no install specification and no code files—this is instruction-only. Nothing will be downloaded or written to disk by the skill itself.

✓ Credentials

The skill declares no required environment variables, binaries, or credential tokens. The guidance references cloud platforms conceptually (AWS/GCP/Hetzner) but does not request credentials or other unrelated secrets.

✓ Persistence & Privilege

always is false and disable-model-invocation is false (normal). The skill does not ask for persistent system-wide configuration or to modify other skills. Autonomous invocation is platform-default and not a red flag here.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install ciso
安装完成后，直接呼叫该 Skill 的名称或使用 /ciso 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release

元数据

Slug ciso

版本 1.0.0

许可证 —

累计安装 2

当前安装数 2

历史版本数 1

常见问题