clawSecurityTest

Author: qinjianfenghzau-wq · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 131
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install clawprepub
Description
Install and configure the security-related plugins required by OpenClaw, including the `ai-assistant-security-openclaw` plugins. Use this skill when you want...
Usage instructions (SKILL.md)

ClawSentry

Script Functionality

The bundled script (bundle.cjs) performs the following operations:

  1. Plugin Installation: Installs the ai-assistant-security-openclaw plugin for OpenClaw.
  2. Device Fingerprinting: Collects machine identifiers using the node-machine-id library to generate a device fingerprint.
  3. Login Token Creation: Communicates with the authorization API to create a login token.
  4. Login URL Generation: Generates a unique login URL based on the login token.
  5. Local Storage: Stores the login URL, token, and device fingerprint in {baseDir}/.state/login_state.json.
  6. Background Monitoring: Spawns a detached child process to monitor login status for up to 10 minutes.
  7. Configuration Update: Updates OpenClaw plugin configuration with encrypted API keys upon successful login.

Network Endpoints

The script communicates with the following API endpoints:

  • Login Token Creation: /OpenTOP/V1/Console/CreateLoginToken
  • Login Status Check: /OpenTOP/V1/Console/GetLoginTokenIdentity

All communications are conducted over HTTPS.

Local File Operations

The script reads from and writes to the following files:

  • Reads: Machine identifiers via the node-machine-id library
  • Writes:
    • {baseDir}/.state/login_state.json (stores login URL, token, and device fingerprint)
    • {baseDir}/.state/poll_login.log (logs monitoring activity)
    • OpenClaw plugin configuration (updates with encrypted API keys)

Data Collection

The script collects the following data:

  • Device Fingerprint: Generated from machine identifiers for device-binding purposes
  • Login Status: Monitored to determine when the user completes the login process

Install Mechanism

Installation Method

The skill uses a bundled CommonJS script (bundle.cjs) for installation. This script is executed directly to install and configure the ai-assistant-security-openclaw plugin.

Script Source

The bundled script is generated from the source code in the ClawSentry repository. It includes the following third-party libraries:

  • node-machine-id: Used to generate device fingerprints
  • child_process: Used by node-machine-id to query system information

Risk Considerations

  • Bundled Code: The script includes bundled third-party libraries, which may execute system-level operations.
  • System Queries: The script uses the node-machine-id library, which may use child_process to query system information.
  • Network Access: The script communicates with remote API endpoints for authentication.
  • Arbitrary Code Execution: Running bundled scripts from unknown sources can execute arbitrary code on your system.

Security Measures

  • HTTPS Communication: All network requests are conducted over HTTPS to ensure data encryption.
  • Encrypted Storage: Sensitive information (such as API keys) is encrypted before storage.
  • Limited Scope: The script only modifies OpenClaw plugin configurations and creates temporary files in the .state directory.
  • Transparent Operations: All script operations are documented in this file for transparency.

Verification Steps

Before executing the script, you should:

  1. Review Full Script: Examine the complete script code to understand its functionality
  2. Verify Integrity: Check the script's file integrity using a hash if provided
  3. Monitor Execution: Run the script in a controlled environment and monitor its output
  4. Ensure Trust: Only run the script if you trust the source of this skill
  5. Check Permissions: Ensure the script has appropriate file permissions

Alternative Installation

If you prefer a more controlled installation, you can:

  • Manually install the ai-assistant-security-openclaw plugin
  • Configure the plugin settings through the OpenClaw configuration system
  • Follow the manual setup instructions provided in the plugin documentation

Use Cases

  • Use this skill when you need to install and prepare the ai-assistant-security-openclaw plugins for the OpenClaw environment on the current machine.
  • Trigger this skill when the user mentions requirements such as "install clawSentry / ai-assistant-security-openclaw plugin / 帮我安装clawSentry技能 / 安装clawSentry技能".

Steps

1. Verify Node.js is installed:

Ensure Node.js (version 14 or higher) is installed on the system. You can check with:

node --version

2. Execute the combined script to install plugin and generate login link:

node {baseDir}/scripts/bundle.cjs

After the script completes:

  • The script will display the login URL directly. You can also extract it from the output by looking for the line that starts with [LOGIN_URL]:
  • You can also read the login URL from {baseDir}/.state/login_state.json file (look for the loginUrl field). If the file doesn't exist, try reading it again after a few seconds. If you can't find the files, try looking in .openclaw/skills/ClawSentry/scripts/ directory.
  • Send the login URL to the user along with this message: "After completing login, if you want to check if the installation was successful, please wait one minute and then ask me such as 'view all plugin list / 查看我的本地插件 '"
Safe usage advice
This skill reasonably matches its stated goal (installing a security plugin with an auth flow), but it runs an included Node script that: (1) collects machine identifiers by invoking system commands, (2) spawns a detached background process, (3) stores login tokens and encrypted API keys locally, and (4) communicates with remote auth endpoints whose hostnames are not specified in SKILL.md. Before running it: review the full bundle.cjs source line-by-line (or have a trusted reviewer do so); confirm the remote service hostname(s) and verify TLS endpoints; verify how encryption keys are derived and where decrypted secrets are stored; run the script in an isolated sandbox or VM first; avoid running as an administrative user; and ensure you trust the skill author/source. If you cannot review the code or confirm the endpoints and encryption details, treat this skill as high-risk and do not run it on production or sensitive machines.
Functional analysis
Type: OpenClaw Skill
Name: clawprepub
Version: 1.0.0

The ClawSentry skill bundle is a legitimate installer for a security monitoring plugin associated with Volcengine (ByteDance). The bundled script `bundle.cjs` performs machine fingerprinting using the `node-machine-id` library, communicates with official endpoints (clawsentry.cn) to facilitate a login flow, and automatically updates the OpenClaw configuration with retrieved API keys. While the script utilizes high-privilege operations such as spawning detached background processes and executing CLI commands to restart the gateway, these actions are transparently documented in `SKILL.md` and are strictly aligned with the stated purpose of automated plugin setup and configuration.
Capability assessment
Purpose & Capability
The stated purpose (install and configure a security plugin and perform an auth/login flow) matches the script's actions: plugin installation, generation of a login token/URL, device-binding via machine id, and updating plugin configuration. Collecting a device fingerprint for 'device-binding' is plausible for this purpose, but the SKILL.md does not document where the remote service is hosted or how encryption keys are derived/managed, which is an important missing justification.
Instruction Scope
Runtime instructions tell the agent/operator to execute the included bundle.cjs directly. The script executes system commands (via node-machine-id using child_process.exec/execSync), writes login state and logs into a .state directory, spawns a detached background monitoring process for up to 10 minutes, and performs network requests to authentication endpoints. These operations are within the broad goal but are sensitive (machine identifiers, token storage, background process). The SKILL.md lacks details about the remote host(s) used, what exact data is sent, and how long the background process runs/what it can do beyond polling.
Install Mechanism
There is no package-manager install; the skill bundles an executable CommonJS script (bundle.cjs) and instructs running it. Executing a non-reviewed bundled script from an unknown source is higher risk because it can run arbitrary code on the host. The bundle does include third-party code (node-machine-id) and uses child_process; that pattern is expected for machine-id collection but still elevates risk when the bundle origin is unknown.
Credentials
The skill declares no required env vars or credentials, which is consistent with a browser-based auth flow returning a token. However, it collects device identifiers (potentially sensitive), stores tokens and encrypted API keys locally, and updates plugin configuration without declaring how encryption keys are derived or protected. The lack of declared endpoints/hosts and missing explanation for encryption key management are notable omissions.
Persistence & Privilege
The skill does not request always:true and does not claim permanent system-wide changes. It writes files under a .state directory and spawns a detached background monitor for a short duration (claimed up to 10 minutes). Modifying the plugin's own configuration is expected for installation. Still, the background process behavior should be reviewed (what it can do beyond simple polling).
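How to use
  1. Make sure OpenClaw is installed (locally or deployed via Docker)
  2. Enter the install command in the chat box: /install clawprepub
  3. Once installation completes, call the Skill by name or trigger it with /clawprepub
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history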
v1.0.0
ClawSentry 1.0.0 - Initial release
  • Installs and configures the `ai-assistant-security-openclaw` plugin for OpenClaw in a single step.
  • Generates a device fingerprint using machine identifiers for secure device binding.
  • Handles secure login flow: creates a login token, generates a unique login URL, and stores authentication state locally.
  • Monitors login status in the background for up to 10 minutes, updating plugin configuration with encrypted API keys on success.
  • All operations and network communications are documented for transparency and security.
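Metadata
Slug: clawprepub
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 1
FAQ

What is clawSecurityTest?

Install and configure the security-related plugins required by OpenClaw, including the `ai-assistant-security-openclaw` plugins. Use this skill when you want... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 131 total downloads so far.

How do I install clawSecurityTest?

Run the command "/install clawprepub" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is clawSecurityTest free?

Yes, clawSecurityTest is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does clawSecurityTest support?

clawSecurityTest runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed clawSecurityTest?

Developed and maintained by qinjianfenghzau-wq (@qinjianfenghzau-wq); the current version is v1.0.0.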
