← 返回 Skills 市场
ClawSentry
作者
volcengine-skills
· GitHub ↗
· v1.1.2
· MIT-0
344
总下载
0
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install clawsentry
功能描述
Install and configure the security-related plugins required by OpenClaw, including the `ai-assistant-security-openclaw` plugins. Use this skill when you want...
使用说明 (SKILL.md)
ClawSentry
Script Functionality
The bundled script (bundle.cjs) performs the following operations:
- Plugin Installation: Installs the
ai-assistant-security-openclawplugin for OpenClaw. - Device Fingerprinting: Collects machine identifiers using the
node-machine-idlibrary to generate a device fingerprint. - Login Token Creation: Communicates with the authorization API to create a login token.
- Login URL Generation: Generates a unique login URL based on the login token.
- Local Storage: Stores the login URL, token, and device fingerprint in
{baseDir}/.state/login_state.json. - Background Monitoring: Spawns a detached child process to monitor login status for up to 10 minutes.
- Configuration Update: Updates OpenClaw plugin configuration with encrypted API keys upon successful login.
Network Endpoints
The script communicates with the following API endpoints:
- Login Token Creation:
/OpenTOP/V1/Console/CreateLoginToken - Login Status Check:
/OpenTOP/V1/Console/GetLoginTokenIdentity
All communications are conducted over HTTPS.
Local File Operations
The script reads from and writes to the following files:
- Reads: Machine identifiers via the
node-machine-idlibrary - Writes:
{baseDir}/.state/login_state.json(stores login URL, token, and device fingerprint){baseDir}/.state/poll_login.log(logs monitoring activity)- OpenClaw plugin configuration (updates with encrypted API keys)
Data Collection
The script collects the following data:
- Device Fingerprint: Generated from machine identifiers for device-binding purposes
- Login Status: Monitored to determine when the user completes the login process
Install Mechanism
Installation Method
The skill uses a bundled CommonJS script (bundle.cjs) for installation. This script is executed directly to install and configure the ai-assistant-security-openclaw plugin.
Script Source
The bundled script is generated from the source code in the ClawSentry repository. It includes the following third-party libraries:
- node-machine-id: Used to generate device fingerprints
- child_process: Used by node-machine-id to query system information
Risk Considerations
- Bundled Code: The script includes bundled third-party libraries, which may execute system-level operations.
- System Queries: The script uses
node-machine-idlibrary, which may usechild_processto query system information. - Network Access: The script communicates with remote API endpoints for authentication.
- Arbitrary Code Execution: Running bundled scripts from unknown sources can execute arbitrary code on your system.
Security Measures
- HTTPS Communication: All network requests are conducted over HTTPS to ensure data encryption.
- Encrypted Storage: Sensitive information (such as API keys) is encrypted before storage.
- Limited Scope: The script only modifies OpenClaw plugin configurations and creates temporary files in the
.statedirectory. - Transparent Operations: All script operations are documented in this file for transparency.
Verification Steps
Before executing the script, you should:
- Review Full Script: Examine the complete script code to understand its functionality
- Verify Integrity: Check the script's file integrity using a hash if provided
- Monitor Execution: Run the script in a controlled environment and monitor its output
- Ensure Trust: Only run the script if you trust the source of this skill
- Check Permissions: Ensure the script has appropriate file permissions
Alternative Installation
If you prefer a more controlled installation, you can:
- Manually install the
ai-assistant-security-openclawplugin - Configure the plugin settings through the OpenClaw configuration system
- Follow the manual setup instructions provided in the plugin documentation
Use Cases
- Use this skill when you need to install and prepare the
ai-assistant-security-openclawplugins for the OpenClaw environment on the current machine. - Trigger this skill when the user mentions requirements such as "install clawSentry / ai-assistant-security-openclaw plugin / 帮我安装clawSentry技能 / 安装clawSentry技能".
Steps
1. Verify Node.js is installed:
Ensure Node.js (version 14 or higher) is installed on the system. You can check with:
node --version
2. Execute the combined script to install plugin and generate login link:
node {baseDir}/scripts/bundle.cjs
After the script completes:
- The script will display the login URL directly. You can also extract it from the output by looking for the line that starts with
[LOGIN_URL]: - You can also read the login URL from
{baseDir}/.state/login_state.jsonfile (look for theloginUrlfield). If the file doesn't exist, try reading it again after a few seconds. If you can't find the files, try looking in.openclaw/skills/ClawSentry/scripts/directory. - Send the login URL to the user along with this message: "After completing login, if you want to check if the installation was successful, please wait one minute and then ask me such as 'view all plugin list / 查看我的本地插件 '"
安全使用建议
This skill bundles and executes a Node.js installer (bundle.cjs) that fingerprints your machine, contacts remote authentication endpoints, spawns a detached monitor, stores tokens and updates plugin config. Before installing: (1) Inspect bundle.cjs fully to confirm the exact remote host(s) contacted and that there are no hidden/exfiltration behaviors; (2) Verify the code that performs the HTTPS calls (check for hard-coded domains, certificates, or redirects) and the encryption scheme used for stored keys; (3) Test in an isolated VM or non-production environment first; (4) Back up any OpenClaw configuration the script might modify; (5) If you cannot fully verify the script or the remote service, do not run it on machines with sensitive data. If you want, I can extract and summarize the network-host and filesystem operations from the full bundle.cjs for more precise advice.
功能分析
Type: OpenClaw Skill
Name: clawsentry
Version: 1.1.2
The skill performs several high-risk operations including device fingerprinting via 'node-machine-id', spawning a detached background process for remote polling, and programmatically modifying the OpenClaw system configuration using shell commands. While these actions are documented as part of an installation flow for a security plugin, the use of the domain 'omini-shield.com' (a potential typo of 'omni-shield') and the automated injection of API keys into the local environment are characteristic of supply-chain risks. These behaviors are primarily located in 'bundle.cjs' and are triggered by instructions in 'SKILL.md'.
能力评估
Purpose & Capability
The name and description claim to install and configure security plugins for OpenClaw; the script's actions (install plugin, create login token, update plugin configuration) are consistent with that purpose. Items to verify: the SKILL.md lists API endpoints but no host/domain (endpoints are relative paths), so the actual remote service being contacted is not documented here — check bundle.cjs to confirm the destination. Device fingerprinting and automated uploading of tokens are plausible for account-binding but are sensitive and should be justified.
Instruction Scope
Instructions tell the agent to run the bundled CommonJS script (node scripts/bundle.cjs), which will read machine identifiers (node-machine-id), create login tokens via network calls, write login_state.json and poll_login.log under a .state directory, spawn a detached background process for up to 10 minutes, and update OpenClaw plugin config with encrypted keys. Those steps are within installer scope, but device fingerprint collection, long-running background monitoring, and automatic config updates are broader-scope actions that warrant user review and consent.
Install Mechanism
There is no separate install spec, but the bundle.cjs file included with the skill is executed directly — that is arbitrary code execution on the host. While the bundle uses well-known libraries (node-machine-id), running an opaque bundled script from an unknown/unstated source is a high-risk operation. The SKILL.md itself warns of arbitrary code execution risk; follow its own verification steps (inspect the script) before running.
Credentials
The skill requests no environment variables or external credentials in the registry metadata, which aligns with the installer role. However, it will locally generate/store tokens and device fingerprints and contact remote auth endpoints — make sure you understand which remote host will receive this data and why those artifacts are needed.
Persistence & Privilege
The skill does not request to be always-enabled and has no special platform privileges, which is appropriate. It does modify OpenClaw plugin configuration (expected for an installer) and spawns a temporary detached process to poll login status (runs up to 10 minutes). That temporary background activity and the ability to write plugin configuration and encrypted API keys are powerful actions — verify the scope and contents of those writes before running.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install clawsentry - 安装完成后,直接呼叫该 Skill 的名称或使用
/clawsentry触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.2
- Switched the bundled install script from `bundle.js` to `bundle.cjs` with updated instructions.
- Added a detailed security section describing network communications, local file operations, data collection, risks, and verification steps.
- Expanded documentation to clarify third-party dependencies (`node-machine-id`, `child_process`) and their security implications.
- Updated user guidance for installation, login, and post-login verification steps.
- Removed legacy documentation and monitoring steps related to the previous script.
v1.1.0
ClawSentry 1.1.0
- Updated: Refactored or modified the main script at scripts/bundle.js.
- Removed: README.md has been deleted.
- No changes to usage steps or agent rules. User guidance remains the same.
- Housekeeping update, clarifying or streamlining code and documentation structure.
v1.0.0
Initial release of ClawSentry skill.
- Installs and configures security-related plugins required by OpenClaw, including `ai-assistant-security-openclaw`.
- Guides step-by-step process: verifies Node.js, runs install script, obtains login URL, and instructs user to confirm login.
- Monitors login process for 10 minutes, checking process status and handling restarts if needed.
- Designed for easy, one-step setup of OpenClaw security environment.
v0.0.0
Initial release of ClawSentry.
- Installs and configures security-related plugins required by OpenClaw, including ai-assistant-security-openclaw.
- Provides a step-by-step process for script execution, login URL extraction, and user notification.
- Includes a 10-minute monitoring protocol for the plugin’s login process.
- Ensures strict order and verification for installation and setup steps.
元数据
常见问题
ClawSentry 是什么?
Install and configure the security-related plugins required by OpenClaw, including the `ai-assistant-security-openclaw` plugins. Use this skill when you want... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 344 次。
如何安装 ClawSentry?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawsentry」即可一键安装,无需额外配置。
ClawSentry 是免费的吗?
是的,ClawSentry 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
ClawSentry 支持哪些平台?
ClawSentry 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ClawSentry?
由 volcengine-skills(@volcengine-skills)开发并维护,当前版本 v1.1.2。
推荐 Skills