suhteevah

cloudguard

Author suhteevah · GitHub · v1.0.1 · MIT-0
Platforms: darwin, linux, win32 · ✓ Passed security check
Total downloads: 90
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install cloudguard
Description
Cloud infrastructure & IaC security scanner -- detects insecure Terraform, open S3 buckets, permissive IAM, missing encryption, exposed ports, and cloud misc...
Usage (SKILL.md)

# CloudGuard -- Cloud Infrastructure & IaC Security Scanner

CloudGuard scans codebases for insecure cloud infrastructure patterns including Terraform misconfigurations, open S3 buckets, overly permissive IAM policies, missing encryption at rest, exposed ports, absent logging and monitoring, and general cloud compliance gaps. It uses 90 regex-based patterns across 6 security categories, produces severity-graded reports with actionable remediation, and integrates with git hooks via lefthook. 100% local. Zero telemetry.

## Commands

### Free Tier (No license required)

#### `cloudguard scan [file|directory]`
One-shot cloud security scan of infrastructure-as-code files or directories.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]
```

**What it does:**
1. Accepts a file path or directory (defaults to current directory)
2. Discovers all IaC and configuration files (Terraform .tf, CloudFormation .yml/.yaml/.json, Dockerfiles, Kubernetes manifests, cloud config files)
3. Runs 30 cloud security patterns against each file (free tier limit)
4. Skips .git, node_modules, .terraform, vendor, and other non-IaC directories
5. Respects .gitignore and allowlist files
6. Calculates a cloud security score (0-100) per file and overall
7. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
8. Outputs findings with: file, line number, check ID, severity, category, description, recommendation
9. Exit code 0 if score >= 70, exit code 1 if score < 70 (too many misconfigurations)
10. Free tier limited to first 30 of 90 patterns

**Example usage scenarios:**
- "Scan my Terraform for security issues" -> runs `cloudguard scan .`
- "Check my cloud config for misconfigurations" -> runs `cloudguard scan infra/`
- "Audit my AWS infrastructure code" -> runs `cloudguard scan terraform/`
- "Find open S3 buckets in my IaC" -> runs `cloudguard scan .`

### Pro Tier ($19/user/month -- requires CLOUDGUARD_LICENSE_KEY)

#### `cloudguard scan [file|directory]` (Pro -- 60 patterns)
Full scan with 60 of 90 patterns unlocked covering all 6 categories in depth.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro
```

#### `cloudguard hooks install`
Install git pre-commit hooks that scan staged IaC files for cloud security issues before every commit.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" hooks install
```

**What it does:**
1. Validates Pro+ license
2. Copies lefthook config to project root
3. Installs lefthook pre-commit and pre-push hooks
4. On every commit: scans all staged IaC files for cloud misconfigurations, blocks commit if critical/high findings, shows remediation advice

#### `cloudguard hooks uninstall`
Remove CloudGuard git hooks.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" hooks uninstall
```

#### `cloudguard report [directory]`
Generate a markdown cloud security report with findings, severity breakdown, category analysis, and remediation steps.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format text report
```

**What it does:**
1. Validates Pro+ license
2. Runs full scan of the directory with 60 patterns
3. Generates a formatted markdown report from template
4. Includes per-category breakdowns, cloud security score, remediation priority
5. Output suitable for security reviews and compliance audits

#### `cloudguard audit [directory]`
Deep cloud security audit across all categories.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] audit
```

**What it does:**
1. Validates Pro+ license
2. Runs comprehensive scan with extended pattern set
3. Provides per-category severity analysis
4. Reports compliance gaps across S3, IAM, networking, encryption, logging, and configuration

### Team Tier ($39/user/month -- requires CLOUDGUARD_LICENSE_KEY with team tier)

#### `cloudguard scan [file|directory]` (Team -- all 90 patterns)
Full scan with all 90 patterns unlocked.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier team
```

#### `cloudguard scan --format json [directory]`
JSON output for CI/CD pipeline integration.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json
```

**What it does:**
1. Validates Team+ license
2. Runs full scan with all 90 patterns
3. Outputs findings in structured JSON format
4. Compatible with CI/CD pipelines, dashboards, and automated tooling
5. Includes rule definitions, severity mappings, and category breakdowns

#### `cloudguard scan --format html [directory]`
HTML report output for stakeholder sharing.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html
```

#### `cloudguard scan --category [category] [directory]`
Category-filtered scan for focused audits.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category S3
```

**What it does:**
1. Validates Team+ license
2. Runs only the patterns for the specified category
3. Available categories: S3, IM, NW, EN, LG, CF
4. Useful for targeted compliance checks

#### `cloudguard status`
Show license and configuration information.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" status
```

## Check Categories

CloudGuard detects 90 cloud security patterns across 6 categories:

| Category | Code | Patterns | Examples | Severity Range |
|----------|------|----------|----------|----------------|
| **Storage Security** | S3 | 15 | Public S3 buckets, missing encryption, no versioning, overly permissive bucket policies, missing access logging, no lifecycle rules | Critical/High/Medium |
| **IAM & Permissions** | IM | 15 | Wildcard IAM policies, AdministratorAccess, overly broad assume role, missing MFA, root account usage, no least privilege | Critical/High/Medium |
| **Network Security** | NW | 15 | Open security groups (0.0.0.0/0), exposed ports (22, 3389, 3306), missing VPC, no network ACLs, public subnets without NAT, SSH open to world | Critical/High/Medium |
| **Encryption** | EN | 15 | Missing encryption at rest, no KMS key rotation, unencrypted EBS volumes, missing SSL/TLS, no transit encryption, weak cipher suites | Critical/High/Medium/Low |
| **Logging & Monitoring** | LG | 15 | Missing CloudTrail, no VPC flow logs, disabled GuardDuty, missing alarm configurations, no SNS notifications, absent audit logs | High/Medium/Low |
| **Configuration & Compliance** | CF | 15 | Missing tags, no resource naming convention, hardcoded regions, missing backups, no disaster recovery, drift detection gaps | Medium/Low |

## Severity Levels

| Level | Points Deducted | Meaning | Action Required |
|-------|----------------|---------|-----------------|
| **Critical** | 25 | Immediate infrastructure compromise risk (open to internet, no auth, wildcard admin) | Fix immediately; block deployment |
| **High** | 15 | Significant security gap that could be exploited (missing encryption, overly permissive policies) | Fix within current sprint |
| **Medium** | 8 | Security best practice violation that increases attack surface | Plan remediation within 30 days |
| **Low** | 3 | Informational finding, minor hygiene issue, or hardening recommendation | Address when convenient |

## Scoring System

CloudGuard uses a 0-100 scoring system:

- **Starting score:** 100 (perfect, no findings)
- **Deductions:** Each finding deducts points based on severity
- **Floor:** Score cannot go below 0
- **Pass threshold:** 70 (exit code 0)
- **Fail threshold:** Below 70 (exit code 1)

### Grade Scale

| Grade | Score Range | Meaning |
|-------|------------|---------|
| **A** | 90-100 | Excellent -- minimal or no cloud security issues |
| **B** | 80-89 | Good -- minor issues that should be addressed |
| **C** | 70-79 | Acceptable -- passing but needs improvement |
| **D** | 60-69 | Poor -- significant security gaps requiring attention |
| **F** | Below 60 | Failing -- critical misconfigurations must be fixed immediately |
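
The scan steps listed under `cloudguard scan` and the scoring rules above, as an added example that is not CloudGuard's own code (its analyzer.sh and patterns.sh are not reproduced on this page): a small bash script in the same grep -E style that discovers IaC files while pruning the directories the scan skips, runs a handful of regex checks over a Terraform file, and turns the findings into the 0-100 score, letter grade and exit code the tables define. The check IDs (NW-EX-1 and so on), the regexes and the sample Terraform are constructed for this example; the point deductions, the pass threshold and the grade bands are the page's.

```bash
#!/usr/bin/env bash
# Added example in the spirit of CloudGuard (not its analyzer.sh/patterns.sh).
# Pattern table: CHECK_ID|SEVERITY|EXTENDED_REGEX|DESCRIPTION. IDs and regexes
# are constructed for this example; CloudGuard's real rule IDs are not on the page.
PATTERNS='NW-EX-1|critical|cidr_blocks[[:space:]]*=[[:space:]]*\[[^]]*"0\.0\.0\.0/0"|Ingress rule open to the whole internet
S3-EX-1|critical|acl[[:space:]]*=[[:space:]]*"public-read(-write)?"|S3 bucket ACL grants public access
IM-EX-1|critical|"Action"[[:space:]]*:[[:space:]]*"\*"|IAM policy statement allows every action
EN-EX-1|high|encrypted[[:space:]]*=[[:space:]]*false|Resource explicitly not encrypted at rest
LG-EX-1|medium|enable_logging[[:space:]]*=[[:space:]]*false|Logging explicitly disabled'

# Points deducted per finding, as in the Severity Levels table.
points_for() {
  case "$1" in
    critical) echo 25 ;; high) echo 15 ;; medium) echo 8 ;; low) echo 3 ;; *) echo 0 ;;
  esac
}

# Walk a directory, pruning the folders the scan skips, and list IaC-style files
# (a subset of the Supported File Types table).
discover_iac_files() {
  find "$1" \( -name .git -o -name node_modules -o -name .terraform -o -name vendor \) -prune \
    -o -type f \( -name '*.tf' -o -name '*.tfvars' -o -name '*.yml' -o -name '*.yaml' \
    -o -name '*.json' -o -name Dockerfile \) -print
}

# Run every pattern over one file with grep -nE; emit file:line:check:severity:description.
scan_file() {
  local file=$1 id sev regex desc n
  printf '%s\n' "$PATTERNS" | while IFS='|' read -r id sev regex desc; do
    grep -nE "$regex" "$file" 2>/dev/null | cut -d: -f1 | while read -r n; do
      printf '%s:%s:%s:%s:%s\n' "$file" "$n" "$id" "$sev" "$desc"
    done
  done
}

# Read finding lines on stdin; start at 100, deduct per severity, floor at 0.
score_findings() {
  local total=0 sev score
  while IFS=: read -r _ _ _ sev _; do
    [ -n "$sev" ] || continue
    total=$((total + $(points_for "$sev")))
  done
  score=$((100 - total))
  if [ "$score" -lt 0 ]; then score=0; fi
  echo "$score"
}

# Letter grade per the Grade Scale table.
grade_for() {
  if [ "$1" -ge 90 ]; then echo A; elif [ "$1" -ge 80 ]; then echo B
  elif [ "$1" -ge 70 ]; then echo C; elif [ "$1" -ge 60 ]; then echo D; else echo F; fi
}

# Exit code the scan would return: 0 at or above the pass threshold of 70, else 1.
exit_code_for() { if [ "$1" -ge 70 ]; then echo 0; else echo 1; fi; }

# Constructed Terraform with three misconfigurations and one clean bucket.
make_sample_tf() {
  cat > "$1" <<'EOF'
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
resource "aws_ebs_volume" "data" {
  size      = 40
  encrypted = false
}
resource "aws_s3_bucket" "safe" {
  bucket = "example-safe"
  acl    = "private"
}
EOF
}

# Demo: scan a temporary tree; the copy under .terraform/ must be pruned.
main() {
  local dir findings score file
  dir=$(mktemp -d)
  mkdir -p "$dir/.terraform"
  make_sample_tf "$dir/main.tf"
  make_sample_tf "$dir/.terraform/cached.tf"
  findings=$(discover_iac_files "$dir" | while read -r file; do scan_file "$file"; done)
  printf '%s\n' "$findings"
  score=$(printf '%s\n' "$findings" | score_findings)
  echo "score=$score grade=$(grade_for "$score") exit_code=$(exit_code_for "$score")"
  rm -rf "$dir"
}
main
```

Running it reports the three findings (two critical, one high), a score of 35, grade F and exit code 1. The sample also shows the limit the Important Notes admit to: these are line-oriented regexes, so a `cidr_blocks` list split across lines or an ACL set through a separate `aws_s3_bucket_acl` resource would slip past them, which is why a regex scanner is a pre-commit gate rather than a substitute for policy evaluation on the parsed plan.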

## Tier-Based Pattern Access

| Tier | Patterns Available | Categories |
|------|-------------------|------------|
| **Free** | 30 patterns | First 5 patterns per category |
| **Pro** | 60 patterns | First 10 patterns per category |
| **Team** | 90 patterns (all) | All 15 patterns per category |
| **Enterprise** | 90 patterns (all) | All 15 patterns per category + priority support |

## Configuration

Users can configure CloudGuard in `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "cloudguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "high",
          "ignorePatterns": ["**/test/**", "**/examples/**", "**/fixtures/**"],
          "ignoreChecks": [],
          "reportFormat": "text",
          "categories": ["S3", "IM", "NW", "EN", "LG", "CF"]
        }
      }
    }
  }
}
```

## Supported File Types

CloudGuard scans the following file types for cloud security patterns:

| File Type | Extensions | Use Case |
|-----------|------------|----------|
| Terraform | `.tf`, `.tfvars` | HashiCorp Terraform IaC definitions |
| CloudFormation | `.yml`, `.yaml`, `.json`, `.template` | AWS CloudFormation templates |
| Kubernetes | `.yml`, `.yaml` | Kubernetes manifests and Helm charts |
| Docker | `Dockerfile`, `docker-compose.yml` | Container configurations |
| Ansible | `.yml`, `.yaml` | Ansible playbooks and roles |
| General Config | `.conf`, `.cfg`, `.ini`, `.toml`, `.hcl` | Infrastructure configuration files |
| Scripts | `.sh`, `.bash`, `.ps1`, `.py` | Deployment and provisioning scripts |
| Policy | `.json`, `.rego` | IAM policies, OPA Rego rules |

## Important Notes

- **Free tier** works immediately with no configuration
- **All scanning happens locally** -- no code is sent to external servers
- **License validation is offline** -- no phone-home or network calls
- Pattern matching only -- no AST parsing, no external dependencies beyond bash and grep
- Supports scanning all IaC file types in a single pass
- Git hooks use **lefthook** which must be installed (see install metadata above)
- Exit codes: 0 = pass (score >= 70), 1 = fail (score < 70, for CI/CD integration)
- Category-level breakdown shows exactly where security gaps exist

## Error Handling

- If lefthook is not installed and user tries `hooks install`, prompt to install it
- If license key is invalid or expired, show clear message with link to https://cloudguard.pages.dev/renew
- If a file is binary, skip it automatically with no warning
- If no scannable IaC files found in target, report clean scan with info message
- If invalid category specified with --category, show available categories
- If grep does not support -E flag (rare), fall back gracefully with error message

## When to Use CloudGuard

The user might say things like:
- "Scan my Terraform for security issues"
- "Check my cloud infrastructure code"
- "Find open S3 buckets in my IaC"
- "Audit my AWS configuration"
- "Check for missing encryption in my infrastructure"
- "Find overly permissive IAM policies"
- "Scan for exposed ports in my security groups"
- "Are my CloudFormation templates secure?"
- "Check my Kubernetes manifests for security"
- "Run a cloud security audit"
- "Find missing CloudTrail in my Terraform"
- "Detect VPC misconfigurations"
- "Scan for hardcoded regions in my IaC"
- "Check if my EBS volumes are encrypted"
- "Find missing tags in my cloud resources"
- "Set up pre-commit hooks for cloud security"
- "Generate a cloud security report for my team"
Safe-use recommendations
This skill appears to do what it claims: a local regex-based IaC scanner with an offline license. Before installing, consider: 1) review the included scripts (analyzer.sh, dispatcher.sh, patterns.sh, license.sh) yourself—they will be sourced/executed locally. 2) the scanner will read many file types (including .env and scripts) in the target path, so avoid scanning folders with sensitive runtime secrets you don't want processed even locally. 3) Pro/Team features require a license key stored either in CLOUDGUARD_LICENSE_KEY or ~/.openclaw/openclaw.json — treat that key like any other secret in your environment/CI. 4) Installing hooks will modify or create lefthook.yml in your repo and run lefthook install; inspect the file changes before committing. If you have low trust, run the tool in an isolated environment or container and inspect outputs first.
Functional analysis
Type: OpenClaw Skill
Name: cloudguard
Version: 1.0.1
CloudGuard is a legitimate cloud infrastructure and IaC security scanner designed to detect misconfigurations in Terraform, CloudFormation, Kubernetes, and Docker files. It operates entirely locally using POSIX-compatible regex patterns defined in `patterns.sh` and an analysis engine in `analyzer.sh`. The skill includes documented features for generating security reports and installing git hooks via `lefthook` to prevent insecure commits. License validation is performed offline using JWT decoding in `license.sh`, and no evidence of data exfiltration, unauthorized network activity, or malicious prompt injection was found.
Capability tags
requires-sensitive-credentials
Capability assessment
Purpose & Capability
Name/description (IaC/cloud misconfiguration scanner) aligns with the provided files. Required binaries (git, bash, python3, jq) are reasonable for a shell-based scanner that reads JSON and decodes JWTs. The single primary credential (CLOUDGUARD_LICENSE_KEY) matches the documented Pro/Team licensing model.
Instruction Scope
Runtime instructions and scripts scan repository files (Terraform, CloudFormation, k8s, Dockerfiles and other text files) and respect .gitignore and common skip folders. This is appropriate for an IaC scanner, but the scanner will read any scanned file it deems IaC (including .env and script files), so it will process files that may contain secrets locally. The code does not contain obvious network/transmission steps (license validation is documented as offline).
Install Mechanism
Install spec uses a brew formula to install lefthook (git hooks manager) — a reasonable, low-risk dependency. The skill ships its own shell scripts which will be sourced/executed locally; there are no downloads from arbitrary URLs or extractor steps in the skill bundle.
Credentials
Only one required credential is declared (CLOUDGUARD_LICENSE_KEY) and the code explicitly reads that env var or a key in ~/.openclaw/openclaw.json. The license module will optionally consult CLAWHUB_JWT_SECRET to verify signatures if set — that env var is referenced but not declared in requires.env (it is optional and used only for local signature verification). No unrelated cloud credentials (AWS keys, etc.) are requested.
Persistence & Privilege
always:false and the skill does not request elevated system privileges. The 'hooks install' command will write/append a lefthook.yml into a git repo and run lefthook install — this is expected behavior for pre-commit integration and limited to the repository where the user runs the command.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Type the install command in the chat box: /install cloudguard
  3. After installation, invoke the Skill by name or trigger it with /cloudguard
  4. Provide the required input as described in the Skill's parameter documentation to get structured output
Version history
v1.0.1
Fix: declare all deps, JWT verification, configPaths
Metadata
Slug cloudguard
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Version count 1
FAQ

What is cloudguard?

Cloud infrastructure & IaC security scanner -- detects insecure Terraform, open S3 buckets, permissive IAM, missing encryption, exposed ports, and cloud misc... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 90 downloads to date.

How do I install cloudguard?

Run the command "/install cloudguard" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.

Is cloudguard free?

Yes, cloudguard is completely free under the MIT-0 license and may be freely downloaded, installed and used.

Which platforms does cloudguard support?

cloudguard is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).

Who developed cloudguard?

Developed and maintained by suhteevah (@suhteevah); the current version is v1.0.1.
