← 返回 Skills 市场
suhteevah

configsafe

作者 suhteevah · GitHub ↗ · v1.0.2 · MIT-0
darwinlinuxwin32 ⚠ suspicious
69
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install configsafe
功能描述
Infrastructure configuration auditor — scans Dockerfiles, K8s manifests, Terraform, and CI/CD pipelines for security misconfigurations
使用说明 (SKILL.md)

\r \r

ConfigSafe — Infrastructure Configuration Auditor\r

\r ConfigSafe scans infrastructure configuration files for security misconfigurations across Dockerfiles, docker-compose, Kubernetes manifests, Terraform, CI/CD pipelines, and web server configs. It uses regex-based pattern matching against 80+ misconfiguration patterns, lefthook for git hook integration, and produces markdown security reports with CIS benchmark mapping.\r \r

Commands\r

\r

Free Tier (No license required)\r

\r

configsafe scan [file|directory]\r

One-shot configuration security scan of files or directories.\r \r How to execute:\r

bash "\x3CSKILL_DIR>/scripts/configsafe.sh" scan [target]\r
```\r
\r
**What it does:**\r
1. Accepts a file path or directory (defaults to current directory)\r
2. Auto-detects configuration types (Dockerfile, docker-compose, Kubernetes, Terraform, CI/CD, Nginx/Apache)\r
3. Finds all config files matching known patterns\r
4. Runs 80+ misconfiguration patterns against each file\r
5. Calculates a security score (0-100) per file and overall\r
6. Outputs findings with: file, line number, check ID, severity, description, recommendation\r
7. Exit code 0 if secure (score >= 70), exit code 1 if issues found\r
8. Free tier limited to 5 config files per scan\r
\r
**Example usage scenarios:**\r
- "Scan my infrastructure configs for security issues" -> runs `configsafe scan .`\r
- "Check this Dockerfile for misconfigurations" -> runs `configsafe scan Dockerfile`\r
- "Audit my Kubernetes manifests" -> runs `configsafe scan k8s/`\r
- "Is my Terraform config secure?" -> runs `configsafe scan terraform/`\r
\r
### Pro Tier ($19/user/month -- requires CONFIGSAFE_LICENSE_KEY)\r
\r
#### `configsafe hooks install`\r
Install git pre-commit hooks that scan staged config files before every commit.\r
\r
**How to execute:**\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" hooks install\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Copies lefthook config to project root\r
3. Installs lefthook pre-commit hook\r
4. On every commit: scans all staged config files for misconfigurations, blocks commit if critical/high findings, shows remediation advice\r
\r
#### `configsafe hooks uninstall`\r
Remove ConfigSafe git hooks.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" hooks uninstall\r
```\r
\r
#### `configsafe report [directory]`\r
Generate a markdown security report with findings, severity breakdown, and remediation steps.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" report [directory]\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Runs full scan of the directory\r
3. Generates a formatted markdown report from template\r
4. Includes per-file breakdowns, security scores, CIS benchmark references\r
5. Output suitable for security reviews and compliance audits\r
\r
#### `configsafe benchmark [directory]`\r
Run CIS benchmark checks against infrastructure configurations.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" benchmark [directory]\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Maps findings to CIS Docker Benchmark, CIS Kubernetes Benchmark, and CIS AWS Foundations\r
3. Reports pass/fail status for each benchmark check\r
4. Outputs overall compliance percentage\r
\r
### Team Tier ($39/user/month -- requires CONFIGSAFE_LICENSE_KEY with team tier)\r
\r
#### `configsafe policy [directory]`\r
Enforce organization-specific security policies on infrastructure configurations.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" policy [directory]\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Loads custom policies from ~/.openclaw/openclaw.json (configsafe.config.customPolicies)\r
3. Enforces organization-specific rules (e.g., required labels, forbidden images, mandatory resource limits)\r
4. Combines custom policies with built-in patterns for comprehensive scanning\r
5. Outputs SARIF-compatible results\r
\r
#### `configsafe compliance [directory]`\r
Generate a full compliance report covering CIS and NIST frameworks.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" compliance [directory]\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Runs full scan with all patterns\r
3. Maps findings to CIS Docker Benchmark, CIS Kubernetes Benchmark, CIS AWS Foundations, and NIST 800-190\r
4. Generates comprehensive compliance report with pass/fail per control\r
5. Includes executive summary, detailed findings, and remediation roadmap\r
\r
#### `configsafe status`\r
Show license and configuration information.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/configsafe.sh" status\r
```\r
\r
## Detected Misconfigurations\r
\r
ConfigSafe detects 80+ misconfiguration patterns across 6 config types:\r
\r
| Category | Examples | Severity |\r
|----------|----------|----------|\r
| **Dockerfile** | Running as root, `latest` tag, ADD vs COPY, exposed sensitive ports, missing health checks, secrets in ENV, curl pipe bash, chmod 777, missing multi-stage builds | Critical/High |\r
| **docker-compose** | privileged: true, host network, Docker socket mount, missing resource limits, plaintext secrets, unbound ports, missing restart policy | Critical/High |\r
| **Kubernetes** | Running as root, privileged containers, missing security context, missing resource limits, hostPath volumes, default namespace, missing probes, allowPrivilegeEscalation | Critical/High |\r
| **Terraform** | Hardcoded credentials, missing encryption, public S3 buckets, open security groups (0.0.0.0/0), missing logging, overly permissive IAM, default VPC | Critical/High |\r
| **CI/CD Pipelines** | Plaintext secrets, PR trigger with write perms, unpinned actions, missing timeout, unrestricted self-hosted runners, artifact upload without expiry | High/Medium |\r
| **Nginx/Apache** | Missing security headers, server tokens enabled, SSL/TLS misconfig, open proxy, missing rate limiting, directory listing enabled | Medium/High |\r
\r
## Configuration\r
\r
Users can configure ConfigSafe in `~/.openclaw/openclaw.json`:\r
\r
```json\r
{\r
  "skills": {\r
    "entries": {\r
      "configsafe": {\r
        "enabled": true,\r
        "apiKey": "YOUR_LICENSE_KEY_HERE",\r
        "config": {\r
          "severityThreshold": "high",\r
          "customPolicies": [],\r
          "excludePatterns": ["**/test/**", "**/examples/**"],\r
          "reportFormat": "markdown"\r
        }\r
      }\r
    }\r
  }\r
}\r
```\r
\r
## Important Notes\r
\r
- **Free tier** works immediately with no configuration\r
- **All scanning happens locally** -- no code or configs are sent to external servers\r
- **License validation is offline** -- no phone-home or network calls\r
- Pattern matching only -- no AST parsing, no external dependencies\r
- Supports scanning multiple config types in a single pass\r
- Git hooks use **lefthook** which must be installed (see install metadata above)\r
- Exit codes: 0 = secure (score >= 70), 1 = issues found (for CI/CD integration)\r
\r
## Error Handling\r
\r
- If lefthook is not installed and user tries `hooks install`, prompt to install it\r
- If license key is invalid or expired, show clear message with link to https://configsafe.pages.dev/renew\r
- If a file is binary, skip it automatically with no warning\r
- If no config files found in target, report clean scan with info message\r
- If config type cannot be determined, skip the file gracefully\r
\r
## When to Use ConfigSafe\r
\r
The user might say things like:\r
- "Scan my Dockerfile for security issues"\r
- "Check my Kubernetes manifests for misconfigurations"\r
- "Audit my Terraform configs"\r
- "Is my docker-compose file secure?"\r
- "Check my CI/CD pipeline for security problems"\r
- "Generate a security report for my infrastructure"\r
- "Run CIS benchmark checks"\r
- "Set up pre-commit hooks for config scanning"\r
- "Check if my containers are running as root"\r
- "Scan for open security groups in Terraform"\r
- "Are there any hardcoded secrets in my configs?"\r
- "Check my nginx config for security headers"\r
安全使用建议
ConfigSafe otherwise looks coherent for an offline config scanner, but exercise caution before installing: 1) The license-validation code embeds JWT payloads directly into shell-invoked python/node commands — if an attacker can supply or modify your license key or ~/.openclaw/openclaw.json this could allow code injection during license checks. 2) Hooks install will run the skill's shell scripts on every commit (normal for linters/scanners but remember hooks execute code locally). Recommended actions before installing or enabling hooks: inspect ~/.openclaw/openclaw.json and any license keys you provide; run the skill in an isolated environment (e.g., VM or disposable container) first; consider patching license.sh to parse JSON safely (e.g., pass the payload on stdin to python or use jq with a filename, avoid inlining unescaped JSON into -c strings). If you cannot verify the license source or config file integrity, treat the skill as potentially hazardous and avoid enabling automated hooks on sensitive repos.
功能分析
Type: OpenClaw Skill Name: configsafe Version: 1.0.2 ConfigSafe is an infrastructure configuration auditor that scans Dockerfiles, Kubernetes manifests, Terraform, and CI/CD pipelines for security misconfigurations using local regex-based pattern matching. The skill bundle contains standard shell scripts (analyzer.sh, configsafe.sh) and a comprehensive set of detection patterns (patterns.sh) aligned with its stated purpose. It features offline license validation via JWT (license.sh) and integrates with git hooks using lefthook, with no evidence of data exfiltration, unauthorized network calls, or malicious intent.
能力标签
cryptorequires-walletrequires-sensitive-credentials
能力评估
Purpose & Capability
Name/description, required binaries (git, bash, python3, jq), CLI surface, and files (bash scripts + pattern definitions) align with an offline configuration scanner that offers scans, reports, and git-hook integration. Requested primary credential CONFIGSAFE_LICENSE_KEY is appropriate for Pro/Team features.
Instruction Scope
Runtime instructions and scripts are local and focused on scanning configs and installing lefthook pre-commit hooks. Hooks will run the skill's shell scripts from the skill directory on each commit (expected for a pre-commit scanner) — remember that any pre-commit hook executes arbitrary code during commits, which is normal but worth noting.
Install Mechanism
Install spec only installs the well-known 'lefthook' brew formula, which is a reasonable, low-risk choice for hook management. No archived downloads or unusual external installers are used.
Credentials
The single declared credential (CONFIGSAFE_LICENSE_KEY) is appropriate, but the code reads ~/.openclaw/openclaw.json and will attempt to parse it (SKILL.md lists that config path). The registry metadata above listed 'Required config paths: none', which is inconsistent with the SKILL.md. More importantly, license.sh embeds decoded JWT JSON directly into inline python/node -c commands (and into jq expressions) without safe escaping; a malicious or crafted license value or a tampered ~/.openclaw/openclaw.json could cause command execution or syntax injection during license validation.
Persistence & Privilege
always:false and user-invocable:true. The skill installs lefthook config into repositories when requested and sources its own scripts; it does not request permanent system-wide privileges or modify other skills' configs. Pre-commit hooks will run on commit, which is expected for this functionality.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install configsafe
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /configsafe 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
Fix: POSIX ERE regex compliance, declare all deps, JWT verification
元数据
Slug configsafe
版本 1.0.2
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

configsafe 是什么?

Infrastructure configuration auditor — scans Dockerfiles, K8s manifests, Terraform, and CI/CD pipelines for security misconfigurations. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 69 次。

如何安装 configsafe?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install configsafe」即可一键安装,无需额外配置。

configsafe 是免费的吗?

是的,configsafe 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

configsafe 支持哪些平台?

configsafe 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin, linux, win32)。

谁开发了 configsafe?

由 suhteevah(@suhteevah)开发并维护,当前版本 v1.0.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论