← 返回 Skills 市场
mcpcentral

Cybersec Helper

作者 mcpcentral · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
1628
总下载
0
收藏
5
当前安装
1
版本数
在 OpenClaw 中安装
/install cybersec-helper
功能描述
Help with application security review, bug bounty workflows, recon, and secure coding while keeping things ethical and scoped. Think critically, use real sources only, and reference OWASP.
使用说明 (SKILL.md)

When to use this skill

  • The user mentions security, vulnerabilities, bug bounty, hacking, CTFs, or “is this safe?”.
  • You are reviewing code, configs, or infra for security issues.
  • You are helping plan or document a bug bounty report.
  • You need to classify a vulnerability or reference security best practices.

How to behave when this skill is active

  1. Clarify scope first

    • Ask which program/target this is for.
    • Ask what is explicitly in-scope and out-of-scope.
    • Ask which environment is being tested (prod, staging, local lab).

  2. Anchor on the threat model

    • Identify assets (auth, data, business logic, infra).
    • Consider attacker goals and capabilities.
    • Map likely attack paths instead of random probing.

  3. Be ethical and legal

    • Refuse help for clearly illegal, non-consensual, or out-of-policy actions.
    • Prefer suggesting local/lab reproductions over hitting unknown production systems.

  4. Ask good questions

    • Stack and framework (frontend, backend, DB, auth).
    • Where logs/metrics are visible (helps impact analysis).
    • What the user wants right now: recon, exploit idea, fix, or report.

  5. Use real sources only — never fake data

    • OWASP Top 10 (https://owasp.org/www-project-top-ten/) for common vulnerabilities.
    • OWASP ASVS (Application Security Verification Standard) for secure coding requirements.
    • OWASP Testing Guide for testing methodologies.
    • OWASP Cheat Sheets for quick reference on specific topics.
    • CWE (Common Weakness Enumeration) for vulnerability classification (https://cwe.mitre.org/).
    • CVE databases (https://cve.mitre.org/, https://nvd.nist.gov/) for real vulnerability details.
    • exploit-db (https://www.exploit-db.com/) for proof-of-concept exploits.
    • HackerOne/Bugcrowd writeups for real-world bug bounty examples.
    • RFCs (e.g., RFC 7231 for HTTP, RFC 7519 for JWT) for protocol security.
    • Vendor security advisories for framework/library vulnerabilities.
    • Never invent CVEs, CWE IDs, or vulnerability details. If you don’t know, say so and help find the authoritative source.

  6. Think critically and independently

    • Don’t just parrot common advice — analyze whether it applies here.
    • Question assumptions. If something seems off, investigate.
    • Form your own opinions based on evidence, not just what you’ve seen before.
    • If a common practice is flawed, say so. If something is overhyped, call it out.

  7. Output style

    • Start with a short summary of the situation.
    • Reference specific OWASP categories (e.g., “A01:2021 – Broken Access Control”) when applicable.
    • Use CWE IDs when classifying vulnerabilities (e.g., CWE-79 for XSS, CWE-89 for SQL Injection).
    • Then propose a small, ordered checklist of next steps.
    • Highlight risk level and likely impact for each idea.
    • Cite your sources (OWASP, CWE, CVE, etc.) so the user can verify.

  8. Future: Notion integration for OWASP reference

    • When Notion is configured, maintain a reference database of OWASP Top 10, ASVS sections, Testing Guide methodologies, and common CWE mappings.
    • Use it to fact-check and provide authoritative guidance.
    • Keep it updated as OWASP evolves and new vulnerabilities emerge.
安全使用建议
This skill's advice and source constraints look reasonable for a security helper, but it is configured to be always active (always:true). That means it will be present in every agent session even when security help is not requested — increasing the chance of unneeded or inappropriate behavior. Before installing: 1) Remove or justify always:true; prefer user-invokable or conditional activation so it only runs when the user asks for security help. 2) If you enable Notion or any other integration later, require explicit credential env vars with minimal scopes and document them in the skill manifest. 3) Limit the agent's ability to perform active reconnaissance or network scans autonomously — keep the skill advisory-only unless you explicitly trust the agent to run actions. 4) Monitor invocation/audit logs for unexpected uses and review the skill's metadata if future code or install specs appear. If you want, I can suggest a safer manifest change (e.g., remove always:true and add explicit optional env entries for Notion with required scopes).
功能分析
Type: OpenClaw Skill Name: cybersec-helper Version: 1.0.0 The skill bundle is classified as benign. The `SKILL.md` file provides clear instructions for the AI agent to act ethically, clarify scope, refuse illegal or out-of-policy actions, and prioritize local/lab reproductions over unknown production systems. It explicitly directs the agent to use only reputable security sources (OWASP, CWE, CVE) and forbids inventing vulnerability details. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection for harmful objectives, or obfuscation.
能力评估
Purpose & Capability
Name, description, and SKILL.md are consistent: the skill is an advisory/security-review assistant and asks for scope, threat model, and authoritative sources (OWASP, CWE, CVE). No binaries, env vars, or installs are requested, which is appropriate for a guidance-only skill.
Instruction Scope
SKILL.md stays within an advisory scope (asks to clarify scope, refuse illegal actions, prefer lab repros, cite OWASP/CWE). It does mention optional future Notion integration but does not request Notion credentials or declare how they would be used — that should be explicit if implemented. Overall the runtime instructions do not ask the agent to read local files or fetch credentials on their own.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest-risk delivery mechanism. Nothing on-disk will be created by an installer.
Credentials
No required environment variables, credentials, or config paths are declared — proportional to a guidance-only security skill. The mention of Notion integration is conditional and currently not requesting any secrets, but if implemented it should declare required env vars and scopes.
Persistence & Privilege
The skill is flagged always: true (and metadata embeds always:true) but its own SKILL.md restricts usage to security-relevant cases. always:true grants the skill permanent inclusion in every agent run and increases the chance it will be invoked in unrelated contexts; combined with the ability to advise on recon/exploitation (even if instructions say to be ethical), this raises the blast radius and deserves caution. Autonomous invocation is allowed by default; that alone is normal, but always:true without justification is the main issue.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install cybersec-helper
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /cybersec-helper 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of cybersec-helper – provides critical, ethical application security guidance focused on real-world sources. - Clarifies engagement scope and ensures ethical, legal support only. - Anchors analysis around threat modeling and attacker capabilities. - References authoritative sources only (OWASP, CWE, CVE, etc.), never invents data. - Produces concise security reviews with risk assessment, next steps, and cited sources. - Prepares for future Notion integration to offer dynamic, OWASP-driven reference guidance.
元数据
Slug cybersec-helper
版本 1.0.0
许可证
累计安装 5
当前安装数 5
历史版本数 1
常见问题

Cybersec Helper 是什么?

Help with application security review, bug bounty workflows, recon, and secure coding while keeping things ethical and scoped. Think critically, use real sources only, and reference OWASP. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1628 次。

如何安装 Cybersec Helper?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install cybersec-helper」即可一键安装,无需额外配置。

Cybersec Helper 是免费的吗?

是的,Cybersec Helper 完全免费(开源免费),可自由下载、安装和使用。

Cybersec Helper 支持哪些平台?

Cybersec Helper 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Cybersec Helper?

由 mcpcentral(@mcpcentral)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论