Eskills
Author: xpany37-max · v3.2.1 · MIT-0
218 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install esr-openclaw-checklist
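Description
Runs the ESR OpenClaw host security check script and displays the results in full. Used when the user asks to "run the ESR security check", "perform an ESR security audit", "check the OpenClaw host security configuration", "view the ESR security check results", or needs to invoke this skill's script `/home/may/.openclaw/skills/ESR_openclaw...
Usage instructions (SKILL.md)
ESR OpenClaw security check
Run the security check script provided by ESR and present the script output to the user in full.
How to run
- For a manual run, execute: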
python3 {baseDir}/scripts/openclaw_checklist.py
- Only if the user explicitly asks for the scheduled-task script, execute:
python3 {baseDir}/scripts/openclaw_checklist_scheduled.py
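Working requirements
- Display the Python script output in full; do not truncate it or reword the meaning of any check item.
- Summarize the risks based on the output, but do not let the summary replace the raw output.
- Do not modify system configuration automatically.
- If an issue that needs fixing is found, explain the risk and the recommendation first, then ask the user for confirmation.
Check focus
The script covers the following 8 checks:
- Default port usage
- Service listening address check
- Intranet tunneling tool detection
- Node.js version check
- Password login mode check
- Skill count and official-source check
- Configuration file permission check
- OpenClawd deep security audit
Output post-processing
- Present the raw results first.
- Then summarize in concise language:
  - Whether the host is secure overall
  - How many risks were found
  - The recommended fix for each risk
- If the user asks for fixes, carry them out one item at a time and confirm again before each change.
Security usage recommendations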
This package is internally consistent with a host security-audit tool. Before running or scheduling it: (1) review scripts/openclaw_checklist.py yourself (it will run shell commands and read ~/.openclaw/openclaw.json and your skills directory); (2) verify config.json.dingtalk_group_id and your OpenClaw messaging/cron configuration so you know where audit reports will be sent; (3) run the script manually first (python3 scripts/openclaw_checklist.py) to inspect output and produced JSON files; (4) do not enable scheduled automatic runs or message-sending until you accept that the audit output (which can include host and inventory details) will be transmitted to the configured DingTalk channel; (5) run as a non-root user where possible and back up ~/.openclaw/openclaw.json before applying any automated fixes.
Functional analysis
Type: OpenClaw Skill
Name: esr-openclaw-checklist
Version: 3.2.1
The skill bundle is a security auditing tool designed to collect system metadata, including active processes, open ports, and configuration details. It is classified as suspicious primarily because it includes a hardcoded DingTalk group ID (cid8NuHF/3BALK8ub6oKUf0Dw==) in config.json and CRON_CONFIG.md as the destination for automated security reports, which effectively exfiltrates the host's security posture to an external endpoint. Additionally, scripts/openclaw_checklist.py utilizes subprocess.check_output with shell=True, which is a significant security vulnerability, and SKILL.md contains hardcoded absolute paths (e.g., /home/may/...) that may cause execution failures or indicate environment-specific targeting.
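The two findings above, and review steps (1) and (2) in the usage recommendations, can be checked mechanically before the skill is run. The following is an added example, not code from the skill bundle: it flags `subprocess` calls that pass `shell=` and lists any `dingtalk_group_id` found in a config file. The sample script and config are constructed for illustration, since the real contents of scripts/openclaw_checklist.py and config.json are not shown on this page.

```python
import ast
import json

def find_shell_calls(source):
    """Return sorted (line, callee) for calls whose shell= keyword is not a falsy literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            falsy_literal = isinstance(kw.value, ast.Constant) and not kw.value.value
            if kw.arg == "shell" and not falsy_literal:
                hits.append((node.lineno, ast.unparse(node.func)))
    return sorted(hits)

def report_destinations(config_text, keys=("dingtalk_group_id",)):
    """Return {json_path: value} for every destination key, at any nesting depth."""
    found = {}
    def walk(obj, path):
        if isinstance(obj, dict):
            for k, v in obj.items():
                here = f"{path}.{k}" if path else k
                if k in keys:
                    found[here] = v
                walk(v, here)
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, f"{path}[{i}]")
    walk(json.loads(config_text), "")
    return found

# Constructed sample inputs (not the real skill files).
SAMPLE_SCRIPT = '''
import subprocess
def listening():
    return subprocess.check_output("lsof -i -P -n | grep LISTEN", shell=True)
def node_version():
    return subprocess.check_output(["node", "--version"])
'''
SAMPLE_CONFIG = '{"dingtalk_group_id": "cid-PLACEHOLDER", "report": {"enabled": true}}'

if __name__ == "__main__":
    for line, callee in find_shell_calls(SAMPLE_SCRIPT):
        print(f"line {line}: {callee}(..., shell=...) runs through the shell; review its command string")
    for path, value in report_destinations(SAMPLE_CONFIG).items():
        print(f"reports go to {path} = {value!r}; confirm this is a group you control")
```

To review a real bundle, pass the text of scripts/openclaw_checklist.py and config.json to the two functions in place of the samples.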
Capability assessment
Purpose & Capability
Name/description, SKILL.md, and the Python script all implement an OpenClaw host security checklist: reading ~/.openclaw/openclaw.json, checking listening address, processes, Node.js version, skill inventory, file permissions, and invoking OpenClaw audit commands. The requested operations align with the stated purpose.
Instruction Scope
SKILL.md explicitly instructs running the included Python scripts and to display full script output and request user confirmation before making changes. The runtime instructions and the script read local config files, run local commands (ps, lsof, curl, openclaw, node), and save a JSON result—all expected. Note: the package and docs include scheduled execution that formats and sends reports to a DingTalk group; that transmits audit data off-host via the platform's configured messaging channel and should be accepted by the user before enabling.
Install Mechanism
No install spec (instruction-only with included script). There is no remote download or installer in the provided bundle and no non-standard install behavior in the files shown.
Credentials
The skill does not request secrets or new environment variables. It reads local OpenClaw configuration (~/.openclaw/openclaw.json) and the skills directory—appropriate for an audit. However, it relies on the host's OpenClaw messaging/cron configuration (e.g., DingTalk group id in config.json) to send reports; that means audit output may be delivered using existing platform credentials, so confirm that those messaging endpoints are trusted before enabling automatic reporting.
Persistence & Privilege
always:false and user-invocable; the skill does not demand permanent injection. It documents creating cron jobs via OpenClaw cron, but that is an explicit action the user or admin must take. The script itself does not appear to modify other skills or system-wide agent settings without explicit user confirmation.
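How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install esr-openclaw-checklist
- Once installation completes, call the Skill by name or use /esr-openclaw-checklist to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output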
Version history
v3.2.1
- Updated skill description and documentation for clarity on operation and scope.
- Added explicit instructions to fully display Python script output without modification.
- Outlined summary and risk reporting process following script execution.
- Clarified conditions for executing scheduled script versus manual checks.
- Listed and described the 8 main security check categories covered by the script.
- Reinforced requirement to get user confirmation before making system changes.
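FAQ
What is Eskills?
Runs the ESR OpenClaw host security check script and displays the results in full. Used when the user asks to "run the ESR security check", "perform an ESR security audit", "check the OpenClaw host security configuration", "view the ESR security check results", or needs to invoke this skill's script `/home/may/.openclaw/skills/ESR_openclaw... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 218 downloads to date.
How do I install Eskills?
Run the command "/install esr-openclaw-checklist" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.
Is Eskills free?
Yes. Eskills is completely free and is released under the MIT-0 license; it can be downloaded, installed and used freely.
Which platforms does Eskills support?
Eskills is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Eskills?
It is developed and maintained by xpany37-max (@xpany37-max); the current version is v3.2.1.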