romainsantoli-web

Firm Advanced Security Pack

Author: romainsantoli-web · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 347 · Favorites: 0 · Current installs: 1 · Versions: 1
Install in OpenClaw
/install firm-advanced-security-pack
Description
Advanced security audit pack covering secrets lifecycle, path canonicalization, exec plan freeze, hook routing, config includes, prototype pollution, safeBin...
Usage instructions (SKILL.md)

firm-advanced-security-pack

⚠️ AI-generated content: human validation required before use.

Purpose

Deep security auditing for OpenClaw configurations — covers external secrets lifecycle, channel path canonicalization, execution plan freeze validation, hook session routing, $include directive guards, prototype pollution detection, safeBins profile enforcement, and group policy default audit.

Tools (8)

| Tool | Description | Severity |
|------|-------------|----------|
| openclaw_secrets_lifecycle_check | External Secrets lifecycle audit | CRITICAL |
| openclaw_channel_auth_canon_check | Channel path canonicalization | CRITICAL |
| openclaw_exec_approval_freeze_check | Exec plan freeze validation | CRITICAL |
| openclaw_hook_session_routing_check | Hook session routing audit | HIGH |
| openclaw_config_include_check | $include directive guards | HIGH |
| openclaw_config_prototype_check | Prototype pollution detection | HIGH |
| openclaw_safe_bins_profile_check | safeBins profile enforcement | HIGH |
| openclaw_group_policy_default_check | Group policy default audit | HIGH |

Usage

skills:
  - firm-advanced-security-pack

# Run full advanced security audit:
openclaw_secrets_lifecycle_check config_path=/path/to/config.json
openclaw_config_prototype_check config_path=/path/to/config.json
openclaw_safe_bins_profile_check config_path=/path/to/config.json

Requirements

  • mcp-openclaw-extensions >= 3.0.0
Security usage recommendations
This skill is instruction-only and lists eight audit commands but provides no code, no install steps, and no provenance for the dependency it references. Before installing or running it:
  1. Ask the publisher where the openclaw_* tools come from and how to obtain and verify 'mcp-openclaw-extensions >= 3.0.0' (signed releases, repository, package registry).
  2. Do not run the listed commands on production systems until you can inspect the actual binaries/scripts; run them in a sandbox.
  3. Request human-reviewed source code or a trusted install mechanism; if none is provided, treat the skill as untrusted because it could cause arbitrary command execution.
  4. If you proceed, verify digitally-signed packages or review the extension code to ensure the tools only read the intended config files and do not exfiltrate secrets.
Functional analysis
Type: OpenClaw Skill
Name: firm-advanced-security-pack
Version: 1.0.0

The OpenClaw AgentSkills bundle 'firm-advanced-security-pack' is classified as benign. Its stated purpose is to provide an advanced security audit pack for OpenClaw configurations, covering various security aspects like secrets lifecycle, prototype pollution, and safeBins profiles. All listed tools and example usage in SKILL.md are consistent with this auditing purpose, involving checks against local configuration files. There is no evidence of data exfiltration, malicious execution, persistence, obfuscation, or prompt injection attempts against the agent within the provided files. The dependency on `mcp-openclaw-extensions` is a standard requirement declaration, not an indicator of malice within this skill itself.
Capability assessment
Purpose & Capability
The name, description, and listed tools are coherent with an OpenClaw configuration audit pack. However, the SKILL.md lists eight executable tool names (openclaw_*) yet the skill declares no required binaries and provides no installation or provenance for those executables. The metadata lists a dependency on 'mcp-openclaw-extensions >= 3.0.0' but the skill does not explain how that dependency supplies the tools or how it will be installed.
Instruction Scope
Runtime instructions direct the agent to run specific commands (e.g., openclaw_secrets_lifecycle_check config_path=/path/to/config.json). Those commands would execute arbitrary code on the host if present; the SKILL.md does not say where the commands come from, how to verify them, or any sandboxing/validation. The only file path referenced is a user-supplied config_path, which is reasonable for an audit tool, but the agent is being asked to run external commands without provenance—this is scope creep relative to an instruction-only skill.
Install Mechanism
No install spec is present (low disk-write risk), which is consistent with an instruction-only skill. However, the declared dependency (mcp-openclaw-extensions >= 3.0.0) is not accompanied by an installation or verification mechanism; the skill neither declares required binaries nor how to obtain the listed tools. That gap creates uncertainty about how the tools are expected to appear on the system.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate. Note: the commands it tells the agent to run will likely read user-supplied config files (config_path) — expected for an audit tool, but the skill does not constrain or document what parts of configs are read or transmitted.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or elevated platform privileges. Autonomous invocation is allowed by default but is not combined with other high-risk flags here.
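How to use
  1. Make sure OpenClaw is installed (locally or via Docker deployment)
  2. Enter the install command in the chat box: /install firm-advanced-security-pack
  3. Once installation completes, call the Skill by name or use /firm-advanced-security-pack to trigger it
  4. Provide the required input according to the Skill's parameter description to get structured output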
Version history
v1.0.0
Initial release of firm-advanced-security-pack.
  • Introduces 8 advanced security audit tools for OpenClaw configurations.
  • Covers areas such as secrets lifecycle, path canonicalization, exec plan freeze, hook routing, config includes, prototype pollution, safeBins profiles, and group policy defaults.
  • Requires mcp-openclaw-extensions version 3.0.0 or higher.
  • Provides critical and high-severity checks for comprehensive security auditing.
Metadata
Slug firm-advanced-security-pack
Version 1.0.0
License
Total installs 1
Current installs 1
Version count 1
FAQ

What is Firm Advanced Security Pack?

Advanced security audit pack covering secrets lifecycle, path canonicalization, exec plan freeze, hook routing, config includes, prototype pollution, safeBin... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 347 total downloads so far.

How do I install Firm Advanced Security Pack?

Run the command "/install firm-advanced-security-pack" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Firm Advanced Security Pack free?

Yes, Firm Advanced Security Pack is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Firm Advanced Security Pack support?

Firm Advanced Security Pack runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Firm Advanced Security Pack?

Developed and maintained by romainsantoli-web (@romainsantoli-web); the current version is v1.0.0.
