← 返回 Skills 市场

Firm Gateway Hardening Pack

Name: Firm Gateway Hardening Pack
Author: romainsantoli-web

作者 romainsantoli-web · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

321

总下载

当前安装

版本数

在 OpenClaw 中安装

/install firm-gateway-hardening-pack

功能描述

Gateway authentication hardening and credentials audit pack. Validates device auth, Baileys credentials, webhook HMAC signatures, log configuration, and work...

使用说明 (SKILL.md)

firm-gateway-hardening-pack

⚠️ Contenu généré par IA — validation humaine requise avant utilisation.

Purpose

Hardens the OpenClaw Gateway by auditing authentication configuration, credentials storage, webhook signatures, logging, and workspace file integrity.

Tools (5)

Tool	Description	Severity
`openclaw_gateway_auth_check`	Validate Gateway device auth is enabled	CRITICAL
`openclaw_credentials_check`	Audit Baileys credentials storage security	HIGH
`openclaw_webhook_sig_check`	Verify HMAC signature on webhooks	HIGH
`openclaw_log_config_check`	Check log configuration (no sensitive data)	MEDIUM
`openclaw_workspace_integrity_check`	Verify workspace file integrity	MEDIUM

Usage

skills:
  - firm-gateway-hardening-pack

# Run full gateway hardening audit:
openclaw_gateway_auth_check config_path=/path/to/config.json
openclaw_credentials_check config_path=/path/to/config.json
openclaw_webhook_sig_check config_path=/path/to/config.json

Requirements

mcp-openclaw-extensions >= 3.0.0

安全使用建议

This pack broadly matches its stated goal (gateway hardening) but has several red flags you should consider before installing or running it: (1) Source and homepage are missing — you cannot verify the author or review code. (2) It depends on mcp-openclaw-extensions but provides no install or verification steps for that dependency — confirm the origin and integrity of that package. (3) The SKILL.md tells the agent to run tools against a config_path you supply, but the manifest doesn't declare which files or secrets the tools will read; expect the tools to access credential files and webhook secrets. (4) Run these checks in a safe/test environment first and inspect the underlying tool implementations (mcp-openclaw-extensions or the binaries that provide the named commands) before using them on production configs. Providing the skill author, source repository, or a verifiable install mechanism (and a list of exact config paths or env vars the tools will read) would increase confidence; without that, treat the skill as untrusted and proceed cautiously.

功能分析

Type: OpenClaw Skill Name: firm-gateway-hardening-pack Version: 1.0.0 The skill bundle 'firm-gateway-hardening-pack' is classified as benign. Its stated purpose is to audit and harden OpenClaw Gateway security, including authentication, credentials, webhooks, logging, and workspace integrity. All listed tools and usage examples in `SKILL.md` align with this security auditing function. There is no evidence of malicious intent, data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts against the AI agent. The declared dependency `mcp-openclaw-extensions` is a standard requirement declaration, not an active malicious action by this skill.

能力评估

ℹ Purpose & Capability

The name/description describe gateway hardening and the SKILL.md lists five audit tools that fit that purpose. However, the SKILL.md enumerates CLI commands (openclaw_gateway_auth_check, openclaw_credentials_check, etc.) but the skill's manifest does not declare any required binaries or config paths. The metadata does list a dependency on mcp-openclaw-extensions >= 3.0.0 which likely provides those commands — that is plausible, but the relationship is not made explicit in install instructions.

⚠ Instruction Scope

Runtime instructions ask the agent to run the named checks against a user-supplied config_path (e.g., /path/to/config.json). The SKILL.md does not enumerate what files, directories, or environment variables those tools will access, nor does it limit the paths. Because the checks target credentials, webhook HMACs, and workspace integrity, the tools will likely read secrets or sensitive config data. The instructions are high-level and give the agent broad discretion to run these tools against arbitrary files, which expands the attack surface if the underlying tooling is untrusted.

ℹ Install Mechanism

This is an instruction-only skill with no install spec and no code files. The metadata 'requires' mcp-openclaw-extensions >= 3.0.0 but no mechanism is provided to obtain or verify that dependency. That is reasonable for an instruction-only wrapper if the environment already provides the extension, but it creates supply-chain uncertainty: it's unclear how/where mcp-openclaw-extensions will be installed or validated.

⚠ Credentials

The skill performs credential and webhook signature audits but declares no required environment variables or config paths. Tools that audit Baileys credentials and webhook HMACs typically need access to secret keys or credential files; the absence of declared secrets/config paths is disproportionate and leaves it unclear what the agent will access at runtime. This mismatch means sensitive data could be read without being explicitly requested in the manifest.

✓ Persistence & Privilege

The skill does not request always:true and is user-invocable only. Model invocation is not disabled (default) but that is normal. The skill does not request system-wide config changes or persistent privileges in its manifest.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install firm-gateway-hardening-pack
安装完成后，直接呼叫该 Skill 的名称或使用 /firm-gateway-hardening-pack 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release — 5 tools: gateway auth, credentials, webhook HMAC, logs, workspace integrity

元数据

Slug firm-gateway-hardening-pack

版本 1.0.0

许可证 —

累计安装 2

当前安装数 2

历史版本数 1

常见问题