
Firm Runtime Audit Pack

Author romainsantoli-web · GitHub ↗ · v1.0.0
cross-platform ✓ Passed security scan
312 total downloads · 0 favorites · 1 current installs · 1 versions
Install in OpenClaw
/install firm-runtime-audit-pack
Description
Runtime environment and configuration audit pack. Validates Node.js version, secrets workflow, HTTP headers, allowed commands, trusted proxy, disk budget, an...
Usage (SKILL.md)

firm-runtime-audit-pack

⚠️ AI-generated content: human validation is required before use.

Purpose

Audits the runtime environment of OpenClaw deployments: Node.js version compliance, secrets handling, HTTP security headers, command allowlists, proxy configuration, disk budget, and direct message policies.

Tools (7)

Tool | Description | Severity
openclaw_node_version_check | Verify Node.js runtime version | CRITICAL
openclaw_secrets_workflow_check | Audit secrets handling in workflows | CRITICAL
openclaw_http_headers_check | Check HTTP security headers (HSTS, CSP) | HIGH
openclaw_nodes_commands_check | Validate nodes.allowCommands config | HIGH
openclaw_trusted_proxy_check | Verify trusted proxy configuration | HIGH
openclaw_session_disk_budget_check | Check session disk budget limits | MEDIUM
openclaw_dm_allowlist_check | Audit DM channel allowlist policy | MEDIUM

Usage

skills:
  - firm-runtime-audit-pack

# Run full runtime audit:
openclaw_node_version_check config_path=/path/to/config.json
openclaw_secrets_workflow_check config_path=/path/to/config.json
openclaw_http_headers_check config_path=/path/to/config.json

Requirements

  • mcp-openclaw-extensions >= 3.0.0
  • Node.js >= 20.x recommended
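The tool table and the usage example above name the seven checks but not what each one actually verifies. The following is an added example, not code from firm-runtime-audit-pack or from mcp-openclaw-extensions, showing how checks of this kind can be implemented locally as pure functions over a parsed config object. The config field names (http.headers, nodes.allowCommands, trustedProxies, session.diskBudgetMB, dm.allowlist), the thresholds and the finding format are assumptions chosen for illustration; the secrets workflow check is deliberately left out here because it needs the sanitization step described under the safety recommendations.

```javascript
// Added example, not the code of mcp-openclaw-extensions: a minimal local
// reimplementation of the kind of checks the openclaw_* tools describe.
// The config shape (http.headers, nodes.allowCommands, trustedProxies,
// session.diskBudgetMB, dm.allowlist) and the thresholds are assumptions.

// Constructed sample config with several deliberately weak settings.
const sampleConfig = {
  http: { headers: { 'content-security-policy': "default-src 'self'" } }, // no HSTS
  nodes: { allowCommands: ['git', '*'] },   // wildcard makes the allowlist meaningless
  trustedProxies: ['0.0.0.0/0'],            // trusts every upstream address
  session: { diskBudgetMB: 20480 },         // 20 GiB of session data per host
  dm: { allowlist: [] },                    // explicit empty allowlist: nobody may DM
};

function finding(tool, severity, message) {
  return { tool, severity, message };
}

// Node.js major version must be >= minMajor (the page recommends Node.js >= 20.x).
function checkNodeVersion(version, minMajor = 20) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return [finding('node_version', 'CRITICAL', `unparseable Node.js version "${version}"`)];
  if (Number(m[1]) >= minMajor) return [];
  return [finding('node_version', 'CRITICAL', `Node.js ${version} is below ${minMajor}.x`)];
}

// HSTS and CSP must both be present; header names are compared case-insensitively.
function checkHttpHeaders(headers = {}) {
  const names = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  const out = [];
  if (!names.has('strict-transport-security')) {
    out.push(finding('http_headers', 'HIGH', 'missing Strict-Transport-Security'));
  }
  if (!names.has('content-security-policy')) {
    out.push(finding('http_headers', 'HIGH', 'missing Content-Security-Policy'));
  }
  return out;
}

// nodes.allowCommands: a wildcard entry turns the allowlist into allow-everything.
function checkAllowCommands(allow = []) {
  if (!allow.includes('*')) return [];
  return [finding('nodes_commands', 'HIGH', 'nodes.allowCommands contains "*"')];
}

// Trusting every address lets any client spoof X-Forwarded-For and bypass IP-based policy.
function checkTrustedProxy(proxies = []) {
  const wide = proxies.filter((p) => p === '*' || p === '0.0.0.0/0' || p === '::/0');
  if (wide.length === 0) return [];
  return [finding('trusted_proxy', 'HIGH', `over-broad trusted proxy entries: ${wide.join(', ')}`)];
}

// Session disk budget must be set and must not exceed maxMB (the 4 GiB limit is an assumption).
function checkDiskBudget(budgetMB, maxMB = 4096) {
  if (typeof budgetMB !== 'number') return [finding('session_disk_budget', 'MEDIUM', 'no session disk budget set')];
  if (budgetMB <= maxMB) return [];
  return [finding('session_disk_budget', 'MEDIUM', `session disk budget ${budgetMB} MB exceeds ${maxMB} MB`)];
}

// DM allowlist must exist and must not be a wildcard; an empty list is the strictest valid policy.
function checkDmAllowlist(allowlist) {
  if (!Array.isArray(allowlist)) return [finding('dm_allowlist', 'MEDIUM', 'dm.allowlist is not configured')];
  if (allowlist.includes('*')) return [finding('dm_allowlist', 'MEDIUM', 'dm.allowlist is a wildcard')];
  return [];
}

// Run every check and return the flat list of findings; nothing here reads secret values.
function runAudit(config, nodeVersion) {
  return [
    ...checkNodeVersion(nodeVersion),
    ...checkHttpHeaders(config.http?.headers),
    ...checkAllowCommands(config.nodes?.allowCommands),
    ...checkTrustedProxy(config.trustedProxies),
    ...checkDiskBudget(config.session?.diskBudgetMB),
    ...checkDmAllowlist(config.dm?.allowlist),
  ];
}

// Stand-alone run: audit the constructed config against an out-of-date runtime version.
const sampleReport = runAudit(sampleConfig, 'v18.19.0');
console.log(JSON.stringify(sampleReport, null, 2));
```

Running the file prints five findings for the constructed config (old Node.js, missing HSTS, wildcard command allowlist, trust-everything proxy list, oversized disk budget). In a real deployment the config object would come from parsing the file given as config_path, and the thresholds from policy rather than the defaults above.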
Safe usage recommendations
This skill is mostly a wrapper that documents and calls auditing checks provided by the mcp-openclaw-extensions package. Before installing or running it:
  1. Verify and obtain mcp-openclaw-extensions from a trusted source and review its code or documentation so you know exactly what each 'openclaw_*' check does.
  2. Avoid running secret-auditing checks directly against production secrets; run them against sanitized copies or ensure the check does not exfiltrate sensitive fields.
  3. Review where reports are written or sent (local files, logs, external endpoints) and ensure they won't leak sensitive config.
  4. If you need higher assurance, request an explicit install spec or signed release for the required extension so you can validate what will be executed.
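Recommendations 2 and 3 above (do not run secret-auditing checks against live secrets; make sure reports cannot leak them) can be enforced mechanically rather than by discipline alone. The following added example, which is not code from the skill or from mcp-openclaw-extensions, sanitizes a copy of the config before any check runs, reports inline secret literals by path only, and verifies that the serialized report contains none of the redacted values. The key-name patterns, the env-reference syntax (${NAME} or env:NAME) treated as acceptable, and the sample config are assumptions.

```javascript
// Added example (not code from firm-runtime-audit-pack or mcp-openclaw-extensions):
// sanitize a config copy before it reaches an audit tool, report inline secret
// literals by path only, and verify the report carries no secret values.
// The key/value patterns and the env-reference syntax are assumptions.

const SECRET_KEY = /(secret|token|password|passwd|api[_-]?key|private[_-]?key|credential)/i;
// A value that references an external secret store rather than holding a literal.
const ENV_REFERENCE = /^(\$\{[A-Z0-9_]+\}|env:[A-Z0-9_]+)$/;
// Literal values that look like credentials regardless of their key name.
const SECRET_VALUE = /^(ghp_[A-Za-z0-9]{8,}|sk-[A-Za-z0-9]{8,}|-----BEGIN [A-Z ]*PRIVATE KEY-----)/;

// Constructed sample config: one inline token, two env references, one benign value.
const rawConfig = {
  github: { token: 'ghp_exampleExampleExample1234' },
  openai: { apiKey: '${OPENAI_API_KEY}' },
  db: { password: 'env:DB_PASSWORD', host: 'db.internal' },
  webhook: { url: 'https://example.invalid/hook' },
};

// Returns a deep copy with inline secret literals replaced by '[REDACTED]', plus the
// path and original value of each redaction. The values are kept in memory only so
// the report can be checked against them; they are never written anywhere.
function sanitizeConfig(config) {
  const inline = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) return node.map((v, i) => walk(v, `${path}[${i}]`));
    if (node && typeof node === 'object') {
      const out = {};
      for (const [k, v] of Object.entries(node)) out[k] = walk(v, path ? `${path}.${k}` : k);
      return out;
    }
    if (typeof node !== 'string') return node;
    const lastKey = path.split('.').pop();
    const isSecret = (SECRET_KEY.test(lastKey) && !ENV_REFERENCE.test(node)) || SECRET_VALUE.test(node);
    if (!isSecret) return node;
    inline.push({ path, value: node });
    return '[REDACTED]';
  };
  return { sanitized: walk(config, ''), inline };
}

// A secrets-workflow style check: every inline literal is a finding, reported by path only.
function secretsWorkflowCheck(config) {
  const { sanitized, inline } = sanitizeConfig(config);
  const findings = inline.map(({ path }) => ({
    tool: 'secrets_workflow',
    severity: 'CRITICAL',
    message: `secret stored inline at ${path}; move it to an env/secret-store reference`,
  }));
  return { sanitized, findings };
}

// Report hygiene (recommendation 3): the serialized report must not contain any redacted value.
function reportIsClean(report, inline) {
  const text = JSON.stringify(report);
  return inline.every(({ value }) => !text.includes(value));
}

// Stand-alone run on the constructed config.
const { sanitized, inline } = sanitizeConfig(rawConfig);
const { findings } = secretsWorkflowCheck(rawConfig);
console.log(JSON.stringify({ sanitized, findings, clean: reportIsClean(findings, inline) }, null, 2));
```

The sanitized copy is what you would hand to any further check or write to a report; the raw object stays local to the process. Findings name the config path, never the value, so a report that somehow contains a redacted value fails reportIsClean and should be treated as a bug in the check rather than shipped.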
Functional analysis
Type: OpenClaw Skill
Name: firm-runtime-audit-pack
Version: 1.0.0
The skill bundle describes a 'firm-runtime-audit-pack' designed for auditing runtime environment and configuration aspects like Node.js version, secrets handling, HTTP headers, and command allowlists. The `SKILL.md` file clearly outlines the purpose and lists seven specific security audit tools. There is no executable code provided in these files, only metadata and documentation. No evidence of malicious intent, prompt injection, data exfiltration, or other harmful behaviors was found in `_meta.json` or `SKILL.md`. The content is consistent with a legitimate security auditing tool.
Capability assessment
Purpose & Capability
The name/description (runtime audit of Node.js, secrets workflow, headers, command allowlists, proxy, disk budget, DM allowlist) match the listed 'openclaw_*' tools and the example usage. The declared dependency on mcp-openclaw-extensions >= 3.0.0 reasonably explains where those checks come from.
Instruction Scope
The SKILL.md is instruction-only and simply directs the agent to run named checks against a provided config_path. It does not instruct reading unrelated system paths or sending results to external endpoints. However, several checks (especially the 'secrets_workflow' check) implicitly require reading configuration or workflow definitions that may contain secrets — the skill does not specify how sensitive data is handled or reported.
Install Mechanism
No install spec and no code files — lowest-risk delivery. The skill relies on mcp-openclaw-extensions being available in the environment; the SKILL.md does not provide an install method for that dependency, so installation must be managed separately by the user/agent.
Credentials
The skill does not request environment variables or credentials, which is proportionate. Nonetheless, some checks will need access to configuration files (example shows config_path=/path/to/config.json) and may parse sensitive entries; the SKILL.md does not document how secrets are protected or whether checks will read external secret stores.
Persistence & Privilege
always:false and user-invocable:true. No indication the skill persists or modifies other skills or agent-wide settings. Autonomous invocation is allowed by default but not uniquely privileged here.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat: /install firm-runtime-audit-pack
  3. After installation, call the Skill by name directly or trigger it with /firm-runtime-audit-pack
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history
v1.0.0
Initial release — 7 tools: node version, secrets, HTTP headers, commands, proxy, disk, DM
Metadata
Slug firm-runtime-audit-pack
Version 1.0.0
License (none listed)
Total installs 1
Current installs 1
Versions 1
FAQ

What is Firm Runtime Audit Pack?

Runtime environment and configuration audit pack. Validates Node.js version, secrets workflow, HTTP headers, allowed commands, trusted proxy, disk budget, an... It is an AI agent Skill plugin for Claude Code / OpenClaw, with 312 total downloads to date.

How do I install Firm Runtime Audit Pack?

Run the command /install firm-runtime-audit-pack in the OpenClaw or Claude Code chat to install it in one step. Note that the Requirements section above lists mcp-openclaw-extensions >= 3.0.0, and the SKILL.md does not install that dependency for you, so make sure it is present in the environment before running the checks.

Is Firm Runtime Audit Pack free?

Yes, Firm Runtime Audit Pack is free to download, install and use. The metadata above lists no license, so check the author's GitHub repository for the actual license terms.

Which platforms does Firm Runtime Audit Pack support?

Firm Runtime Audit Pack is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Firm Runtime Audit Pack?

Developed and maintained by romainsantoli-web (@romainsantoli-web); the current version is v1.0.0.
