romainsantoli-web

Firm Security Audit

Author: romainsantoli-web · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
323 total downloads · 0 favorites · 1 current installs · 1 versions
Install in OpenClaw:
/install firm-security-audit
Description
Proactive security audit of OpenClaw deployments. Detects and remediates the 4 critical/high gaps identified in openclaw/openclaw: SQL injection (C1), s...
Usage (SKILL.md)

firm-security-audit

⚠️ AI-generated content: validation by a security expert is required before any change in production.

Purpose

This skill is the mandatory security gate before any deployment or network exposure of an OpenClaw Gateway. It directly closes the critical gaps identified in openclaw/openclaw from outside the repo, without modifying upstream code.

Gaps covered:

Gap                                              Severity   Tool
C1 — SQL injection in /api/metrics/database      CRITICAL   openclaw_security_scan
C2 — sandbox.mode: off by default                CRITICAL   openclaw_sandbox_audit
C3 — Session secret regenerated on restart       HIGH       openclaw_session_config_check
H8 — No rate limiting on the WS Gateway          HIGH       openclaw_rate_limit_check
M10 — Matrix E2EE status undocumented            MEDIUM     documentary checklist

Enabled tools

openclaw_security_scan         — SQL injection detection (C1)
openclaw_sandbox_audit         — sandbox config verification (C2)
openclaw_session_config_check  — session secret persistence check (C3)
openclaw_rate_limit_check      — rate limiter verification (H8)
firm_export_slack_digest       — team notification when a CRITICAL finding is raised

Mandatory audit sequence

Run before every deployment or before enabling Tailscale Funnel.

Step 1 — Sandbox audit (C2, CRITICAL priority)

{
  "tool": "openclaw_sandbox_audit",
  "args": {
    "config_path": "/path/to/.openclaw/config.yaml"
  }
}

Expected: severity: OK with sandbox_mode: non-main or all
If CRITICAL: apply the provided fix_snippet before continuing

Step 2 — SQL injection scan (C1)

{
  "tool": "openclaw_security_scan",
  "args": {
    "target_path": "/path/to/openclaw/src/api",
    "endpoint": "/api/metrics/database",
    "scan_depth": 4
  }
}

Expected: critical_count: 0, high_count: 0
If CRITICAL or HIGH: apply remediation_by_severity before deploying

Step 3 — Session secret check (C3)

{
  "tool": "openclaw_session_config_check",
  "args": {
    "compose_file_path": "/path/to/docker-compose.yml",
    "env_file_path": "/path/to/.env"
  }
}

Expected: session_secret_found: true
If HIGH: apply the provided fix_docker or fix_env

Step 4 — Rate limiting check (H8)

{
  "tool": "openclaw_rate_limit_check",
  "args": {
    "gateway_config_path": "/path/to/.openclaw/config.yaml",
    "check_funnel": true
  }
}

Expected: rate_limiter_detected: true OR funnel_active: false
If CRITICAL (Funnel active without a rate limiter): apply fix_nginx or fix_caddy immediately

Step 5 — Alert on CRITICAL (automatic)

If any of the audits returns severity: CRITICAL, dispatch automatically via:

{
  "tool": "firm_export_slack_digest",
  "args": {
    "objective": "Security audit — CRITICAL finding",
    "content": "<résultats de l'audit>",
    "channel": "#security-alerts"
  }
}

Matrix E2EE checklist (M10)

Manual documentary check (no tool available, too repo-specific):

  • Does the OpenClaw CONTRIBUTING.md mention the Matrix E2EE status?
  • Are privacy-sensitive Matrix users informed that E2EE is absent?
  • Does an ADR (firm_adr_generate) document the Matrix E2EE decision?

Quick remediation templates

C2 — Sandbox fix (add to config.yaml)

agents:
  defaults:
    sandbox:
      mode: non-main   # ← enable Docker isolation for non-main sessions
  sessions:
    main:
      sandbox:
        mode: off      # main keeps host access (intentional)

C3 — Session secret (docker-compose.yml)

services:
  openclaw:
    environment:
      SESSION_SECRET: "${SESSION_SECRET:?SESSION_SECRET env var required}"
# Generate: openssl rand -base64 48 > /etc/openclaw/session.secret

H8 — Rate limiting with Nginx

limit_req_zone $binary_remote_addr zone=openclaw:10m rate=30r/m;
server {
    location /ws {
        limit_req zone=openclaw burst=10 nodelay;
        proxy_pass http://127.0.0.1:18789;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Escalation

Result                          Action
All OK                          Deployment authorized; log the audit in docs/security-audits/
CRITICAL sandbox or SQL         Block the deployment; fix mandatory before push
CRITICAL rate limit + Funnel    Disable Funnel and apply Nginx/Caddy immediately
HIGH session secret             Apply the fix and restart the container with the persistent secret

CI/CD integration

Add to the GitHub Actions workflow:

- name: Security audit (firm-security-audit)
  run: |
    # From the CTO or Engineering agent before each deploy
    openclaw skill run firm-security-audit \
      --config $OPENCLAW_CONFIG_PATH \
      --fail-on CRITICAL,HIGH

OpenClaw gaps : C1 (#29951 SQL injection), C2 (sandbox off), C3 (#29955 session secret), H8 (no rate limit)
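To make the audit sequence, the escalation table and the CI --fail-on gate concrete, here is an added Python example; it is not part of this skill, of OpenClaw, or of the tools the SKILL.md names. It models the C2, C3 and H8 checks as hypothetical local functions run over constructed sample inputs (the config is assumed to be config.yaml already parsed into a dict by a YAML loader), supplies the C1 result as a constructed dict because the page shows no SQL-injection detection logic, and then applies the escalation rules and the fail-on threshold. The function names and result keys (fix_snippet, session_secret_found, rate_limiter_detected) follow the SKILL.md wording but are assumptions about what the real tools return.

```python
# Added example: a local model of the firm-security-audit decision logic.
# It is NOT the skill's own tool code. The C2/C3/H8 checks are hypothetical
# re-implementations over constructed sample inputs; the C1 result is a
# constructed dict because no SQL-injection detection logic is shown.
import re

FAIL_ON_DEFAULT = ("CRITICAL", "HIGH")  # mirrors --fail-on CRITICAL,HIGH


def sandbox_audit(config: dict) -> dict:
    """C2: agents.defaults.sandbox.mode must be 'non-main' or 'all'.
    The config is assumed to be config.yaml already parsed into a dict;
    a missing key is treated as the documented insecure default 'off'."""
    mode = (config.get("agents", {}).get("defaults", {})
            .get("sandbox", {}).get("mode", "off"))
    if mode in ("non-main", "all"):
        return {"severity": "OK", "sandbox_mode": mode}
    return {"severity": "CRITICAL", "sandbox_mode": mode,
            "fix_snippet": "agents:\n  defaults:\n    sandbox:\n      mode: non-main"}


_ENV_LINE = re.compile(r"^\s*SESSION_SECRET\s*=\s*(.*?)\s*$")


def session_secret_check(compose_text: str, env_text: str) -> dict:
    """C3: compose must pass SESSION_SECRET through and .env must set it,
    otherwise the secret is regenerated on every restart."""
    declared = re.search(r"^\s*SESSION_SECRET\s*:", compose_text, re.M) is not None
    value = ""
    for line in env_text.splitlines():
        m = _ENV_LINE.match(line)
        if m:
            value = m.group(1).strip("'\"")
    if declared and value:
        return {"severity": "OK", "session_secret_found": True}
    return {"severity": "HIGH", "session_secret_found": False,
            "fix_docker": 'SESSION_SECRET: "${SESSION_SECRET:?SESSION_SECRET env var required}"'}


def rate_limit_check(proxy_conf: str, funnel_active: bool) -> dict:
    """H8: an Nginx limit_req_zone plus a limit_req directive must exist.
    Missing limiter is CRITICAL only when Funnel already exposes the gateway."""
    detected = (re.search(r"^\s*limit_req_zone\b", proxy_conf, re.M) is not None
                and re.search(r"^\s*limit_req\s+zone=", proxy_conf, re.M) is not None)
    if detected or not funnel_active:
        return {"severity": "OK", "rate_limiter_detected": detected,
                "funnel_active": funnel_active}
    return {"severity": "CRITICAL", "rate_limiter_detected": False,
            "funnel_active": True, "fix_nginx": "limit_req zone=openclaw burst=10 nodelay;"}


def escalate(results: dict) -> dict:
    """Apply the skill's escalation table to the per-gap results."""
    sev = {gap: r["severity"] for gap, r in results.items()}
    actions = []
    if sev.get("C2") == "CRITICAL" or sev.get("C1") in ("CRITICAL", "HIGH"):
        actions.append("Block the deployment; fix is mandatory before push")
    if sev.get("H8") == "CRITICAL":
        actions.append("Disable Funnel and apply the Nginx/Caddy rate limiter immediately")
    if sev.get("C3") == "HIGH":
        actions.append("Apply the fix and restart the container with the persistent secret")
    if not actions:
        return {"decision": "ALLOW", "log_to": "docs/security-audits/", "actions": []}
    # Step 5: the Slack digest is dispatched only when something is CRITICAL
    return {"decision": "BLOCK", "actions": actions,
            "slack_alert": "CRITICAL" in sev.values()}


def fail_on(results: dict, thresholds=FAIL_ON_DEFAULT) -> int:
    """CI gate: non-zero exit status when any gap reaches a threshold severity."""
    return 1 if any(r["severity"] in thresholds for r in results.values()) else 0


# Constructed sample inputs (not taken from any real deployment)
WEAK_CONFIG = {"agents": {"defaults": {"sandbox": {"mode": "off"}}}}
HARDENED_CONFIG = {"agents": {"defaults": {"sandbox": {"mode": "non-main"}}}}
COMPOSE_OK = 'services:\n  openclaw:\n    environment:\n      SESSION_SECRET: "${SESSION_SECRET:?required}"\n'
ENV_OK = "SESSION_SECRET=c0nstructed-sample-secret\n"
NGINX_NO_LIMIT = "server {\n  location /ws {\n    proxy_pass http://127.0.0.1:18789;\n  }\n}\n"
NGINX_LIMIT = ("limit_req_zone $binary_remote_addr zone=openclaw:10m rate=30r/m;\n"
               "server {\n  location /ws {\n    limit_req zone=openclaw burst=10 nodelay;\n"
               "    proxy_pass http://127.0.0.1:18789;\n  }\n}\n")
SQL_SCAN_OK = {"severity": "OK", "critical_count": 0, "high_count": 0}


def run_audit(config, compose_text, env_text, proxy_conf, funnel_active, sql_result=SQL_SCAN_OK):
    """Steps 1 to 4 in the mandated order, then the escalation decision."""
    results = {
        "C2": sandbox_audit(config),
        "C1": sql_result,
        "C3": session_secret_check(compose_text, env_text),
        "H8": rate_limit_check(proxy_conf, funnel_active),
    }
    return results, escalate(results)


if __name__ == "__main__":
    results, decision = run_audit(WEAK_CONFIG, COMPOSE_OK, "", NGINX_NO_LIMIT, funnel_active=True)
    for gap, r in results.items():
        print(f"{gap}: {r['severity']}")
    print(decision, "exit status:", fail_on(results))
```

Running the module as-is audits the deliberately weak sample (sandbox off, no .env secret, Funnel active without a limiter) and reaches BLOCK with three actions and exit status 1; swapping in HARDENED_CONFIG, ENV_OK and NGINX_LIMIT reaches ALLOW with exit status 0. The fail_on threshold tuple is what a CI step would pass from --fail-on.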


💎 Support

If this skill is useful to you, you can support its development:

Dogecoin : DQBggqFNWsRNTPb6kkiwppnMo1Hm8edfWq

Safe-use recommendations
Before installing or running this skill:
  1. Verify provenance — the source is unknown and there is no homepage or maintainer contact; prefer skills from vetted authors.
  2. Confirm that the runtime tools the SKILL.md names (openclaw_security_scan, openclaw_sandbox_audit, firm_export_slack_digest, and the openclaw CLI) actually exist in your environment or are listed as required dependencies; ask the author for an explicit dependency list.
  3. Treat the remediation snippets as suggestions only: review and test them in staging — they modify configs and may require root privileges (writing /etc/openclaw/session.secret).
  4. Provide Slack/webhook credentials deliberately and separately if you want alerting; the skill does not declare or request them, so automatic dispatch could fail or — worse — be misconfigured.
  5. If you plan to run scans that read .env or compose files, ensure the operator/agent has authorization to access those secrets and consider running in read-only mode first.
  6. Given the unknown source, consult a human security reviewer before using this skill against production systems.
Providing the skill's author, repository, or a verified package of the referenced tools would raise confidence.
Feature analysis
Type: OpenClaw Skill Name: firm-security-audit Version: 1.0.0 The skill bundle is designed for proactive security auditing, addressing known vulnerabilities in OpenClaw deployments. It orchestrates calls to various audit tools (`openclaw_security_scan`, `openclaw_sandbox_audit`, etc.) and includes a step to send critical findings to a Slack channel via `firm_export_slack_digest`. All file access (e.g., config files, Docker Compose) and network communication (Slack alerts) are directly aligned with the stated purpose of a security audit and alerting. There is no evidence of prompt injection attempting to subvert the agent's behavior, exfiltrate arbitrary data, or execute malicious commands beyond the scope of the audit. The skill aims to identify and remediate vulnerabilities, not introduce or exploit them.
Capability assessment
Purpose & Capability
The skill is clearly an OpenClaw-focused security audit and the embedded metadata references mcp-openclaw-extensions >= 2.0.0 which is coherent. However the instructions assume the presence of runtime tools (openclaw_security_scan, openclaw_sandbox_audit, firm_export_slack_digest, etc.) and an 'openclaw' CLI for CI usage while the registry metadata and requirements list no declared binaries or credentials. The lack of declared runtime dependencies (CLI/tools) is unexpected for a tool-driven audit.
Instruction Scope
The SKILL.md directs the agent/operator to read and modify local files and paths (config.yaml, docker-compose.yml, .env, /etc/openclaw/session.secret) and to run scans against code paths and endpoints. It also includes automated remediation snippets and an automatic Slack dispatch step. Those actions involve reading potentially sensitive files and making persistent changes; the skill does not document authorization, safety checks, or a read-only audit mode.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installer risk. There are no downloads or archive extracts. However, runtime behavior depends on external tools that are not declared in the registry metadata.
Credentials
The instructions require reading env files and performing actions that will access secrets (SESSION_SECRET in .env) and send results to Slack, but the skill declares no required environment variables, webhooks, or tokens. Requiring access to .env files and an outbound notification channel without declaring or requesting corresponding credentials is disproportionate and could lead to unexpected secret access or accidental exfiltration.
Persistence & Privilege
The `always` flag is false and the skill does not claim to persist itself or change other skills' configs. It does propose making persistent system/config changes (writing session.secret, editing config.yaml) but that is presented as remediation steps for operators to apply — the skill itself does not request elevated platform privileges in metadata.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install firm-security-audit
  3. Once installed, call the Skill by name or trigger it with /firm-security-audit
  4. Supply the required inputs described by the Skill's parameters to get structured output
Version history
v1.0.0
firm-security-audit 1.0.0 — Initial release.
  • Provides proactive security auditing for OpenClaw deployments.
  • Detects and remediates four critical/high security gaps: SQL injection, sandbox off by default, non-persistent session secret, and missing rate limiting.
  • Includes a step-by-step audit sequence with ready-to-use remediation templates.
  • Issues automatic Slack alerts for CRITICAL findings.
  • Requires manual checklist review for the Matrix E2EE documentation gap.
  • Designed for mandatory execution before any deployment or public exposure.
Metadata
Slug firm-security-audit
Version 1.0.0
License
Total installs 1
Current installs 1
Versions 1
FAQ

What is Firm Security Audit?

Proactive security audit of OpenClaw deployments. Detects and remediates the 4 critical/high gaps identified in openclaw/openclaw: SQL injection (C1), s... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 323 downloads to date.

How do I install Firm Security Audit?

Run the command "/install firm-security-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Firm Security Audit free?

Yes, Firm Security Audit is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Firm Security Audit support?

Firm Security Audit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Firm Security Audit?

Developed and maintained by romainsantoli-web (@romainsantoli-web); current version v1.0.0.
