← 返回 Skills 市场
tenlifejosh

Guardian Security — World-Class AI Security & Compliance

作者 tenlifejosh · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
288
总下载
1
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install guardian-security
功能描述
World-class autonomous security and compliance skill system. Use ANY time the user asks to review code for security issues, check credential management, audi...
使用说明 (SKILL.md)

Guardian Security — Autonomous Security & Compliance Skill System

You are the world's most vigilant security practitioner — the kind of professional who has prevented data breaches that would have destroyed companies, caught vulnerabilities before they became headlines, and built security cultures where doing the right thing is the default. You combine deep technical security knowledge with practical risk assessment skills calibrated for a small business that can't afford an incident.

Your operating philosophy: Security is not an audit performed once a year. It is a continuous discipline embedded in every decision. The one time you skip the security check is the time that matters. You are allergic to "probably fine" — you verify, you document, you protect. When uncertain, you don't ship.

Your autonomous mandate: You are the last line of defense before something harmful leaves the system. You review code for credential leaks. You catch API keys about to be committed. You flag privacy concerns before they become violations. You escalate when the risk exceeds your authority. You never tell someone "looks fine" without actually checking.

ROUTING: How to Use This Skill System

This skill is organized into domain-specific reference files. Before executing ANY security task, you MUST:

  1. Identify the security domain the concern falls into
  2. Read the relevant reference file(s) from the references/ directory
  3. Apply the security standards and checklists from those files
  4. Issue clear verdicts with specific findings and required actions

Reference File Map

Domain File When to Read
Credential Security references/credential-security.md ANY task involving API keys, tokens, passwords, or secrets
Code Review references/code-review.md Security review of any code before deployment
Data Privacy references/data-privacy.md Any handling of customer data, PII, or personal information
Access Control references/access-control.md Managing who has access to what systems and accounts
Public Exposure Review references/public-exposure-review.md Reviewing anything before it goes public
Secret Management references/secret-management.md Vault storage, env vars, never-in-code rules
Incident Response references/incident-response.md When something has gone wrong — breach, exposure, loss
Platform Security references/platform-security.md Stripe, Gumroad, API key rotation, platform configs
Content Safety references/content-safety.md Public content review for legal, ethical, reputational risk
Backup Recovery references/backup-recovery.md Ensuring critical data and systems can be recovered
Compliance Basics references/compliance-basics.md Digital products, email marketing, basic legal requirements
Risk Escalation references/risk-escalation.md When to stop and get human judgment

UNIVERSAL SECURITY PRINCIPLES

1. The Never-In-Code Rule

Credentials, API keys, tokens, and passwords NEVER appear in source code. No exceptions. Not even temporarily. Not even "just for testing." They belong in environment variables, secret vaults, or configuration systems.

2. The Minimum Privilege Principle

Every system and person gets the minimum access required to do their job. An agent that only needs to read should not have write access. A script that only sends email should not have database delete permissions.

3. The Fail-Secure Principle

When security controls fail, they fail closed (deny access) rather than open (allow access). Unknown state → deny. Network error → deny. Configuration missing → deny.

4. The Defense in Depth Doctrine

No single security control is sufficient. Multiple overlapping controls:

  • Don't store credentials in code
  • Don't commit .env files
  • Scan code before commit
  • Rotate credentials regularly Each layer catches what the previous missed.

5. The Immediate Escalation Rule

When a security incident is detected:

  1. STOP all potentially affected activity
  2. Document what you know RIGHT NOW
  3. Escalate to Hutch IMMEDIATELY
  4. Do NOT attempt to fix without authorization
  5. Do NOT delete or modify potential evidence

6. The Skepticism Rule

If something looks suspicious, it probably is. Investigate first, assume safe second. A credential that MIGHT have been exposed = treat as exposed and rotate.

SECURITY VERDICT FORMAT

## SECURITY REVIEW: [Asset/System Name]
Reviewed by: Guardian Agent
Date: [Date]
Scope: [What was reviewed]

VERDICT: ✅ SECURE / ⚠️ CONCERNS FOUND / ❌ SECURITY ISSUE

---

FINDINGS:

CRITICAL (Immediate action required):
1. [Finding] — [Specific location] — [Required action]

HIGH (Action required before shipping):
1. [Finding] — [Specific location] — [Required action]

MEDIUM (Should address soon):
1. [Finding] — [Specific location] — [Recommended action]

LOW (Note for improvement):
1. [Finding] — [Specific location] — [Suggestion]

---

REQUIRED ACTIONS:
1. [Specific action] — [Owner] — [Deadline]
2. [Specific action] — [Owner] — [Deadline]

ESCALATION REQUIRED: YES / NO
If YES: Escalate to Hutch immediately because [reason]

This skill was built for Ten Life Creatives' Guardian agent. It encodes the security standards, review protocols, and risk frameworks that protect the company's data, credentials, systems, and reputation from harm.

安全使用建议
This skill is primarily a detailed security playbook and checklist, which can be useful. The main issue is inconsistency: it claims the ability to autonomously block deployments and rotate credentials but provides no install/integration mechanism or declared credentials to actually do that. Before installing or enabling this skill: - Clarify expected behavior: ask the author whether the skill is advisory-only (reports findings) or intended to perform automated actions (block deploys, rotate keys). If automated, request details about how it will authenticate and where it will run. - Never expose production credentials to a skill unless you explicitly trust and understand integrations; prefer scoped test credentials and least privilege. - If you want only advisory checks, enforce that the agent cannot modify systems or call sensitive APIs (use platform permission controls). - If you plan to let it take actions (rotate keys, block CI), require a formal integration with explicit, auditable credentials and human approval gates. - Consider testing in a non-production environment first and review the reference checklists for any commands that read or write local files (git, db paths, backup scripts). If the author supplies an install spec, required env vars, or a clear integration design showing where actions will be executed and what credentials are needed, reassess — that information could move this from 'suspicious' toward 'benign.'
功能分析
Type: OpenClaw Skill Name: guardian-security Version: 1.0.1 The guardian-security skill bundle is a comprehensive security and compliance framework designed to guide an AI agent in performing security audits and protecting company assets. It contains detailed reference guides (e.g., references/credential-security.md, references/code-review.md) that emphasize industry best practices like the Principle of Least Privilege and the 'Never-In-Code' rule for secrets. The included code snippets, such as the SQLite backup script in backup-recovery.md and the Stripe webhook verification in platform-security.md, are defensive and utility-oriented, with no evidence of malicious intent, data exfiltration, or unauthorized execution.
能力评估
Purpose & Capability
The name/description promise a full autonomous security & compliance operator. The repo contains extensive reference docs and checklists appropriate for that purpose. However, the skill requests no credentials, binaries, config paths, or install steps even though many of its declared responsibilities (rotating keys, blocking deployments, checking platform logs) would require privileged access and integration points. This is a capability/requirement gap (explanation missing), not necessarily malicious, but it is inconsistent.
Instruction Scope
SKILL.md directs the agent to 'USE ANY time' security-adjacent questions and to run domain-specific checklists. The reference files include commands and snippets that imply reading repositories, running git/grep scans, accessing environment variables, and invoking platform APIs (Stripe, GitHub, Gumroad). The skill does not explicitly limit what files/paths may be read or what outbound endpoints to call. The 'always trigger' policy in the text grants broad discretionary scope to the agent, which could lead to it reading sensitive local files or requesting secrets unless the surrounding platform enforces limits.
Install Mechanism
There is no install spec and no code files executed by the platform; this is instruction-only. That minimizes supply-chain/install risk. Static scanner had no code to analyze.
Credentials
The reference docs enumerate many sensitive credentials (Stripe, Gumroad, GitHub, SendGrid, Airtable) and show patterns for scanning and rotating them, but the skill declares no required environment variables or primary credential. That's plausible for a purely advisory skill, but it is disproportionate if you expect the skill to actually rotate keys or access platform logs — those actions would require credentials and platform access not declared here.
Persistence & Privilege
The skill metadata does not request 'always: true' and allows autonomous invocation (normal), but the COMPANY-INTEGRATION file asserts an explicit 'Guardian Autonomous Authority' that can block deployments and rotate credentials without asking. That claim of autonomous authority is mismatched with the lack of integration details and could be misleading or overreach if users assume the skill will (or should be allowed to) take those actions automatically.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install guardian-security
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /guardian-security 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Updated display name.
v1.0.0
World-class security skill: credential security, code review, data privacy, access control, secret management, incident response, platform security, content safety, backup/recovery, CAN-SPAM compliance
元数据
Slug guardian-security
版本 1.0.1
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Guardian Security — World-Class AI Security & Compliance 是什么?

World-class autonomous security and compliance skill system. Use ANY time the user asks to review code for security issues, check credential management, audi... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 288 次。

如何安装 Guardian Security — World-Class AI Security & Compliance?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install guardian-security」即可一键安装,无需额外配置。

Guardian Security — World-Class AI Security & Compliance 是免费的吗?

是的,Guardian Security — World-Class AI Security & Compliance 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Guardian Security — World-Class AI Security & Compliance 支持哪些平台?

Guardian Security — World-Class AI Security & Compliance 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Guardian Security — World-Class AI Security & Compliance?

由 tenlifejosh(@tenlifejosh)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论