← 返回 Skills 市场

Host Security Audit

Name: Host Security Audit
Author: jessewunderlich

作者 Jesse Wunderlich · GitHub ↗ · v1.0.0

cross-platform ✓ 安全检测通过

275

总下载

当前安装

版本数

在 OpenClaw 中安装

/install host-security-audit

功能描述

Comprehensive security audit and hardening for OpenClaw host machines. Checks firewall, disk encryption, open ports, auto-updates, brew outdated, OpenClaw ve...

使用说明 (SKILL.md)

Host Security Audit

Run a comprehensive security audit on the machine hosting OpenClaw. Checks OS-level security, OpenClaw configuration, and common misconfigurations.

Quick Start

Run the full audit:

bash scripts/security-audit.sh

Run with JSON output:

bash scripts/security-audit.sh --json

What It Checks

OS Security

Firewall — macOS Application Firewall or Linux ufw/firewalld
Disk encryption — FileVault (macOS) or LUKS (Linux)
Auto-updates — macOS SoftwareUpdate or unattended-upgrades
Open ports — listening services on all interfaces
Suspicious processes — crypto miners, reverse shells, unexpected listeners

OpenClaw Security

OpenClaw version — current vs latest available
API key exposure — plaintext keys in config files
Gateway bind address — flags 0.0.0.0 binding (exposed to network)
File permissions — secrets directory permissions

System Health

Disk usage — warns at 80%, critical at 90%
Brew outdated — packages with available updates (macOS)
Time Machine — backup status and last backup time (macOS)

Scheduling Monthly Audits

Create an OpenClaw cron job for the 1st Monday of each month at 9 AM:

schedule: "0 9 1-7 * 1"
payload: Run a full host security audit. Execute: bash \x3Cskill-path>/scripts/security-audit.sh — Report findings with severity levels (CRITICAL/WARNING/OK). Only notify the user if there are CRITICAL or WARNING findings. If everything passes, do nothing (NO_REPLY).

Remediation

The audit reports findings but does not auto-fix. For each finding:

CRITICAL — Act immediately (exposed API keys, no firewall, no encryption)
WARNING — Schedule fix within a week (outdated packages, disk usage)
OK — No action needed

To auto-fix OpenClaw-specific issues:

openclaw security audit --fix

This only tightens OpenClaw defaults and file permissions. It does not modify host firewall, SSH, or OS settings.

安全使用建议

This skill appears coherent for a local host audit, but review before running. Specifically: 1) Inspect scripts/security-audit.sh yourself — it will read ${HOME}/.openclaw/* and other system state (process list, ports, disk, firewall status). 2) Run it with least privilege (don't run as root unless needed) and test in a safe environment first. 3) If you schedule cron jobs, ensure the scheduled job runs under the intended user and that any delivered reports are sent only to trusted destinations (the SKILL.md does not define an external reporting endpoint). 4) If you store sensitive OpenClaw secrets, consider temporarily moving them or running the audit in a controlled context. 5) If you rely on exact checks (npm view openclaw, brew, tmutil), be aware those commands may contact external services; allow or restrict network access accordingly.

功能分析

Type: OpenClaw Skill Name: host-security-audit Version: 1.0.0 The OpenClaw AgentSkills bundle 'host-security-audit' is benign. The `SKILL.md` provides clear instructions for the AI agent to execute a security audit script and report its findings. The `scripts/security-audit.sh` script performs a comprehensive set of system and OpenClaw-specific security checks (e.g., firewall, disk encryption, open ports, API key exposure, suspicious processes). All commands executed are standard system utilities for information gathering, and the script reports findings without exfiltrating sensitive data, installing backdoors, or executing arbitrary malicious code. The network call to `npm view` is a legitimate check for software updates.

能力评估

ℹ Purpose & Capability

The script implements the stated host and OpenClaw checks (firewall, disk encryption, open ports, OpenClaw config, API key patterns, brew outdated, etc.). It legitimately needs access to local system tools and the user's OpenClaw config. Minor mismatch: SKILL.md lists no required binaries even though the script uses commands like lsof/ss, tmutil/fdesetup/defaults (macOS), lsblk/stat, npm and openclaw if present; this is an omission but not malicious.

✓ Instruction Scope

SKILL.md instructs running the included script and scheduling a cron job; the script's actions are limited to local system inspection and OpenClaw config files under $HOME/.openclaw. It does not instruct network exfiltration or reading unrelated system secrets. The scheduling snippet mentions reporting but does not define an external report endpoint.

✓ Install Mechanism

There is no install spec (instruction-only plus an included script), so nothing is downloaded or installed by the skill itself. That minimizes risk from install-time arbitrary code fetches.

ℹ Credentials

The skill requests no environment variables or external credentials. It does read potentially sensitive local files (e.g., ${HOME}/.openclaw/openclaw.json and secrets directory) and scans for API key patterns — this is proportional to an audit but is sensitive, so users should understand the script will access their OpenClaw config and secrets directory permissions.

ℹ Persistence & Privilege

always is false and the skill does not automatically persist itself. SKILL.md suggests creating a monthly cron job, which is a user decision. Some checks may require elevated privileges to be fully accurate (e.g., certain firewall or process details), but the script does not attempt to escalate privileges by itself.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install host-security-audit
安装完成后，直接呼叫该 Skill 的名称或使用 /host-security-audit 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release — Comprehensive security audit for OpenClaw hosts (macOS/Linux). Checks firewall, encryption, ports, API keys, disk usage, and more.

元数据

Slug host-security-audit

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题