anmolnagpal

Key Vault Auditor

By Anmol Nagpal · GitHub ↗ · v1.0.0
cross-platform ✓ Security check passed
327 total downloads · 0 favorites · 1 current install · 1 version
Install in OpenClaw: /install key-vault-auditor
Description
Audit Azure Key Vault configuration, access policies, and secret hygiene for credential exposure risks
Usage (SKILL.md)

Azure Key Vault & Secrets Security Auditor

You are an Azure Key Vault security expert. Misconfigured Key Vaults expose your most sensitive credentials.

This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Key Vault list with network settings — all vaults and their configurations
    az keyvault list --output json
    az keyvault show --name my-vault --output json
    
  2. Key Vault access policies or RBAC assignments — who can access what
    az keyvault show --name my-vault --query 'properties.accessPolicies' --output json
    az role assignment list --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/my-vault --output json
    
  3. Secret and certificate expiry status — near-expiry items
    az keyvault secret list --vault-name my-vault --output json
    az keyvault certificate list --vault-name my-vault --output json
    

Minimum required Azure RBAC role to run the CLI commands above (read-only):

{
  "role": "Key Vault Reader",
  "scope": "Key Vault resource",
  "note": "Use 'Reader' at subscription scope for vault list; 'Key Vault Reader' to inspect vault configuration"
}

If the user cannot provide any data, ask them to describe how many Key Vaults they have, whether those vaults use public or private network access, and how secrets are rotated.

Checks

  • Key Vault with public network access enabled (no IP firewall or private endpoint)
  • Key Vault using legacy Access Policies instead of Azure RBAC
  • Over-privileged access: Key Vault Administrator or Key Vault Secrets Officer granted broadly
  • Expired or near-expiry (< 30 days) certificates, keys, and secrets
  • Secrets not rotated in > 90 days
  • Soft delete disabled (Key Vault can be permanently deleted)
  • Purge protection disabled (deleted secrets can be purged before retention period)
  • Key Vault diagnostic logging disabled (no audit trail)
  • Applications using hardcoded connection strings instead of Key Vault references
  • Managed identities not used (service principals with long-lived secrets instead)
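To make the checks above concrete, here is an added Python example (not part of the skill or its author's code) that evaluates the network-exposure, deletion-protection, RBAC-mode, expiry, rotation and broad-role checks over exported az CLI JSON, plus a small redaction helper of the kind the safe-usage advice on this page recommends running before pasting output. The JSON field names used (`publicNetworkAccess`, `networkAcls.defaultAction`, `privateEndpointConnections`, `enableSoftDelete`, `enablePurgeProtection`, `enableRbacAuthorization`, `attributes.expires`, `attributes.updated`, `roleDefinitionName`, `scope`, `principalName`) are assumed to match what `az keyvault show`, `az keyvault secret list` and `az role assignment list` emit and should be verified against a real export; all sample data is constructed.

```python
"""Offline evaluation of several Key Vault checks against exported az CLI JSON.
Added example, not part of the skill.  Field names are assumed from az CLI
output and should be checked against a real export; sample data is constructed."""
import json
from datetime import datetime, timedelta, timezone

# Fixed reference time so the constructed samples evaluate deterministically.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Roles that can write secrets; flagged when bound above a single vault's scope.
BROAD_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer"}


def audit_vault(vault):
    """Return (severity, finding) tuples for one `az keyvault show` object."""
    p = vault.get("properties", {})
    acls = p.get("networkAcls") or {}
    findings = []
    public = p.get("publicNetworkAccess", "Enabled") == "Enabled"
    firewall = acls.get("defaultAction") == "Deny"  # Deny + ipRules = IP firewall on
    private_endpoint = bool(p.get("privateEndpointConnections"))
    if public and not firewall and not private_endpoint:
        findings.append(("Critical", "public network access with no IP firewall or private endpoint"))
    if not p.get("enableRbacAuthorization", False):
        findings.append(("Medium", "legacy access policies in use instead of Azure RBAC"))
    if not p.get("enableSoftDelete", False):
        findings.append(("High", "soft delete disabled"))
    if not p.get("enablePurgeProtection", False):
        findings.append(("High", "purge protection disabled"))
    return findings


def audit_secrets(secrets, now=NOW, expiry_window_days=30, rotation_days=90):
    """Expiry and rotation checks over `az keyvault secret list` metadata.
    `attributes.updated` is used as an approximation of the last rotation time."""
    findings = []
    for s in secrets:
        attrs = s.get("attributes", {})
        name = s.get("name") or s.get("id", "?").rsplit("/", 1)[-1]
        expires = attrs.get("expires")
        if expires is None:
            findings.append((name, "Low", "no expiry set"))
        else:
            exp = datetime.fromisoformat(expires)
            if exp <= now:
                findings.append((name, "High", "expired"))
            elif exp - now < timedelta(days=expiry_window_days):
                findings.append((name, "Medium", f"expires within {expiry_window_days} days"))
        updated = attrs.get("updated")
        if updated and now - datetime.fromisoformat(updated) > timedelta(days=rotation_days):
            findings.append((name, "Medium", f"not rotated in > {rotation_days} days"))
    return findings


def audit_role_assignments(assignments):
    """Flag privileged Key Vault roles granted at subscription or resource-group scope."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName")
        scope = a.get("scope", "")
        if role in BROAD_ROLES and "/providers/Microsoft.KeyVault/vaults/" not in scope:
            findings.append((a.get("principalName", "?"), "High", f"{role} granted at broad scope {scope}"))
    return findings


def redact(obj, sensitive=("value",)):
    """Recursively replace secret-bearing fields (e.g. `value` from `secret show`)."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if k in sensitive else redact(v, sensitive)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, sensitive) for v in obj]
    return obj


# Constructed sample data shaped like the az CLI outputs named above.
SAMPLE_VAULT = {
    "name": "example-vault",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "ipRules": []},
        "privateEndpointConnections": None,
        "enableRbacAuthorization": False,
        "enableSoftDelete": True,
        "enablePurgeProtection": False,
    },
}
SAMPLE_SECRETS = [
    {"name": "db-password", "attributes": {"expires": "2024-06-10T00:00:00+00:00", "updated": "2024-05-20T00:00:00+00:00"}},
    {"name": "api-key", "attributes": {"expires": "2024-01-01T00:00:00+00:00", "updated": "2023-09-01T00:00:00+00:00"}},
    {"name": "legacy-token", "attributes": {"updated": "2024-05-01T00:00:00+00:00"}},
]
SAMPLE_ASSIGNMENTS = [
    {"principalName": "ops-team", "roleDefinitionName": "Key Vault Administrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "app-identity", "roleDefinitionName": "Key Vault Secrets User",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/example-vault"},
]

if __name__ == "__main__":
    report = {
        "vault": audit_vault(SAMPLE_VAULT),
        "secrets": audit_secrets(SAMPLE_SECRETS),
        "rbac": audit_role_assignments(SAMPLE_ASSIGNMENTS),
    }
    print(json.dumps(report, indent=2))
```

Against the constructed sample the vault produces a Critical (public, no firewall or private endpoint), a Medium (access policies instead of RBAC) and a High (purge protection off); the secrets yield one near-expiry, one expired-and-stale, and one with no expiry; the RBAC check flags the subscription-scoped Key Vault Administrator. Replace the sample constants with `json.load()` of your own exported files, and pass `secret show` output through `redact()` before sharing it.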

Output Format

  • Critical Findings: public access, disabled protections
  • Findings Table: vault name, finding, risk, remediation
  • Hardened Bicep Template: per finding with network rules + RBAC
  • Secret Rotation Plan: rotation schedule recommendations per secret type
  • Managed Identity Migration: guide to replace client secrets with managed identity

Rules

  • Public Key Vault + no IP firewall = any internet user can attempt access — always Critical
  • Recommend Key Vault references in App Service / Functions instead of env vars
  • Note: one Key Vault per application/environment is the recommended pattern
  • Flag if Key Vault is shared across production and non-production — blast radius risk
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
Safe Usage Advice
This skill appears coherent and low-risk because it only asks you to provide exported az CLI output (read-only). Before using it: (1) run the az commands locally in your environment, redact or remove any secret values or connection strings before pasting output, and prefer sharing only the minimal JSON objects needed (vault properties, accessPolicies, role assignments, secret metadata). (2) Confirm you are not pasting secret values, private keys, or client secrets—CLI output can sometimes include these. (3) If possible, share redacted samples or summaries (e.g., counts, boolean flags, principal names) instead of raw dumps. (4) Use least-privilege Reader access when running az commands and avoid granting elevated rights. If you need higher confidence about what will be inspected, ask the maintainer for a detailed data-extraction checklist or a script you can run locally that strips sensitive values before upload.
Feature Analysis
Type: OpenClaw Skill
Name: key-vault-auditor
Version: 1.0.0
The skill explicitly states it is 'instruction-only' and 'does not execute any Azure CLI commands or access your Azure account directly' in SKILL.md. It instructs the AI agent to ask the user for data, not to fetch it, and critically, it includes rules for the agent to 'Never ask for credentials, access keys, or secret keys' and to 'confirm no credentials are included before processing' user-pasted data. These instructions demonstrate a clear intent to prevent malicious actions and ensure data privacy, despite `bash` being listed as a tool.
Capability Assessment
Purpose & Capability
The name/description (Key Vault auditing) match the runtime instructions: the skill asks users to provide az CLI outputs and inspects vault configuration, access policies, and secret hygiene. It does not request unrelated credentials or services.
Instruction Scope
SKILL.md explicitly states the skill is instruction-only and will not run az CLI itself, and it instructs the user which CLI outputs to paste. Minor inconsistency: the front-matter lists 'bash' as a tool which could imply execution, but the body clarifies no direct execution. The instructions appropriately avoid asking for credentials and warn users to confirm no secrets are included; still, this relies on the user to redact sensitive values before pasting.
Install Mechanism
No install specification or code is included (instruction-only), so nothing is written to disk or downloaded.
Credentials
No environment variables, credentials, or config paths are required. The SKILL.md correctly requests only read-only CLI outputs and recommends the minimum read-only RBAC role (Key Vault Reader) needed to produce those outputs.
Persistence & Privilege
The skill is not marked always:true, does not request persistent presence, and does not modify agent/system configurations. Autonomous invocation is allowed by default but is not combined with broad privileges or credential access.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install key-vault-auditor
  3. After installation, call the Skill by name directly or trigger it with /key-vault-auditor
  4. Provide the required inputs according to the Skill's parameter description to receive structured output
Version History
v1.0.0
azure-key-vault-auditor 1.0.0 – Initial release
  • Provides instruction-only auditing for Azure Key Vault security, configuration, and access policies.
  • Analyzes exported Azure CLI/console data for exposures (public access, policy risks, expired secrets).
  • Generates a findings table, Bicep hardening templates, secret rotation plans, and managed identity migration guidance.
  • Clearly outlines required user inputs and minimum Azure permissions (read-only).
  • Does not request or process any credentials or secrets directly.
Metadata
Slug key-vault-auditor
Version 1.0.0
License
Total installs 1
Current installs 1
Versions 1
FAQ

What is Key Vault Auditor?

Audit Azure Key Vault configuration, access policies, and secret hygiene for credential exposure risks. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 327 downloads to date.

How do I install Key Vault Auditor?

Run the command "/install key-vault-auditor" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Key Vault Auditor free?

Yes, Key Vault Auditor is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Key Vault Auditor support?

Key Vault Auditor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Key Vault Auditor?

Developed and maintained by Anmol Nagpal (@anmolnagpal); current version v1.0.0.
