43622283

Li Sentry Check

Author: Terry S Fisher · GitHub ↗ · v0.4.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 56
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install li-sentry-check
Description
Multi-platform server inspection and health check skill. SSH into remote Linux servers using key-based authentication, run read-only inspection commands (CPU...
Usage (SKILL.md)

li_sentry_check

Multi-platform server inspection and health check via SSH.

Security Declaration

This skill is strictly read-only and does NOT:

  • ❌ Modify any server configuration
  • ❌ Install or remove software
  • ❌ Restart or stop services
  • ❌ Write to any file on the remote server
  • ❌ Exfiltrate data to external services
  • ❌ Access local files other than: references/targets.yaml, references/checks.yaml, and the SSH private key specified in keyPath
  • ❌ Make any network connections other than SSH to the target server specified in targets.yaml
  • ❌ Execute arbitrary commands — only commands from references/checks.yaml are allowed

This skill ONLY:

  • ✅ Reads system information via predefined read-only commands
  • ✅ Generates a local Markdown/JSON report
  • ✅ Connects to ONE remote server via SSH using the key specified in targets.yaml

Overview

Read-only inspection of remote Linux hosts over SSH using a dedicated key. Collects system metrics, service status, security events, and generates a structured Markdown report with anomaly highlighting.

Platform Support

| Platform | Script | Runtime |
|----------|--------|---------|
| OpenClaw | scripts/inspect.mjs | Node.js 24+ |
| NanoBot | scripts/inspect.py | Python 3.10+ |
| Hermes | scripts/inspect.py | Python 3.10+ |

Safety (Default Deny)

  • Only run commands defined in references/checks.yaml
  • No state-changing commands (no installs, no config edits, no restarts)
  • Only SSH key authentication (no passwords)
  • BatchMode=yes — non-interactive SSH only

Config

  • Targets: references/targets.yaml
  • Allowed checks: references/checks.yaml

How To Run

NanoBot / Hermes (Python)

python3 scripts/inspect.py --target bogon --checks daily

OpenClaw (Node.js)

node scripts/inspect.mjs --target bogon --checks daily

Options

| Option | Description | Default |
|--------|-------------|---------|
| --target | Target name from targets.yaml | (required) |
| --checks | Check group: basic, services, daily | basic |
| --format | Output format: markdown, json | markdown |
| --output | Write report to file instead of stdout | stdout |

Check Groups

| Group | Description |
|-------|-------------|
| basic | Hardware resources: CPU, memory, disk, network |
| services | Service status and error logs (from targets.yaml) |
| daily | Full inspection: basic + services + security + logs |

Extending

  1. Add target: Edit references/targets.yaml
  2. Add checks: Edit references/checks.yaml
  3. Add check group: Define new group in checks.yaml

SSH Key Setup

# Generate key pair
ssh-keygen -t rsa -b 4096 -f ~/.ssh/li_sentry_check -N ""

# Copy to remote server
ssh-copy-id -i ~/.ssh/li_sentry_check.pub inspector@<SERVER_IP>

# Test connection
ssh -i ~/.ssh/li_sentry_check inspector@<SERVER_IP>

Security Best Practices

  • Key permissions: chmod 600 ~/.ssh/li_sentry_check
  • Host verification: For production, pre-populate known_hosts instead of accept-new
  • Service names: Only alphanumeric, hyphens, underscores allowed (validated before use)
  • Command allowlist: Never modify checks.yaml with state-changing commands
  • Report handling: Reports may contain system data — do not share publicly
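
A sketch of the default-deny controls listed above (allowlist lookup, service-name validation, BatchMode, pinned known_hosts), as an added example rather than the skill's own scripts/inspect.py. The CHECKS layout, the {service} placeholder and the function names are assumptions, since the page does not show the format of checks.yaml.

```python
import re
import shlex
from typing import Optional

# Constructed stand-in for references/checks.yaml (assumed schema, not the skill's).
CHECKS = {
    "basic": {"uptime": "uptime", "disk": "df -hP", "memory": "free -m"},
    "services": {"service_status": "systemctl is-active {service}"},
}
SERVICE_RE = re.compile(r"[A-Za-z0-9_-]+")  # alphanumeric, hyphen, underscore only


def validate_service(name: str) -> str:
    """Reject any name that could carry shell syntax to the remote shell."""
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not isinstance(name, str) or not SERVICE_RE.fullmatch(name):
        raise ValueError(f"invalid service name: {name!r}")
    return name


def remote_command(group: str, check: str, service: Optional[str] = None) -> str:
    """Return the command for an allowlisted check; anything else is denied."""
    try:
        template = CHECKS[group][check]
    except KeyError:
        raise PermissionError(f"check not in allowlist: {group}/{check}") from None
    if "{service}" in template:
        if service is None:
            raise ValueError(f"check {check} needs a service name")
        # Validate first, then quote as a second layer for the remote shell.
        return template.replace("{service}", shlex.quote(validate_service(service)))
    return template


def ssh_argv(host: str, user: str, key_path: str, command: str, known_hosts: str) -> list:
    """Build an argv list for subprocess.run(argv); no local shell is involved."""
    return [
        "ssh", "-i", key_path,
        "-o", "BatchMode=yes",              # never prompt for a password
        "-o", "IdentitiesOnly=yes",         # offer only the dedicated key
        "-o", "StrictHostKeyChecking=yes",  # pre-populated known_hosts, not accept-new
        "-o", f"UserKnownHostsFile={known_hosts}",
        "--", f"{user}@{host}", command,    # "--" stops a host value being read as an option
    ]
```

The command string is still interpreted by the login shell on the target, which is why the service name is validated and quoted even though no shell runs locally.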

Report Output

Reports are generated in Markdown format with:

  • Summary section: Overall health status, anomaly count
  • Anomaly section: ⚠️ Highlighted issues requiring attention
  • Normal section: Collapsible normal check results
  • Details: Full command output for each check

Architecture

li_sentry_check/
├── SKILL.md                  # This file
├── _meta.json                # Skill metadata
├── references/
│   ├── targets.yaml          # Target server configuration
│   └── checks.yaml           # Command allowlist
└── scripts/
    ├── inspect.mjs           # Node.js implementation (OpenClaw)
    └── inspect.py            # Python implementation (NanoBot/Hermes)
Security usage recommendations
The skill's documentation describes a reasonable read-only SSH inspection tool, but you should NOT install or run it without first auditing the implementation in scripts/inspect.py and scripts/inspect.mjs. Specifically:

  1. Confirm the scripts strictly enforce the checks.yaml command allowlist and validate service/command inputs (no shell interpolation or shell=True usage).
  2. Search the scripts for outgoing network activity (HTTP requests, sockets, DNS lookups) and any hard-coded remote endpoints — the SKILL.md forbids exfiltration but only code review can verify it.
  3. Verify the code only reads the SSH private key for making an SSH connection and does not transmit the key or other sensitive files.
  4. Check subprocess usage for shell=True, unsanitized command building, or use of user-provided values directly in commands.
  5. Run the scripts in an isolated environment (container or VM) against a test server first, and confirm observed network traffic matches only the expected SSH session.
  6. Ensure targets.yaml and checks.yaml contain only the hosts/commands you expect, and enforce strict filesystem permissions on your private key (chmod 600).

If you cannot or will not review the script sources, treat this package as untrusted.
Functional analysis
Type: OpenClaw Skill
Name: li-sentry-check
Version: 0.4.0

The li-sentry-check skill is a legitimate server inspection tool designed to perform health checks on remote Linux hosts via SSH. It implements several security best practices, including a strict command allowlist in `references/checks.yaml`, input validation for service names to prevent shell injection in both `scripts/inspect.mjs` and `scripts/inspect.py`, and explicit read-only constraints. The code is transparent, well-documented, and lacks any indicators of data exfiltration, persistence, or malicious intent.
Capability tags
crypto · requires-wallet · can-make-purchases · requires-sensitive-credentials
Capability assessment
Purpose & Capability
The declared purpose (SSH-based, read-only server inspection) aligns with the files and documentation: targets.yaml/checks.yaml, SSH key usage, and scripts for Node/Python implementations are expected. The skill does not request unrelated cloud credentials or unusual config paths in its metadata, which is coherent with its stated purpose.
Instruction Scope
SKILL.md tightly constrains runtime behavior (allowlist of commands from references/checks.yaml, key-based SSH, non-interactive BatchMode, single target). However the actual enforcement of these constraints depends on the implementation in scripts/inspect.py and scripts/inspect.mjs. Those script sources were not provided in the review excerpt, so we cannot confirm they actually implement strict allowlisting, prevent network connections other than the target, avoid reading unrelated files or environment variables, or avoid exfiltration. The SKILL.md explicitly allows reading the SSH private key at keyPath and the two references files — reading the private key is necessary for SSH but is sensitive and worth auditing in the code path that uses it.
Install Mechanism
No install spec is present (instruction-only), which means nothing is downloaded or installed automatically by the registry. This is lower-risk than remote installers. The skill does include executable scripts which will be run by the agent/platform at invocation rather than installed system-wide.
Credentials
No environment variables, special config paths, or credentials are declared in registry metadata — appropriate for an SSH-key-based inspection tool. That said, because the implementation code was not inspected here, it is unknown whether the scripts read additional environment variables or unexpected files at runtime. The declared requirement to read the SSH private key from keyPath is proportionate but is a sensitive operation that should be implemented carefully (proper file permissions, no logging of the key).
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not claim to persistently modify agent configuration or system-wide settings. That is proportionate for this functionality.
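How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install li-sentry-check
  3. Once installation completes, call the Skill by name or trigger it with /li-sentry-check
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output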
Version history
v0.4.0
- Added support for specifying output format (Markdown or JSON) and writing reports to a file in both Python and Node.js scripts.
- Expanded and clarified CLI option documentation in SKILL.md, including additional explanations for --format and --output.
- Improved help and argument validation for both scripts: now shows usage and validates input options more robustly.
- No breaking changes; existing usage remains compatible.
v0.3.0
- Added an explicit Security Declaration section to SKILL.md, clarifying strict read-only operations and listing prohibited behaviors.
- Documented exactly which files and connections are accessed, improving auditability.
- No changes were made to functionality; this release improves documentation and transparency for security review.
v0.2.0
li-sentry-check v0.2.0
- No file changes detected in this release.
- Documentation and skill usage remain unchanged from the previous version.
v0.1.0
Initial release of li_sentry_check: A multi-platform, read-only server inspection and health check tool over SSH.
- Supports Linux server checks via SSH key authentication with no state changes.
- Compatible with NanoBot, OpenClaw, and Hermes (Python and Node.js implementations).
- Checks CPU, memory, disk, network, services, security, and more, outputting structured Markdown reports with anomaly highlighting.
- Extensible via YAML files for targets, checks, and check groups.
- Strict security: only allowlist commands, SSH key login, and no password support.
- Detailed documentation provided in SKILL.md, including usage, extension, and best practices.
Metadata
Slug: li-sentry-check
Version: 0.4.0
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 4
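FAQ

What is Li Sentry Check?

Multi-platform server inspection and health check skill. SSH into remote Linux servers using key-based authentication, run read-only inspection commands (CPU... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 56 total downloads so far.

How do I install Li Sentry Check?

Run the command "/install li-sentry-check" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Li Sentry Check free?

Yes. Li Sentry Check is completely free under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Li Sentry Check support?

Li Sentry Check is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Li Sentry Check?

It is developed and maintained by Terry S Fisher (@43622283); the current version is v0.4.0.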
