功能描述

Enterprise-grade security framework for LobsterAI with audit logging, RBAC, input validation, output sanitization, code scanning, and dependency vulnerabilit...

使用说明 (SKILL.md)

Security

Name: Security
Author: stoneyhoo

Comprehensive security framework for LobsterAI providing audit logging, role-based access control (RBAC), input validation, output sanitization, code scanning, and dependency vulnerability detection.

Core Features

Audit Logger

Records all skill executions with timestamps, user context, and input/output
JSON-structured logs for easy analysis
Automatic log rotation (90 days retention)
Encrypted storage support

Authorizer (RBAC)

Role-based access control configuration
Fine-grained permission management
JSON-based role definitions
Session validation

Input Validator

Path traversal prevention
Dangerous command detection (rm, del, eval, etc.)
Cron expression validation
Working directory restrictions

Output Sanitizer

Automatic redaction of sensitive data (passwords, API keys, tokens)
Error message sanitization
Safe error formatting for user display

Code Scanner

Static code analysis for common vulnerabilities
Pattern-based malicious code detection
Configurable scan rules

Dependency Scanner

NPM vulnerability scanning (npm audit)
Python package vulnerability detection (pip-audit)
Automated dependency checking

Usage

All security features are available for import by other skills:

from security.audit_logger import audit_log_skill_start, audit_log_skill_end
from security.authorizer import Authorizer
from security.input_validator import InputValidator, ValidationError
from security.output_sanitizer import sanitize_text, create_safe_error
from security.code_scanner import CodeScanner
from security.dependency_scanner import DependencyScanner

Configuration

Copy rbac_config.example.json to rbac_config.json and customize roles and permissions.

Scan Scope

The code scanner and dependency scanner are designed to scan all skills in the SKILLs directory when invoked explicitly (e.g., python -m security.code_scanner --skill all). This allows comprehensive security assessment across your entire LobsterAI installation.

Privacy Note: Scanning all skills grants this module read access to all skill code and dependencies. This is intentional for a security audit tool, but users should be aware of the broad read scope. Ensure you trust the skill source before enabling full-system scanning.

To limit scanning to specific skills, invoke with explicit skill IDs:

python -m security.code_scanner --skill web-search --skill scheduled-task

Environment Variables

This skill requires the following environment variables to function correctly:

Variable	Description	Required	Default
`LOBSTERAI_HOME`	Base directory for LobsterAI data and logs	Yes (if not using default)	`${APPDATA}/LobsterAI` (Windows) or `${HOME}/.config/LobsterAI` (Linux/macOS)
`LOBSTERAI_AUDIT_SECRET`	HMAC secret for audit log signature (optional)	No	-
`LOBSTERAI_USER_ID`	Current user identifier for audit trails	No	`anonymous`
`SKILLS_ROOT`	Path to the SKILLs root directory	No (auto-detected)	Parent directory of the current skill

Note: Ensure LOBSTERAI_HOME/logs/security/ exists and is writable.

Deployment

See DEPLOYMENT.md for detailed deployment instructions, security hardening checklist, and incident response procedures.

Testing

Run python tests.py to execute the test suite.

Integration

This module integrates seamlessly with LobsterAI's skill execution pipeline, providing:

Pre-execution validation
Runtime monitoring
Post-execution sanitization
Comprehensive audit trails

Security Maturity

⭐⭐⭐☆☆ (3/10) - Active development

We are continuously improving our security posture. See SECURITY.md for the complete security architecture and best practices.

安全使用建议

This package appears to implement what it claims: auditing, RBAC, input/output sanitization, code and dependency scanning. Before installing or enabling system-wide scans you should: (1) review the code (especially audit_logger, code_scanner, dependency_scanner) yourself or in a staging environment; (2) limit initial scans to specific skills (use --skill <id>) rather than --skill all; (3) set up and protect LOBSTERAI_HOME and rbac_config.json with restrictive file permissions; (4) configure LOBSTERAI_AUDIT_SECRET if you need tamper-evident logs; (5) be aware the module will read other skills' source and dependency files (potentially exposing secrets if they are hard-coded); and (6) run the module in an isolated environment first (or with limited privileges) if you are unsure of the source. The registry metadata omission of required environment variables is a minor inconsistency — prefer the SKILL.md values when configuring.

功能分析

Type: OpenClaw Skill Name: lobsterai-security Version: 1.0.5 The bundle is a comprehensive security framework for LobsterAI, providing features such as RBAC, audit logging, input validation, and security scanning. While it contains high-privilege capabilities, such as a script that automatically modifies other skills to inject auditing logic (scripts/integrate_audit.py) and a scanner that reads all skill source code (code_scanner.py), these behaviors are clearly documented and strictly aligned with the stated purpose of an enterprise security tool. No evidence of data exfiltration, hidden backdoors, or malicious intent was found.

能力评估

✓ Purpose & Capability

The files (audit logger, RBAC authorizer, input validator, output sanitizer, code and dependency scanners) match the skill name and description. The scanner components explicitly target SKILLs code and dependency files which is expected for a security framework. Minor mismatch: the registry metadata listed no required environment variables, but SKILL.md documents LOBSTERAI_HOME, LOBSTERAI_AUDIT_SECRET, LOBSTERAI_USER_ID and SKILLS_ROOT — these environment variables are reasonable for this skill but the registry omission is an inconsistency to note.

ℹ Instruction Scope

SKILL.md and the code explicitly allow scanning 'all skills' under the SKILLs directory and advise copying the security module into the SKILLS_ROOT. The scanner reads other skills' source code and dependency files (intentionally). The code and examples use subprocess calls to optional external tools (e.g., safety, pip-audit) and spawn the Python audit logger from other skill wrappers (including background launches that write PID files under /tmp in examples). These behaviors are coherent with the stated purpose but constitute broad read scope and some runtime actions that should only be enabled if you trust the package.

ℹ Install Mechanism

There is no declared install spec; the package is provided as code files and DEPLOYMENT.md instructs manual copying into SKILLS_ROOT. No external downloads/URLs or package installs are forced by the skill itself. This is lower risk than a remote installer but means files will be written into your SKILLs tree if you follow the deployment steps—review the code before copying.

ℹ Credentials

Required environment variables in SKILL.md (LOBSTERAI_HOME, SKILLS_ROOT, optional LOBSTERAI_AUDIT_SECRET, LOBSTERAI_USER_ID) are appropriate for logging and locating SKILLs. The skill will read code and dependency files across SKILLs if asked to scan 'all', which is necessary for its scanning function but grants broad read access to other skills (including any hard-coded secrets within them). No unrelated external credentials are requested.

✓ Persistence & Privilege

The skill is not force-included (always:false) and uses normal integration patterns (importable Python package and optional wrappers). It does not request elevated platform privileges in its code. Note: autonomous invocation (disable-model-invocation:false) is the platform default — combined with the skill's ability to scan the whole SKILLs tree, this increases the impact if you allow the skill to be invoked broadly; that is expected for a security tool but worth considering before enabling automated scans.

版本历史

v1.0.5

Add skill.json for declarative environment configuration; fix env var names

v1.0.4

Fix environment variable metadata: declare LOBSTERAI_HOME, LOBSTERAI_AUDIT_SECRET, LOBSTERAI_USER_ID, SKILLS_ROOT in SKILL.md to match platform metadata

v1.0.3

Fixed environment variable metadata, added CLI entry point to audit_logger.py, removed JavaScript child_process integration, and corrected documentation inconsistencies.

v1.0.2

- Added comprehensive SKILL.md documentation outlining all major features, environment variables, and integration details. - Clarified audit logging, RBAC, input validation, output sanitization, code scanning, and dependency scanning capabilities. - Provided configuration steps and example usage for easy adoption. - Included important privacy and scan-scope caveats for full-system audits. - Added security maturity information and references to further documentation.

元数据

Slug lobsterai-security

版本 1.0.5

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 4

常见问题

Security 是什么？

Enterprise-grade security framework for LobsterAI with audit logging, RBAC, input validation, output sanitization, code scanning, and dependency vulnerabilit... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 166 次。

如何安装 Security？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install lobsterai-security」即可一键安装，无需额外配置。

Security 是免费的吗？

是的，Security 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Security 支持哪些平台？

Security 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Security？

由 stoney（@stoneyhoo）开发并维护，当前版本 v1.0.5。

Security

Security

Core Features

Audit Logger

Authorizer (RBAC)

Input Validator

Output Sanitizer

Code Scanner

Dependency Scanner

Usage

Configuration

Scan Scope

Environment Variables

Deployment

Testing

Integration

Security Maturity

Security 是什么？

如何安装 Security？

Security 是免费的吗？

Security 支持哪些平台？

谁开发了 Security？

💬 留言讨论