← 返回 Skills 市场

m78armor : openclaw security configuration check

Name: m78armor : openclaw security configuration check
Author: move78ai

作者 Move78 AI · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ✓ 安全检测通过

总下载

当前安装

版本数

在 OpenClaw 中安装

/install m78armor-security-check

功能描述

Read-only local OpenClaw security configuration check and hardening assessment. 本地只读 OpenClaw 安全配置检查与加固评估。

使用说明 (SKILL.md)

m78armor : openclaw security configuration check

中文说明: 本工具用于本地只读 OpenClaw 实例的安全配置检查与基线评估。执行本地优先 (local-first) 的安全审计与配置加固 (hardening) 建议。重点关注数据隐私 (privacy-first)、暴露面及配置漂移。不上传任何本地数据。

Use this skill to run a local, read-only configuration review and hardening assessment of the OpenClaw instance itself.

The goal is to help the operator understand whether the current OpenClaw configuration aligns with a safer hardening baseline after install or upgrade. Keep the tone calm, factual, and operator-facing. Build trust through evidence, clear reasoning, and explicit limits. Do not use hype, fear theater, or vague security language.

What this skill reviews

Use the bundled script to inspect the local OpenClaw configuration baseline for:

misconfiguration findings
permission and exposure gaps
risky defaults
local drift indicators
abuse-path explanations for known misconfigurations

Output expectations

When presenting results to the operator:

explain what was found in plain language
explain how a finding can be abused without exaggeration
explain why it matters operationally
separate confirmed findings from assumptions
avoid absolute claims unless directly supported by the local evidence
keep remediation guidance practical and concise

Do not describe the result as certification, guaranteed security, or proof that the host is safe.

Default action

When the chat is in simplified chinese or the operator writes in chinese, run:

node {baseDir}/scripts/m78armor-lite.js --lang zh

When the chat is in english or another non-chinese language, run:

node {baseDir}/scripts/m78armor-lite.js --lang en

Only fall back to:

node {baseDir}/scripts/m78armor-lite.js

when the operator's preferred language is unclear.

Optional arguments

If the operator gives a specific OpenClaw config path, run:

node {baseDir}/scripts/m78armor-lite.js --config "\x3Cpath>"

If the operator explicitly asks for machine-readable output, run:

node {baseDir}/scripts/m78armor-lite.js --json

Guardrails

Stay read-only in this free edition.
Do not switch to --harden from this skill.
Do not request secrets, API keys, or gateway tokens.
Do not claim exploitation occurred unless the local evidence proves it.
Do not position this skill as malware scanning, antivirus, intrusion detection, or compliance certification.
If node is unavailable, stop and tell the operator to install Node.js first.

Paid boundary

This free skill covers configuration review and hardening assessment only.

Do not claim that the free skill includes:

signature-based malicious skill detection
deep provenance or bundle analysis
advanced memory-file pattern analysis
automatic hardening remediation (自动加固修复)
backup or rollback
evidence-pack outputs

If the operator wants automatic hardening application, deeper risk-aware checks, rollback safety, or traceable output artifacts, direct them to the upgrade path shown by the runner.

安全使用建议

This skill appears coherent for a local, read-only configuration check and is reasonably scoped. Before running: (1) review the full scripts/m78armor-lite.js file locally (search for require('http'|'https'|'net'|'child_process'|'exec'|'spawn'|'fetch'|'axios') or any outbound network calls) to confirm it doesn't send data off-host or execute privileged commands; (2) run it in an isolated environment or with an explicit --config path to target the intended OpenClaw config; (3) if you need higher assurance, run it offline (no network) to ensure no external callbacks, and inspect the code for any hidden telemetry or upgrade-check code that might contact ORDER_URL. If you want me to scan the full script text for network/exec patterns, paste it here and I will analyze it line-by-line.

功能分析

Type: OpenClaw Skill Name: m78armor-security-check Version: 1.0.0 The m78armor-security-check skill is a legitimate security auditing tool designed to perform local, read-only configuration reviews of an OpenClaw instance. The core logic in `scripts/m78armor-lite.js` inspects the `openclaw.json` configuration file for security risks such as weak authentication tokens, exposed network bindings, and disabled sandboxes, while explicitly redacting sensitive values using a masking function. The `SKILL.md` file contains robust guardrails that instruct the AI agent to remain in a read-only state and avoid requesting secrets, and no evidence of data exfiltration, unauthorized network activity, or malicious prompt injection was found.

能力标签

cryptorequires-sensitive-credentials

能力评估

✓ Purpose & Capability

Name/description, required binary (node), README, SKILL.md and included script all align: the tool inspects local OpenClaw configuration and reports findings. Required resources are proportional to the stated task; there are no unrelated credentials, binaries or system paths declared.

ℹ Instruction Scope

SKILL.md instructs running the bundled Node script with optional --config/--json flags and explicitly states a read-only scope and guardrails (do not upload data, do not request secrets, do not run hardening). The README documents optional environment overrides (OPENCLAW_CONFIG, M78ARMOR_LANG) — these are reasonable. I did not see any instructions that ask the agent to read unrelated host secrets, nor open-ended language that would grant broad discretionary data collection. However the bundled script source in the listing was truncated; confirm the script does not perform network uploads or spawn privileged commands before trusting it.

✓ Install Mechanism

No install spec; this is instruction + bundled script that runs under Node. No external downloads or archive extraction are declared. This is a low-risk installation surface, assuming the script itself is benign.

✓ Credentials

The skill does not require environment variables or credentials. The README documents optional environment variables to override config path or language; these are consistent with the tool's purpose and are not excessive. No secrets/keys are requested in the manifest or SKILL.md.

✓ Persistence & Privilege

always is false and the skill is user-invocable; it does not request persistent platform privileges. The SKILL.md explicitly forbids switching to a hardening mode in this free edition. Nothing indicates it modifies other skills or global configuration.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install m78armor-security-check
安装完成后，直接呼叫该 Skill 的名称或使用 /m78armor-security-check 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

v1.0.0 — Initial public release. Read-only local configuration review and hardening assessment for OpenClaw. 17 checks across gateway, sandbox, filesystem, authentication, plugins, browser, and discovery surfaces. Bilingual output (English/Chinese) with locale auto-detection. Exit code 1 on high-risk findings for CI integration. Includes --quiet flag for pipeline use. v1.0.0 — 首次公开发布。面向 OpenClaw 的本地只读配置检查与加固评估。覆盖网关、沙箱、文件系统、认证、插件、浏览器、发现服务等 17 项检查。支持中英文双语输出与区域自动检测。高风险发现时退出码为 1，支持 CI 流水线集成。包含 --quiet 标志用于自动化环境。

元数据

Slug m78armor-security-check

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题