Total downloads: 267
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install n0nu-security-audit
Description
Logs risky OpenClaw agent actions, conducts activity audits, and reviews OpenClaw configs for security risks without blocking operations.
Security usage recommendations
This skill is plausibly the audit tool it claims to be, but review and clarify a few things before installing or enabling it:
- Confirm blocking semantics: SKILL.md says 'does not block' but the audit guide describes a 'blocked_soft' behavior — decide which behavior you want and ensure the agent follows only that. Unexpected blocking or prompting can break workflows.
- Verify log/config paths: docs use both `logs/` and `memory/` paths; the scripts write to workspace/logs/security-audit.log. Make sure this path is acceptable and that the relative path resolution (SCRIPT_DIR/../../..) will not cause writes outside your intended workspace in your deployment layout.
- Treat --deep and --fix carefully: `--deep` may perform live probes of your gateway (network activity). `--fix` will attempt to change permissions/config — run only in an environment where automated changes are safe and after code review.
- Notifications: the scripts do not themselves send messages; SKILL.md expects the agent to call the platform `message` tool based on config. Confirm the OpenClaw config tokens/credentials used for messaging are stored and accessed securely.
- Test in a sandbox first: run the scripts manually in a controlled environment to confirm where logs are created and what `openclaw security audit` does in your setup.
If these inconsistencies are fixed (unify the docs and scripts, remove contradictory blocking guidance, and clearly document where logs live and when the skill modifies config), the skill looks coherent and appropriate for its stated purpose.
Functional analysis
Type: OpenClaw Skill
Name: n0nu-security-audit
Version: 1.0.0
The security-audit skill bundle is a legitimate administrative tool designed to provide logging and configuration review for OpenClaw agents. It includes scripts for recording security events (log_event.sh), generating Markdown audit reports (run_audit.sh), and delegating configuration checks to the native OpenClaw CLI (audit_config.sh). The provided reference documentation (dangerous-patterns.md, config-risks.md) contains accurate security guidance, and the skill lacks any indicators of data exfiltration, unauthorized persistence, or malicious prompt injection.
Capability assessment
Purpose & Capability
Overall the requested files and scripts align with a security-audit purpose: config audit delegates to the native `openclaw` CLI, logging and reporting operate on local log files, and notification is delegated to the platform's message tool. Asking for no external credentials and no unusual binaries is proportional. Note: the script `audit_config.sh` will call `openclaw security audit` (expected) and `--deep` can probe the live gateway (network activity).
Instruction Scope
SKILL.md repeatedly states the skill is observer-only and 'Does not block', but references/audit-guide.md contains a 'Per-Action Soft Check' that tells the agent to 'Decline or request explicit confirmation' and to log `blocked_soft` for CRITICAL actions. That's a direct contradiction in runtime behavior and could make agents either block or not block depending on which instruction is followed. There are also inconsistent paths across documents: some docs reference memory/security-audit.log or memory/security-audit-config.json, while the scripts use logs/security-audit.log. The skill also documents `--fix` which will attempt to apply fixes (chmod/config changes) — that is an active change and not pure observation, so it must be treated as higher-privilege.
Install Mechanism
Instruction-only install with included scripts; there is no network download/install step or external package install. This is low risk from an install-mechanism perspective.
Credentials
The skill requests no env variables or credentials, which is appropriate. It does rely on platform tooling (the `message` tool) and the OpenClaw CLI when present. Config references indicate it will read OpenClaw config fields (tokens, gateway settings) during a config audit — that's expected for this purpose, but you should confirm that the agent has permission to read those config files and that secrets in configs are handled properly. Notification channels mentioned will depend on whatever the OpenClaw config exposes (tokens can be present there).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It creates and writes to a local log file under the workspace (logs/security-audit.log) and suggests optionally scheduling periodic audits via cron — both are reasonable for an audit skill. Be aware `--fix` mode modifies config/permissions if used.
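How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install n0nu-security-audit`
- Once installation completes, invoke the Skill by name or trigger it with `/n0nu-security-audit`
- Provide the required inputs according to the Skill's parameter description to get structured output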
Version history
v1.0.0
Initial release: behavior logging, audit reports, and config audit via openclaw security audit
FAQ
What is Security Audit for OpenClaw?
Logs risky OpenClaw agent actions, conducts activity audits, and reviews OpenClaw configs for security risks without blocking operations. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 267 cumulative downloads to date.
How do I install Security Audit for OpenClaw?
Run the command `/install n0nu-security-audit` in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Security Audit for OpenClaw free?
Yes. Security Audit for OpenClaw is completely free, is released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Security Audit for OpenClaw support?
Security Audit for OpenClaw is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Security Audit for OpenClaw?
It is developed and maintained by n0nu (@n0nu); the current version is v1.0.0.