
Security Hardener

Author: mariusfit · GitHub ↗ · v1.0.0
cross-platform ✓ Security check passed
Total downloads: 1924 · Favorites: 1 · Current installs: 15 · Versions: 1
Install in OpenClaw
/install oc-security-hardener
Description
Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permiss...
Usage (SKILL.md)

Security Hardener

Audit your OpenClaw configuration and apply security best practices automatically.

Quick Start

# Full security audit (read-only, no changes)
python scripts/hardener.py audit

# Audit a specific config file
python scripts/hardener.py audit --config /path/to/openclaw.json

# Audit with JSON output
python scripts/hardener.py audit -f json

# Auto-fix issues (creates backup first)
python scripts/hardener.py fix

# Fix specific issues only
python scripts/hardener.py fix --only gateway,permissions

# Scan for exposed credentials in config
python scripts/hardener.py scan-secrets

# Generate a security report
python scripts/hardener.py report -o security-report.md

# Check file permissions
python scripts/hardener.py check-perms

Commands

| Command | Args | Description |
|---|---|---|
| audit | [--config PATH] [-f FORMAT] | Full security audit (read-only) |
| fix | [--config PATH] [--only CHECKS] | Auto-fix issues (with backup) |
| scan-secrets | [--config PATH] | Scan for exposed API keys/tokens |
| report | [-o FILE] | Generate detailed security report |
| check-perms | [--config-dir PATH] | Check file permissions |

Security Checks

| Check | Severity | Description |
|---|---|---|
| gateway-bind | CRITICAL | Gateway not bound to loopback |
| exposed-keys | CRITICAL | API keys in config instead of .env |
| insecure-auth | HIGH | allowInsecureAuth or dangerouslyDisableDeviceAuth enabled |
| exec-sandbox | HIGH | exec sandbox mode not set to restricted |
| file-perms | HIGH | Config files readable by others (not 600) |
| agent-allow-all | MEDIUM | agentToAgent.allow: ["*"] is overly permissive |
| no-heartbeat | MEDIUM | No heartbeat configured (can't detect outages) |
| no-session-reset | MEDIUM | No session reset policy (memory leak risk) |
| no-pruning | LOW | No context pruning (cost and performance impact) |
| no-memory-flush | LOW | Memory flush disabled (context loss on pruning) |
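
A read-only cross-check of three of the checks above (file-perms, insecure-auth, agent-allow-all), added here as an example; it is not the skill's scripts/hardener.py. The sample config and its nesting (gateway.auth, tools) are constructed, and the key names are matched at any depth because the page does not say where they sit in openclaw.json.

```python
import json
import os
import stat
import tempfile

# Flag names come from the insecure-auth check; their location inside
# openclaw.json is an assumption, so the walk matches them at any depth.
INSECURE_FLAGS = {"allowInsecureAuth", "dangerouslyDisableDeviceAuth"}

def walk(node, path=""):
    """Yield (dotted_path, key, value) for every key in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            yield here, key, value
            yield from walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def audit_config(config_path):
    """Return sorted (check, severity, detail) findings without modifying anything."""
    findings = []
    # file-perms: any group/other bit means the mode is looser than 600 (POSIX only).
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("file-perms", "HIGH", f"mode {mode:03o}, expected 600"))
    with open(config_path, encoding="utf-8") as fh:
        config = json.load(fh)
    for path, key, value in walk(config):
        if key in INSECURE_FLAGS and value is True:
            findings.append(("insecure-auth", "HIGH", f"{path} is enabled"))
        if path.endswith("agentToAgent.allow") and isinstance(value, list) and "*" in value:
            findings.append(("agent-allow-all", "MEDIUM", f"{path} contains '*'"))
    return sorted(findings)

def make_sample(mode):
    """Write a constructed sample config (not a real OpenClaw file); return its path."""
    sample = {"gateway": {"auth": {"allowInsecureAuth": True}},
              "tools": {"agentToAgent": {"allow": ["*"]}}}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for finding in audit_config(make_sample(0o644)):
        print(*finding, sep="  ")
```

Comparing this output with the tool's own `audit -f json` findings is one way to review what `fix` would change before running it.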

Scoring

The audit produces a security score from 0-100:

  • 90-100: Excellent — production-ready
  • 70-89: Good — minor improvements recommended
  • 50-69: Fair — several issues to address
  • 0-49: Poor — critical issues require immediate attention

Example Output

╔══════════════════════════════════════════════════╗
║  OPENCLAW SECURITY AUDIT                         ║
╠══════════════════════════════════════════════════╣
║  Score: 75/100 (Good)                            ║
║                                                  ║
║  ✅ Gateway bound to loopback                    ║
║  ✅ No exposed API keys in config                ║
║  ⚠️  exec sandbox mode: unrestricted             ║
║  ⚠️  agentToAgent allow: * (too permissive)      ║
║  ❌ File permissions too open (644 → should be 600) ║
║  ✅ Heartbeat configured                         ║
║  ✅ Session reset policy active                   ║
║  ⚠️  No context pruning configured               ║
╚══════════════════════════════════════════════════╝
Safe usage recommendations
This tool appears coherent and local-only, but be cautious before running automatic fixes:
  1) Run an initial 'audit' (read-only) and/or 'audit -f json' to review findings.
  2) Inspect the generated report and any suggested fixes; consider backing up your config manually even if the script claims to create backups.
  3) If you run 'fix', review the script or the backup to confirm changes are safe.
  4) Note the secret scanner may produce false positives; verify any 'exposed keys' before rotating credentials.
  5) Because the tool suggests moving keys to ~/.openclaw/.env, ensure that file is created and restricted (chmod 600).
If you want extra assurance, run the script in a controlled environment or inspect scripts/hardener.py in full before invoking write operations.
Functional analysis
Type: OpenClaw Skill
Name: oc-security-hardener
Version: 1.0.0
The OpenClaw AgentSkills bundle 'oc-security-hardener' is designed for auditing and hardening OpenClaw configurations. The `SKILL.md` and `README.md` clearly describe its purpose, which aligns with the Python script's functionality. The `scripts/hardener.py` script identifies exposed API keys (masking them in output, not exfiltrating), checks and fixes file permissions (using `os.chmod` on specified config files), and modifies `openclaw.json` to apply security best practices, always creating a backup first. There is no evidence of data exfiltration, unauthorized remote execution, persistence mechanisms, or prompt injection attempts against the agent. All actions are transparent, documented, and intended for security improvement.
Capability assessment
Purpose & Capability
Name/description match the implementation: the tool inspects OpenClaw config files, checks gateway/auth/exec/agent settings, scans for API-key patterns, and checks file permissions. No unrelated binaries, installs, or external services are required.
Instruction Scope
SKILL.md and the script restrict operations to local config files (default ~/.openclaw/openclaw.json or a supplied path) and config directory permissions. The 'fix' command (per README/SKILL.md) will modify local config files (it claims to create backups first) — this is expected for a hardener but users should review fixes before applying them.
Install Mechanism
No install spec or external downloads — the skill is instruction-only with a bundled Python script. This minimizes supply-chain risk.
Credentials
No environment variables or credentials are requested. The script scans for many common API-key formats (Anthropic, OpenAI, Google, GitHub, Slack, etc.), which is appropriate for a secret scanner targeting OpenClaw configs.
Persistence & Privilege
always is false; the skill does not request persistent/platform-wide privileges. It operates locally and only modifies files when the user runs 'fix'. Autonomous invocation is permitted by default for skills but is not combined with other red flags here.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install oc-security-hardener
  3. Once installed, invoke the Skill by name or trigger it with /oc-security-hardener
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history
v1.0.0
  • Initial release of security-hardener for OpenClaw.
  • Scans openclaw.json for vulnerabilities, exposed credentials, insecure settings, and missing best practices.
  • Provides audit, auto-fix, secret scanning, and security report generation commands.
  • Checks file permissions and outputs a security score with summary and detailed findings.
  • Supports customizable checks and outputs in multiple formats.
Metadata
Slug: oc-security-hardener
Version: 1.0.0
License:
Total installs: 15
Current installs: 15
Historical versions: 1
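FAQ

What is Security Hardener?

Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permiss... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1924 total downloads so far.

How do I install Security Hardener?

Run the command "/install oc-security-hardener" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Security Hardener free?

Yes, Security Hardener is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Security Hardener support?

Security Hardener is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Security Hardener?

It is developed and maintained by mariusfit (@mariusfit); the current version is v1.0.0.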
