Openclaw Audit
Author
shawnpetros
· GitHub
· v1.2.0
· MIT-0
Total downloads: 175
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install openclaw-audit
Description
Audit your OpenClaw configuration against 12 production primitives PLUS 8 common setup footguns (silent cost leaks, prompt-injection paths, zombie session st...
Safe-use recommendations
This skill appears to do what it claims: read your local OpenClaw configuration, run local OpenClaw CLI checks, and report problems (including detecting inlined API keys). Before installing or running it: (1) ensure the agent has access only to the machine you intend — the audit will read files under ~/.openclaw and may output detected secret-like strings, (2) confirm the openclaw CLI is available locally (the SKILL.md uses it but the skill metadata doesn't declare it), (3) review findings before sharing them externally since they may contain sensitive configuration or example keys, and (4) if you want extra safety, run the checks yourself locally (the SKILL.md is self-contained) or ask the skill to redact secret values in its report. Overall the skill is internally consistent for its stated purpose, but be mindful of sensitive data exposure in its output.
Capability analysis
Type: OpenClaw Skill
Name: openclaw-audit
Version: 1.2.0
The 'openclaw-audit' skill bundle is a configuration auditing tool designed to identify security risks and performance bottlenecks in an OpenClaw environment. It instructs the agent to inspect local configuration files (e.g., openclaw.json, secrets.json) and system status to detect issues like inlined API keys, zombie session states, and potential data leaks in Slack integrations. The instructions in SKILL.md include explicit security safeguards, such as directing the agent to check secret paths without reading their values, and the logic is entirely consistent with its stated purpose of improving system health.
Capability tags
Capability assessment
Purpose & Capability
The skill's name/description align with the actions in SKILL.md (reading OpenClaw config, scanning for leaks, checking sessions and plugin/channel status). One mismatch: the runtime instructions call the openclaw CLI (e.g., `openclaw status`) but the registry metadata does not declare any required binaries. Declaring the openclaw CLI as a required binary would be expected.
Instruction Scope
The SKILL.md explicitly instructs reading many local files under ~/.openclaw (openclaw.json, cron jobs, workspace files, session files) and running local CLI audit commands. This is appropriate for a config auditor, but it will necessarily inspect potentially sensitive configuration (including any inlined API keys it detects). The doc claims 'Read secrets.json (path only, never the values)', which reduces risk, but the auditor does scan other files for plaintext API-key patterns — so results will include sensitive findings and may surface secret-like strings in the report.
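The "report the path, never the value" rule described above is the core of a safe config audit. As an added illustration (not the openclaw-audit skill's own code), the Python below scans a constructed openclaw.json-style document for inlined API keys and emits findings that carry the JSON path, a reason, and a redacted hint only. The config layout, the key-format regexes and the sensitive key names are assumptions for the example; the page itself only states that openclaw.json may contain inlined keys and that reports should redact them.

```python
"""Redacting scan of an OpenClaw-style JSON config for inlined API keys.

Added example, not the openclaw-audit skill's own code. The config layout
and the key-format regexes are assumptions for illustration; the page only
says openclaw.json may contain inlined API keys and that a report should
show the path, never the value.
"""
import json
import re

# Constructed sample config: one inlined key, one proper secret reference,
# one harmless value. None of these strings is a real credential.
SAMPLE_CONFIG = json.dumps({
    "model": {"provider": "example",
              "apiKey": "sk-EXAMPLE1234567890abcdefABCDEF12345678"},
    "channels": {"slack": {"token": {"secretRef": "secrets.json#slack_token"}}},
    "gateway": {"bind": "127.0.0.1", "port": 18789},
})

# Assumed patterns for key-like string values; extend for the providers in use.
KEY_PATTERNS = [
    re.compile(r"^sk-[A-Za-z0-9]{20,}$"),         # "sk-" style provider keys
    re.compile(r"^xox[abp]-[A-Za-z0-9-]{10,}$"),  # Slack bot/app/user tokens
    re.compile(r"^AKIA[0-9A-Z]{16}$"),            # AWS access key ids
]
# Key names whose literal string values are suspicious even without a pattern hit.
SENSITIVE_KEY_NAMES = {"apikey", "api_key", "token", "secret", "password"}


def redact(value: str) -> str:
    """Return a hint that identifies the value's shape without revealing it."""
    if len(value) <= 8:
        return "****"
    return value[:4] + "...[redacted]"


def walk(node, path=""):
    """Yield (json_path, key_name, value) for every string leaf in the config."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, path.rsplit(".", 1)[-1], node


def find_inlined_secrets(config_text: str) -> list:
    """Return findings as path + reason + redacted hint; raw values never leave here."""
    findings = []
    for path, key_name, value in walk(json.loads(config_text)):
        if any(p.match(value) for p in KEY_PATTERNS):
            reason = "value matches an API-key pattern"
        elif key_name.lower() in SENSITIVE_KEY_NAMES:
            reason = "sensitive key name holds a literal value instead of a secret reference"
        else:
            continue
        findings.append({"path": path, "reason": reason, "value_hint": redact(value)})
    return findings


if __name__ == "__main__":
    # Usage: prints one redacted line per finding; the sample yields model.apiKey.
    for f in find_inlined_secrets(SAMPLE_CONFIG):
        print(f"[inlined secret] {f['path']}: {f['reason']} ({f['value_hint']})")
```

Note that a key whose value is an object holding a secret reference (the Slack token above) produces no finding, because only string leaves are examined; that is the shape a properly externalised secret takes, and it is what a reviewer should expect to see instead of literal values.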
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes the risk of arbitrary code being installed on disk.
Credentials
The skill requests no environment variables, credentials, or config paths in the registry metadata. The SKILL.md inspects local config files for references to credentials (e.g., SecretRefs, auth.profiles) which is expected behavior for an audit and does not demand extra secrets from the environment.
Persistence & Privilege
The skill is not marked always:true, does not include an installer and does not request persistent system changes in the instructions. It reads local files and returns a report; it does not request writing to other skills' configs or global settings.
How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Type the install command in the chat box: /install openclaw-audit
- After installation completes, call the skill by name directly, or trigger it with /openclaw-audit
- Provide the inputs required by the skill's parameter description to receive structured output
Version history
v1.2.0
Added Tier 3: 8 common setup footguns. Severity scoring now 0/20.
v1.1.1
Tighten safety claims, default to offline/local-file audit, add explicit OpenClaw CLI requirement metadata for optional live checks, and improve secret-redaction guidance.
v1.1.0
**Expanded focus on security, read-only operation, and secrets hygiene.**
- Introduces strict read-only guarantees: no files modified, no secrets extracted, and no external network calls made.
- Adds explicit redaction requirements for secrets found in config files.
- Major overhaul of audit criteria: expands from "production primitives" to include detailed checks for secrets management, token/cost controls, gateway security, and operational documentation.
- Output is now more actionable, including config snippets and an explicit "Overall" production readiness summary.
- Includes a dedicated "Safety" section with user protections and clear guidance.
- Adds version metadata to SKILL.md and publicizes contact for free audits.
v1.0.0
Audit your config against 12 production primitives. By PennywiseOps.
Metadata
FAQ
What is Openclaw Audit?
Audit your OpenClaw configuration against 12 production primitives PLUS 8 common setup footguns (silent cost leaks, prompt-injection paths, zombie session st... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 175 downloads to date.
How do I install Openclaw Audit?
Run the command "/install openclaw-audit" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Openclaw Audit free?
Yes, Openclaw Audit is completely free and released under the MIT-0 license, so it can be freely downloaded, installed and used.
Which platforms does Openclaw Audit support?
Openclaw Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Openclaw Audit?
It is developed and maintained by shawnpetros (@shawnpetros); the current version is v1.2.0.