OpenClaw Audit Log Hook
Author: hanxiao-bot · v1.0.0 · MIT-0
Total downloads: 100 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install openclaw-audit-log-hook
Description
Records and logs all tool calls before and after execution for auditing, debugging, usage stats, and error tracking with sensitive data redaction.
Security recommendations
This skill is plausible but sloppy: do not install it as-is if you care about protecting secrets. Key issues to resolve before use: (1) actually write logs to a controlled file path (with secure file permissions) rather than console, and declare OPENCLAW_STATE_DIR; (2) integrate and improve redaction — apply redaction to parsed objects and nested fields, handle stringified JSON, and avoid relying on truncation as a protection; (3) add log rotation, retention limits, and access controls; (4) avoid logging raw command outputs or API responses that may include credentials or tokens; (5) consider hashing or minimizing session/user identifiers and document who can read the logs. If you can't review and modify the hooks yourself, treat this skill as risky because it could leak sensitive data into agent logs.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-audit-log-hook
Version: 1.0.0
The skill implements an audit logging mechanism in SKILL.md that records tool parameters and results. While it includes a 'redactSensitive' utility function, the provided hook implementations for 'before_tool_call' and 'after_tool_call' fail to actually invoke this function, leading to the logging of potentially sensitive data (API keys, tokens, passwords) in plain text to the console. This constitutes a sensitive information disclosure vulnerability.
Capability assessment
Purpose & Capability
The SKILL.md claims to record all tool calls to an audit.log under OPENCLAW_STATE_DIR and to auto-redact sensitive data, but the example hook only console.logs entries (does not write to the claimed audit.log path) and never calls the redact function. That mismatch means the skill as-written won't deliver its described purpose and may expose data via stdout instead of a controlled file.
Instruction Scope
Instructions access event.tool.params and event.result (which commonly contain secrets). The provided redaction function is defined but not integrated into the hook code. Redaction logic only checks top-level property names, won't handle stringified JSON or nested fields, and the current code stringifies params and truncates them (slice(0,500)), which can still leak sensitive prefixes and break redaction. The SKILL.md also references OPENCLAW_STATE_DIR without declaring it and suggests analyzing an audit.log file even though the hooks don't write to that file.
Install Mechanism
Instruction-only skill with no install steps or external downloads, so it doesn't introduce installation-time code execution risk.
Credentials
No required environment variables are declared, but the example reads process.env.OPENCLAW_STATE_DIR. The skill should declare this env var (and its intended default) and document permissions expectations for where logs will be written.
Persistence & Privilege
The skill does not request always:true or modify other skills; it is user-invocable and can be run autonomously like other hooks. That default model-invocation behavior is expected.
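How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install openclaw-audit-log-hook
- Once installation completes, call the Skill by name or use /openclaw-audit-log-hook to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history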
v1.0.0
Initial release
FAQ
What is OpenClaw Audit Log Hook?
Records and logs all tool calls before and after execution for auditing, debugging, usage stats, and error tracking with sensitive data redaction. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 100 total downloads so far.
How do I install OpenClaw Audit Log Hook?
Run the command "/install openclaw-audit-log-hook" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is OpenClaw Audit Log Hook free?
Yes, OpenClaw Audit Log Hook is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does OpenClaw Audit Log Hook support?
OpenClaw Audit Log Hook is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed OpenClaw Audit Log Hook?
It is developed and maintained by hanxiao-bot (@hanxiao-bot); the current version is v1.0.0.