Openclaw Security Guard
Author: miloudbelarebia · v1.0.0
Total downloads: 1387 · Favorites: 0 · Current installs: 10 · Versions: 1
Install in OpenClaw
/install openclaw-security-guard
Description
Security audit CLI + live dashboard for OpenClaw. Scans for secrets, config issues, prompt injections, vulnerable dependencies, and unverified MCP servers. Zero telemetry.
Security usage recommendations
This package appears coherent for a local OpenClaw security scanner, but take these precautionary steps before installing or running with --auto:
- Verify the npm package and repository: confirm the package on npm matches the GitHub repo referenced in SKILL.md and check the package author/publisher identity.
- Grep the source for outbound network calls (http, https, ws, fetch, axios, net.connect) to confirm 'zero telemetry' — focus on dashboard/server.js, monitors/*, and helpers for any external endpoints or hosts.
- Review code paths that modify configuration (auto-hardener, fix command) and test fix --dry-run first; ensure backups are created in a location you control.
- Inspect where dashboard credentials are stored (~/.openclaw-security-guard/auth.json is mentioned) and secure or delete that file as needed.
- Prefer running via npx or in an isolated/sandbox environment initially rather than global install.
If you want, I can (1) point to specific files to grep for outbound connections or secrets exfiltration patterns, or (2) run a quick static checklist of the top files (dashboard/server.js, monitors/*, auto-hardener.js) and list lines that look like external network usage. Confidence is medium because the package includes full source (which helps) but registry/source metadata had a small mismatch and claims like 'zero telemetry' should be verified by code inspection.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-security-guard
Version: 1.0.0
The OpenClaw Security Guard skill bundle is a security tool designed to audit, monitor, and harden OpenClaw installations. The code and documentation consistently emphasize privacy, local operation, and the absence of telemetry. Key security features include robust input validation using Zod, path sanitization to prevent traversal attacks, strong password hashing (PBKDF2, SHA-512) for the local dashboard, and explicit binding of the dashboard to localhost (127.0.0.1) to prevent external access. The tool performs local file system operations (reading/writing OpenClaw configuration, creating git pre-commit hooks) as part of its stated purpose, with safeguards like backups and direct programmatic file/permission modifications (e.g., `fs.chmod`) instead of shell execution. There is no evidence of data exfiltration, malicious execution, persistence mechanisms beyond intended git hooks, or prompt injection attempts against the AI agent itself. The skill is a legitimate security utility.
Capability assessment
Purpose & Capability
Name/description match the delivered pieces: a Node.js npm package that exposes CLI binaries and implements secrets/config/prompt-injection/dependency/MCP-server scanners and a local dashboard. Required binary (node) and the npm install are proportionate to the stated purpose. The publish metadata omission of a source/homepage in the registry (but SKILL.md includes a GitHub URL) is a small inconsistency worth verifying.
Instruction Scope
SKILL.md instructs the tool to scan the user's OpenClaw install (default paths like ~/.openclaw), run an optional auto-fix that edits configuration, and open a localhost dashboard. Those actions are expected for a security auditor. Note: auto-fix modifies user files (claims to backup first) — this is expected but the user should confirm backups and review proposed fixes before running --auto. The docs include example malicious prompt strings (used to demonstrate the prompt-injection detector); that's why prompt-injection patterns appear in the docs.
Install Mechanism
Install uses an npm package (openclaw-security-guard) which is appropriate for a Node.js CLI. npm install is a standard distribution method; npm packages carry typical supply-chain risk, so verify package provenance and version before installing globally.
Credentials
The skill declares no required environment variables or credentials. Documentation references optional env vars (OPENCLAW_HOME, OPENCLAW_GUARD_CONFIG), which is reasonable for a local scanner. No unexplained credential or system-wide config access is requested in metadata or SKILL.md.
Persistence & Privilege
always is false and model invocation is default — normal. The package runs as a CLI and dashboard service and can modify OpenClaw config when asked (auto-hardening). It does not request unwarranted system-wide privileges or attempt to persist across unrelated skills. Verify where the dashboard auth file is stored (docs mention ~/.openclaw-security-guard/auth.json) if you are concerned about local persistence.
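How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install openclaw-security-guard
- Once installation completes, call the Skill by name or use /openclaw-security-guard to trigger it
- Provide the required input according to the Skill's parameter description to get structured output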
Version history
v1.0.0
- Initial release of openclaw-security-guard.
- Provides a CLI and live dashboard to audit OpenClaw setups for secrets, config issues, prompt injections, vulnerable dependencies, and unverified MCP servers.
- Features include automated fixes, a real-time dashboard, security scoring, pre-commit hooks, and multi-language support.
- All security checks run locally with zero telemetry.
FAQ
What is Openclaw Security Guard?
Security audit CLI + live dashboard for OpenClaw. Scans for secrets, config issues, prompt injections, vulnerable dependencies, and unverified MCP servers. Zero telemetry. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1387 cumulative downloads to date.
How do I install Openclaw Security Guard?
Run the command "/install openclaw-security-guard" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Openclaw Security Guard free?
Yes, Openclaw Security Guard is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Openclaw Security Guard support?
Openclaw Security Guard is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (macOS, Linux, Windows).
Who developed Openclaw Security Guard?
It is developed and maintained by miloudbelarebia (@miloudbelarebia); the current version is v1.0.0.