349 total downloads, 1 favorite, 0 currently installed, 2 versions
Install in OpenClaw:
/install openclaw-vulnerability-checker
Description
An OpenClaw security vulnerability check and configuration audit tool. It detects known security vulnerabilities in the currently installed OpenClaw version and public-exposure risks, compares the current version with the latest release, and returns vulnerability details, a risk assessment, configuration audit results and upgrade recommendations. Use cases: (1) the user asks "check what security vulnerabilities my OpenClaw version has", (2) the user says "check OpenClaw...
Safe-usage recommendations
This skill appears to implement an OpenClaw audit tool, but it has a few red flags you should consider before running it: (1) It expects local binaries (openclaw, lsof/netstat, pfctl/iptables, etc.) and a Python environment with requests + beautifulsoup4, but the package metadata doesn't declare these requirements — verify these tools exist in your environment. (2) The scripts and instructions will run local commands that reveal process lists, open ports, and firewall rules; only run on systems you control or in an isolated environment if you're uncomfortable exposing that state. (3) If you provide a GitHub token for GHSA queries, limit its scope (no broad repo deletion/admin scopes) and treat it as sensitive. (4) Review the included scripts (get_releases.py and get_version.py) yourself — they are plain Python and network-capable; no obfuscated code was found, but ensure network calls (GitHub/NVD/CNNVD) are acceptable in your environment. If you want to proceed: run the scripts interactively (not with elevated automation), ensure required dependencies are installed in a virtualenv, and avoid giving any credentials unless necessary and scoped narrowly.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-vulnerability-checker
Version: 1.0.1
The skill bundle is designed as a security auditor for 'OpenClaw', but it requires the AI agent to perform high-risk system operations. Specifically, SKILL.md instructs the agent to execute sensitive commands such as 'ps aux', 'lsof', 'iptables', and 'pfctl' to inspect processes and network configurations. It also provides instructions for the agent to modify system settings via 'openclaw gateway config.patch'. While these actions align with the stated purpose of security auditing and remediation, the broad system access and the ability to alter configurations represent a significant risk profile for an automated agent, though no clear evidence of intentional malice or data exfiltration was found.
Capability assessment
Purpose & Capability
The skill claims to check the local OpenClaw installation and public exposure, which legitimately requires reading local process/listening-port/firewall state and calling external vulnerability databases. However, the SKILL metadata lists no required binaries or dependencies, while the runtime instructions and included scripts assume: the 'openclaw' CLI, system tools (lsof, netstat, ps, pfctl, iptables), a Python runtime and third-party libraries (requests, beautifulsoup4). That mismatch (declaring nothing while requiring several platform tools and Python packages) is an incoherence the user should notice.
Instruction Scope
The SKILL.md instructs the agent to run local commands that list processes, open ports, and firewall rules (e.g., `openclaw --version`, `lsof`, `netstat`, `ps aux`, `pfctl`, `iptables`) and to query external sources (GitHub API, NVD, CNNVD). Those actions are within the stated purpose (configuration/audit) but they will reveal local system state and potentially send data to external APIs. The instructions also allow optionally supplying a GitHub token for richer GHSA queries; the skill does not require a token but will accept one if provided.
Install Mechanism
There is no install spec (instruction-only), which lowers supply-chain risk, but the package includes two Python scripts that rely on requests and BeautifulSoup. The top of get_releases.py mentions `pip install requests beautifulsoup4`, but the skill metadata does not declare these dependencies or provide an installer. Running the scripts as-is will require a local Python environment and network access. No remote download of arbitrary code is present in the provided files.
Credentials
The registry declares no required environment variables or credentials. SKILL.md recommends (optionally) using a GitHub Personal Access Token to query GitHub Security Advisories; if supplied, it should be limited to minimum scopes. There is no attempt to read other environment variables, but the instructions do access local system state (process list, ports, firewall). That access is sensitive; it is proportional to an audit tool, but it should be explicitly acknowledged to the user.
Persistence & Privilege
The skill does not request persistent inclusion (always:false) and does not attempt to modify other skills or system configuration as part of install. It suggests commands the user could run to patch configurations, but it does not itself declare any autonomous persistent privileges.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Type the install command in the chat box: /install openclaw-vulnerability-checker
- After installation, call the Skill by name directly or trigger it with /openclaw-vulnerability-checker
- Provide the inputs required by the Skill's parameter description to receive structured output
Version history
v1.0.1
Version 1.0.1 expands security auditing:
- New: public-exposure risk detection and configuration scanning, identifying whether the Gateway/Control UI is exposed, its bind address, listening ports, authentication status, and security recommendations.
- Graded risk warnings and remediation suggestions for the security state of the OpenClaw configuration are now supported (e.g. "bind only to 127.0.0.1", "enable authentication").
- Added use cases such as "check whether public access is enabled".
- The report now includes "Configuration security risks" and "Public-access security scan" sections.
- The technical documentation adds a detailed public-exposure detection procedure and command reference.
v1.0.0
Initial release:
Supports OpenClaw security vulnerability checking and version comparison features.
- Query vulnerabilities from NVD, GitHub Security Advisories, CNNVD, and other data sources
- Detect whether there are unpatched known security vulnerabilities in the current version
- Compare the difference between the current version and the latest version to get update content
- Generate security reports and upgrade recommendations
FAQ
What is OpenClaw Vulnerability Checker?
An OpenClaw security vulnerability check and configuration audit tool. It detects known security vulnerabilities in the currently installed OpenClaw version and public-exposure risks, compares the current version with the latest release, and returns vulnerability details, a risk assessment, configuration audit results and upgrade recommendations. Use cases: (1) the user asks "check what security vulnerabilities my OpenClaw version has", (2) the user says "check OpenClaw... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 349 downloads to date.
How do I install OpenClaw Vulnerability Checker?
Run the command "/install openclaw-vulnerability-checker" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is OpenClaw Vulnerability Checker free?
Yes, OpenClaw Vulnerability Checker is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.
Which platforms does OpenClaw Vulnerability Checker support?
OpenClaw Vulnerability Checker is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed OpenClaw Vulnerability Checker?
Developed and maintained by hzzhuohui (@hzzhuohui); current version v1.0.1.