iaadoa

OpenClaw Security Audit

Author: iaadoa · GitHub · v1.0.2 · MIT-0
cross-platform · ⚠ suspicious
Total downloads: 288
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw:
/install security-audit-openclaw
Description
⚠️ HIGH PRIVILEGE SECURITY AUDIT SKILL Performs comprehensive security auditing for OpenClaw deployments. Requires system-level access for legitimate securit...
Safe-use recommendations
This skill appears to be a legitimate high-privilege audit tool, but it carries inherent sensitivity because it reads many system files and process environments. Before installing or running it: (1) review the full script contents yourself (or have a trusted reviewer do so), because it runs many system inspections; (2) do not enable the Git/Telegram options unless you understand what will be committed or sent (they are opt-in, but will transmit data to remote endpoints if enabled); (3) run audits only on systems you own or trust, and avoid running as root unless needed (the script warns when run as root); (4) consider running it in an isolated/test environment first to verify its outputs; (5) if you need higher assurance, ask the author for reproducible build provenance or a signed release. Confidence is medium because the provided code was only partially visible in the prompt: review the full shipped script before trusting it with sensitive systems.
Functional analysis
Type: OpenClaw Skill Name: security-audit-openclaw Version: 1.0.2 The skill performs high-privilege security auditing that includes several high-risk behaviors: scanning the workspace for plaintext private keys and mnemonics (DLP), reading sensitive environment variables from the /proc filesystem, and optionally exfiltrating the entire OpenClaw state directory (which may contain API keys and session data) to a remote Git repository. While these actions are documented in SKILL.md and SECURITY.md as legitimate auditing and backup functions, and external communication (Git/Telegram) is disabled by default, the broad system access and potential for data exposure via hardcoded endpoints (api.telegram.org) warrant a suspicious classification. Key files involved are scripts/openclaw_security_audit.py and SKILL.md.
Capability assessment
Purpose & Capability
The skill name/description (OpenClaw security audit) aligns with its actions: reading system state, OpenClaw workspace, process env, ports, cron, file hashes, and producing reports. The declared required commands in SECURITY.md (ss, top, systemctl, journalctl, last, df, find, etc.) match the checks described.
Instruction Scope
SKILL.md directs running the included Python script which performs many read-only system inspections (/etc, ~/.ssh, /proc/{pid}/environ, listening ports, process lists, file hashes). These actions are within audit scope, but SKILL.md also documents opt-in features that perform writes/network activity (Git commits/pushes and Telegram notifications) — the top-level description initially states 'All operations are read-only and local-only', which is misleading without reading the later opt-in details.
Install Mechanism
No install spec or external downloads; the skill is distributed with a bundled Python script and docs. This is lower risk than remote fetch/install mechanisms.
Credentials
Metadata lists no required environment variables (none mandatory). SKILL.md and the script read optional env vars (SECURITY_AUDIT_ENABLE_GIT, SECURITY_AUDIT_ENABLE_TELEGRAM, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, OPENCLAW_STATE_DIR). These are reasonable for opt-in features, but the skill will read process envs and files that can contain secrets — acceptable for an audit tool but sensitive. The skill does not require external API credentials by default.
Persistence & Privilege
The skill does not request persistent always-on privilege and is user-invocable. It requires elevated filesystem/process read privileges to be effective (expected). Optional Git backup will write/commit to the user's repo only if enabled.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install security-audit-openclaw
  3. After installation, call the Skill by name directly or trigger it with /security-audit-openclaw
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history
v1.0.2
Made Git backup and Telegram notifications opt-in features (disabled by default). Added SECURITY_AUDIT_ENABLE_GIT and SECURITY_AUDIT_ENABLE_TELEGRAM env vars for explicit opt-in.
v1.0.1
Added SECURITY.md with detailed security declarations, enhanced SKILL.md documentation
v0.0.4
Security audit tool for OpenClaw deployments with cross-platform support
Metadata
Slug: security-audit-openclaw
Version: 1.0.2
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 3
FAQ

What is OpenClaw Security Audit?

⚠️ HIGH PRIVILEGE SECURITY AUDIT SKILL Performs comprehensive security auditing for OpenClaw deployments. Requires system-level access for legitimate securit... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 288 cumulative downloads so far.

How do I install OpenClaw Security Audit?

Run the command "/install security-audit-openclaw" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is OpenClaw Security Audit free?

Yes, OpenClaw Security Audit is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does OpenClaw Security Audit support?

OpenClaw Security Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who develops OpenClaw Security Audit?

It is developed and maintained by iaadoa (@iaadoa); the current version is v1.0.2.
