Security Audit Tianjin
Author: tianjin-ren · GitHub · v1.0.1 · MIT-0
315 total downloads · 0 favorites · 1 current install · 2 versions
Install in OpenClaw:
/install security-audit-tianjin
Description
Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included.
Safe-usage recommendations
This skill appears to implement a Clawdbot security audit, but take these precautions before installing or running it:
- The script runs under Node.js, yet the skill does not declare Node as a required binary. Confirm Node is installed first; without it the run fails.
- Review the full scripts/audit.cjs source (the copy provided for review was truncated) to confirm exactly what --fix does: which files it modifies, which permissions it changes, and what it writes. Back up the target directories first.
- The script hard-codes paths under /root/clawd, including a CONFIG_DIR of '/root/clawd/skills/.env'. Run it only on a system where those paths are the intended target; otherwise edit the paths or run it in a controlled environment.
- Run the audit in read-only mode (no --fix) first and inspect the findings. If you decide to use --fix, run it in an isolated test environment or container and review the resulting changes afterwards.
- The code shells out through child_process.execSync (ss/netstat, git). That is expected for port and git checks, but it widens the blast radius when the script runs with elevated privileges; avoid running it as root unless necessary. Note that the hard-coded /root paths may themselves be unreadable without root, which is one more reason to test against a copy of the tree in a sandbox.
- Confirm the skill's source and owner are trusted: the _meta.json ownerId does not match the registry ownerId (metadata mismatch). If provenance is uncertain, review the code manually or use it only in an isolated sandbox.
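As an added example (not part of this listing and not the skill's own code), the pre-install review recommended above and the capability assessment below can be partly mechanised: the script scans a skill's Node source for the behaviours the assessment flags (shell execution via child_process, filesystem writes and permission changes, outbound network calls, hard-coded paths under /root, shell-history reads) and reports them by line before anything is executed. The RISK_PATTERNS list and the SAMPLE_SCRIPT it runs over are constructed stand-ins that mirror the behaviours described in the assessment; they are not the contents of scripts/audit.cjs.

```javascript
// Added example: static pre-review of a skill's Node.js source before running it.
// Not the skill's own code. The patterns and SAMPLE_SCRIPT below are constructed.

// Each pattern is tested per line without the /g flag, so RegExp lastIndex
// state cannot leak between lines and silently skip matches.
const RISK_PATTERNS = [
  { id: 'shell-exec', severity: 'high',
    re: /\b(execFileSync|execSync|spawnSync|execFile|exec|spawn)\s*\(/,
    note: 'runs external commands; read every command string' },
  { id: 'fs-write', severity: 'high',
    re: /\bfs\.(writeFileSync|writeFile|appendFileSync|chmodSync|chownSync|unlinkSync|rmSync|renameSync|mkdirSync)\s*\(/,
    note: 'modifies the filesystem; expected only behind an explicit --fix flag' },
  { id: 'network', severity: 'high',
    re: /\b(fetch\s*\(|https?\.(request|get)\s*\(|net\.(connect|createConnection)\s*\(|require\(\s*['"](https?|net|dgram|ws)['"]\s*\))/,
    note: 'outbound network capability; a local audit tool should not need it' },
  { id: 'hardcoded-root-path', severity: 'medium',
    re: /(['"`])\/root\/[^'"`]*\1/,
    note: 'hard-coded path under /root; wrong target on other installs and needs root to read' },
  { id: 'shell-history', severity: 'medium',
    re: /\.(bash|zsh)_history\b/,
    note: 'reads shell history, which can contain tokens typed on the command line' },
];

// Scan source text line by line; one finding per (line, pattern) hit.
function reviewSource(src) {
  const findings = [];
  src.split('\n').forEach((text, i) => {
    for (const p of RISK_PATTERNS) {
      if (p.re.test(text)) {
        findings.push({ line: i + 1, id: p.id, severity: p.severity, note: p.note, snippet: text.trim() });
      }
    }
  });
  return findings;
}

// Tally findings by a field ('severity' or 'id').
function countBy(findings, key) {
  return findings.reduce((acc, f) => {
    acc[f[key]] = (acc[f[key]] || 0) + 1;
    return acc;
  }, {});
}

// Human-readable report: highest severity first, then by line number.
function formatReport(findings) {
  const rank = { high: 0, medium: 1, low: 2 };
  const sorted = [...findings].sort((a, b) => rank[a.severity] - rank[b.severity] || a.line - b.line);
  const lines = sorted.map(f => `[${f.severity.toUpperCase()}] line ${f.line} ${f.id}: ${f.snippet}\n    -> ${f.note}`);
  return lines.length ? lines.join('\n') : 'no risk patterns matched';
}

// Constructed stand-in for a skill script, mirroring the behaviours described
// in the assessment (execSync for ss/netstat and git, /root paths, --fix writes).
// It is NOT the contents of scripts/audit.cjs.
const SAMPLE_SCRIPT = [
  "const fs = require('fs');",
  "const { execSync } = require('child_process');",
  "const CLAWD_DIR = '/root/clawd';",
  "const CONFIG_DIR = '/root/clawd/skills/.env';",
  "const fix = process.argv.includes('--fix');",
  "const ports = execSync('ss -tlnp || netstat -tlnp').toString();",
  "const gitStatus = execSync('git status --porcelain', { cwd: CLAWD_DIR }).toString();",
  "if (fix) {",
  "  fs.chmodSync(CONFIG_DIR, 0o600);",
  "  fs.writeFileSync(CLAWD_DIR + '/.gitignore', '.env\\n');",
  "}",
].join('\n');

const sampleFindings = reviewSource(SAMPLE_SCRIPT);
console.log(formatReport(sampleFindings));
console.log('by severity:', countBy(sampleFindings, 'severity'));
```

To review the real skill, replace SAMPLE_SCRIPT with the file read from skills/security-audit/scripts/audit.cjs (the path SKILL.md invokes) and run the script with node. Any fs-write hit that is not guarded by the --fix flag, or any network hit, is reason to stop and read the surrounding code before installing; the hard-coded-root-path hits tell you which paths to edit if your deployment does not live under /root/clawd.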
Functional analysis
Type: OpenClaw Skill
Name: security-audit-tianjin
Version: 1.0.1
The skill performs security audits by scanning for credentials, open ports, and configuration flaws in 'Clawdbot' deployments. It uses high-risk capabilities: shell command execution (ss, netstat, git) via child_process.execSync and broad filesystem access that reads sensitive files such as private keys and .env files. These actions in scripts/audit.cjs are consistent with the stated purpose in SKILL.md, and no evidence of data exfiltration was found, but the inherent risk of these operations qualifies the bundle as suspicious under the provided criteria.
Capability assessment
Purpose & Capability
The name/description (Clawdbot security audit) aligns with the script's behaviors: recursive file scans, port checks, Docker/Git checks and credential pattern matching under a Clawdbot directory. However, the script hard-codes paths under /root/clawd and a CONFIG_DIR '/root/clawd/skills/.env' which is very specific and could be incorrect or overly broad for other installs. Also _meta.json ownerId differs from registry ownerId (metadata mismatch).
Instruction Scope
SKILL.md instructs to run node skills/security-audit/scripts/audit.cjs with flags and promises scanning of 'tokens in command history' and an 'auto-fix' mode. The included script shows many read/scan operations and execSync usage (ss/netstat, git), but the provided file is truncated so the full auto-fix implementation and any reads of shell history are not visible. The instructions give the agent permission to run code that reads many files and may modify filesystem state; the exact modification behavior (what --fix changes) is not fully verifiable from the truncated code.
Install Mechanism
There is no install spec (instruction-only style), but SKILL.md commands invoke node. The registry metadata lists no required binaries. That is an inconsistency: the script requires Node.js to run but the skill does not declare Node as a required binary or runtime. Running without Node will fail; running with Node will execute the bundled code. Lack of declared runtime is a mismatch the user should note.
Credentials
The skill declares no environment variables or external credentials (consistent). The script reads many files under /root/clawd (configs, .env, Dockerfile, .git, code files) which is proportionate to auditing Clawdbot, but because the path is hard-coded to /root it will access root-owned files if run as a privileged user. The audit's read-only checks are expected, but the auto-fix option implies write operations (e.g., setting permissions, creating .gitignore) which require filesystem write privileges and increase risk if run on a system with unrelated sensitive files.
Persistence & Privilege
The skill is not always-enabled and the default autonomous invocation is allowed (platform default). There are no indications it attempts to persist itself or modify other skills. However, the auto-fix behavior can change file permissions and create files in the audited tree — this is expected for an auto-fix feature but is higher privilege than a pure scanner and should be used cautiously.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install security-audit-tianjin
- After installation, invoke the skill by name or trigger it with /security-audit-tianjin
- Provide the inputs required by the skill's parameter description to receive structured output.
Version history
v1.0.1
- Updated metadata in _meta.json; no functional or documentation changes.
- All skill usage, setup, and audit instructions remain the same.
v1.0.0
Initial release of the Security Audit skill for Clawdbot:
- Runs comprehensive security audits for Clawdbot deployments, checking for exposed credentials, open ports, weak configurations, and vulnerabilities.
- Supports quick, full, and targeted audits via command-line options.
- Includes auto-fix mode to automatically remediate common security issues.
- Generates detailed reports with actionable severity ratings (Critical, High, Medium, Info).
- No external dependencies required; uses native system tools.
- Offers specific checks for credentials, ports, configuration, file permissions, and Docker security settings.
FAQ
What is Security Audit Tianjin?
Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included. It is an AI agent skill plugin for Claude Code / OpenClaw, with 315 downloads to date.
How do I install Security Audit Tianjin?
Run the command "/install security-audit-tianjin" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed (the audit script itself does, however, require Node.js on the host, as noted in the safe-usage recommendations above).
Is Security Audit Tianjin free?
Yes. Security Audit Tianjin is completely free under the MIT-0 license and can be downloaded, installed, and used without restriction.
Which platforms does Security Audit Tianjin support?
Security Audit Tianjin is cross-platform in the sense that it can be used in any environment where OpenClaw / Claude Code is deployed; note, however, that the audit script relies on ss/netstat and hard-coded paths under /root, so the host it audits is expected to be a Linux system.
Who developed Security Audit Tianjin?
Developed and maintained by tianjin-ren (@tianjin-ren); current version v1.0.1.