Security Constitution
Author: byronbanck-AI (GitHub) · v1.0.0 · MIT-0
Total downloads: 128 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install security-constitution
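Description
A four-level risk control skill that provides enterprise-grade security for OpenClaw.
- Four-level risk assessment (L1-L4): L1 is rejected outright, L2 requires password confirmation, L3 is logged and allowed, L4 is allowed directly
- Password re-verification: sensitive operations require the owner's confirmation
- Operation log auditing: all operations are recorded for audit
- Absolute lock: changing the password, changing the owner, or bypassing the security mechanisms cannot be executed
⚠️ This skill is AGENTS...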
Security usage recommendations
This skill appears to implement a reasonable risk-gating policy, but it is underspecified around secrets and identity verification. Before installing: (1) Confirm where the owner's password is stored and how password verification is performed — do NOT allow the agent to ask users to 'type the password' into chat. (2) Require that password checks be done against a hashed/secure store (not logged), and that logs never include plaintext secrets. (3) Ask for a precise definition of how sender identity is extracted and protected (so that an attacker cannot impersonate the owner). (4) If you plan to use this skill in production, review the actual implementation (code) or request stricter SKILL.md rules that forbid collecting secrets via chat and mandate encrypted storage and audit controls. Because these gaps affect sensitive behavior, proceed only after clarifying/mitigating them.
Functional analysis
Type: OpenClaw Skill
Name: security-constitution
Version: 1.0.0
The 'security-constitution' skill is a security policy framework designed to enforce risk-based access control for an OpenClaw agent. It implements a four-level risk assessment system (L1-L4), requiring password verification for high-risk operations and logging all activities to 'memory/security-log.md' for auditing. The skill includes 'Absolute Lock' instructions in 'SKILL.md' to prevent the agent from modifying its own security settings or revealing passwords, and it lacks any indicators of data exfiltration or malicious command execution.
Capability assessment
Purpose & Capability
Name and description match the requested behavior: a policy-based risk gate that reads a local policy (~/.openclaw/workspace/security-policy.json) and enforces L1–L4 rules, logs to a local memory log, and runs hooks. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
SKILL.md tells the agent to read a local policy file, identify sender/owner, classify commands by risk, request password confirmations for L2, and log operations. However it leaves critical details unspecified: where/how the owner password is stored and verified, how sender identity is extracted and authenticated, and how keyword matching is performed. The instructions therefore grant broad discretion to solicit passwords and block actions without clear safe handling rules.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal installation risk (nothing is downloaded or written by an installer).
Credentials
No environment variables or external credentials are requested, which is consistent, but the policy requires password confirmation flows without specifying secure storage/verification. That means the agent could prompt users to type sensitive secrets into chat or store them in plain logs (the skill references a memory/security-log.md) — disproportionate risk because sensitive input handling is undefined.
Persistence & Privilege
The skill does not request always:true and does not declare writes beyond its own memory/log paths. The 'absolute lock' policy (disallow changing owner/password) is an instruction-level rule rather than a demonstrated capability to enforce across other skills; there's risk if the agent enforces it by modifying global configs, but SKILL.md does not show any cross-skill config changes.
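How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install security-constitution
- After installation, call the skill by name or use /security-constitution to trigger it
- Provide the required input according to the skill's parameter description to get structured output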
Version history
v1.0.0
Initial release of security-constitution, implementing enterprise-grade, four-level risk control for OpenClaw:
- Introduces L1–L4 risk assessment with distinct handling for each level (deny, confirm with password, log, direct allow).
- Adds password re-authentication for sensitive operations and owner-only confirmations.
- Implements comprehensive operation logging for auditing purposes.
- Enforces absolute lockout on owner change, password change, and any attempt to bypass security mechanisms—these cannot be overridden.
- Provides detailed hooks for operation pre- and post-processing, password failure, and bypass attempts.
- Offers clear response templates and workflows for risk actions and user confirmations.
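FAQ
What is Security Constitution?
A four-level risk control skill that provides enterprise-grade security for OpenClaw. - Four-level risk assessment (L1-L4): L1 is rejected outright, L2 requires password confirmation, L3 is logged and allowed, L4 is allowed directly - Password re-verification: sensitive operations require the owner's confirmation - Operation log auditing: all operations are recorded for audit - Absolute lock: changing the password, changing the owner, or bypassing the security mechanisms cannot be executed ⚠️ This skill is AGENTS... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 128 cumulative downloads to date.
How do I install Security Constitution?
Run the command "/install security-constitution" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Security Constitution free?
Yes, Security Constitution is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Security Constitution support?
Security Constitution is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Security Constitution?
It is developed and maintained by byronbanck-AI (@byronbanck-ai); the current version is v1.0.0.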