vegasbrianc

Security Dashboard

Author: vegasbrianc · GitHub · v1.2.1
cross-platform ⚠ suspicious
Total downloads: 1626
Favorites: 2
Current installs: 5
Versions: 7
Install in OpenClaw
/install security-dashboard
Description
Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure. Monitors gateway status, network security, public exposure, system updates, SSH access, TLS certificates, and resource usage.
Security usage recommendations
Before installing, review the included files (scripts/install.sh and server.js) yourself or on a test machine. Specific checks:
- Inspect the /etc/sudoers.d/openclaw-dashboard file the installer creates. The rule uses wildcards (e.g., 'journalctl *'); consider narrowing this to only the journalctl invocations needed (for example '-u sshd' or specific time ranges) to avoid exposing unrelated logs.
- Prefer running as the dedicated user, but give that user a real home or adjust server.js to read the OpenClaw config via a configurable path (do not rely on /nonexistent HOME). If you must run as root, be aware of the higher risk.
- Confirm the service runs with the intended hardened systemd flags (NoNewPrivileges, ProtectSystem, ReadWritePaths limited to the skill directory). Don't change these without understanding the consequences.
- Audit server.js for any commands that call sudo or parse files (fs.readFileSync and many execSync calls). Ensure they only access the data you want monitored and do not transmit data externally (there are no outgoing network calls in the code provided, but review future updates).
- Consider running the dashboard in an isolated environment (container or VM) first to validate behavior and to avoid exposing sensitive host logs or files.
- If you accept the install, restrict the sudoers entries to the minimal commands and arguments required and verify file ownership/permissions for the OpenClaw config the dashboard needs to read.
Functional analysis
Type: OpenClaw Skill
Name: security-dashboard
Version: 1.2.1
The OpenClaw Security Dashboard skill is designed for system monitoring and incorporates significant security hardening measures. The `scripts/install.sh` creates a dedicated, restricted user with limited sudo privileges for specific monitoring commands (e.g., `systemctl`, `ufw`, `fail2ban-client`) and applies strong systemd hardening (`NoNewPrivileges`, `ProtectSystem`, `ProtectHome`). The `server.js` uses `execSync` to gather system metrics, but commands are hardcoded or derived from trusted sources, and no user input is directly executed. There is no evidence of data exfiltration to external endpoints, malicious execution, persistence mechanisms beyond a legitimate systemd service, or prompt injection attempts in `SKILL.md` or `README.md`.
Capability assessment
Purpose & Capability
The name/description (security monitoring of OpenClaw and Linux) matches the code: server.js runs many local system checks (systemctl, ss, fail2ban, tailscale, journalctl, file perms). Requiring access to system status commands is expected. However, some implementation details are odd: the installer creates a dedicated user with no home (/nonexistent) yet server.js expects to read files under $HOME and uses ~ in many shell commands — that will make many OpenClaw-specific checks fail when the service runs as the dedicated user unless run as root or the service user is given a real home or sudo access to read those files.
Instruction Scope
SKILL.md stays within the stated scope (install, start, access, configuration) and all runtime instructions operate on local system state. But the installer creates a sudoers file that allows the service user to run a number of system utilities with wildcards (notably 'journalctl *' and 'ss *'), which can expose arbitrary logs or system socket/process info beyond narrowly scoped checks. The README/SKILL.md do not document the exact sudoers entries in detail for user review before installation (they are present in scripts/install.sh).
Install Mechanism
There is no remote download; installation is via bundled scripts that create a systemd service and a sudoers file. Installing writes to /etc/systemd/system and /etc/sudoers.d (sensitive system areas) which is expected for a local monitoring service but is a privileged change and should be inspected prior to running. No external URLs or archives are fetched during install.
Credentials
The skill requests no environment variables or external credentials. However, the installer grants the service user passwordless sudo for several commands with globs (systemctl is-active *, systemctl status *, journalctl *, ss *, tailscale status * etc.). For a monitoring dashboard, systemctl/fail2ban/ufw/ss/tailscale access is reasonable, but 'journalctl *' is broad and could reveal unrelated logs (potential secrets). Also running the service as root is explicitly allowed (and documented as dangerous) — the combination of allowed sudo commands and root/run-as-root option raises privilege concerns that should be restricted to the minimum needed.
Persistence & Privilege
The skill installs a persistent systemd service and enables it at boot (normal for a dashboard). `always` is false and the skill does not request to auto-enable itself across the platform. The main elevation vector is the sudoers entry (NOPASSWD) for the dashboard user — this is normal for local monitoring but increases blast radius if the dashboard process is compromised. The service uses systemd hardening flags (NoNewPrivileges, ProtectSystem, PrivateTmp) which is a positive mitigation.
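How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install security-dashboard
  3. After installation, invoke the Skill by name or trigger it with /security-dashboard
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history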
v1.2.1
**Summary:** Adds frontmatter metadata for improved catalog integration.
- Added YAML frontmatter (name/description) to SKILL.md for better compatibility.
- No changes to code or functionality.
- Existing documentation and usage instructions remain unchanged.
v1.2.2
Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure.
## What's New in v1.2.1
- Fixed ClawdHub metadata display
- Updated publish script with proper changelog format
## Security Features
- Monitors 7 critical security areas (gateway, network, SSH, firewall, fail2ban, resources)
- 4x daily automated checks with instant alerts
- Runs as dedicated user with limited privileges (recommended)
- Systemd hardening (NoNewPrivileges, ProtectSystem, PrivateTmp)
- Localhost-only binding (127.0.0.1) - secure by default
## Installation
```bash
cd skills/security-dashboard
sudo ./scripts/install.sh
```
Access via SSH port forwarding for maximum security.
v1.1.2
## Version 1.1.0 - Security Hardening
**Security Improvements:**
- Run as dedicated user with limited privileges (default)
- Systemd hardening (NoNewPrivileges, ProtectSystem, PrivateTmp)
- Limited sudo access (only security check commands)
- Changed Restart=always to Restart=on-failure
**Breaking Changes:**
- Install script now prompts for user preference (user/root)
- Default changed from root to dedicated user
**Why This Matters:** Running as root with Restart=always increases attack surface. New version uses privilege separation while maintaining full monitoring capabilities.
v1.1.0
**Security-hardening update with new dedicated user option**
- Install script now asks whether to run as a dedicated “openclaw-dashboard” user (recommended) or root.
- Adds systemd security hardening: privilege restriction, isolated file access, limited restart policy.
- Dedicated user mode grants only specific sudo permissions needed for security checks (fail2ban, firewall, systemctl status).
- Updated documentation to explain all new hardening, install, and configuration options.
- Maintains existing features and config, no breaking changes.
v1.0.2
- Updated documentation in SKILL.md for clarity and consistency.
- No changes to core functionality or code; improvements are limited to documentation.
v1.0.1
- Updated documentation in README.md.
- No functional or code changes were made; SKILL.md contents were reorganized and/or clarified.
v1.0.0
Initial release of Security Dashboard Skill.
- Real-time dashboard for OpenClaw and Linux server security monitoring.
- Covers OpenClaw gateway, network/firewall state, port exposure, system metrics, SSH/fail2ban status, TLS/certificates, and resource usage.
- Systemd-based installation, secure localhost binding by default, and configurable via `server.js`.
- Provides both web UI and API endpoints to view metrics and integrate alerts.
- Includes sections for critical alerts, warning/informational states, and integration/automation points.
- Troubleshooting and uninstall instructions included for easy maintenance.
Metadata
Slug: security-dashboard
Version: 1.2.1
License
Total installs: 6
Current installs: 5
Historical versions: 7
FAQ

What is Security Dashboard?

Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure. Monitors gateway status, network security, public exposure, system updates, SSH access, TLS certificates, and resource usage. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1626 total downloads to date.

How do I install Security Dashboard?

Run the command "/install security-dashboard" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Security Dashboard free?

Yes, Security Dashboard is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Security Dashboard support?

Security Dashboard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Security Dashboard?

Developed and maintained by vegasbrianc (@vegasbrianc); the current version is v1.2.1.
