← 返回 Skills 市场
Security Hardener
作者
stevojarvisai-star
· GitHub ↗
· v1.0.0
· MIT-0
90
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install security-hardener
功能描述
One-command OpenClaw security audit, scoring, and auto-remediation. Addresses CVE-2026-33579 and common misconfigurations. Scans for exposed API keys, weak f...
安全使用建议
This tool largely does what it says (scan + fix OpenClaw security issues), but it reads and can modify many personal and agent-related files (shell history, .env, SKILL.md files, openclaw.json). Before running 'fix': (1) inspect the full scripts/security-hardener.py yourself or with a trusted reviewer—the provided excerpt is large but truncated; (2) run 'python3 scripts/security-hardener.py audit --json --verbose' and/or a dry-run mode first, and review the proposed changes carefully; (3) create backups (use the --backup-dir option) and/or test in an isolated environment; (4) verify provenance—the package lists 'GetAgentIQ' but the skill's source/homepage is unknown; prefer tools from known sources or signed releases; (5) be aware the script will modify other skills' SKILL.md files and plugin settings, so plan for rollbacks. If you want to proceed safely, request the full script (untruncated) and a checksum/signature from the publisher before allowing auto-remediation.
功能分析
Type: OpenClaw Skill
Name: security-hardener
Version: 1.0.0
The security-hardener skill is a legitimate security auditing and remediation tool for OpenClaw. It scans for exposed API keys, checks authentication and transport configurations, audits plugin permissions, and verifies file system permissions. The script (security-hardener.py) performs these checks locally and provides actionable findings or automatic fixes (with backups) without any evidence of data exfiltration, unauthorized remote access, or malicious intent.
能力标签
能力评估
Purpose & Capability
The name/description (security hardener for OpenClaw) matches what the Python script does: scanning OpenClaw config/workspace, searching for secrets, checking permissions, network binding, plugin state, and offering auto-fixes. Requiring no external credentials and no install is plausible for a local hardening tool. Note: the tool claims to 'remove API keys from memory/SKILL.md files' and 'disable unsigned plugins' — those actions legitimately belong to a hardener but will modify other skill files and plugin state (see persistence_privilege).
Instruction Scope
SKILL.md and the script instruct the agent to scan many user paths (configs, workspace, .env files, shell history, git history) and to apply fixes (chmod, edit config, move/remove secrets, change bind address, disable plugins). Scanning shell history and git history and editing SKILL.md files can touch unrelated sensitive data and other installed skills. There's also an inconsistency: SKILL.md says 'Enables auth if disabled' in auto-fix, but the code's auth check marks enabling auth as not auto-fixable (requires user to pick a token). That mismatch affects user expectations about what the 'fix' command will do automatically.
Install Mechanism
No install spec — the skill includes an executable Python script only. This is lower risk than network-based installs. The shipped script will be executed locally; nothing in the provided excerpts shows it downloads and executes external code.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, it will read many local files (config, workspace, .env, shell history, git history). That is expected for secret scanning, but it's a high-sensitivity operation because it may find or touch secrets from unrelated services (AWS, OpenAI, Stripe, etc.). The script's SECRET_PATTERNS explicitly include many providers, so it will detect (and some commands claim to remove/relocate) sensitive credentials without requiring explicit user-supplied tokens.
Persistence & Privilege
The skill will modify local configuration and other skill files: changing openclaw.json, setting file permissions, moving secrets out of SKILL.md files, and disabling unsigned plugins. While these changes are in-scope for a hardener, they constitute modifications to other skills' files and to agent configuration. The skill is not 'always:true' and does not require autonomous invocation to run, but its auto-remediation operations have a real risk of breaking functionality or altering other skills. The user should expect the script to write to and change many files.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install security-hardener - 安装完成后,直接呼叫该 Skill 的名称或使用
/security-hardener触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — One-command OpenClaw security audit, scoring, and auto-remediation
元数据
常见问题
Security Hardener 是什么?
One-command OpenClaw security audit, scoring, and auto-remediation. Addresses CVE-2026-33579 and common misconfigurations. Scans for exposed API keys, weak f... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 90 次。
如何安装 Security Hardener?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install security-hardener」即可一键安装,无需额外配置。
Security Hardener 是免费的吗?
是的,Security Hardener 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Security Hardener 支持哪些平台?
Security Hardener 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Security Hardener?
由 stevojarvisai-star(@stevojarvisai-star)开发并维护,当前版本 v1.0.0。
推荐 Skills