alirezarezvani

Senior Secops

Author: Alireza Rezvani · GitHub · v2.1.1 · MIT-0
cross-platform · ⚠ suspicious
2069 total downloads · 2 favorites · 11 current installs · 2 versions
Install in OpenClaw: /install senior-secops
Description
Senior SecOps engineer skill for application security, vulnerability management, compliance verification, and secure development practices. Runs SAST/DAST sc...
Safe-use recommendations
This skill appears to implement the advertised SecOps capabilities, but verify the following before installing it or running it on sensitive data:
- Ensure a Python runtime (3.x) and any required libraries are available; the SKILL metadata does not declare Python as a required binary.
- Inspect the three included scripts locally for network calls or credential usage (look for fetch_nvd_data, HTTP requests, or use of API tokens) before running them in production.
- Do not run the scanner over system-wide or credential-containing directories unless you want those secrets discovered; consider scanning a copy or limiting the target path.
- The docs show CI integrations that expect tokens (SNYK_TOKEN, etc.). If you integrate with third-party services, provide only minimum-scoped secrets via your CI secret store.
- Because some functions shown in the references look like placeholders or rely on external integrations, test the tool in a sandbox and confirm its outputs and failure modes before relying on it for audits or for blocking CI pipelines.
If you want, I can (1) summarize any network/IO calls found in the actual script files, (2) list external Python packages the scripts import that may need installation, or (3) highlight the exact lines where the scanner detects credential patterns so you can review them.
Feature analysis
Type: OpenClaw Skill
Name: senior-secops
Version: 2.1.1
The 'senior-secops' skill bundle is a comprehensive and legitimate security operations toolkit designed for local auditing and compliance verification. It includes Python scripts (security_scanner.py, vulnerability_assessor.py, and compliance_checker.py) that use regular expressions to identify common vulnerabilities such as hardcoded secrets, SQL injection, and XSS, and that check dependencies against a local CVE database. The code is well documented, itself follows secure coding practices, and contains no evidence of data exfiltration, malicious execution, or harmful prompt-injection instructions.
Capability assessment
Purpose & Capability
Name/description, SKILL.md, and the three scripts (security_scanner.py, vulnerability_assessor.py, compliance_checker.py) are consistent with a SecOps toolset (SAST/DAST, dependency CVE checks, compliance). However, the skill declares no required binaries, while the runtime instructions and GitHub Actions examples assume a Python runtime (and the examples show use of tools such as Snyk/Trivy). The missing Python requirement is an inconsistency that should be addressed.
Instruction Scope
SKILL.md instructs the agent/user to run the included Python scripts against a target path (a project directory). That scope is appropriate for a security scanner/compliance tool. Caveats: the code and references include example calls to external services (NVD/Snyk/Trivy) and placeholder functions (e.g., fetch_nvd_data, get_access_reviews) that may require network access or integration code not present in the bundle. Also, the scanner is designed to detect secrets (AWS keys, OpenAI keys, private keys), so running it against broad paths could enumerate sensitive findings; review and restrict scan targets accordingly.
Install Mechanism
No install spec (instruction-only with included scripts). That minimizes implicit installation risk. Because there is no install step, nothing is being downloaded or executed from arbitrary remote URLs by the skill itself.
Credentials
requires.env and primary credential are empty, which is consistent with the skill not demanding credentials up front. However the documentation and CI examples include SNYK_TOKEN and other external-tool tokens, and the scanner deliberately looks for many credential patterns in source code (AWS keys, GH tokens, OpenAI keys). This is not itself malicious, but you should not supply secrets to the skill and should avoid scanning locations containing live credentials unless you intend to surface/handle them. The absence of declared env vars while showing integration examples is an inconsistency to be aware of.
Persistence & Privilege
always:false and default autonomous invocation are set to normal values. The skill does not request persistent system-wide privileges and contains no install-time hooks to modify other skills. There are no signs it tries to persist credentials or alter platform config.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install senior-secops
  3. After installation completes, call the Skill by name directly or trigger it with /senior-secops
  4. Provide the required inputs according to the Skill's parameter description to receive structured output
Version history
v2.1.1
v2.1.1: optimization, reference splits
v1.0.0
senior-secops v1.0.0
- Initial release of the senior-secops skill.
- Provides a complete SecOps toolkit covering security scanning, vulnerability assessment, compliance checking, and security automation.
- Includes detailed workflows for security audits, CI/CD integration, CVE triage, and incident response.
- Supports security and compliance standards such as SOC 2, PCI-DSS, HIPAA, and GDPR.
- Features ready-to-use commands and best practices for secure development and operations.
Metadata
Slug senior-secops
Version 2.1.1
License MIT-0
Total installs 11
Current installs 11
Version count 2
FAQ

What is Senior Secops?

Senior SecOps engineer skill for application security, vulnerability management, compliance verification, and secure development practices. Runs SAST/DAST sc... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2069 cumulative downloads to date.

How do I install Senior Secops?

Run the command /install senior-secops in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.

Is Senior Secops free?

Yes. Senior Secops is completely free under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Senior Secops support?

Senior Secops runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Senior Secops?

Developed and maintained by Alireza Rezvani (@alirezarezvani); the current version is v2.1.1.
