← 返回 Skills 市场
194
总下载
1
收藏
0
当前安装
9
版本数
在 OpenClaw 中安装
/install server-mate
功能描述
Build or extend a lightweight server monitoring and AI operations workflow for Linux hosts running Nginx or Apache. Use when Codex needs to collect psutil me...
安全使用建议
This package is internally consistent with a server-monitoring tool, but review and control these items before deployment:
- Automation: Keep automation.dry_run: true and auto_ban/auto_heal disabled until you've validated alerts, allowlists, cooldowns, audit logs, and rollback plans. The command templates (iptables, systemctl) will be executed if you enable automation.
- Secrets & webhooks: Webhook URLs, Telegram tokens, and any OpenAI key are operator-supplied secrets. Store them securely and do not commit them to Git. The agent will send data to whatever webhook/API endpoints you configure.
- GeoIP bootstrap: If no local MaxMind .mmdb is available the report generator will attempt a public mirror download (GEOIP_MIRROR_URL points at a GitHub-hosted mirror). Prefer provisioning GeoIP via your own MaxMind account and geoipupdate; treat public-mirror downloads as an operator-reviewed bootstrap only.
- Log paths & scope: The agent can auto-detect auth logs (e.g., /var/log/auth.log or /var/log/secure) if configured that way; verify config.yaml paths to avoid unintentionally reading system logs you don't want processed. Running with defaults on a production host may require root privileges for some operations and to access protected log files.
- Network egress: Enabling AI analysis or webhook channels will cause egress to third-party services (OpenAI, Telegram, DingTalk, Feishu, etc.). Audit the content you allow to be sent (raw or excerpted logs) and sanitize sensitive fields if needed.
If you want increased assurance before installing: inspect the command_template strings in your config, run the agent in a sandbox with synthetic logs, and prefer local-only config paths (./data, ./logs, ./reports) until you're ready to connect real endpoints.
功能分析
Type: OpenClaw Skill
Name: server-mate
Version: 1.3.3
The skill bundle implements a server monitoring and automation system with high-privilege capabilities, specifically 'auto-ban' and 'auto-heal' features in 'server_agent.py' that execute system commands (e.g., iptables, systemctl) via subprocess. While the code includes safety measures like 'dry_run' modes, whitelists, and the use of 'shlex.split' to mitigate shell injection, the pattern of executing commands based on parsed log data (which can be influenced by external attackers) poses a inherent security risk. Additionally, 'report_generator.py' includes logic to download a GeoIP database from a third-party GitHub repository (P3TERX/GeoLite.mmdb) if not found locally, which introduces a supply chain risk. No clear evidence of intentional malice or data exfiltration was found, but the high-risk capabilities warrant a suspicious classification.
能力评估
Purpose & Capability
Name/description match the included scripts and docs: collector agent, report generator, webhook delivery, GeoIP handling, and guarded automation. The included Python files implement the advertised features (log parsing, SQLite rollups, report PDFs, webhooks, optional AI analysis and auto-ban/heal templates). The presence of iptables/systemctl command templates and GeoIP bootstrap logic is coherent with the 'auto-ban', 'auto-heal', and 'GeoIP provisioning' features.
Instruction Scope
SKILL.md explicitly recommends read-only collection by default, keeping artifacts local, and leaving automation in dry-run. However the agent supports (and will attempt) auto-detection of auth logs and has command_template execution paths for firewall and restart actions (guarded by config flags). The analyzer/report generator may call external OpenAI endpoints if ai_analysis is enabled and an API key is present. Operators should note that the agent can read configured system log paths (including /var/log/auth.log when auto-detected) and will transmit alerts/reports to operator-supplied webhooks or to OpenAI/Telegram when enabled.
Install Mechanism
No install spec; the skill is instruction + Python scripts. That lowers installation risk. Dependencies are standard Python packages (psutil, pyyaml, matplotlib, optional geoip libs) and the repo uses only typical stdlib networking and subprocess calls.
Credentials
No required environment variables are declared, which aligns with the skill being optional/locally configured. The code optionally reads TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID and OPENAI_API_KEY when features are enabled. Those variables are reasonable for the advertised integrations; they are optional and documented in SKILL.md/_meta.json. Operators should ensure webhook URLs and API keys are provided only when needed and kept secret in config or environment.
Persistence & Privilege
Skill is not force-included (always:false) and follows an opt-in automation model (automation.dry_run defaults to true, auto_ban/auto_heal default to disabled). The code can execute system commands via configurable templates (iptables, systemctl) but those paths are gated by configuration and documented safety checks. No evidence the skill tries to modify other skills or system-wide agent config automatically.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install server-mate - 安装完成后,直接呼叫该 Skill 的名称或使用
/server-mate触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.3
No user-facing changes in this release.
- Version updated to 1.3.3 (no content or file changes detected).
v1.3.2
Version 1.3.2 is a minor documentation update with clarified GeoIP practices and stronger automation safeguards.
- Clarifies use of MaxMind GeoLite2 workflow for GeoIP updates, preferring local configuration with official `geoipupdate`.
- Expands safety rules: do not enable auto-ban or auto-heal automation features (`dry_run: false`) without explicit operator approval of commands, allowlists, and cooldowns.
- Documentation otherwise retains previous structure and features; no detected code changes.
v1.3.1
Version 1.3.1
- Added support for GeoIP official refresh via local `./data/GeoIP.conf` and `geoipupdate`, including public mirror fallback.
- Updated documentation to treat GeoIP credentials as local-only secrets, not to be committed to Git.
- All previous features retained: multi-site matrix config, guarded automation, logrotate-tolerant readers, SSH brute-force detection, SSL expiry reports, and Telegram alerting.
v1.3.0
**Server Mate 1.3.0** adds SSH brute-force detection, SSL expiry reports, and Telegram alert support.
- Adds SSH brute-force detection with alerting and optional auto-ban.
- Includes SSL certificate expiry checks in reports and webhooks.
- Supports Telegram integration for alerts and report delivery.
- Now parses access, error, and auth logs.
- All previous features remain, including multi-site monitoring, guarded automation, and incremental log reading.
v1.2.0
No file changes detected in this release.
- Version number updated to 1.2.0, but underlying files are unchanged.
- No new features, fixes, or documentation updates in this version.
- Safe to skip upgrade if you are running 1.1.2.
v1.1.2
server-mate 1.1.2
- All generated files and logs now default to the current workspace (e.g., ./config.yaml, ./logs/, ./metrics.db, ./reports/) instead of system-wide directories.
- Cron job and scheduling examples updated for local paths and non-rooted installs.
- In OpenClaw, `OPENAI_API_KEY` is now injected automatically; users are not required to export it manually.
- Documentation improved for local workspace usage and OpenClaw deployment.
- No changes to functional logic.
v1.1.1
- Added homepage and metadata fields in SKILL.md for improved discoverability and documentation.
- Clarified handling of secrets: treat `OPENAI_API_KEY` and webhooks as sensitive and not required unless optional features are used.
- Strengthened language around auto-ban and auto-heal, emphasizing these are privileged, opt-in features.
- No functional changes to logic or workflow; all features remain as in 1.1.0.
- Release notes and example cron jobs maintained for consistency with previous version.
v1.1.0
Version 1.1.0 adds multi-site support, guarded automation, improved safety, and enhanced scheduling guidance.
- Introduced matrix-style config with `system_metrics` and `sites[]` for multi-site monitoring (see new `config.example.yaml`).
- Added separation of host-global metrics from site-local rollups.
- Implemented logrotate-compatible incremental readers with recovery.
- Expanded automation safety: default `dry_run`, enforce whitelists, TTL-based unban, cooldowns, and audit trail in SQLite.
- Updated documentation with new multi-site layout, audit requirements, and scheduling tips.
v1.0.0
Initial release of server-mate, a lightweight server monitoring and AI ops workflow for Linux hosts running Nginx or Apache.
- Provides a two-plane monitoring system: Python server agent for log/metric collection and analyzer for aggregation, alerting, and AI diagnosis.
- Details a safe, incremental workflow for implementing collection, alerting, auto-ban, and auto-heal features.
- Includes agent and analyzer best practices, strict safety rules, and clearly defined report expectations.
- Recommends external scheduling via cron or systemd for data collection and report generation.
- Supports user-requested natural-language monitoring questions and guarded automation.
- Example cron jobs and usage patterns provided for practical rollout.
元数据
常见问题
Server Mate 是什么?
Build or extend a lightweight server monitoring and AI operations workflow for Linux hosts running Nginx or Apache. Use when Codex needs to collect psutil me... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 194 次。
如何安装 Server Mate?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install server-mate」即可一键安装,无需额外配置。
Server Mate 是免费的吗?
是的,Server Mate 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Server Mate 支持哪些平台?
Server Mate 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Server Mate?
由 tankeito(@tankeito)开发并维护,当前版本 v1.3.3。
推荐 Skills