
Trent OpenClaw Security Assessment

Author: trent-ai-release · GitHub · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 358
Favorites: 10
Current installs: 0
Versions: 6
Install in OpenClaw
/install trentclaw
Description
Assess your Agent deployment against security risks using Trent.
Safe-use recommendations
This skill appears to do what it says: collect OpenClaw metadata, package workspace skills (with redaction), and upload them to Trent for analysis using TRENT_API_KEY. Before installing or running:
  1. Only provide a TRENT_API_KEY you trust (the key gives the remote service ability to accept uploads and run analyses).
  2. Review and confirm the upload step when prompted — the code asks you to confirm before uploading, but an automated agent could bypass that prompt.
  3. Be aware redaction is regex-based and may miss custom secret formats; remove or move any highly sensitive files (private keys, proprietary data) out of the workspace or keep them in environment variables rather than in files.
  4. The client writes streaming output to temp files (tempfile.mktemp is used) — consider specifying output_file or cleaning temp files if you are concerned about local exposure.
  5. If you don't want any code leaving your environment, do not confirm uploads; the local metadata-only Phase 1 and the system_analysis output functions can be used for limited local inspection.
If you need more assurance, review the code yourself or run it in an isolated environment before granting the TRENT_API_KEY.
Functional analysis
Type: OpenClaw Skill
Name: trentclaw
Version: 1.2.0
The skill bundle implements a security auditor that collects OpenClaw configuration metadata and packages workspace source code into ZIP files for upload to a remote service (trent.ai). While it includes extensive local secret redaction logic (secret_redactor.py, package_skills.py) and instructs the agent to seek user confirmation before uploading (SKILL.md), the core functionality involves large-scale data exfiltration of potentially sensitive source code and system metadata. The use of urllib to PUT data to presigned S3 URLs (trent_client.py) and the broad workspace scanning represent significant security risks if the third-party service is untrusted. Additionally, trent_client.py uses the insecure tempfile.mktemp() function.
Capability tags
crypto · requires-oauth-token · requires-sensitive-credentials
Capability assessment
Purpose & Capability
Name/description match the code and runtime instructions. The package collects OpenClaw metadata, packages workspace/skills, redacts common secret patterns, and uploads packages to Trent using a single API key (TRENT_API_KEY), which is expected for an external analysis service.
Instruction Scope
SKILL.md explicitly describes three phases (collect metadata, scan/package skills, upload with user confirmation, then deep analysis). The code limits reads to ~/.openclaw (or OPENCLAW_WORKSPACE), excludes .env/key files, redacts secrets, and observes size/symlink limits. Note: the skill relies on the agent/automation to obey the 'wait for user confirmation' step — if an agent ignores that instruction the tool can upload packaged code.
Install Mechanism
Instruction-only install (no external installer). All required functionality is bundled in the skill files; no downloads or external install steps are performed by the skill itself.
Credentials
Only TRENT_API_KEY is required (primary credential), plus optional endpoint/workspace overrides. No unrelated credentials or system secrets are requested. The code explicitly excludes common secret file types and applies regex-based redaction before uploading.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (platform default). Combined with its ability to package and upload workspace code, autonomous invocation increases risk if the agent acts without user approval — SKILL.md asks to prompt the user before uploading, but the platform does not enforce that.
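How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install trentclaw
  3. Once installed, invoke the Skill by name or trigger it with /trentclaw
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history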
v1.2.0
- Phase 2 workflow improved: skill scanning now occurs before upload, with a clear preview of what will be sent and explicit user confirmation required.
- User messaging updated to clarify the exact data being uploaded and how secrets are redacted, including warnings about custom secret formats.
- Presentation of skill scan results enhanced with examples and tabular summaries.
- Initial phase summary and upload prompts adjusted to be more transparent and user-friendly.
- No code or functionality outside documentation changed.
v1.1.1
- Updated skill name, description, and tags to broaden applicability beyond AppSec and OpenClaw.
- Incremented version to 1.1.1.
- Updated documentation links and improved wording in SKILL.md for clarity.
- No functional changes to scripts or APIs; changes focused on metadata and documentation for better discoverability and onboarding.
v1.1.0
- Updated the description to support Agent deployments, broadening assessment coverage beyond OpenClaw.
- Bumped version to 1.1.0.
- No changes to usage instructions or API; all phases and guidance remain the same.
v1.0.2
- Skill renamed from trent-openclaw-security-assessment to trent-security-assessment.
- Version bumped from 1.0.1 to 1.0.2.
- No feature or instructional changes; documentation only updated to reflect new name and version.
v1.0.1
- Skill name updated to "trent-openclaw-security-assessment" for improved clarity.
- Description, tags, and metadata enhanced for discoverability and accuracy.
- Version bumped to 1.0.1.
- Documentation improvements: clearer purpose, more detailed tags, and updated instructions.
- No changes to functionality or audit workflow.
v1.0.0
Initial release of Trent OpenClaw Security Audit skill.
- Audits OpenClaw deployment for security risks via Trent AppSec Advisor.
- Detects misconfigurations, chained attack paths, and categorizes findings by severity with recommended fixes.
- Multi-phase workflow: configuration audit, skill code upload (with secret redaction), and deep skill analysis.
- User is shown exactly what data will be sent; dangerous files and secrets are excluded/redacted before upload.
- Results are grouped by severity and provide config diffs; system files are not modified directly.
- Includes utilities for reviewing system context and skill analysis data.
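Metadata
Slug: trentclaw
Version: 1.2.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 6
FAQ

What is Trent OpenClaw Security Assessment?

Assess your Agent deployment against security risks using Trent. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 358 total downloads to date.

How do I install Trent OpenClaw Security Assessment?

Run the command "/install trentclaw" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Trent OpenClaw Security Assessment free?

Yes. Trent OpenClaw Security Assessment is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Trent OpenClaw Security Assessment support?

Trent OpenClaw Security Assessment runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Trent OpenClaw Security Assessment?

It is developed and maintained by trent-ai-release (@trent-ai-release); the current version is v1.2.0.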
