Security Scan
OpenClaw
Safe
high confidence
The skill's files and runtime instructions are consistent with an advisory/instruction-only 'infrastructure' helper: it generates cloud CLI commands and backup scripts for the user to run and does not itself request credentials or install code.
Assessment Recommendations
This skill is essentially documentation and examples — not executable code pushed by the skill — so review and adapt everything before running. Specific suggestions: 1) Inspect backup scripts (pg_dump, aws s3 cp and cleanup logic) and replace placeholder bucket names; validate the aws s3 ls parsing/cleanup logic before enabling retention deletion. 2) Use least-privileged IAM credentials and short-lived tokens where possible; never paste long-lived root credentials into chats. 3) Test backup and ...
✓ Purpose and Capabilities
The name/description match the provided content: architecture patterns, provider CLI commands, and backup scripts. The skill is instruction-only and intends the user to run commands. It recommends common provider CLIs (hcloud, aws, doctl, docker) which are reasonable for the stated purpose. Minor documentation/metadata mismatch: registry metadata lists no required binaries/env vars while SKILL.md documents required tools and references environment variables the user must set.
✓ Instruction Scope
SKILL.md and the companion files show only guidance, example CLI invocations, and example scripts (cron entry, backup script) that assume the user provides credentials/environment variables and executes commands locally. There are no hidden endpoints, obfuscated code, or instructions to exfiltrate data. The scripts do reference env vars (e.g., $DATABASE_URL, $HCLOUD_TOKEN, AWS creds) and write outputs to /tmp and suggested cron paths — these are expected for backup/infra tooling but should be reviewed before execution.
✓ Install Mechanism
No install spec or remote downloads are present; all files are documentation and sample scripts. The skill only recommends commonly used community CLIs (brew install hcloud/awscli/doctl) and Docker Desktop — nothing fetched or installed automatically by the skill itself.
ℹ Credential Requirements
The skill does not declare required env vars in registry metadata, but its content repeatedly references credentials and connection strings (HCLOUD_TOKEN, AWS_ACCESS_KEY_ID, $DATABASE_URL, etc.). This is consistent with its 'user-driven credentials' model, but users should be aware they must supply appropriate credentials locally. Use least-privilege keys and avoid pasting sensitive tokens into shared/public contexts.
✓ Persistence and Privileges
The skill is not always-enabled and is user-invocable. It does not request persistent installation or modify other skills or system-wide settings. It does provide example scripts that a user might install (cron job, /opt/scripts), but these are user actions rather than automatic behavior by the skill.
Security is layered; review the code before running it.
Runtime Dependencies
🖥️ OS: Linux · macOS · Windows
Version
latest · v1.0.1 · 2026/2/13
User-driven credential model, explicit tool requirements
● Benign
Install command
Official: npx clawhub@latest install infrastructure
Mirror: npx clawhub@latest install infrastructure --registry https://cn.clawhub-mirror.com
Skill Documentation
Scope
This skill:
- ✅ Guides architecture decisions
- ✅ Provides provisioning commands for user to run
- ✅ Documents infrastructure patterns
User-driven model:
- User provides cloud credentials when needed
- User runs provisioning commands
- Skill guides decisions and generates commands
This skill does NOT:
- ❌ Store or access cloud credentials directly
- ❌ Run provisioning commands automatically
- ❌ Modify infrastructure without user confirmation
For implementation: the user runs the commands the skill provides, or uses the server skill for execution.
Quick Reference
| Topic | File |
|---|---|
| Architecture patterns | patterns.md |
| Provider commands | providers.md |
| Backup strategies | backups.md |
Core Rules
1. User Runs Commands
Skill generates commands, user executes:
Agent: "To create the server, run:
hcloud server create --name web1 --type cx21 --image ubuntu-24.04
This requires HCLOUD_TOKEN in your environment."
User: [runs command]
2. Required Tools (User Installs)
| Provider | Tool | Install |
|---|---|---|
| Hetzner | hcloud | brew install hcloud |
| AWS | aws | brew install awscli |
| DigitalOcean | doctl | brew install doctl |
| Docker | docker | Docker Desktop |
3. Credential Handling
- User sets credentials in their environment
- Skill never stores or logs credential values
- Commands reference env vars: $HCLOUD_TOKEN, $AWS_ACCESS_KEY_ID
4. Architecture Guidance
| Stage | Recommended |
|---|---|
| MVP | Single VPS + Docker Compose |
| Growth | Dedicated DB + load balancer |
| Scale | Multi-region + CDN |
5. Decision Framework
| Question | Answer |
|---|---|
| How to structure infra? | ✅ This skill |
| Should I add another server? | ✅ This skill |
| How to configure nginx? | Use server skill |
| How to write Dockerfile? | Use docker skill |
6. Backup Strategy
| Data | Method | Frequency |
|---|---|---|
| Database | pg_dump → S3/B2 | Daily |
| Volumes | Snapshots | Weekly |
| Config | Git | Every change |
Data source: ClawHub · Chinese localization: 龙虾技能库