
ClawSentry — Skill Tool

v1.1.2

[Auto-translated] Install and configure the security-related plugins required by OpenClaw, including the `ai-assistant-security-openclaw` plugins. Use this skill when y...

License: MIT-0
Last updated: 2026/3/27
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The skill's behavior (running a bundled Node.js installer that fingerprints the machine, spawns a detached monitor, writes tokens to disk, and talks to remote auth endpoints) is coherent with an installer-for-plugin claim but executing an opaque bundled script from an unknown source and the presence of device fingerprinting/background monitoring are notable risks you should verify before installing.
Assessment recommendation
This skill bundles and executes a Node.js installer (bundle.cjs) that fingerprints your machine, contacts remote authentication endpoints, spawns a detached monitor, stores tokens and updates plugin config. Before installing: (1) Inspect bundle.cjs fully to confirm the exact remote host(s) contacted and that there are no hidden/exfiltration behaviors; (2) Verify the code that performs the HTTPS calls (check for hard-coded domains, certificates, or redirects) and the encryption scheme used for st...
Detailed analysis
Purpose and capabilities
The name and description claim to install and configure security plugins for OpenClaw; the script's actions (install plugin, create login token, update plugin configuration) are consistent with that purpose. Items to verify: the SKILL.md lists API endpoints but no host/domain (endpoints are relative paths), so the actual remote service being contacted is not documented here — check bundle.cjs to confirm the destination. Device fingerprinting and automated uploading of tokens are plausible for account-binding but are sensitive and should be justified.
Instruction scope
Instructions tell the agent to run the bundled CommonJS script (node scripts/bundle.cjs), which will read machine identifiers (node-machine-id), create login tokens via network calls, write login_state.json and poll_login.log under a .state directory, spawn a detached background process for up to 10 minutes, and update OpenClaw plugin config with encrypted keys. Those steps are within installer scope, but device fingerprint collection, long-running background monitoring, and automatic config updates are broader-scope actions that warrant user review and consent.
Install mechanism
There is no separate install spec, but the bundle.cjs file included with the skill is executed directly — that is arbitrary code execution on the host. While the bundle uses well-known libraries (node-machine-id), running an opaque bundled script from an unknown/unstated source is a high-risk operation. The SKILL.md itself warns of arbitrary code execution risk; follow its own verification steps (inspect the script) before running.
Credential requirements
The skill requests no environment variables or external credentials in the registry metadata, which aligns with the installer role. However, it will locally generate/store tokens and device fingerprints and contact remote auth endpoints — make sure you understand which remote host will receive this data and why those artifacts are needed.
Persistence and privileges
The skill does not request to be always-enabled and has no special platform privileges, which is appropriate. It does modify OpenClaw plugin configuration (expected for an installer) and spawns a temporary detached process to poll login status (runs up to 10 minutes). That temporary background activity and the ability to write plugin configuration and encrypted API keys are powerful actions — verify the scope and contents of those writes before running.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest: v1.1.2 (2026/3/24)

- Switched the bundled install script from `bundle.js` to `bundle.cjs` with updated instructions.
- Added a detailed security section describing network communications, local file operations, data collection, risks, and verification steps.
- Expanded documentation to clarify third-party dependencies (`node-machine-id`, `child_process`) and their security implications.
- Updated user guidance for installation, login, and post-login verification steps.
- Removed legacy documentation and monitoring steps related to the previous script.

● Suspicious

Install command

Official: npx clawhub@latest install clawsentry
Mirror: npx clawhub@latest install clawsentry --registry https://cn.clawhub-mirror.com

Skill documentation

Script Functionality

The bundled script (bundle.cjs) performs the following operations:

  • Plugin Installation: Installs the ai-assistant-security-openclaw plugin for OpenClaw.
  • Device Fingerprinting: Collects machine identifiers using the node-machine-id library to generate a device fingerprint.
  • Login Token Creation: Communicates with the authorization API to create a login token.
  • Login URL Generation: Generates a unique login URL based on the login token.
  • Local Storage: Stores the login URL, token, and device fingerprint in {baseDir}/.state/login_state.json.
  • Background Monitoring: Spawns a detached child process to monitor login status for up to 10 minutes.
  • Configuration Update: Updates OpenClaw plugin configuration with encrypted API keys upon successful login.

Network Endpoints

The script communicates with the following API endpoints:

  • Login Token Creation: /OpenTOP/V1/Console/CreateLoginToken
  • Login Status Check: /OpenTOP/V1/Console/GetLoginTokenIdentity

All communications are conducted over HTTPS.

Local File Operations

The script reads from and writes to the following files:

  • Reads: Machine identifiers via the node-machine-id library
  • Writes:
    - {baseDir}/.state/login_state.json (stores login URL, token, and device fingerprint)
    - {baseDir}/.state/poll_login.log (logs monitoring activity)
    - OpenClaw plugin configuration (updates with encrypted API keys)

Data Collection

The script collects the following data:

  • Device Fingerprint: Generated from machine identifiers for device-binding purposes
  • Login Status: Monitored to determine when the user completes the login process

Install Mechanism

Installation Method

The skill uses a bundled CommonJS script (bundle.cjs) for installation. This script is executed directly to install and configure the ai-assistant-security-openclaw plugin.

Script Source

The bundled script is generated from the source code in the ClawSentry repository. It includes the following third-party libraries:

  • node-machine-id: Used to generate device fingerprints
  • child_process: Used by node-machine-id to query system information

Risk Considerations

  • Bundled Code: The script includes bundled third-party libraries, which may execute system-level operations.
  • System Queries: The script uses the node-machine-id library, which may use child_process to query system information.
  • Network Access: The script communicates with remote API endpoints for authentication.
  • Arbitrary Code Execution: Running bundled scripts from unknown sources can execute arbitrary code on your system.

Security Measures

  • HTTPS Communication: All network requests are conducted over HTTPS to ensure data encryption.
  • Encrypted Storage: Sensitive information (such as API keys) is encrypted before storage.
  • Limited Scope: The script only modifies OpenClaw plugin configurations and creates temporary files in the .state directory.
  • Transparent Operations: All script operations are documented in this file for transparency.

Verification Steps

Before executing the script, you should:

  • Review Full Script: Examine the complete script code to understand its functionality
  • Verify Integrity: Check the script's file integrity using a hash if provided
  • Monitor Execution: Run the script in a controlled environment and monitor its output
  • Ensure Trust: Only run the script if you trust the source of this skill
  • Check Permissions: Ensure the script has appropriate file permissions
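
As a first pass on the "Review Full Script" step, the added example below (not part of the skill or the ClawSentry project) scans a bundle's source text for hard-coded hosts, /OpenTOP/ paths missing from the documented endpoint list, plain-HTTP URLs, and the documented child_process, detached-spawn and machine-id behaviours. The sample bundle text, the example.invalid hosts and the UploadStats path are constructed for illustration; for a real check, pass the contents of scripts/bundle.cjs to auditBundle instead.

```javascript
// Added example: static pre-run audit of an installer bundle's source text.
// SAMPLE_BUNDLE, its example.invalid hosts and UploadStats are constructed.
const SAMPLE_BUNDLE = `
const { spawn } = require("child_process");
const { machineIdSync } = require("node-machine-id");
const BASE = "https://auth.example.invalid";
post(BASE + "/OpenTOP/V1/Console/CreateLoginToken", { fp: machineIdSync() });
get(BASE + "/OpenTOP/V1/Console/GetLoginTokenIdentity");
post("https://metrics.example.invalid/OpenTOP/V1/Console/UploadStats", {});
spawn(process.execPath, [script], { detached: true, stdio: "ignore" }).unref();
`;

// The two endpoint paths the skill documentation lists.
const DOCUMENTED_PATHS = [
  "/OpenTOP/V1/Console/CreateLoginToken",
  "/OpenTOP/V1/Console/GetLoginTokenIdentity",
];

// Behaviours the documentation describes; each should be locatable in the source.
const BEHAVIOUR_PATTERNS = {
  childProcess: /require\(\s*["'](?:node:)?child_process["']\s*\)/,
  detachedSpawn: /detached\s*:\s*(?:true|!0)/, // !0 is the minified form of true
  machineId: /node-machine-id|machineIdSync/,
};

function auditBundle(source, documentedPaths = DOCUMENTED_PATHS) {
  // Hard-coded hosts: the docs give only relative paths, so the real
  // destination(s) have to be read out of the code.
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)) {
    hosts.add(m[1].toLowerCase());
  }
  // Paths under the documented /OpenTOP/ prefix that the docs do not list.
  const undocumentedPaths = new Set();
  for (const m of source.matchAll(/\/OpenTOP\/[A-Za-z0-9_\/]+/g)) {
    if (!documentedPaths.includes(m[0])) undocumentedPaths.add(m[0]);
  }
  const behaviours = Object.fromEntries(
    Object.entries(BEHAVIOUR_PATTERNS).map(([k, re]) => [k, re.test(source)])
  );
  return {
    hosts: [...hosts].sort(),
    undocumentedPaths: [...undocumentedPaths].sort(),
    plainHttp: /http:\/\//.test(source), // would contradict "all HTTPS"
    behaviours,
  };
}

console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE), null, 2));
```

Pattern matching like this only narrows where to look; minified or obfuscated bundles can build hosts and paths at runtime, so a clean result does not replace reading the script.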

Alternative Installation

If you prefer a more controlled installation, you can:

  • Manually install the ai-assistant-security-openclaw plugin
  • Configure the plugin settings through the OpenClaw configuration system
  • Follow the manual setup instructions provided in the plugin documentation

Use Cases

  • Use this skill when you need to install and prepare the ai-assistant-security-openclaw plugins for the OpenClaw environment on the current machine.
  • Trigger this skill when the user mentions requirements such as "install clawSentry / ai-assistant-security-openclaw plugin / 帮我安装clawSentry技能 / 安装clawSentry技能".

Steps

1. Verify Node.js is installed:

Ensure Node.js (version 14 or higher) is installed on the system. You can check with:

node --version

2. Execute the combined script to install plugin and generate login link:

node {baseDir}/scripts/bundle.cjs

After the script completes:

  • The script will display the login URL directly. You can also extract it from the output by looking for the line that starts with [LOGIN_URL]:
  • You can also read the login URL from the {baseDir}/.state/login_state.json file (look for the loginUrl field). If the file doesn't exist, try reading it again after a few seconds. If you can't find the files, try looking in the .openclaw/skills/ClawSentry/scripts/ directory.
  • Send the login URL to the user along with this message: "After completing login, if you want to check if the installation was successful, please wait one minute and then ask me such as 'view all plugin list / 查看我的本地插件 '"
Data source: ClawHub. Chinese localization: 龙虾技能库