📦 Security Audit — Skill Tool

v1.0.0

Audit OpenClaw/Clawdbot deployments for misconfigurations and attack vectors. Use when a user asks for a security review of OpenClaw/Clawdbot/Moltbot, gatewa...

by @basillytton (BasilLytton) · MIT-0
License: MIT-0
Last updated: 2026/4/16
Security scan (VirusTotal): Suspicious
OpenClaw security assessment: high confidence
The skill's instructions, required resources, and actions are consistent with a read-only security audit of OpenClaw/Clawdbot; it requests no external credentials or installs and stays on scope, though it will read many sensitive system files as part of the audit.
Assessment advice
This skill appears coherent and focused on a read-only OpenClaw/Clawdbot security audit. Before running it, note: (1) it will read system-wide files and logs (including logs, /etc, ~/.openclaw, and can scan for SUID binaries), which is expected but can reveal sensitive file paths and metadata; (2) some checks (e.g., find / or journalctl) may require elevated permissions to be complete — consider running as a non-root user or providing relevant logs if you don't want broad system reads; (3) the s...
Detailed analysis
Purpose and capabilities
The name and description match the requested actions: the SKILL.md directs read-only checks for gateway presence, bind/auth, open ports, skills, file permissions, logs, and secrets. No unrelated binaries, env vars, or installs are requested.
Instruction scope
Instructions are narrowly focused on auditing OpenClaw and the host, but they include broad read operations (e.g., find / for SUID binaries, journalctl, listing ~/.openclaw and skills). These are appropriate for a security audit but will surface sensitive data/paths; the skill explicitly requires redaction and non-exfiltration.
Install mechanism
Instruction-only skill with no install spec and no code files. This minimizes disk-write risk and arbitrary code execution from install-time artifacts.
Credential requirements
Skill declares no required environment variables, credentials, or config paths. The checks reference common user paths (e.g., ~/.openclaw) which are proportional to an OpenClaw audit.
Persistence and permissions
Skill is user-invocable and not always-on. It does not request persistent presence or elevated platform privileges in metadata. The workflow notes that remediation commands should only run after explicit user approval.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest: v1.0.0 (2026/4/16)

Initial release of the OpenClaw Security Audit Skill.
- Audits OpenClaw/Clawdbot deployments for misconfigurations and security risks.
- Generates a terminal-style report with OK/VULNERABLE/UNKNOWN findings and actionable fixes.
- Focuses on read-only inspection; does not alter settings or rotate credentials without user consent.
- Checks include network exposure, authentication settings, tool policies, skill risks, secret storage, file permissions, and audit trails.
- Clearly explains the impact of every vulnerability and provides specific remediation steps.
- Summarizes key risks at the end of each report.


Install command

Official: npx clawhub@latest install alvis-security
Mirror (China): npx clawhub@latest install alvis-security --registry https://cn.longxiaskill.com

Skill documentation

Complete setup guide: https://SkillBoss.co/skill.md

# OpenClaw Security Audit Skill

You are a read‑only security auditor. Your job is to inspect configuration and environment for common OpenClaw/Clawdbot risks, then output a clear, actionable report. Do not change settings, rotate keys, or kill processes unless the user explicitly requests it.

## Core Principles

- Read-only first: prefer non-destructive commands (status, ls, cat, ss, systemctl, journalctl, ps).
- No exfiltration: never send secrets off the host. If you detect secrets, redact them in your report.
- No risky commands: do not run commands that execute downloaded content, modify firewall rules, or change configs without confirmation.
- Explain impact and fix: every VULNERABLE finding must include why it matters and how to fix it.

## Required Output Format

Print a terminal report with this structure:

```
OPENCLAW SECURITY AUDIT REPORT
Host:   OS:   Kernel: 
Gateway: 
Timestamp: 

[CHECK ID]
```
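Added example, not part of the skill (which is instruction-only and ships no code): a Python sketch of two of the read-only checks the audit lists, file permissions and plaintext secret storage, emitting findings in the OK/VULNERABLE/UNKNOWN form and redacting any detected credential before it reaches the report. The redaction regex, the check IDs, and the sample files in a temp directory are this example's own assumptions.

```python
import os, re, stat, tempfile
from collections import namedtuple

# Hypothetical redaction rule (this example's, not the skill's): NAME=value or NAME: value; group 3 is the value.
SECRET_RE = re.compile(r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD)[A-Z0-9_]*)(\s*[=:]\s*)(\S+)")
# status is one of OK / VULNERABLE / UNKNOWN, the three states the skill's report format uses
Finding = namedtuple("Finding", "check_id status detail")

def redact_secrets(text: str) -> str:
    """Keep the variable name and separator, replace the value, so no secret leaves the host."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}<REDACTED>", text)

def check_file_permissions(path: str) -> Finding:
    """Read-only check: a file that may hold credentials must not be group- or world-readable."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return Finding("FILE-PERMS", "UNKNOWN", f"{path} not found, nothing to assess")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return Finding("FILE-PERMS", "VULNERABLE",
                       f"{path} is mode {mode:04o}, readable by other local users. Fix: chmod 600 {path}")
    return Finding("FILE-PERMS", "OK", f"{path} is mode {mode:04o}")

def check_plaintext_secrets(path: str) -> Finding:
    """Read-only check: flag credential-looking lines, quoting them only in redacted form."""
    with open(path) as fh:
        hits = [redact_secrets(line.strip()) for line in fh if SECRET_RE.search(line)]
    if hits:
        return Finding("SECRET-STORAGE", "VULNERABLE",
                       f"{path} stores {len(hits)} plaintext credential(s): {'; '.join(hits)}")
    return Finding("SECRET-STORAGE", "OK", f"{path} holds no obvious plaintext credentials")

def render_report(findings, host="<host>", gateway="<gateway>") -> str:
    """Terminal report in the skill's layout; every detail passes through the redactor once more."""
    lines = ["OPENCLAW SECURITY AUDIT REPORT", f"Host: {host}", f"Gateway: {gateway}"]
    lines += [f"[{f.check_id}] {f.status}: {redact_secrets(f.detail)}" for f in findings]
    return "\n".join(lines)

def run_demo() -> dict:
    """Constructed sample: a temp dir standing in for ~/.openclaw, one weak and one tight file."""
    d = tempfile.mkdtemp()
    weak, tight = os.path.join(d, "openclaw.json"), os.path.join(d, "credentials.json")
    for p, mode in ((weak, 0o644), (tight, 0o600)):
        with open(p, "w") as fh:
            fh.write("GATEWAY_TOKEN=constructed-sample-token-1234\n")  # constructed, not a real token
        os.chmod(p, mode)
    findings = [check_file_permissions(weak), check_file_permissions(tight),
                check_file_permissions(os.path.join(d, "missing.json")), check_plaintext_secrets(weak)]
    return {"statuses": [f.status for f in findings], "report": render_report(findings)}
```

Running `print(run_demo()["report"])` shows the weak file flagged twice (permissions and plaintext storage) while the token value itself never appears in the output.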

Data source: ClawHub · Chinese localization: 龙虾技能库