首页 / 技能 / m78armor : openclaw security configuration check — m78armor — OpenClaw安全配置检查

🛡️ m78armor : openclaw security configuration check — m78armor — OpenClaw安全配置检查

v1.0.0

本地只读 OpenClaw 安全配置检查与加固评估工具。提供 17 项安全检查,覆盖网关、沙箱、文件系统、认证、插件、浏览器、发现服务等面。支持中英文双语输出与区域自动检测,高风险发现时退出码为 1,便于 CI 集成。

0· 22·0 当前·0 累计
move78ai 头像by @move78ai (Move78 AI)·MIT-0
安全
下载技能包 项目主页
License
MIT-0
最后更新
2026/4/15
0
安全扫描
VirusTotal
无害
查看报告
OpenClaw
安全
medium confidence
该技能声明的用途(本地只读 OpenClaw 配置检查)与其运行时指令和捆绑的 Node 脚本一致。清单或 SKILL.md 中未请求无关凭据或安装,但我无法完全验证整个脚本是否存在隐藏的网络调用,因此建议运行前进行审查。
评估建议
该技能对于本地只读配置检查来说似乎是合理的,范围适中。运行前:(1) 在本地审查完整的 scripts/m78armor-lite.js 文件(搜索 require('http'|'https'|'net'|'child_process'|'exec'|'spawn'|'fetch'|'axios') 或任何出站网络调用)以确认它不会将数据发送出主机或执行特权命令;(2) 在隔离环境中运行或使用明确的 --config 路径来定位目标 OpenClaw 配置;(3) 如需更高保证,请离线运行(无网络)以确保无外部回调,并检查代码中是否存在可能联系 ORDER_URL 的隐藏遥测或升级检查代码。如果希望我扫描完整脚本文本以查找网络/执行模式,请在此粘贴,我将逐行分析。...
详细分析 ▾
用途与能力
名称/描述、所需二进制文件(node)、README、SKILL.md 和包含的脚本均一致:该工具检查本地 OpenClaw 配置并报告结果。所需资源与声明的任务成正比;没有声明无关的凭据、二进制文件或系统路径。
指令范围
SKILL.md 指示运行捆绑的 Node 脚本,可选 --config/--json 标志,并明确声明只读范围和防护措施(不上传数据、不请求密钥、不运行加固)。README 记录了可选的环境覆盖(OPENCLAW_CONFIG、M78ARMOR_LANG)—— 这些是合理的。我没有看到任何指示代理读取无关主机机密的指令,也没有开放性语言授予广泛的任意数据收集。但是列表中捆绑的脚本源代码被截断;在信任它之前,请确认脚本不执行网络上传或生成特权命令。
安装机制
无安装规范;这是指令 + 捆绑脚本,在 Node 下运行。未声明外部下载或归档提取。假设脚本本身是良性的,这是一个低风险的安装面。
凭证需求
该技能不需要环境变量或凭据。README 记录了可选的环境变量来覆盖配置路径或语言;这些与工具的目的一致,不过度。清单或 SKILL.md 中未请求任何密钥。
持久化与权限
always 为 false,该技能可由用户调用;它不请求持久平台权限。SKILL.md 明确禁止在此免费版中切换到加固模式。没有迹象表明它修改其他技能或全局配置。
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/4/15

v1.0.0 — 首次公开发布。面向 OpenClaw 的本地只读配置检查与加固评估。覆盖网关、沙箱、文件系统、认证、插件、浏览器、发现服务等 17 项检查。支持中英文双语输出与区域自动检测。高风险发现时退出码为 1,支持 CI 流水线集成。包含 --quiet 标志用于自动化环境。

无害

安装命令

点击复制
官方npx clawhub@latest install m78armor-security-check
镜像加速npx clawhub@latest install m78armor-security-check --registry https://cn.longxiaskill.com

技能文档

中文说明: 本工具用于本地只读 OpenClaw 实例的安全配置检查与基线评估。执行本地优先 (local-first) 的安全审计与配置加固 (hardening) 建议。重点关注数据隐私 (privacy-first)、暴露面及配置漂移。不上传任何本地数据。

Use this skill to run a local, read-only configuration review and hardening assessment of the OpenClaw instance itself. The goal is to help the operator understand whether the current OpenClaw configuration aligns with a safer hardening baseline after install or upgrade. Keep the tone calm, factual, and operator-facing. Build trust through evidence, clear reasoning, and explicit limits. Do not use hype, fear theater, or vague security language.

What this skill reviews

Use the bundled script to inspect the local OpenClaw configuration baseline for:

  • misconfiguration findings
  • permission and exposure gaps
  • risky defaults
  • local drift indicators
  • abuse-path explanations for known misconfigurations

Output expectations

When presenting results to the operator:

  • explain what was found in plain language
  • explain how a finding can be abused without exaggeration
  • explain why it matters operationally
  • separate confirmed findings from assumptions
  • avoid absolute claims unless directly supported by the local evidence
  • keep remediation guidance practical and concise

Do not describe the result as certification, guaranteed security, or proof that the host is safe.

Default action

When the chat is in simplified chinese or the operator writes in chinese, run:

node {baseDir}/scripts/m78armor-lite.js --lang zh

When the chat is in english or another non-chinese language, run:

node {baseDir}/scripts/m78armor-lite.js --lang en

Only fall back to:

node {baseDir}/scripts/m78armor-lite.js

when the operator's preferred language is unclear.

Optional arguments

If the operator gives a specific OpenClaw config path, run:

node {baseDir}/scripts/m78armor-lite.js --config ""

If the operator explicitly asks for machine-readable output, run:

node {baseDir}/scripts/m78armor-lite.js --json

Guardrails

  • Stay read-only in this free edition.
  • Do not switch to --harden from this skill.
  • Do not request secrets, API keys, or gateway tokens.
  • Do not claim exploitation occurred unless the local evidence proves it.
  • Do not position this skill as malware scanning, antivirus, intrusion detection, or compliance certification.
  • If node is unavailable, stop and tell the operator to install Node.js first.

Paid boundary

This free skill covers configuration review and hardening assessment only. Do not claim that the free skill includes:

  • signature-based malicious skill detection
  • deep provenance or bundle analysis
  • advanced memory-file pattern analysis
  • automatic hardening remediation (自动加固修复)
  • backup or rollback
  • evidence-pack outputs

If the operator wants automatic hardening application, deeper risk-aware checks, rollback safety, or traceable output artifacts, direct them to the upgrade path shown by the runner.

数据来源ClawHub ↗ · 中文优化:龙虾技能库