📦 OpenClaw Security Audit

v1.0.2

Performs a comprehensive security audit of an OpenClaw deployment; requires system-level privileges.

Stats: 0 · 244 · 0 current · 0 cumulative

Last updated: 2026/4/21

Security scan: VirusTotal verdict: Suspicious

Tags: OpenClaw, Security

Assessment recommendation (medium confidence)
This skill appears to be a legitimate high-privilege audit tool, but it is inherently sensitive because it reads many system files and process environments. Before installing or running it: (1) review the full script contents yourself (or have a trusted reviewer do so), since it performs many system inspections; (2) do not enable the Git or Telegram options unless you understand what will be committed or sent (they are opt-in, but once enabled they transmit data to remote endpoints); (3) run audits on systems y...
Detailed analysis

Purpose and capabilities
The skill name/description (OpenClaw security audit) aligns with its actions: reading system state, OpenClaw workspace, process env, ports, cron, file hashes, and producing reports. The declared required commands in SECURITY.md (ss, top, systemctl, journalctl, last, df, find, etc.) match the checks described.
Instruction scope

SKILL.md directs the agent to run the bundled Python script, which performs many read-only system inspections (/etc, ~/.ssh, /proc/{pid}/environ, listening ports, process lists, file hashes). These are within audit scope, but SKILL.md also documents opt-in features that write and use the network (Git commits/pushes and Telegram notifications). The top-level description states 'All operations are read-only and local-only', which is misleading unless the later opt-in details are read as well.
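To check the 'read-only and local-only' claim against the bundled script without running it, the following static review helper is an added example, not code from the skill or from ClawHub. It walks a Python script's AST and lists network-capable imports, process-spawning calls (with line numbers), and the environment variables the script reads, then reports which of the documented opt-in flags are set in the current shell. The script it analyzes here is constructed to mimic the opt-in features described above; the real script's file name and structure are not known from this page, and the set of values treated as "enabled" for the opt-in flags is an assumption.

```python
import ast
import os
import sys

# Imports that indicate possible outbound network activity (non-exhaustive).
NETWORK_MODULES = {"socket", "http", "urllib", "requests", "httpx",
                   "smtplib", "ftplib", "telnetlib", "ssl"}
# Calls that spawn processes (a git commit/push would go through these) or shell out.
PROCESS_FUNCS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                 "subprocess.check_call", "subprocess.check_output", "os.system"}
# Opt-in flags documented in SKILL.md; which values count as "enabled" is assumed here.
OPT_IN_FLAGS = ("SECURITY_AUDIT_ENABLE_GIT", "SECURITY_AUDIT_ENABLE_TELEGRAM")


def _dotted(node):
    """Render an Attribute/Name chain such as os.environ.get as 'os.environ.get'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_network(modname):
    return modname.split(".")[0] in NETWORK_MODULES


def review_script(source):
    """Statically list what a script could do beyond local reads:
    network imports, process-spawning calls (with line numbers), env vars read."""
    tree = ast.parse(source)
    net, procs, env = set(), set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            net.update(a.name for a in node.names if _is_network(a.name))
        elif isinstance(node, ast.ImportFrom) and node.module and _is_network(node.module):
            net.add(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in PROCESS_FUNCS:
                procs.add(f"{name}@L{node.lineno}")
            # os.environ.get("X") and os.getenv("X") with a literal key
            if name in ("os.environ.get", "os.getenv") and node.args:
                key = node.args[0]
                if isinstance(key, ast.Constant) and isinstance(key.value, str):
                    env.add(key.value)
        elif isinstance(node, ast.Subscript):
            # os.environ["X"]; on Python 3.8 the slice is wrapped in ast.Index
            sl = node.slice
            if isinstance(sl, getattr(ast, "Index", ())):
                sl = sl.value
            if _dotted(node.value) == "os.environ" and isinstance(sl, ast.Constant):
                env.add(str(sl.value))
    return {"network_imports": sorted(net), "process_calls": sorted(procs),
            "env_vars": sorted(env)}


def enabled_opt_ins(environ):
    """Opt-in flags that are set to an enabling value in the given mapping."""
    return [f for f in OPT_IN_FLAGS
            if environ.get(f, "").strip().lower() in ("1", "true", "yes", "on")]


# Constructed sample standing in for the bundled script (not the real one).
SAMPLE_SCRIPT = '''\
import os, subprocess, json
from urllib import request   # only used by the opt-in Telegram notifier

def notify(text):
    token = os.environ.get("TELEGRAM_BOT_TOKEN")
    chat = os.getenv("TELEGRAM_CHAT_ID")
    request.urlopen("https://example.invalid/notify?chat=%s" % chat)

def main():
    state = os.environ["OPENCLAW_STATE_DIR"]
    if os.environ.get("SECURITY_AUDIT_ENABLE_GIT") == "1":
        subprocess.run(["git", "push"], cwd=state)
    if os.environ.get("SECURITY_AUDIT_ENABLE_TELEGRAM") == "1":
        notify("audit done")
'''

if __name__ == "__main__":
    # Review a real script path if one is given, otherwise the constructed sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCRIPT
    for k, v in review_script(src).items():
        print(f"{k}: {v}")
    print("opt-ins enabled in this shell:", enabled_opt_ins(os.environ))
```

Run it as `python review.py path/to/skill_script.py` against the unpacked skill. A non-empty network_imports or process_calls list is not a finding by itself; it tells you which functions to read closely and to confirm they are only reachable behind the opt-in flags. Dynamic lookups such as os.environ.get(name) with a variable key are not resolved and should be read by hand.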
Installation mechanism

No install spec or external downloads: the skill ships as a bundled Python script plus docs, which is lower risk than remote fetch-and-install mechanisms.
Credential requirements

Metadata lists no required environment variables. SKILL.md and the script read optional ones (SECURITY_AUDIT_ENABLE_GIT, SECURITY_AUDIT_ENABLE_TELEGRAM, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, OPENCLAW_STATE_DIR), which is reasonable for opt-in features. The skill does not need external API credentials by default, but it reads process environments and files that can themselves contain secrets: acceptable for an audit tool, but the resulting reports are sensitive.
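The process environment that the script reads from /proc/{pid}/environ is exactly where bot tokens and similar secrets tend to live, so anything the audit writes into a report (and, with the opt-ins enabled, commits or sends) should be redacted first. The following is an added example, not the skill's own code: it parses the environ format (NUL-separated KEY=VALUE entries) and masks values of secret-looking keys before they reach a report. The environ block is constructed, and the key-name patterns used to decide what counts as a secret are an assumption.

```python
import re

# Key names that usually carry secrets; an assumption for this example, extend as needed.
SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASS(WORD)?|API_?KEY|PRIVATE_?KEY|CREDENTIAL|AUTH", re.I)
REDACTED = "[REDACTED]"


def parse_environ(raw):
    """Parse /proc/<pid>/environ: NUL-separated KEY=VALUE entries, bytes in, str out.
    An entry without '=' is kept with an empty value rather than dropped."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace") if sep else ""
    return env


def redact(env):
    """Copy of env with secret-looking values masked; the length is kept as a hint
    so a reviewer can still tell an empty token from a populated one."""
    return {k: (f"{REDACTED} (len={len(v)})" if v and SECRET_KEY_RE.search(k) else v)
            for k, v in env.items()}


def read_process_env(pid):
    """Read and redact a live process's environment.
    Reading another user's process needs root: the file is owner-readable only and
    gated by ptrace access checks. It reflects the environment at exec time, not
    changes the process made afterwards."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return redact(parse_environ(f.read()))


# Constructed sample environ block (not captured from a real system).
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\0HOME=/home/claw\0"
    b"OPENCLAW_STATE_DIR=/var/lib/openclaw\0"
    b"TELEGRAM_BOT_TOKEN=123456:abcdefghij\0"
    b"AWS_SECRET_ACCESS_KEY=examplesecretvalue\0"
    b"NOEQUALS\0"
)

if __name__ == "__main__":
    for k, v in redact(parse_environ(SAMPLE_ENVIRON)).items():
        print(f"{k}={v}")
```

Key-name matching catches the common cases but not secrets stored under neutral names (a value pasted into a variable called CONFIG, for instance), so treat the redacted report as still sensitive and keep it local unless you have reviewed it.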
Persistence and privileges

The skill does not request persistent, always-on privilege and is user-invocable. To be effective it needs elevated filesystem and process read privileges, which is expected for an audit tool. The optional Git backup writes and commits to the user's repository only if enabled.

Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest: v1.0.2 (2026/3/14)

Install command

Official: npx clawhub@latest install security-audit-openclaw
Mirror (accelerated): npx clawhub@latest install security-audit-openclaw --registry https://cn.longxiaskill.com

Installing through the mirror fetches the package from that registry rather than from ClawHub, so you are trusting the mirror for the package contents; compare the installed files against the official source if that matters to you.

Data source: ClawHub · Chinese localization: 龙虾技能库