TopRank Skills

Official OpenClaw rules: 15%

security-audit-hand

Autonomous security audit - periodically checks system security, finds risks, and generates reports

Stars: 0
Installs: 0
Status: ACTIVE
Visibility: PUBLIC

Installation

Copy the prompt below and send it to your AI assistant to complete the installation.

First check whether the SkillHub store is installed. If it is not, install the SkillHub store according to https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/skillhub.md, then install the security-audit-hand skill. If it is already installed, install the security-audit-hand skill directly.

Overview

Skill Key: bandwe/security-audit-hand
Author: bandwe
Source Repo: openclaw/skills
Version: 1.0.0
Source Path: skills/bandwe/security-audit-hand
Latest Commit SHA: 3c12b3a71feb1a4e01a78f8c78e306643cfe1934

Extracted Content

SKILL.md excerpt

# Security Audit Hand - Autonomous Security Audit

## 🎯 Core Features

Autonomous, scheduled security checks:
- System vulnerability scanning
- Configuration audit
- Permission checks
- Log analysis
- Risk reporting

**Inspiration**: the OpenFang 16-layer security model

---

## 🛡️ Audit Framework (based on OpenFang)

### 16-Layer Security Checks

| # | Check | OpenFang implementation | This skill's implementation |
|---|-------|-------------------------|-----------------------------|
| 1 | Sandbox isolation | WASM dual metering | exec allowlist |
| 2 | Audit trail | Merkle hash chain | Log file |
| 3 | Taint tracking | Information-flow labels | Sensitive-data scan |
| 4 | Identity signatures | Ed25519 | ⏳ Pending |
| 5 | SSRF protection | Private-IP blocking | URL allowlist |
| 6 | Secret zeroization | Zeroizing | ⏳ Pending |
| 7 | Mutual authentication | HMAC-SHA256 | Token authentication |
| 8 | Capability gating | RBAC | Tool config file |
| 9 | Security headers | CSP/HSTS | N/A |
| 10 | Endpoint redaction | Minimized information | ✅ Implemented |
| 11 | Process sandbox | env_clear | ✅ Implemented |
| 12 | Injection scanning | Prompt detection | ✅ Implemented |
| 13 | Loop guard | SHA256 detection | ✅ Implemented |
| 14 | Session repair | 7-stage verification | ✅ Implemented |
| 15 | Path traversal | Canonicalization + symlink checks | ✅ Implemented |
| 16 | Rate limiting | GCRA | ⏳ Pending |

---

## 🔍 Audit Process (7 Phases)

### Phase 1: State Recovery
```
1. memory_recall `security_audit_state`
2. Read historical reports from `security_reports/`
3. Load the baseline configuration `security_baseline.json`
```

### Phase 2: System Information Collection
```bash
# System information
uname -a
whoami
pwd
df -h
free -h

# Network information: listening TCP sockets with owning process.
# ss replaces netstat on current Linux; process names for other users'
# sockets are only visible when run as root.
ss -tlnp 2>/dev/null || netstat -tlnp
# Public egress address. Note: this contacts a third-party service and
# discloses the host's public IP to it; skip on hosts that must not call out.
curl -s ifconfig.me

# OpenClaw status
openclaw gateway status
openclaw --version
```

### Phase 3: Configuration Audit
```
Check ~/.openclaw/openclaw.json:
- [ ] Is auth.token set?
- [ ] Is gateway.bind safe (loopback/lan)?
- [ ] Is tools.deny configured?
- [ ] Is session.dmScope safe?
- [ ] Are any secrets stored in plaintext?
```

### Phase 4: Permission Checks
```bash
# File permissions (config dir and secret files should be owner-only, e.g. 700/600)
ls -la ~/.openclaw/
ls -la ~/.openclaw/workspace/

# API key file: check mode and owner, and count key entries, without printing
# the key material into the audit transcript. GNU stat shown; on macOS use
# stat -f '%Lp %Su:%Sg %N'.
stat -c '%a %U:%G %n' ~/.openclaw/.api-keys.md
grep -cE "sk-|nvapi-" ~/.openclaw/.api-keys.md

# Process owner and arguments (the gateway should not run as root);
# the bracket trick keeps grep itself out of the match.
ps aux | grep '[o]penclaw'
```
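Phases 3 and 4 above are manual checklists. The block below is an added example, not code from the security-audit-hand skill or from OpenClaw, that runs the same checks programmatically against a constructed `~/.openclaw`-style directory: it parses an `openclaw.json`, applies the checklist (only the key names `auth.token`, `gateway.bind`, `tools.deny` and `session.dmScope` come from the page), walks the config for key-like strings and reports them redacted, and flags any file whose mode grants group or other permissions. The sample config, the `.api-keys.md` contents, the key-prefix pattern and the set of bind values treated as loopback are assumptions made for the illustration.

```python
"""Phase 3 + 4 audit helpers: configuration weaknesses and secret-file permissions.

Added example for this page, not code from the security-audit-hand skill or
OpenClaw. Only the key names from the checklist (auth.token, gateway.bind,
tools.deny, session.dmScope) come from the page; the sample config, the
secret-file contents, the key-prefix pattern and the loopback bind values
are constructed assumptions for illustration.
"""
import json
import os
import re
import stat
import tempfile

# Constructed weak config: empty token, gateway on all interfaces, no denied
# tools, no session.dmScope, and a provider key stored in plaintext.
SAMPLE_CONFIG = {
    "auth": {"token": ""},
    "gateway": {"bind": "0.0.0.0"},
    "tools": {"deny": []},
    "providers": {"openai": {"apiKey": "sk-abcdef1234567890"}},
}

# Assumption: keys use the prefixes the skill greps for, followed by 8+ chars.
SECRET_RE = re.compile(r"(sk-|nvapi-)[A-Za-z0-9_-]{8,}")
# Assumption: these bind values keep the gateway on the local host only.
LOOPBACK_BINDS = {"loopback", "127.0.0.1", "localhost", "::1"}


def find_plaintext_secrets(node, path=""):
    """Walk nested dicts/lists; return (json_path, redacted_value) for key-like strings."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            hits += find_plaintext_secrets(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits += find_plaintext_secrets(v, f"{path}[{i}]")
    elif isinstance(node, str) and SECRET_RE.search(node):
        hits.append((path, SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", node)))
    return hits


def audit_config(cfg):
    """Apply the Phase 3 checklist to a parsed openclaw.json; return findings."""
    findings = []
    if not cfg.get("auth", {}).get("token"):
        findings.append("auth.token is not set")
    bind = str(cfg.get("gateway", {}).get("bind", ""))
    if bind == "lan":
        findings.append("gateway.bind=lan: gateway reachable from the local network")
    elif bind not in LOOPBACK_BINDS:
        findings.append(f"gateway.bind={bind!r}: gateway reachable beyond loopback")
    if not cfg.get("tools", {}).get("deny"):
        findings.append("tools.deny is empty: no tool is blocked")
    if cfg.get("session", {}).get("dmScope") is None:
        findings.append("session.dmScope is not set")
    for path, _ in find_plaintext_secrets(cfg):
        findings.append(f"plaintext secret at {path}")
    return findings


def audit_file_modes(directory):
    """Phase 4: flag files in the config dir that group or others can access."""
    findings = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if not os.path.isfile(p):
            continue
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"{name}: mode {oct(mode)} readable by group/others; expected 0o600")
    return findings


def run_demo():
    """Build a constructed ~/.openclaw-like directory in a temp dir and run both audits."""
    with tempfile.TemporaryDirectory() as d:
        cfg_path = os.path.join(d, "openclaw.json")
        with open(cfg_path, "w") as f:
            json.dump(SAMPLE_CONFIG, f)
        os.chmod(cfg_path, 0o600)
        key_path = os.path.join(d, ".api-keys.md")
        with open(key_path, "w") as f:
            f.write("nvapi-EXAMPLE000000000000\n")  # constructed placeholder, not a real key
        os.chmod(key_path, 0o644)  # deliberately too permissive
        with open(cfg_path) as f:
            cfg = json.load(f)
        return {"config": audit_config(cfg), "modes": audit_file_modes(d)}


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section)
        for item in items:
            print("  -", item)
```

Run it directly to see the findings for the constructed directory; point `audit_config` at `json.load(open(os.path.expanduser("~/.openclaw/openclaw.json")))` and `audit_file_modes` at `~/.openclaw` to audit a real installation. The secret scan only ever reports the JSON path and a redacted value, so the findings list can go into the written report without copying the key.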

### Phase 5: Log Analysis
```bash
# Look for abnormal log entries
grep -iE "error|fail|unauthorized" /tmp/openclaw/*.log

# Count error lines per log file
grep -ci "error" /tmp/openclaw/openclaw-*.log

# Check for leaked secrets: count and locate matches, but redact the key
# itself so the audit report does not become a second copy of it
grep -cE "sk-[a-zA-Z0-9]+" /tmp/openclaw/*.log
grep -nE "sk-[a-zA-Z0-9]+" /tmp/openclaw/*.log | sed -E 's/sk-[a-zA-Z0-9]+/sk-[REDACTED]/g'
```
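The three grep commands above report matches but, as written in the original, print any matched key in full. The block below is an added example, not the skill's code, that does the same Phase 5 analysis over constructed sample log lines and adds what a practitioner wants from an audit tool: error counting, anomaly collection, repeated-unauthorized-source detection, and leaked-key detection that reports the line number with the key material redacted. The log format, the timestamps, the IP address and the key prefixes are constructed assumptions.

```python
"""Phase 5 log analysis over constructed sample lines.

Added example for this page, not the skill's code. It performs the checks
the three grep commands do, with one difference: lines containing key
material are reported redacted, so the audit report itself does not become
a second copy of the leaked secret. Log format, addresses and key prefixes
are constructed assumptions.
"""
import re
from collections import Counter

# Constructed sample log (not captured from a real gateway).
SAMPLE_LOG = """\
2025-01-01T10:00:01Z INFO gateway started bind=127.0.0.1:18789
2025-01-01T10:00:05Z ERROR provider openai: request failed (429)
2025-01-01T10:00:06Z WARN unauthorized request from 192.0.2.10 (missing token)
2025-01-01T10:00:07Z WARN unauthorized request from 192.0.2.10 (missing token)
2025-01-01T10:00:07Z WARN unauthorized request from 192.0.2.10 (missing token)
2025-01-01T10:00:09Z DEBUG provider openai: Authorization: Bearer sk-abcdef1234567890ABCDEF
2025-01-01T10:00:10Z ERROR tool exec: command failed exit=1
"""

SECRET_RE = re.compile(r"\b(sk|nvapi)-[A-Za-z0-9_-]{8,}")           # key-like tokens
ANOMALY_RE = re.compile(r"error|fail|unauthorized", re.IGNORECASE)  # same terms as the grep
ERROR_RE = re.compile(r"\berror\b", re.IGNORECASE)
UNAUTH_SRC_RE = re.compile(r"unauthorized request from (\S+)", re.IGNORECASE)


def redact(line):
    """Replace key material with its prefix plus [REDACTED]."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}-[REDACTED]", line)


def analyze(log_text, unauthorized_threshold=3):
    """Return error count, anomalous lines, leaked-key locations and noisy sources.

    Every line stored in the result passes through redact(), so the report
    never contains the raw key.
    """
    error_count = 0
    anomalies = []  # (line_no, redacted line)
    leaks = []      # (line_no, redacted line)
    unauth_by_source = Counter()
    for n, line in enumerate(log_text.splitlines(), start=1):
        if ERROR_RE.search(line):
            error_count += 1
        if ANOMALY_RE.search(line):
            anomalies.append((n, redact(line)))
        if SECRET_RE.search(line):
            leaks.append((n, redact(line)))
        m = UNAUTH_SRC_RE.search(line)
        if m:
            unauth_by_source[m.group(1)] += 1
    # Sources that hit the unauthorized path repeatedly deserve a closer look.
    suspicious = {src: c for src, c in unauth_by_source.items() if c >= unauthorized_threshold}
    return {
        "error_count": error_count,
        "anomalies": anomalies,
        "leaks": leaks,
        "suspicious_sources": suspicious,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("errors:", report["error_count"])
    for n, line in report["anomalies"]:
        print(f"anomaly L{n}: {line}")
    for n, line in report["leaks"]:
        print(f"LEAK    L{n}: {line}")
    print("suspicious sources:", report["suspicious_sources"])
```

To run it against a real installation, replace `SAMPLE_LOG` with the contents of the files under `/tmp/openclaw/`. A leak finding should trigger key rotation; the redacted line tells you which code path wrote the key into the log without the report itself needing to hold it.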

##...

Related Claw Skills

- capt-marbles / Task Router Skill (★ 0): Task Router
- captchasco / captchas-openclaw (★ 0): OpenClaw integration guidance for CAPTCHAS Agent API, including OpenResponses tool schemas and plugin tool registration.
- carol-gutianle / Modelready (★ 0): Start using a local or Hugging Face model instantly, directly from chat. metadata: {"openclaw":{"requires":{"bins": "bash", "curl" }, "env": "URL" }}
- cartoonitunes / Ethereum History (★ 0): Read-only factual data about historical Ethereum mainnet contracts. Use when the user asks about a specific contract address, early Ethereum contracts, deployment era, deployer, bytecode, decompiled code, or documented history (what a contract is and is not). Data is non-opinionated and includes runtime bytecode, decompiled code, and editorial history when available. Base URL https://ethereumhistory.com (or set BASE_URL for local/staging).
- cassh100k / agent-dna (★ 0): Portable agent identity encoding. Compress SOUL.md/MEMORY.md into transferable DNA fingerprints, detect identity drift between snapshots, and port personality across platforms (OpenClaw, Claude, GPT, CrewAI). Pure Python, zero dependencies. Use when migrating agents between platforms, detecting personality drift, or backing up agent identity.
- camopel / storage-cleanup (★ 0): One-command disk cleanup for macOS and Linux: trash, caches, temp files, old kernels, snap revisions, Homebrew, Docker, and Xcode artifacts. Use when the user asks to free storage, clean up disk, reclaim space, reduce disk usage, or encounters low disk / "disk full" warnings. Safe by default with dry-run mode. No dependencies beyond bash and awk.