Claw Asset & Privacy Guardian
v0.1.0提供完全本地、匿名化的数字资产和隐私安全检测与监控,防止敏感信息泄露与账号劫持风险。
⭐ 0· 945·1 current·1 all-time
bySkilledClaw@betsymalthus
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
SKILL.md and README describe a local privacy & asset scanner whose primary actions are filesystem scans and anonymous reporting — that aligns with the included Python code and tests which perform local scans and anonymization. However, the manifest and docs also advertise integrations (social media audits, dark‑web monitoring, cloud services, wallet monitoring) that would require network access and credentials, yet the skill declares no required environment variables and has no clear, implemented integration hooks visible in the provided files. Also the repository contains a package.json (Node-style manifest) while the implementation is Python — an inconsistency that is not fatal but surprising.
Instruction Scope
The SKILL.md instructs broad actions: scanning arbitrary directories, auditing browser/social media privacy, monitoring wallets, and optionally monitoring dark‑web leaks. Those operations could legitimately require reading many local paths and contacting external APIs. The included code and tests demonstrate local directory scanning and anonymization, but SKILL.md gives the agent wide discretion (selective/regular scans, exclude patterns, monitor wallets) which could lead the agent to read large parts of a user's filesystem and potentially request credentials. The instructions claim 'completely local' processing, but also describe optional external integrations without specifying how credentials are provided or what endpoints are contacted.
Install Mechanism
There is no formal install spec; this is described as an instruction-only skill but code files are included. SKILL.md shows manual copy steps and references a 'clawdhub install' command — fine, but the package layout mixes Python code with a package.json. No remote downloads or extract steps are present in the provided files, which lowers install risk, but the mixing of packaging conventions is inconsistent and worth checking with the maintainer.
Credentials
The skill declares no required environment variables or primary credential, yet the docs/tests and SKILL.md show many features that would typically need secrets (cloud APIs, social media APIs, wallet monitoring, dark‑web monitoring). The test suite intentionally creates files containing AWS keys, Stripe keys, etc., to verify detection — that is expected for a scanner — but the skill does not declare or restrict how real credentials would be supplied. This mismatch (no declared envs but many credential-requiring features) is a red flag: users may be prompted at runtime to provide sensitive credentials or to link accounts without a clear, auditable mechanism.
Persistence & Privilege
The skill does not request always:true and does not declare system config paths or privileged operations. It proposes adding configuration under ~/.openclaw/config.json and stores data locally per its documentation, which is consistent with a local scanner. There is a minor concern that logging is enabled at INFO and could inadvertently leak details if anonymization isn't perfect, so inspect logs before exposing them.
What to consider before installing
This skill appears to implement a local privacy/secret scanner and anonymizer; however, there are several inconsistencies you should address before installing or giving it access to real data:
1. Code audit: review the full Python source for any network calls (requests, urllib, sockets) or hardcoded remote endpoints. The package.json lists 'requests' as a dependency; check whether the code actually calls external services and which endpoints it uses.
2. Test in isolation: run the included test suite in a disposable VM or container with only non-sensitive sample files (the tests already create dummy secrets). Do not point it at your real home or project directories until you're confident.
3. Credential policy: the SKILL.md advertises social/media and cloud integrations but the skill declares no required env vars. Ask the author how credential input is handled and where tokens would be stored; prefer OAuth or short-lived tokens and avoid entering long-lived credentials unless you inspected the code.
4. Verify anonymization: confirm anonymized reports do not contain raw secrets by checking produced reports for sample secrets and edge cases specific to your data formats.
5. Packaging mismatch: question the maintainer about the mixed packaging (package.json vs Python implementation) and how 'privacy-guardian' CLI commands are installed/registered. Ensure there is no hidden installer that downloads code at install time.
If you cannot perform these checks yourself, do not install the skill on a system containing sensitive data. Running it in a sandbox (VM/container) and limiting its filesystem access is the safest first step.Like a lobster shell, security has layers — review code before you run it.
latest
SkilledClaw@betsymalthus
DownloadClaw Asset & Privacy Guardian
🔒 资产与隐私守护者
🛡️ 问题背景
在数字时代,资产安全和隐私保护至关重要。OpenClaw用户需要保护他们的:
- 数字资产:加密货币钱包、在线账户、API密钥
- 隐私信息:个人信息、通信内容、敏感数据
- 账号安全:密码安全、双因素认证、登录活动
🎯 核心使命
在不暴露主人敏感信息的前提下,提供全面的资产和隐私保护。
🔍 核心功能
1. 敏感信息保护
- 检测代码中的硬编码凭据、API密钥、私钥
- 扫描配置文件中的敏感信息泄露
- 检查日志文件中的隐私数据暴露
- 识别可能泄露信息的代码模式
2. 账号安全审计
- 检查常用服务的账号安全设置
- 验证双因素认证是否启用
- 分析密码强度和重复使用
- 监控异常登录活动模式
3. 隐私配置检查
- 审计社交媒体隐私设置
- 检查浏览器隐私配置
- 验证应用程序权限设置
- 评估数据收集和共享实践
4. 资产安全监控
- 监控加密货币钱包地址活动
- 检查重要账号的安全状态
- 追踪API密钥使用情况
- 预警可疑的资产转移
5. 数据泄露预警
- 监控暗网数据泄露(可选集成)
- 检查邮箱是否出现在数据泄露中
- 预警密码泄露风险
- 提供数据泄露应对建议
6. 安全加固建议
- 个性化的安全改进建议
- 隐私保护最佳实践指导
- 资产安全管理策略
- 应急响应计划模板
🚫 隐私保护原则
- 完全本地运行 - 所有分析在本地进行,不发送数据到外部
- 匿名化报告 - 报告只显示问题类型和建议,不暴露具体敏感信息
- 可配置敏感度 - 用户可以自定义哪些信息需要保护
- 选择性扫描 - 用户可以排除特定目录或文件类型
📦 安装方法
# 通过ClawdHub安装
clawdhub install claw-asset-privacy-guardian
# 或手动安装
mkdir -p ~/.openclaw/skills/claw-asset-privacy-guardian
cp -r ./* ~/.openclaw/skills/claw-asset-privacy-guardian/
🚀 快速开始
安装后,在OpenClaw会话中:
# 运行全面安全审计
privacy-guardian audit --full
# 仅扫描敏感信息
privacy-guardian scan --sensitive
# 检查账号安全
privacy-guardian check --accounts
# 监控资产安全
privacy-guardian monitor --assets
# 生成匿名报告
privacy-guardian report --anonymous
🔧 配置选项
在~/.openclaw/config.json中添加:
{
"assetPrivacyGuardian": {
"enableLocalOnly": true,
"sensitivityLevel": "high",
"scanInterval": 86400,
"excludePatterns": [
"node_modules",
".git",
"personal_files"
],
"monitorWallets": [],
"importantAccounts": [],
"alertThreshold": "medium",
"reportFormat": "anonymous"
}
}
🛡️ 隐私保护机制
本地处理流程
1. 数据收集(本地) → 2. 匿名化处理 → 3. 模式分析 →
4. 风险评估 → 5. 建议生成 → 6. 本地报告
匿名化技术
- 信息脱敏:敏感信息替换为占位符
- 模式抽象:报告问题模式而非具体内容
- 聚合统计:只显示统计数据和趋势
- 本地存储:所有数据仅保存在本地
📊 安全风险评估等级
严重 (Critical)
- 私钥或助记词明文暴露
- 高价值资产直接泄露风险
- 账号接管直接威胁
高 (High)
- API密钥或密码硬编码
- 敏感个人信息暴露
- 重要账号安全配置缺失
中 (Medium)
- 隐私设置过于宽松
- 数据收集实践不透明
- 中等风险资产暴露
低 (Low)
- 轻微隐私配置问题
- 可优化的安全设置
- 信息性建议
信息 (Info)
- 安全最佳实践提醒
- 隐私保护建议
- 资产监控状态
📋 使用场景
1. 开发者安全审计
- 检查代码库中的凭据泄露
- 审计配置文件安全性
- 确保开发环境隐私保护
2. 个人隐私保护
- 检查社交媒体隐私设置
- 监控个人信息暴露风险
- 保护个人数字资产
3. 团队安全管理
- 统一团队安全标准
- 共享安全最佳实践
- 协作处理安全事件
4. 企业合规审计
- 满足数据保护法规要求
- 实施隐私-by-design原则
- 建立资产安全管理体系
🛠️ API接口
Python API(本地运行)
from claw_asset_privacy_guardian import PrivacyGuardian
# 创建守护者实例(完全本地)
guardian = PrivacyGuardian(local_only=True)
# 运行敏感信息扫描
results = guardian.scan_sensitive_info("/path/to/project")
# 检查账号安全
account_issues = guardian.check_account_security()
# 生成匿名报告
report = guardian.generate_anonymous_report()
# 获取安全建议
recommendations = guardian.get_security_recommendations()
命令行接口
# 基本安全扫描
privacy-guardian scan
# 深度隐私审计
privacy-guardian audit --deep --anonymous
# 资产安全检查
privacy-guardian assets --wallets "wallet1,wallet2"
# 定期监控模式
privacy-guardian monitor --interval 3600
# 导出安全报告
privacy-guardian export --format html --anonymize
🎨 报告系统
匿名报告特点
- 不包含具体敏感信息
- 使用通用问题描述
- 提供修复步骤而非具体内容
- 统计数据和趋势分析
报告类型
- 控制台摘要 - 即时安全状态概览
- HTML详细报告 - 交互式可视化界面
- JSON机器可读 - 自动化处理支持
- PDF正式报告 - 合规审计文档
🔄 与其他Claw技能协同
与Claw Security Scanner
- 共享恶意代码检测引擎
- 协同凭据泄露检测
- 统一安全风险评估框架
与Claw Ethics Checker
- 共享合规性检查逻辑
- 协同隐私法律合规评估
- 统一伦理决策框架
与Claw Problem Diagnoser
- 共享配置检查功能
- 协同系统安全性诊断
- 统一修复建议生成
与Claw Memory Guardian
- 安全记忆存储实践
- 隐私保护记忆管理
- 安全备份和恢复
💰 商业化模式
版本策略
-
免费版
- 基础敏感信息扫描
- 基本账号安全检查
- 简单隐私配置审计
- 本地匿名报告
-
专业版 ($9.99/月)
- 高级隐私深度扫描
- 定期安全监控
- 详细修复建议
- 历史趋势分析
- 优先技术支持
-
企业版 ($49/月)
- 团队协作功能
- 自定义检测规则
- API访问权限
- 合规报告生成
- 专属安全咨询
- SLA服务保障
目标用户
- 个人用户 - 保护个人隐私和数字资产
- 开发者 - 确保代码和配置安全性
- 安全团队 - 团队安全管理和审计
- 企业客户 - 合规性要求和资产保护
🛡️ 价值主张
对用户的直接价值
- 隐私保护 - 防止敏感信息泄露
- 资产安全 - 保护数字资产免受威胁
- 合规保障 - 满足数据保护法规要求
- 安心保障 - 持续监控和预警带来的安全感
对OpenClaw生态的价值
- 生态完善 - 填补隐私和资产保护空白
- 信任增强 - 提高整个生态系统的安全性
- 标准建立 - 建立隐私保护最佳实践
- 协同效应 - 与其他安全技能形成完整解决方案
🚀 开发路线图
V1.0 (基础版)
- 基础敏感信息扫描
- 简单账号安全检查
- 本地匿名报告
- 命令行界面
V1.5 (增强版)
- 高级隐私深度分析
- 资产监控功能
- Web管理界面
- 定期扫描调度
V2.0 (企业版)
- 团队协作功能
- 自定义规则引擎
- API和Webhook集成
- 合规报告系统
🔧 技术架构
核心组件
asset-privacy-guardian/
├── core/ # 核心引擎
│ ├── sensitive_scanner/ # 敏感信息扫描
│ ├── account_auditor/ # 账号安全审计
│ ├── privacy_checker/ # 隐私配置检查
│ └── asset_monitor/ # 资产安全监控
├── detectors/ # 检测规则库
│ ├── credential_detectors/ # 凭据泄露检测
│ ├── privacy_detectors/ # 隐私问题检测
│ └── asset_detectors/ # 资产风险检测
├── anonymizer/ # 匿名化处理
├── reporting/ # 报告系统
└── cli/ # 命令行界面
支持的服务/平台
- 代码仓库:GitHub, GitLab, Bitbucket
- 云服务:AWS, Google Cloud, Azure
- 社交媒体:Twitter, Facebook, LinkedIn
- 金融服务:加密货币钱包,交易所账户
- 开发工具:各种API密钥和访问令牌
🐛 故障排除
常见问题
-
扫描速度慢
privacy-guardian scan --fast --exclude node_modules -
误报处理
privacy-guardian scan --ignore-false-positives -
隐私担忧
privacy-guardian scan --local-only --no-external -
资源限制
privacy-guardian scan --max-memory 512 --max-threads 2
技术支持
- 文档:https://docs.claw-asset-privacy-guardian.com
- 社区:Moltbook #privacy-guardian
- 支持:support@claw-asset-privacy-guardian.com
- 安全报告:security@claw-asset-privacy-guardian.com
📝 许可证
MIT License - 免费用于个人和非商业用途 商业使用需要购买许可证
🙏 设计理念
这个skill的设计灵感来自老板对资产安全和隐私保护的重视。我们相信,真正的安全工具应该在不暴露用户敏感信息的前提下提供保护。
隐私是权利,不是特权 🔒
开发团队:Claw & 老板 版本:0.1.0 (计划中) 发布日期:2026-02-11 (计划) 官网:https://clawdhub.com/skills/claw-asset-privacy-guardian 隐私承诺:我们永不收集或存储您的敏感信息
Comments
Loading comments...