sjht-server-audit
v1.0.0远程服务器安全巡检和环境报告工具。 通过 SSH 免密登录远程主机,全面检查系统信息、运行服务、开放端口、 Web 服务器配置、数据库配置、安全设置(SSH/防火墙/SELinux)、可疑进程和定时任务, 生成结构化的巡检报告。Use when 用户需要检查服务器安全、排查服务器环境、 了解服务器上运行了什么服务...
⭐ 0· 157·0 current·0 all-time
by@aowind
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (remote server security audit via SSH) matches what the script does: it SSH-es into the target and collects system info, services, ports, web/db config, cron entries, and produces a local report. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
The SKILL.md instructs running scripts/server-audit.sh which indeed SSH-es to the target and collects config files and logs — appropriate for an audit. However there are two mismatches: SKILL.md states reports are saved to ~/.openclaw/workspac/audits/<IP>-<date>.md, but the shipped script does not write such a persistent file (it writes to a local temporary file $TMPFILE and the trap removes it on exit). Also SKILL.md lists 'ssh-ops' skill as a precondition but that dependency is not declared in metadata. These inconsistencies could lead to surprises (lost report, undeclared dependency).
Install Mechanism
Instruction-only skill with an included shell script; no install spec, no external downloads or package installs. Low install-time risk since nothing is fetched/installed automatically.
Credentials
The skill requests no environment variables or external credentials in metadata. Operationally it requires SSH key-based access to target hosts (private key must be present on the agent or managed by another skill like 'ssh-ops'). This is proportional to its purpose, but the requirement is only documented in SKILL.md (not declared in metadata) so users must ensure their SSH keys are handled securely.
Persistence & Privilege
always is false and the skill does not request persistent privileges or modify other skills/config. It executes remotely over SSH and stores output locally in a temp file; no evidence of attempts to persist beyond that or modify agent-wide settings.
Assessment
This script is coherent for performing a remote server audit, but review and test it before running on production. Specifically:
- Verify SSH key handling: the skill assumes passwordless SSH; ensure the private key is stored and used securely (or provide it via a known credential manager), and confirm which user/account will be used.
- Expect the script to execute commands on the remote host and read config files (e.g., /etc/ssh/sshd_config, /etc/nginx/*, /etc/cron.d/*, site directories). These are necessary for auditing but may expose sensitive configuration—run on hosts you control or have explicit permission to audit.
- Fix the documentation/implementation mismatch: SKILL.md claims reports are saved under ~/.openclaw/workspac/audits/... but the script currently writes to a temporary file and the trap removes it on exit. If you need persistent reports, modify the script to write the structured Markdown to the intended path (and ensure directory exists and permissions are correct).
- The SKILL.md lists a dependency on an 'ssh-ops' skill; the package metadata does not declare this. Confirm how SSH keys/session management is expected to work in your agent environment.
- Test on a non-production host first to confirm output, adjust parsing rules, and verify nothing is transmitted off your environment. If you want stronger guarantees, consider adding explicit logging/consent steps and avoid running on hosts without authorization.Like a lobster shell, security has layers — review code before you run it.
latestvk977ddmsjprkrrn87wyb8swxjx8371kt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.