Security Hardening

v1.0.0

Security audit and hardening for AI agents — credential hygiene, secret scanning, prompt injection defense, data leakage prevention, and privacy zones.

License: MIT-0. Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (security audit & hardening) match the SKILL.md instructions. The checks (credential scan, PII audit, config hardening, prompt-injection review, file-permission review) and the suggested remediations are appropriate for that stated purpose. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
Instructions explicitly direct the agent to scan all files in the agent workspace and to update configuration files (with confirmation). The SKILL.md states it will not access files outside the workspace, make network requests, or modify files without confirmation — this scope is reasonable, but because the skill runs arbitrary scans and suggests file modifications, operators should confirm the agent's runtime permissions and review findings before applying fixes.
Install Mechanism
No install spec and no code files (instruction-only). This is the lowest-risk delivery model: nothing is written to disk by the skill itself and no remote downloads are performed.
Credentials
The skill does not request environment variables, credentials, or config paths. The guidance it offers (move secrets to env vars) is advisory and does not require the skill to access secrets itself.
Persistence & Privilege
always:false and default autonomous invocation are set (normal). The README suggests periodic checks via heartbeat/cron, but no install is provided to set up scheduling; operators should verify how their agent runtime would schedule or enable recurring audits. No evidence the skill attempts to modify other skills or agent-wide settings.
Assessment
This skill is coherent with its stated purpose and contains useful, concrete checks and remediation steps, but it comes from an unverified source and is instruction-only. Before installing or enabling it permanently: (1) review the SKILL.md and references/advanced-patterns.md yourself to ensure the suggested commands and file edits are acceptable; (2) run the audit in a read-only or isolated copy of your workspace first so you can examine findings before any changes; (3) confirm your agent runtime will not transmit findings externally unless you explicitly approve that behavior; (4) ensure the agent process has minimal filesystem permissions (least privilege) so scans and edits cannot touch unrelated data; and (5) if the scan finds leaked credentials, rotate them immediately rather than relying solely on remediation advice in the skill. The unknown/absent homepage and author provenance lower confidence—prefer the same checks from a trusted source or review the content carefully before trusting it.


latest: vk973c80g87c7yaenstx19rk2fx82be2d

