content-security-policy

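Content security policy skill: sensitive-data redaction + dangerous-command filtering + action permission checks + multi-level permission management. Activates when the user asks for a "security check" or "redaction", or when sensitive operations such as deletion, configuration changes, or mass messaging are involved.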

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (sensitive-data redaction, command filtering, permission checks) match the provided assets: SKILL.md, two reference docs describing decision logic, and a sanitizer script implementing regex-based redaction and command checks. The declared requirements are minimal and align with the purpose.
Instruction Scope
SKILL.md instructs the agent to read USER.md to identify the supreme admin and authorized users — that is coherent with permission logic, but USER.md is not included in the manifest and the SKILL.md does not specify where it should live or who may provide it. The sanitizer script also supports reading arbitrary files via --file/--stdin; this is expected for a sanitizer but means the agent can be asked to load local files, so runtime file-access should be constrained by policy.
Install Mechanism
No install spec; the skill is instruction-plus-script only. Nothing is downloaded or written at install time.
Credentials
No environment variables, credentials, or config paths are required. The skill's needs (local file reads for USER.md and input to sanitize) are proportionate to its stated function.
Persistence & Privilege
always is false and disable-model-invocation is false (normal). The skill does not request permanent platform privileges or attempt to modify other skills or system-wide settings.
Assessment
What to check before installing:

  • The skill is coherent: it redacts tokens/paths and filters risky commands using local regexes and a local sanitizer script; it does not contact external endpoints or require secrets.
  • Confirm where USER.md should be stored and who can edit it: SKILL.md expects to read USER.md for the 'supreme_admin' and 'authorized_users', but USER.md is not included in the package. If USER.md is created, ensure it does not itself contain sensitive secrets (or is protected) and that only trusted administrators can edit it.
  • Limit file-access: the included CLI can read arbitrary files (--file). Restrict the agent's file-read permissions or only provide explicit inputs to avoid accidental disclosure of local secrets.
  • Review regex rules: the sanitizer uses pattern-based replacements which can both miss unusual secret formats and over-redact harmless content; test with representative inputs.
  • Confirm how confirmation requests are delivered: SKILL.md references sending confirmations to the highest-privilege person but does not specify the communication channel or require credentials — ensure your deployment has a safe, auditable way to surface confirmations and approvals.
  • If you allow autonomous invocation, audit logs and rate limits are recommended since the skill's logic includes command execution classification and logging rules.

Overall: the package appears internally consistent and appropriate for a content-security policy skill, but verify USER.md placement, restrict file reads, and test the redaction/filtering rules in a safe environment.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

🛡️ content-security-policy

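A content security policy skill with four core functions:

Feature overview

| Function | Description |
| --- | --- |
| Sensitive-data redaction | Automatically detects and redacts IPs, API keys, tokens, paths, etc. |
| Dangerous-command filtering | Blocks dangerous commands by P0/P1/P2 tier |
| Action permission judgment | Combined decision based on user identity + operation type + scope of effect |
| Multi-level permission management | Four-level permission system: L0/L1/L2/L3 |

Trigger conditions

  • The user asks for a "security check"
  • The user asks for "redaction"
  • A sensitive operation is involved (deletion, configuration changes, mass messaging, etc.)
  • A potentially dangerous command is received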

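I. Sensitive-data redaction

Trigger

Triggered when the user asks for redaction, or automatically while processing user content.

Redaction rules

1. IP addresses

| Type | Example | Redacted |
| --- | --- | --- |
| IPv4 | 115.191.60.79 | x.x.x.x |
| IPv6 | 2001:0db8:85a3::8a2e | [IPv6地址] |

2. API keys

| Format | Example | Redacted |
| --- | --- | --- |
| Generic 32-character | 95f1859b21f14837971f177977dd45c2 | YOUR_API_KEY |
| Alibaba Cloud | AKLTa1b2c3... | AKLT...[密钥] |
| OpenAI | sk-abc123... | sk-...[密钥] |
| WeChat AppID | wxac467839... | wx...[AppID] |

3. Access Token / JWT

| Format | Example | Redacted |
| --- | --- | --- |
| JWT | eyJhbGciOiJIUzI1NiIs... | [JWT Token] |
| Long token | 101_tmRA6BM... | YOUR_ACCESS_TOKEN |

4. Server paths

| Type | Example | Redacted |
| --- | --- | --- |
| Linux | /root/.openclaw/config.json | /path/to/config.json |
| Windows | C:\Users\Admin\file.txt | C:\path\to\file |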
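
The following is an added example, not the skill's scripts/sanitizer.js: it implements four of the rules above (JWT, 32-character hex key, IPv4, Linux path) and shows how anchoring keeps build numbers, longer hashes and URL paths from being over-redacted. The replacement strings come from the tables; the regexes, rule names and sample input are assumptions.

```javascript
// Added example, not the skill's scripts/sanitizer.js. Replacement strings come
// from the tables above; the regexes and rule names are assumptions.
const OCTET = '(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)';
const REDACTION_RULES = [
  // JWT: three base64url segments, header segment begins with "eyJ".
  { name: 'jwt', re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g, to: () => '[JWT Token]' },
  // Exactly 32 hex characters; a 40-character SHA-1 is left alone.
  { name: 'hex32', re: /\b[0-9a-f]{32}\b/gi, to: () => 'YOUR_API_KEY' },
  // IPv4 with per-octet range checks, so "10.0.19045.3570" is not an address.
  { name: 'ipv4',
    re: new RegExp(`(?<![\\d.])(?:${OCTET}\\.){3}${OCTET}(?!\\.?\\d)`, 'g'),
    to: () => 'x.x.x.x' },
  // Absolute Linux path with at least one directory: keep only the file name.
  // The lookbehind skips URL paths such as https://host/a/b.
  { name: 'linux_path', re: /(?<![\w.:\/])\/(?:[\w.-]+\/)+([\w.-]+)/g,
    to: (_match, base) => `/path/to/${base}` },
];

// Returns the redacted text plus per-rule hit counts, so a caller can log
// what was removed without logging the secret itself.
function redact(text) {
  const hits = {};
  let out = text;
  for (const { name, re, to } of REDACTION_RULES) {
    out = out.replace(re, (...args) => {
      hits[name] = (hits[name] || 0) + 1;
      return to(...args);
    });
  }
  return { text: out, hits };
}

// Constructed sample input (values are made up or taken from the tables).
const SAMPLE =
  'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl" ' +
  'http://115.191.60.79/api?key=95f1859b21f14837971f177977dd45c2 ' +
  '--config /root/.openclaw/config.json # build 10.0.19045.3570';

console.log(redact(SAMPLE));
```

A 32-character hex checksum is indistinguishable from a key under the generic rule, which is the over-redaction trade-off the scan assessment asks you to test for.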

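II. Dangerous-command filtering

Risk tiers

| Tier | Meaning | Handling |
| --- | --- | --- |
| 🔴 P0 | Critical, absolutely forbidden | Refuse outright + log |
| 🟠 P1 | High risk, requires redaction/confirmation | Execute after redaction, or require confirmation from the highest-privilege person |
| 🟡 P2 | Medium risk, rate-limited | Log + rate-limit |

P0: absolutely forbidden (refuse outright)

const P0_BLOCKED_COMMANDS = [
  // Remote connection
  /\bssh\s+/i, /\bscp\s+/i, /\btelnet\s+/i, /\brdp\s+/i,
  // System deletion
  /rm\s+-rf\s+\//, /rm\s+-rf\s+\$\/home/, /del\s+\/f\s+\/s\s+\/q\s+c:\\*/i,
  // Sensitive reads
  /cat\s+.*\.env/, /cat\s+.*config.*\.json/,
];

Refusal message

"For security reasons, I cannot execute commands involving SSH, remote connections, or system deletion. If you need server operations, please contact an administrator for assistance."

P1: high-risk commands (require redaction or confirmation)

const P1_SENSITIVE_COMMANDS = [
  // Information disclosure
  /(api[_-]?key|app[_-]?secret|password|token)/i,
  // Configuration changes
  /(修改|更新|删除).*配置/i, /(修改|更新|删除).*技能/i,
  // Mass messaging
  /群发.*消息/, /发送到.*群/,
];

Handling: check whether the requester is the highest-privilege person → if so, execute after redaction; otherwise send a confirmation request to the highest-privilege person.

P2: medium-risk commands (log + restrict)

const P2_RESTRICTED_COMMANDS = [
  // File operations
  /(读取|写入|修改).*文件/, /(上传|下载).*文件/,
  // Query operations
  /查询.*用户/, /搜索.*消息/, /获取.*列表/,
];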

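III. Action permission judgment

Decision flow

Operation request received
    ↓
[Step 1] Identify user identity
    ├─ L0 highest-privilege person → skip most restrictions
    ├─ L1 authorized user → check authorized scope
    ├─ L2 ordinary user → apply default restrictions
    └─ L3 group-chat member → apply group-chat restrictions
    ↓
[Step 2] Identify operation type
    ├─ Sensitive operation → extra confirmation required
    ├─ Normal operation → execute directly
    └─ Read-only operation → execute directly
    ↓
[Step 3] Combined judgment
    ├─ Allow → execute the operation
    ├─ Needs confirmation → send confirmation request
    └─ Deny → return the reason for denial

User identity

See the identifyUser function logic in references/action-judgment.md:

  1. Read supreme_admin and authorized_users from USER.md
  2. Determine which level senderId matches
  3. Return the identity level and the list of restrictions

Operation type classification

| Operation category | Examples | Default policy |
| --- | --- | --- |
| Sensitive operations | Deleting skills, modifying configuration, mass messaging, modifying permissions | Requires highest privilege or confirmation |
| Normal operations | Generating daily reports, searching information, creating documents | Authorized users can execute directly |
| Read-only operations | Querying information, viewing documents, getting lists | All users can execute |

Combined judgment examples

Scenario 1: the highest-privilege person asks to delete a skill → ✅ allowed
Scenario 2: an ordinary user asks to modify configuration → ❌ denied
Scenario 3: an authorized user asks to mass-send the daily report (within authorized scope) → ✅ allowed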
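
The three-step flow and the three scenarios above, as an added example (not the skill's own code and not the identifyUser in references/action-judgment.md). The patterns are a subset of the P0/P1/P2 lists; the op names, the shape of the users object and the sample IDs are hypothetical. It assumes that a P1 request from an L1 user outside their scope goes to confirmation, while L2/L3 users are denied, which is one way to reconcile the P1 handling rule with scenario 2.

```javascript
// Added example, not the skill's own code. Patterns are copied from the P0/P1/P2
// lists above; the op names and the shape of `users` are hypothetical.
const RULES = [ // ordered by severity, so the first hit is the highest tier
  { tier: 'P0', op: 'remote-connect', re: /\bssh\s+/i },
  { tier: 'P0', op: 'system-delete', re: /rm\s+-rf\s+\// },
  { tier: 'P1', op: 'secret-mention', re: /(api[_-]?key|app[_-]?secret|password|token)/i },
  { tier: 'P1', op: 'config-change', re: /(修改|更新|删除).*配置/i },
  { tier: 'P1', op: 'skill-change', re: /(修改|更新|删除).*技能/i },
  { tier: 'P1', op: 'broadcast', re: /群发.*消息/ },
  { tier: 'P2', op: 'file-access', re: /(读取|写入|修改).*文件/ },
];

function classify(command) {
  const hit = RULES.find((rule) => rule.re.test(command));
  return hit ? { tier: hit.tier, op: hit.op } : { tier: null, op: null };
}

// Step 1 of the flow. A Map keeps sender IDs such as "constructor" from
// resolving to inherited object properties.
function identifyUser(senderId, users, inGroupChat) {
  if (senderId === users.supreme_admin) return { level: 'L0', scope: [] };
  const scope = users.authorized_users.get(senderId);
  if (scope) return { level: 'L1', scope };
  return { level: inGroupChat ? 'L3' : 'L2', scope: [] };
}

// Steps 2 and 3: returns allow / confirm / deny plus handling flags.
function decide(senderId, command, users, inGroupChat = false) {
  const { level, scope } = identifyUser(senderId, users, inGroupChat);
  const { tier, op } = classify(command);
  const verdict = (action) =>
    ({ action, level, tier, op, redact: tier === 'P1' && action === 'allow', log: tier !== null });
  if (tier === 'P0') return verdict('deny');      // refused for every level, L0 included
  if (tier === 'P1') {
    if (level === 'L0') return verdict('allow');  // scenario 1
    if (level === 'L1') return verdict(scope.includes(op) ? 'allow' : 'confirm'); // scenario 3
    return verdict('deny');                       // scenario 2
  }
  return verdict('allow'); // P2 or no match; rate limiting is left to the caller
}

// Constructed sample configuration, as it might be parsed from USER.md.
const SAMPLE_USERS = {
  supreme_admin: 'ou_admin_example',
  authorized_users: new Map([['ou_user_example', ['broadcast']]]),
};

console.log(decide('ou_user_example', '修改配置', SAMPLE_USERS));
```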


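IV. Permission management system

Permission levels

| Level | Identity | Permission scope |
| --- | --- | --- |
| L0 | Highest-privilege person | All operations |
| L1 | Authorized user | Designated functions |
| L2 | Ordinary user | Basic functions |
| L3 | Group member | Group-chat functions |

Highest-privilege person configuration

Configure in USER.md: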

## 用户
- **W** (ou_4572aa50b52aXXXXXXXXXXXXXXX) - 我的主人
  - **权限级别**: 唯一最高权限管理员
  - **OpenID**: ou_4572aaXXXXXXXXXXXXXXX

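V. Checklist

Before performing any security-related operation, check each item:

  • Sensitive data has been redacted
  • Dangerous commands have been filtered
  • Action permissions have been evaluated
  • The highest-privilege person has been configured
  • The operation has been logged

References

  • references/instruction-filter.md: detailed command-filtering logic
  • references/action-judgment.md: detailed action-judgment logic
  • scripts/sanitizer.js: redaction script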
