Ops Cert Check

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: ops-cert-check
Version: 1.0.1

The skill bundle provides a standard operating procedure (SOP) for SSL/TLS certificate management, including validation, Nginx updates, and Let's Encrypt automation using tools like openssl, keytool, and certbot. The instructions in SKILL.md are well-structured for an operations agent and include security-positive warnings, such as explicitly forbidding the submission of private keys (.key files) to version control. No indicators of malicious intent, data exfiltration, or prompt injection were found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken command could interrupt HTTPS service or deploy an invalid certificate.

Why it was flagged

The SOP includes direct server mutation and service reload steps, which are expected for certificate replacement but can break live services if run on the wrong host or with the wrong files.

Skill content

Login to target server, replace files in `/etc/nginx/ssl/` ... `nginx -s reload`

Recommendation

Run these steps only with explicit authorization, confirm the target host and files, back up current certificates, and use `nginx -t` before reloading.

What this means

Overbroad DNS or server credentials could allow unintended certificate issuance, DNS changes, or server configuration changes.

Why it was flagged

The workflow requires privileged server access and DNS-provider authority, which are appropriate for wildcard certificate issuance but sensitive.

Skill content

Prerequisites ... Root/sudo access ... DNS provider with API access

Recommendation

Use least-privileged DNS/API credentials, avoid sharing secrets in chat, and ensure only authorized operators perform these steps.

What this means

Installing the wrong or untrusted package could add unexpected code to the server.

Why it was flagged

The SOP includes installing a DNS plugin package without pinning a version or documenting a trusted repository; this is common in ops runbooks but should be verified.

Skill content

`yum install -y certbot-dns-aliyun`

Recommendation

Install packages only from trusted repositories, verify package names for your OS, and prefer pinned or approved versions where possible.

What this means

A bad hook script or cron entry could repeatedly make unwanted changes or fail silently.

Why it was flagged

The renewal workflow creates a recurring background task and invokes a root-level deploy hook; this is normal for certificate automation but persistent.

Skill content

Set up cron job (runs every 2 days) ... `certbot renew --deploy-hook "/root/your-hook.sh"`

Recommendation

Review the deploy hook contents, ownership, permissions, logging, and rollback behavior before enabling the cron job.