Daily Security Check
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a disclosed, read-only OpenClaw security-check skill, but it will inspect security-related local configuration/logs, run OpenClaw diagnostic commands, and save or optionally send a report.
This skill appears safe for its stated read-only audit purpose. Before installing, make sure you are comfortable letting the agent read OpenClaw security configuration/logs and run OpenClaw diagnostic commands, protect the saved report directory, and only enable cron or Telegram/Feishu delivery if you intentionally want unattended or external reporting.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent will run local diagnostic commands and include their summaries in the report.
The skill directs the agent to run local OpenClaw CLI commands, but the commands are central to the audit purpose and explicitly limited to read-only operation.
Run `openclaw security audit` ... run `openclaw doctor` ... read-only checks only; never run `--fix`
Use it in the intended OpenClaw project root, verify the OpenClaw CLI is trusted, and keep `--fix` or other repair commands as manual user actions.
The agent may see where credentials or gateway tokens are configured, although the skill instructs it not to print secret values.
The checklist requires reading credential-related configuration and token-related settings to verify security posture.
Check whether `openclaw.json` still contains plaintext `apiKey`, `token`, or `appSecret` values ... `OPENCLAW_GATEWAY_TOKEN` must be at least 32 characters
Install only where the agent is allowed to read OpenClaw security configuration, and confirm reports contain only paths/field names, not secret values.
Security findings, paths, and remediation notes may remain on disk and be available to future users or agents with workspace access.
The skill persists a security summary report in the workspace for later reference.
Write the report to `workspace/docs/security-audit/security-report-YYYY-MM-DD.md`
Protect the report directory, avoid storing secret values in reports, and periodically review or prune retained audit reports.
If enabled, the security report may leave the local workspace and be stored by a third-party messaging provider.
The artifacts disclose optional delivery of the generated report to external messaging services.
Results can be sent to Telegram, Feishu, and similar services (requires your own configuration)
Enable external delivery only to trusted channels, keep reports redacted, and avoid sending sensitive configuration details.
A configured schedule can run checks without per-run confirmation.
The skill supports unattended scheduled execution when the user configures cron, but does not show any self-installing persistence.
Can be triggered by cron or another scheduler in a separate session ... do not prompt interactively when triggered by cron
Only configure cron if unattended daily checks are desired, and run the scheduled task with the least privileges needed.
Users may have less reliable information about the maintainer or support channel.
The packaged metadata still contains placeholder support and homepage URLs, making provenance and support harder to verify.
"support_url": "https://github.com/YOUR_USERNAME/daily-security-check/issues", "homepage": "https://github.com/YOUR_USERNAME/daily-security-check"
Prefer installing from a package with completed source/homepage metadata, or review the included artifacts before use.
