security-audit-assistant

Security checks across malware telemetry and agentic risk

Overview

This server security audit skill needs review because its scanner appears to be a mock that can report success without actually checking the server.

Install only after reviewing the source and testing in a non-production environment. Do not rely on its reports until the publisher replaces the mocked command runner with real OpenClaw node execution, implements the documented CLI options, and adds clear warnings for sudo fix commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (46)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file is documented as a core scanner that runs CIS-inspired baseline checks, and the comments say the real runtime uses node.exec. However, the actual implemented runCommand function always returns empty output with exit code 0, so no audit commands are truly executed and downstream results are fabricated from stubbed data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The markdown states that each finding includes the exact CLI command to remediate, and the sample output shows commands that modify SSH configuration and perform package upgrades. Because these actions can affect system availability or change user data/system state, the description should include a clear user warning about reviewing and validating fixes before execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code file includes numerous fix commands that would modify critical system configuration, enable firewalls, restart services, change file permissions, and install packages. While the header says the tool outputs a report and fix commands, there is no explicit warning in the code about the operational impact of applying those commands, such as service disruption or lockout risk.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
❌ HIGH RISK:
1. SSH password authentication is ENABLED
   Fix: sudo sed -i 's/PasswordAuthentication yes/no/' /etc/ssh/sshd_config && sudo systemctl restart sshd

⚠️  MEDIUM:
2. Security updates available (5 packages)
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- **Script**: `scripts/audit.js` (~150 lines, Node.js)
- **Dependencies**: None (uses OpenClaw node.exec)
- **Compatible OS**: Ubuntu 20.04+, Debian 11+, CentOS 8+
- **Permissions**: Requires sudo for some checks (prompts user)

---
Confidence
70% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
| Passwords | Password aging enabled, no default accounts | Medium |
| Services | Unnecessary services disabled (telnet, vsftpd) | Low |
| Logging | Auditd/rsyslog enabled and rotating | Medium |
| File Permissions | /etc/passwd, /etc/shadow correct perms | High |

**Total checks**: ~20 per node
Confidence
60% confidence
Finding
/etc/passwd

Credential Access

High
Category
Privilege Escalation
Content
| Passwords | Password aging enabled, no default accounts | Medium |
| Services | Unnecessary services disabled (telnet, vsftpd) | Low |
| Logging | Auditd/rsyslog enabled and rotating | Medium |
| File Permissions | /etc/passwd, /etc/shadow correct perms | High |

**Total checks**: ~20 per node
Confidence
95% confidence
Finding
/etc/shadow

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'high',
    command: 'grep -E "^PasswordAuthentication" /etc/ssh/sshd_config | awk \'{print $2}\'',
    expected: 'no',
    fix: "sudo sed -i 's/PasswordAuthentication yes/no/' /etc/ssh/sshd_config && sudo systemctl restart sshd",
    os: ['ubuntu', 'debian', 'centos']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'high',
    command: 'grep -E "^PermitRootLogin" /etc/ssh/sshd_config | awk \'{print $2}\'',
    expected: 'no',
    fix: "sudo sed -i 's/PermitRootLogin yes/no/' /etc/ssh/sshd_config && sudo systemctl restart sshd",
    os: ['ubuntu', 'debian', 'centos']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'high',
    command: 'systemctl is-active ufw || echo "inactive"',
    expected: 'active',
    fix: "sudo ufw enable && sudo ufw default deny incoming",
    os: ['ubuntu', 'debian']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'high',
    command: 'systemctl is-active firewalld || echo "inactive"',
    expected: 'active',
    fix: "sudo systemctl enable --now firewalld && sudo firewall-cmd --set-default-zone=drop",
    os: ['centos', 'rhel']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'medium',
    command: 'apt list --upgradable 2>/dev/null | grep -i security || echo "none"',
    expected: 'none',
    fix: "sudo apt update && sudo apt upgrade -y",
    os: ['ubuntu', 'debian']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'medium',
    command: 'grep -E "^\s*PASS_MAX_DAYS\s+90" /etc/login.defs || echo "not_set"',
    expected: 'PASS_MAX_DAYS',
    fix: "sudo sed -i 's/^#*PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs",
    os: ['ubuntu', 'debian', 'centos']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'medium',
    command: 'systemctl is-active auditd || echo "inactive"',
    expected: 'active',
    fix: "sudo apt install auditd audispd-plugins -y && sudo systemctl enable --now auditd",
    os: ['ubuntu', 'debian']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'medium',
    command: 'systemctl is-active rsyslog || echo "inactive"',
    expected: 'active',
    fix: "sudo systemctl enable --now rsyslog",
    os: ['ubuntu', 'debian']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'high',
    command: 'grep -E "^Protocol" /etc/ssh/sshd_config | awk \'{print $2}\'',
    expected: '2',
    fix: "sudo sed -i 's/^Protocol.*/Protocol 2/' /etc/ssh/sshd_config && sudo systemctl restart sshd",
    os: ['ubuntu', 'debian', 'centos']
  },
  {
Confidence
70% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
risk: 'high',
    command: 'stat -c %a /etc/passwd',
    expected: '644',
    fix: "sudo chmod 644 /etc/passwd",
    os: ['ubuntu', 'debian', 'centos']
  },
  {
Confidence
70% confidence
Finding
sudo

VirusTotal

62/62 vendors flagged this skill as clean.
