ClawHub

ShellWard Security Guide

v1.0.0

OpenClaw 安全部署指南 / Security deployment guide — help users secure their OpenClaw installation

0· 233·0 current·0 all-time
by@jnmetacode
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (OpenClaw security deployment guide) align with the SKILL.md: it instructs checks for network exposure, container hardening, credential management, audit logs, plugins, and patching — all appropriate for a security guide.
Instruction Scope
The runtime instructions explicitly ask the agent to inspect local state (ports, firewall, ~/.env, ~/.bashrc, ~/.ssh, ~/.aws/credentials, ~/.openclaw/shellward/audit.jsonl), list and scan plugin code, and check Node/OpenClaw versions. Those actions are coherent for a security scanner but involve reading sensitive files and potentially sending findings externally; the SKILL.md is somewhat broad ('Check the current system state using available tools') which grants the agent discretionary scope.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest disk/write risk. Nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no required env vars or credentials, yet instructs scanning environment variables and credential files (including AWS creds). Reading those items is reasonable for a security guide, but the skill does not request or document how cloud credentials would be accessed — users should not provide cloud/provider credentials unless explicitly needed and verified.
Persistence & Privilege
Flags show always:false and user-invocable:true; disable-model-invocation:false (normal). The skill does not request persistent presence or modify other skills or global agent config.
Assessment
This skill looks coherent for its stated purpose but it will ask the agent to read sensitive local files (env, SSH keys, AWS creds), audit logs, and plugin code. Before using it: (1) prefer running it on a test or staging host or with read-only access; (2) do not paste cloud/provider credentials unless you trust the source (the package has no homepage/source repo listed); (3) review any 'auto-fix' actions and require manual confirmation before destructive fixes; and (4) if the skill asks to send data to external services (SIEM or other endpoints), validate where data will go and redact secrets if necessary.

Like a lobster shell, security has layers — review code before you run it.

latestvk970e9ewmhzk9kecxzbbxzdqnh830gxy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments