ClawHub

m78armor : openclaw security configuration check

v1.0.0

Read-only local OpenClaw security configuration check and hardening assessment. 本地只读 OpenClaw 安全配置检查与加固评估。

0· 47·0 current·0 all-time
byMove78 AI@move78ai
Security Scan
Capability signals
CryptoRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary (node), README, SKILL.md and included script all align: the tool inspects local OpenClaw configuration and reports findings. Required resources are proportional to the stated task; there are no unrelated credentials, binaries or system paths declared.
Instruction Scope
SKILL.md instructs running the bundled Node script with optional --config/--json flags and explicitly states a read-only scope and guardrails (do not upload data, do not request secrets, do not run hardening). The README documents optional environment overrides (OPENCLAW_CONFIG, M78ARMOR_LANG) — these are reasonable. I did not see any instructions that ask the agent to read unrelated host secrets, nor open-ended language that would grant broad discretionary data collection. However the bundled script source in the listing was truncated; confirm the script does not perform network uploads or spawn privileged commands before trusting it.
Install Mechanism
No install spec; this is instruction + bundled script that runs under Node. No external downloads or archive extraction are declared. This is a low-risk installation surface, assuming the script itself is benign.
Credentials
The skill does not require environment variables or credentials. The README documents optional environment variables to override config path or language; these are consistent with the tool's purpose and are not excessive. No secrets/keys are requested in the manifest or SKILL.md.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent platform privileges. The SKILL.md explicitly forbids switching to a hardening mode in this free edition. Nothing indicates it modifies other skills or global configuration.
Assessment
This skill appears coherent for a local, read-only configuration check and is reasonably scoped. Before running: (1) review the full scripts/m78armor-lite.js file locally (search for require('http'|'https'|'net'|'child_process'|'exec'|'spawn'|'fetch'|'axios') or any outbound network calls) to confirm it doesn't send data off-host or execute privileged commands; (2) run it in an isolated environment or with an explicit --config path to target the intended OpenClaw config; (3) if you need higher assurance, run it offline (no network) to ensure no external callbacks, and inspect the code for any hidden telemetry or upgrade-check code that might contact ORDER_URL. If you want me to scan the full script text for network/exec patterns, paste it here and I will analyze it line-by-line.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis
Binsnode
latestvk97e9btvnf0ecdq5qded25csts84wk5p
47downloads
0stars
1versions
Updated 3d ago
v1.0.0
MIT-0
Move78 AI@move78ai
latest
Download

m78armor : openclaw security configuration check

中文说明: 本工具用于本地只读 OpenClaw 实例的安全配置检查与基线评估。执行本地优先 (local-first) 的安全审计与配置加固 (hardening) 建议。重点关注数据隐私 (privacy-first)、暴露面及配置漂移。不上传任何本地数据。

Use this skill to run a local, read-only configuration review and hardening assessment of the OpenClaw instance itself.

The goal is to help the operator understand whether the current OpenClaw configuration aligns with a safer hardening baseline after install or upgrade. Keep the tone calm, factual, and operator-facing. Build trust through evidence, clear reasoning, and explicit limits. Do not use hype, fear theater, or vague security language.

What this skill reviews

Use the bundled script to inspect the local OpenClaw configuration baseline for:

  • misconfiguration findings
  • permission and exposure gaps
  • risky defaults
  • local drift indicators
  • abuse-path explanations for known misconfigurations

Output expectations

When presenting results to the operator:

  • explain what was found in plain language
  • explain how a finding can be abused without exaggeration
  • explain why it matters operationally
  • separate confirmed findings from assumptions
  • avoid absolute claims unless directly supported by the local evidence
  • keep remediation guidance practical and concise

Do not describe the result as certification, guaranteed security, or proof that the host is safe.

Default action

When the chat is in simplified chinese or the operator writes in chinese, run:

node {baseDir}/scripts/m78armor-lite.js --lang zh

When the chat is in english or another non-chinese language, run:

node {baseDir}/scripts/m78armor-lite.js --lang en

Only fall back to:

node {baseDir}/scripts/m78armor-lite.js

when the operator's preferred language is unclear.

Optional arguments

If the operator gives a specific OpenClaw config path, run:

node {baseDir}/scripts/m78armor-lite.js --config "<path>"

If the operator explicitly asks for machine-readable output, run:

node {baseDir}/scripts/m78armor-lite.js --json

Guardrails

  • Stay read-only in this free edition.
  • Do not switch to --harden from this skill.
  • Do not request secrets, API keys, or gateway tokens.
  • Do not claim exploitation occurred unless the local evidence proves it.
  • Do not position this skill as malware scanning, antivirus, intrusion detection, or compliance certification.
  • If node is unavailable, stop and tell the operator to install Node.js first.

Paid boundary

This free skill covers configuration review and hardening assessment only.

Do not claim that the free skill includes:

  • signature-based malicious skill detection
  • deep provenance or bundle analysis
  • advanced memory-file pattern analysis
  • automatic hardening remediation (自动加固修复)
  • backup or rollback
  • evidence-pack outputs

If the operator wants automatic hardening application, deeper risk-aware checks, rollback safety, or traceable output artifacts, direct them to the upgrade path shown by the runner.

Comments

Loading comments...