portable-deployment-audit
v1.0.2 · Read-only security auditing for OpenClaw deployments, repositories, and local project directories. Scan an explicit target directory for exposed credentials,...
by WeiHan (@otweihan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)

Purpose & Capability
Name/description match the included script. The script inspects repository/project files (env, Dockerfile, compose, source files) and reports findings; this aligns with a portable read-only audit.
Instruction Scope
SKILL.md instructs running the script with node (the node command is shown), but the registry metadata lists no required binary; declaring node as a required binary would be more accurate. The script collects some host metadata (os.hostname()) that the prose does not mention. It also accepts explicit --env-file and --dockerfile paths, which can point anywhere the invoking user has read access. The script asserts that it does not execute external binaries, and the code shown contains only filesystem inspection (no child_process or network calls).
Install Mechanism
No install spec is provided and there are no downloads or extract operations — the skill is delivered as files (script + SKILL.md). This is low-risk compared with remote installers.
Credentials
The skill does not request any environment variables or credentials. It does read files discovered under the target directory, and it will also read any explicit file paths passed via --env-file/--dockerfile. That is reasonable for an auditor, but it means callers should not point it at sensitive files on shared hosts. The script records hostname and platform in its runtime metadata (minor identifying info).
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges. It does not modify agent/system configuration; execution is on-demand and local.
Assessment
This skill appears to do what it claims: a read-only, file-based audit. Before installing or using it, make sure node is available (SKILL.md runs the script with node, but the registry metadata does not declare it), read the script yourself if you are concerned, and avoid pointing the scanner at sensitive system files or absolute paths you do not want inspected; do not pass --env-file or --dockerfile paths that point at secrets unless you intend them to be read. Run it locally or in an isolated environment first, and use --format json for CI parsing. If you need higher assurance, confirm by searching the script that it makes no network calls and no child_process execs (the provided code shows none).

Like a lobster shell, security has layers: review code before you run it.
latest: vk9791h26ad3bgkd9zrjp5v8fd183ce6p
