Firm Runtime Audit Pack

v1.0.0

Runtime environment and configuration audit pack. Validates Node.js version, secrets workflow, HTTP headers, allowed commands, trusted proxy, disk budget, an...

Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (runtime audit of Node.js, secrets workflow, headers, command allowlists, proxy, disk budget, DM allowlist) match the listed 'openclaw_*' tools and the example usage. The declared dependency on mcp-openclaw-extensions >= 3.0.0 reasonably explains where those checks come from.
Instruction Scope
The SKILL.md is instruction-only and simply directs the agent to run named checks against a provided config_path. It does not instruct reading unrelated system paths or sending results to external endpoints. However, several checks (especially the 'secrets_workflow' check) implicitly require reading configuration or workflow definitions that may contain secrets — the skill does not specify how sensitive data is handled or reported.
Install Mechanism
No install spec and no code files — lowest-risk delivery. The skill relies on mcp-openclaw-extensions being available in the environment; the SKILL.md does not provide an install method for that dependency, so installation must be managed separately by the user/agent.
Credentials
The skill does not request environment variables or credentials, which is proportionate. Nonetheless, some checks will need access to configuration files (example shows config_path=/path/to/config.json) and may parse sensitive entries; the SKILL.md does not document how secrets are protected or whether checks will read external secret stores.
Persistence & Privilege
always:false and user-invocable:true. No indication the skill persists or modifies other skills or agent-wide settings. Autonomous invocation is allowed by default but not uniquely privileged here.
Scan Findings in Context
[no_findings] expected: The static scanner had no files to analyze (instruction-only SKILL.md). This is expected for a metadata/instructions-only skill; absence of findings does not guarantee safety — runtime behavior depends on the external mcp-openclaw-extensions implementation that provides the named checks.
Assessment
This skill is mostly a wrapper that documents and calls auditing checks provided by the mcp-openclaw-extensions package. Before installing or running it:

1) Verify and obtain mcp-openclaw-extensions from a trusted source and review its code or documentation so you know exactly what each 'openclaw_*' check does.
2) Avoid running secret-auditing checks directly against production secrets — run against sanitized copies or ensure the check does not exfiltrate sensitive fields.
3) Review where reports are written or sent (local files, logs, external endpoints) and ensure they won't leak sensitive config.
4) If you need higher assurance, request an explicit install spec or signed release for the required extension so you can validate what will be executed.

Like a lobster shell, security has layers — review code before you run it.

latest vk97e15ddndn679p6gn05ns8vgn8220y6
294 downloads
0 stars
1 version
Updated 1mo ago
MIT-0

firm-runtime-audit-pack

⚠️ AI-generated content: human validation required before use.

Purpose

Audits the runtime environment of OpenClaw deployments: Node.js version compliance, secrets handling, HTTP security headers, command allowlists, proxy configuration, disk budget, and direct message policies.

Tools (7)

| Tool | Description | Severity |
|------|-------------|----------|
| openclaw_node_version_check | Verify Node.js runtime version | CRITICAL |
| openclaw_secrets_workflow_check | Audit secrets handling in workflows | CRITICAL |
| openclaw_http_headers_check | Check HTTP security headers (HSTS, CSP) | HIGH |
| openclaw_nodes_commands_check | Validate nodes.allowCommands config | HIGH |
| openclaw_trusted_proxy_check | Verify trusted proxy configuration | HIGH |
| openclaw_session_disk_budget_check | Check session disk budget limits | MEDIUM |
| openclaw_dm_allowlist_check | Audit DM channel allowlist policy | MEDIUM |

Usage

skills:
  - firm-runtime-audit-pack

# Run full runtime audit:
openclaw_node_version_check config_path=/path/to/config.json
openclaw_secrets_workflow_check config_path=/path/to/config.json
openclaw_http_headers_check config_path=/path/to/config.json

Requirements

  • mcp-openclaw-extensions >= 3.0.0
  • Node.js >= 20.x recommended
