Firm Advanced Security Pack
Advanced security audit pack covering secrets lifecycle, path canonicalization, exec plan freeze, hook routing, config includes, prototype pollution, safeBin...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and listed tools are coherent with an OpenClaw configuration audit pack. However, the SKILL.md lists eight executable tool names (openclaw_*) yet the skill declares no required binaries and provides no installation or provenance for those executables. The metadata lists a dependency on 'mcp-openclaw-extensions >= 3.0.0' but the skill does not explain how that dependency supplies the tools or how it will be installed.
Instruction Scope
Runtime instructions direct the agent to run specific commands (e.g., openclaw_secrets_lifecycle_check config_path=/path/to/config.json). Those commands would execute arbitrary code on the host if present; the SKILL.md does not say where the commands come from, how to verify them, or any sandboxing/validation. The only file path referenced is a user-supplied config_path, which is reasonable for an audit tool, but the agent is being asked to run external commands without provenance—this is scope creep relative to an instruction-only skill.
Install Mechanism
No install spec is present (low disk-write risk), which is consistent with an instruction-only skill. However, the declared dependency (mcp-openclaw-extensions >= 3.0.0) is not accompanied by an installation or verification mechanism; the skill neither declares required binaries nor how to obtain the listed tools. That gap creates uncertainty about how the tools are expected to appear on the system.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate. Note: the commands it tells the agent to run will likely read user-supplied config files (config_path) — expected for an audit tool, but the skill does not constrain or document what parts of configs are read or transmitted.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or elevated platform privileges. Autonomous invocation is allowed by default but is not combined with other high-risk flags here.
What to consider before installing
This skill is instruction-only and lists eight audit commands but provides no code, no install steps, and no provenance for the dependency it references. Before installing or running it:
1) Ask the publisher where the openclaw_* tools come from and how to obtain and verify 'mcp-openclaw-extensions >= 3.0.0' (signed releases, repository, package registry).
2) Do not run the listed commands on production systems until you can inspect the actual binaries/scripts; run them in a sandbox.
3) Request human-reviewed source code or a trusted install mechanism; if none is provided, treat the skill as untrusted because it could cause arbitrary command execution.
4) If you proceed, verify digitally-signed packages or review the extension code to ensure the tools only read the intended config files and do not exfiltrate secrets.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
firm-advanced-security-pack
⚠️ AI-generated content: human validation required before use.
Purpose
Deep security auditing for OpenClaw configurations — covers external secrets lifecycle,
channel path canonicalization, execution plan freeze validation, hook session routing,
$include directive guards, prototype pollution detection, safeBins profile enforcement,
and group policy default audit.
Tools (8)
| Tool | Description | Severity |
|---|---|---|
| openclaw_secrets_lifecycle_check | External Secrets lifecycle audit | CRITICAL |
| openclaw_channel_auth_canon_check | Channel path canonicalization | CRITICAL |
| openclaw_exec_approval_freeze_check | Exec plan freeze validation | CRITICAL |
| openclaw_hook_session_routing_check | Hook session routing audit | HIGH |
| openclaw_config_include_check | $include directive guards | HIGH |
| openclaw_config_prototype_check | Prototype pollution detection | HIGH |
| openclaw_safe_bins_profile_check | safeBins profile enforcement | HIGH |
| openclaw_group_policy_default_check | Group policy default audit | HIGH |
Usage
```
skills:
  - firm-advanced-security-pack

# Run full advanced security audit:
openclaw_secrets_lifecycle_check config_path=/path/to/config.json
openclaw_config_prototype_check config_path=/path/to/config.json
openclaw_safe_bins_profile_check config_path=/path/to/config.json
```
Requirements
mcp-openclaw-extensions >= 3.0.0
