Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Eskills

v3.2.1

Runs the ESR OpenClaw host security check script and shows the full results. Use when the user asks to "run the ESR security check", "perform an ESR security audit", "check the OpenClaw host security configuration", "view the ESR security check results", or when the skill's script `/home/may/.openclaw/skills/ESR_openclaw...` needs to be invoked.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xpany37-max/esr-openclaw-checklist.

Prompt preview (Install & Setup):
Install the skill "Eskills" (xpany37-max/esr-openclaw-checklist) from ClawHub.
Skill page: https://clawhub.ai/xpany37-max/esr-openclaw-checklist
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install esr-openclaw-checklist

ClawHub CLI

npx clawhub@latest install esr-openclaw-checklist

Security Scan

VirusTotal: Suspicious

OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the Python script all implement an OpenClaw host security checklist: reading ~/.openclaw/openclaw.json, checking listening address, processes, Node.js version, skill inventory, file permissions, and invoking OpenClaw audit commands. The requested operations align with the stated purpose.
Instruction Scope
SKILL.md explicitly instructs running the included Python scripts and to display full script output and request user confirmation before making changes. The runtime instructions and the script read local config files, run local commands (ps, lsof, curl, openclaw, node), and save a JSON result—all expected. Note: the package and docs include scheduled execution that formats and sends reports to a DingTalk group; that transmits audit data off-host via the platform's configured messaging channel and should be accepted by the user before enabling.
Install Mechanism
No install spec (instruction-only with included script). There is no remote download or installer in the provided bundle and no non-standard install behavior in the files shown.
Credentials
The skill does not request secrets or new environment variables. It reads local OpenClaw configuration (~/.openclaw/openclaw.json) and the skills directory—appropriate for an audit. However, it relies on the host's OpenClaw messaging/cron configuration (e.g., DingTalk group id in config.json) to send reports; that means audit output may be delivered using existing platform credentials, so confirm that those messaging endpoints are trusted before enabling automatic reporting.
Persistence & Privilege
always:false and user-invocable; the skill does not demand permanent injection. It documents creating cron jobs via OpenClaw cron, but that is an explicit action the user or admin must take. The script itself does not appear to modify other skills or system-wide agent settings without explicit user confirmation.
Assessment
This package is internally consistent with a host security-audit tool. Before running or scheduling it: (1) review scripts/openclaw_checklist.py yourself (it will run shell commands and read ~/.openclaw/openclaw.json and your skills directory); (2) verify config.json.dingtalk_group_id and your OpenClaw messaging/cron configuration so you know where audit reports will be sent; (3) run the script manually first (python3 scripts/openclaw_checklist.py) to inspect output and produced JSON files; (4) do not enable scheduled automatic runs or message-sending until you accept that the audit output (which can include host and inventory details) will be transmitted to the configured DingTalk channel; (5) run as a non-root user where possible and back up ~/.openclaw/openclaw.json before applying any automated fixes.


197 downloads · 0 stars · 1 version · Updated 21h ago · v3.2.1 · License: MIT-0

ESR OpenClaw Security Check

Run the security check script provided by ESR and present the script's output to the user in full.

How to run

  • For a manual run, execute:
    • python3 {baseDir}/scripts/openclaw_checklist.py
  • Only if the user explicitly asks for the scheduled-task script, run:
    • python3 {baseDir}/scripts/openclaw_checklist_scheduled.py

Working requirements

  1. Show the Python script's output in full; do not truncate it or reword the meaning of the check items.
  2. Summarise the risk points based on the output, but do not replace the original output.
  3. Do not modify system configuration automatically.
  4. If an issue that needs fixing is found, explain the risk and the recommendation first, then ask the user for confirmation.

What is checked

The script covers the following 8 checks:

  1. Default port usage
  2. Service listening address check
  3. Detection of intranet tunnelling (NAT traversal) tools
  4. Node.js version check
  5. Password login mode check
  6. Skill count and official-source check
  7. Configuration file permission check
  8. OpenClawd deep security audit
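Checks 2 and 7 (listening address and config file permissions) written out as a small stand-alone script, so it is clear what a finding from this kind of audit looks like. This is an added example, not the ESR script the skill ships; the page does not show the openclaw.json schema, so the "host"/"port" keys and the sample config are assumptions.

```python
import json
import os
import stat
import tempfile

# Assumption: openclaw.json's real schema is not shown on the page, so the bind
# address is read from hypothetical top-level "host"/"port" keys.
PUBLIC_BINDS = {"0.0.0.0", "::", "*", ""}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def check_listen_address(config: dict) -> list[str]:
    """Checklist item 2: flag a service bound to a non-loopback address."""
    host = str(config.get("host", "127.0.0.1")).strip().lower()
    port = config.get("port", "?")
    if host in PUBLIC_BINDS:
        return [f"listen: bound to all interfaces ({host or '<empty>'}:{port}); prefer 127.0.0.1"]
    if host not in LOOPBACK:
        return [f"listen: bound to {host}:{port}, reachable from the network; confirm this is intended"]
    return []


def check_config_permissions(path: str) -> list[str]:
    """Checklist item 7: the config may hold tokens, so only the owner should read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"perms: {path} is {mode:04o}; group/other bits set, expected 0600")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"perms: {path} is writable by others; config could be tampered with")
    return findings


def run_checks(config_path: str) -> list[str]:
    """Run both checks against an openclaw.json-style file and return the findings."""
    with open(config_path, encoding="utf-8") as fh:
        config = json.load(fh)
    return check_listen_address(config) + check_config_permissions(config_path)


def demo(mode: int = 0o644, host: str = "0.0.0.0") -> list[str]:
    """Write a constructed config (not a real OpenClaw file) with the given mode and check it."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump({"host": host, "port": 18080}, fh)  # constructed sample values
        path = fh.name
    try:
        os.chmod(path, mode)
        return run_checks(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point run_checks at ~/.openclaw/openclaw.json to run it against a real host; an empty list means both checks passed.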

Post-processing of the output

  • Give the raw results first.
  • Then summarise in plain language:
    • whether the host is safe overall
    • how many risks were found
    • a remediation suggestion for each risk
  • If the user asks for fixes, carry them out one by one and confirm again before each change.
