Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

JumpServer

v1.0.0

Use for JumpServer V4 preflight, `.env.local` initialization, org selection, and read-only asset, permission, audit, and access queries through the bundled `...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for liqiang-fit2cloud/jumpserver-skills.

Prompt preview (Install & Setup):
Install the skill "JumpServer" (liqiang-fit2cloud/jumpserver-skills) from ClawHub.
Skill page: https://clawhub.ai/liqiang-fit2cloud/jumpserver-skills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install jumpserver-skills

ClawHub CLI


npx clawhub@latest install jumpserver-skills

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's name/description say it's a read-only JumpServer preflight/query helper, which matches the included scripts' behavior. However the registry metadata declares no required environment variables or primary credential while the implementation plainly expects JMS_API_URL and either AK/SK or username/password (and will persist them). The manifest omission is an incoherence: a JumpServer integration legitimately needs those env vars, so they should be declared.
Instruction Scope
SKILL.md instructs the agent to run local CLI scripts that will: collect credentials interactively, call the SDK against the JumpServer API, and write a .env.local file (including secrets) via config-write and select-org --confirm. The skill claims 'read-only' for business objects, and the code enforces query-only behavior, but the instructions and code explicitly allow writing .env.local and persisting JMS_ORG_ID (including an automatic special-case write for certain org sets). That means the skill will collect and persist sensitive credentials and perform network calls — this scope is broader than the registry metadata indicates.
Install Mechanism
There is no registry install spec, but the code includes a bootstrap helper that will detect missing Python packages from requirements.txt and (if invoked with the confirm flag) call pip to install them. The requirements file only lists jumpserver-sdk-python, and the bootstrap enforces simple requirements, so the install path is typical for Python CLI tools. Automatic pip install via subprocess is a moderate-risk action (it writes code to disk from PyPI), but it is expected for a local CLI script.
Credentials
The implementation requires JMS_API_URL and either JMS_ACCESS_KEY_ID/JMS_ACCESS_KEY_SECRET or JMS_USERNAME/JMS_PASSWORD and will write them into .env.local. None of these required credentials were declared in the skill registry metadata. Additionally, scripts disable HTTPS verification (verify=False) and suppress certificate warnings, which reduces transport security and increases risk if credentials are used against an intercepted connection.
Persistence & Privilege
The skill writes persistent configuration (.env.local) and JMS_ORG_ID into its own skill directory and reloads that config. It does not set always:true and does not modify other skills' configs. Persisting secrets to a local file is expected for this tool but is a privileged action (persisting credentials to disk); users should ensure the file's location and filesystem permissions are acceptable.
What to consider before installing
This repository appears to be a legitimate JumpServer read-only helper, but there are several things to consider before installing:

  • The registry metadata declares no required env vars, yet the code will ask for JMS_API_URL and credentials (AK/SK or username/password) and will write them to a local .env.local; be comfortable with storing those secrets on disk in the skill directory.
  • The runtime disables HTTPS certificate verification (verify=False), increasing MITM risk; avoid using production credentials against untrusted networks or ask the maintainer to make verification configurable.
  • The bootstrap can auto-install the jumpserver SDK via pip if you allow it; review and trust the PyPI package/version before confirming installs.
  • The skill enforces read-only query behavior in code, but the agent will persist JMS_ORG_ID automatically in a special case; review that behavior if you care about persisted organization selection.

Recommended actions: inspect the scripts yourself, run them in an isolated environment or container, limit which JumpServer account/credentials you provide (use a least-privilege read-only account), and ensure .env.local is secured or not used for sensitive production credentials.


latest: vk971neyek11petz431hxtdpmjh83k6zc
107 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

JumpServer Skills

JumpServer query-type skill: environment-initialization writes (.env.local, JMS_ORG_ID) are allowed, but it does not create, update, delete, append to, or remove business objects or permissions.

Input / Output

| Type | Typical input | Returns |
| --- | --- | --- |
| Environment initialization | JMS_API_URL, auth info, optional org-id | config completeness, .env.local write result, connectivity, org write result |
| Object query | resource, id, name, filters | list, detail, resolve result |
| Permissions & audit | filters, audit-type, time range, command_storage_id | permission detail, audit detail, recent activity |
| Access analysis | username, optional asset-name | assets/nodes accessible to the user, single-asset access view |

Route

config-status --json
  -> complete=false ? collect env info -> config-write --confirm
  -> ping
  -> org missing/inaccessible ? select-org [--org-id] -> select-org --confirm
  -> read-only query
  • Auto-writing 0002 is allowed only when the accessible org set is exactly {0002} or {0002,0004}

Capability Matrix

| Intent | Must Use | Precheck | Output | Stop If |
| --- | --- | --- | --- | --- |
| Initialize environment | jms_diagnose.py config-status/config-write/ping/select-org | - | config status, .env.local write result, connectivity, org persistence result | address or auth missing, address unreachable, org not accessible |
| Query assets and objects | jms_assets.py list/get, jms_diagnose.py resolve/resolve-platform | config-status --json -> config-write --confirm if needed -> ping -> select-org --confirm if needed | asset-type lists, details, object resolve results | name not unique, object unclear, org not ready |
| Query permission rules | jms_permissions.py list/get | config-status --json -> config-write --confirm if needed -> ping -> select-org --confirm if needed | permission list, permission detail | org not ready |
| Query audit records | jms_audit.py list/get | config-status --json -> config-write --confirm if needed -> ping -> select-org --confirm if needed | login, operation, session, command audits | audit-type=command without command_storage_id |
| Access analysis | jms_diagnose.py user-assets/user-nodes/user-asset-access/recent-audit | config-status --json -> config-write --confirm if needed -> ping -> select-org --confirm if needed | assets/nodes accessible to the user, single-asset access, recent audits | user not found, too many candidates, org not ready |

Core Rules

| Rule | Required Behavior |
| --- | --- |
| Precheck order | config-status --json -> config-write --confirm (if needed) -> ping -> select-org --confirm (if needed) -> read-only query |
| Environment write | Allowed: generate or update .env.local via config-write --confirm |
| Org write | Allowed: persist JMS_ORG_ID via select-org --confirm |
| Reserved-org special case | Write 0002 automatically only when the accessible org set is exactly {0002} or {0002,0004} |
| Scope boundary | Treat this skill as a query skill, not a general-purpose ops executor |
| Audit default window | When date_from/date_to are omitted, default to the last 7 days |
| Command audit | When audit-type=command, command_storage_id must be provided |
| Unsupported actions | On create/update/delete/append/remove/unblock, state directly that "business actions are query-only" |
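As an added example (not code from the jumpserver-skills project), the preflight chain from the Route section and the org, audit-window and command-audit rules from Core Rules, modelled as plain Python so the decision points can be checked offline. The names next_step(), audit_args() and refuse_if_write(), the "blocked: ..." strings, and the choice to fill each missing date bound individually are assumptions of this example.

```python
from datetime import date, timedelta

RESERVED_ORG = "0002"
# Only these exact accessible-org sets allow 0002 to be persisted without a user choice.
AUTO_ORG_SETS = (frozenset({"0002"}), frozenset({"0002", "0004"}))
WRITE_VERBS = {"create", "update", "delete", "append", "remove", "unblock"}


def next_step(config_complete, ping_ok, org_ready, accessible_orgs, org_id=None, confirmed=False):
    """Return the next command in the preflight chain, or a 'blocked: ...' reason.

    Mirrors the Route section: config -> ping -> org -> read-only query, never skipping a step.
    """
    if not config_complete:
        return "collect env info -> config-write --confirm"
    if not ping_ok:
        return "blocked: address unreachable or auth missing"
    if org_ready:
        return "read-only query"
    accessible = frozenset(accessible_orgs)
    if accessible in AUTO_ORG_SETS:  # reserved-org special case
        return f"select-org --org-id {RESERVED_ORG} --confirm"
    if org_id is None:
        # Return candidates first; the user must pick one before anything is persisted.
        return "select-org (candidates: " + ", ".join(sorted(accessible)) + ")"
    if org_id not in accessible:
        return "blocked: org not accessible"
    if not confirmed:
        return f"select-org --org-id {org_id}"  # preview only, no write
    return f"select-org --org-id {org_id} --confirm"


def audit_args(audit_type, filters, today):
    """Apply the audit rules: command audits need command_storage_id; window defaults to last 7 days."""
    args = dict(filters)
    if audit_type == "command" and not args.get("command_storage_id"):
        raise ValueError("audit-type=command requires command_storage_id")
    # Assumption: each missing bound is filled on its own (date_to = today, date_from = date_to - 7 days).
    date_to = date.fromisoformat(args.get("date_to", today.isoformat()))
    args.setdefault("date_to", date_to.isoformat())
    args.setdefault("date_from", (date_to - timedelta(days=7)).isoformat())
    return args


def refuse_if_write(verb):
    """Business actions stay query-only: return the refusal text for write verbs, else None."""
    if verb in WRITE_VERBS:
        return "business actions are query-only"
    return None
```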

Canonical Commands

Config check and write:

python3 scripts/jms_diagnose.py config-status --json
python3 scripts/jms_diagnose.py config-write --payload '{"JMS_API_URL":"https://jump.example.com","JMS_ACCESS_KEY_ID":"<ak>","JMS_ACCESS_KEY_SECRET":"<sk>","JMS_VERSION":"4"}' --confirm
python3 scripts/jms_diagnose.py ping

Org selection:

python3 scripts/jms_diagnose.py select-org
python3 scripts/jms_diagnose.py select-org --org-id <org-id>
python3 scripts/jms_diagnose.py select-org --org-id <org-id> --confirm

Object queries:

python3 scripts/jms_assets.py list --resource user --filters '{"username":"openclaw"}'
python3 scripts/jms_assets.py get --resource asset --id <asset-id>
python3 scripts/jms_diagnose.py resolve --resource node --name demo-node
python3 scripts/jms_diagnose.py resolve-platform --value Linux

Permission and audit queries:

python3 scripts/jms_permissions.py list --filters '{"limit":20}'
python3 scripts/jms_permissions.py get --id <permission-id>
python3 scripts/jms_audit.py list --audit-type operate --filters '{"limit":30}'
python3 scripts/jms_audit.py get --audit-type command --id <command-id> --filters '{"command_storage_id":"<command-storage-id>"}'

Success Criteria

  • Complete the config-status -> ping -> select-org preflight chain first, or stop clearly at the blocking step; do not skip steps.
  • When config is missing, collect the user's replies field by field and call config-write --confirm only after confirmation.
  • When the org is missing, return the candidate orgs first, then call select-org --confirm only after confirmation.
  • Query requests go through the official jms_*.py entry points and return either results or a clear statement of what is blocking.
  • Reject business write operations outright; do not bypass the official entry points by writing ad-hoc SDK/HTTP scripts.

Not For

  • Not for creating, updating, or deleting assets, platforms, nodes, accounts, users, user groups, orgs, or permissions.
  • Not for appending relations, removing relations, unlocking users, changing passwords, or bulk modifications.
  • Not for bypassing the official entry points with ad-hoc SDK/HTTP scripts.
