m78armor : openclaw security configuration check

v1.0.0

Read-only local OpenClaw security configuration check and hardening assessment.

by Move78 AI (@move78ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto; Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, required binary (node), README, SKILL.md and included script all align: the tool inspects local OpenClaw configuration and reports findings. Required resources are proportional to the stated task; there are no unrelated credentials, binaries or system paths declared.
Instruction Scope
SKILL.md instructs running the bundled Node script with optional --config/--json flags and explicitly states a read-only scope and guardrails (do not upload data, do not request secrets, do not run hardening). The README documents optional environment overrides (OPENCLAW_CONFIG, M78ARMOR_LANG) — these are reasonable. I did not see any instructions that ask the agent to read unrelated host secrets, nor open-ended language that would grant broad discretionary data collection. However the bundled script source in the listing was truncated; confirm the script does not perform network uploads or spawn privileged commands before trusting it.
Install Mechanism
No install spec; this is instruction + bundled script that runs under Node. No external downloads or archive extraction are declared. This is a low-risk installation surface, assuming the script itself is benign.
Credentials
The skill does not require environment variables or credentials. The README documents optional environment variables to override config path or language; these are consistent with the tool's purpose and are not excessive. No secrets/keys are requested in the manifest or SKILL.md.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent platform privileges. The SKILL.md explicitly forbids switching to a hardening mode in this free edition. Nothing indicates it modifies other skills or global configuration.
Assessment
This skill appears coherent for a local, read-only configuration check and is reasonably scoped. Before running: (1) review the full scripts/m78armor-lite.js file locally (search for require('http'|'https'|'net'|'child_process'|'exec'|'spawn'|'fetch'|'axios') or any outbound network calls) to confirm it doesn't send data off-host or execute privileged commands; (2) run it in an isolated environment or with an explicit --config path to target the intended OpenClaw config; (3) if you need higher assurance, run it offline (no network) to ensure no external callbacks, and inspect the code for any hidden telemetry or upgrade-check code that might contact ORDER_URL. If you want me to scan the full script text for network/exec patterns, paste it here and I will analyze it line-by-line.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e9btvnf0ecdq5qded25csts84wk5p


Runtime requirements

🛡️ Clawdis
Bins: node
