dssb

v1.0.2

Install and configure the security-related plugins required by OpenClaw, including the `ai-assistant-security-openclaw` plugins. Use this skill when you want...

Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim to install/configure ai-assistant-security-openclaw; the bundle contains a Node script that installs the plugin (openclaw plugins install), updates OpenClaw plugin configuration, and restarts the gateway — all consistent with the stated purpose.
Instruction Scope
SKILL.md instructs running scripts/bundle.cjs which reads/writes local state under a .state directory, polls a remote login API, exposes a login URL to the user, and writes back ApiKey/AppId into the OpenClaw plugin config. The skill explicitly warns that API responses and logs may contain credential material; the script writes those responses to poll_login.log and may expose values via process args when invoking the openclaw CLI.
Install Mechanism
No external installer or downloads are used in the SKILL.md; the script is bundled with the skill and executed locally via Node. That is lower risk than pulling code from arbitrary URLs, though executing bundled code still requires review before running.
Credentials
The skill requests no environment variables or unrelated credentials. It contacts an embedded baseURL/baseLogUrl to create login tokens and receives ApiKey/AppId from that service — behavior necessary for its purpose, but these secrets are persisted into local OpenClaw configuration and logs.
Persistence & Privilege
The skill modifies OpenClaw plugin configuration, may remove prior entries, installs a plugin package name (@omni-shield/ai-assistant-security-openclaw), and restarts the OpenClaw gateway. It does not request always:true, but it performs privileged local changes that affect runtime behavior of OpenClaw.
Assessment
This skill appears to be what it says: it will install and configure an OpenClaw security plugin and contact the remote service at the embedded endpoints. Before running:

1. Inspect the bundled scripts/bundle.cjs yourself (it is included) to verify endpoints and behavior.
2. Confirm you trust the remote domains (openclaw-innersit.sdk.access-test.clawsentry.cn and console.clawsentry.cn) and the NPM package name used ("@omni-shield/ai-assistant-security-openclaw").
3. Backup your current OpenClaw plugins configuration because the script will modify it and may remove previous entries.
4. Be aware the script logs API responses and writes ApiKey/AppId into plugin config; these values can appear in poll_login.log and transiently in process arguments when openclaw CLI is invoked.
5. Run the script in a controlled or test environment first (and with Node >= 14 as recommended).

If you are not prepared for the plugin installation, restart behavior, or remote-auth flow, do not run the script.

Like a lobster shell, security has layers — review code before you run it.

latestvk971jzyjj81b5jf79ks14jvg89848afb
91 downloads
0 stars
2 versions
Updated 1w ago
v1.0.2
MIT-0

ClawSentry

Use Cases

  • Use this skill when you need to install and prepare the ai-assistant-security-openclaw plugins for the OpenClaw environment on the current machine.
  • Trigger this skill when the user mentions requirements such as "install clawSentry / ai-assistant-security-openclaw plugin / 帮我安装clawSentry技能 / 安装clawSentry技能".

Steps

1. Verify Node.js is installed:

Ensure Node.js (version 14 or higher) is installed on the system. You can check with:

node --version

2. Execute the combined script to install plugin and generate login link:

node {baseDir}/scripts/bundle.cjs

After the script completes:

  • The script will display the login URL directly. You can also extract it from the output by looking for the line that starts with [LOGIN_URL]:
  • You can also read the login URL from {baseDir}/.state/login_state.json file (look for the loginUrl field). If the file doesn't exist, try reading it again after a few seconds. If you can't find the files, try looking in .openclaw/skills/ClawSentry/scripts/ directory.
  • Send the login URL to the user along with this message: "After completing login, if you want to check if the installation was successful, please wait one minute and then ask me such as 'view all plugin list / 查看我的本地插件 '"

Data & Privacy

  • The script generates a per-machine device identifier locally, then sends only its SHA-256 hash as X-Ai-Device-Fingerprint for device-binding of the login session.
  • The script does not collect or transmit MAC addresses, hostname, or other hardware identifiers.
  • The script persists login state under {baseDir}/.state/, including loginToken, the hashed deviceFingerprint, expiry metadata, and login progress flags.
  • The polling log written to {baseDir}/.state/poll_login.log records operational output and API responses; once authorization succeeds, those responses may include credential material such as ApiKey and AppId.
  • After authorization, the script writes the received ApiKey and AppId into the local OpenClaw plugin configuration so the installed plugin can call the remote service.
  • That configuration update is performed by invoking the local openclaw CLI with a JSON payload, so credential values may be exposed transiently in local process arguments or shell/audit tooling on the host.

Network Targets

  • The script performs HTTPS requests to the API base URL embedded in the bundle at build time (internalConfig.baseURL) to create a login token and check login status.
  • The login URL shown to the user is generated using the embedded console URL prefix (internalConfig.baseLogUrl).

Local Files

  • {baseDir}/.state/login_state.json: Stores loginUrl, loginToken, deviceFingerprint (hashed), expiry metadata, and login progress flags.
  • {baseDir}/.state/poll_login.log: Stores polling logs for troubleshooting, including request/response-related output from the login-status flow.
  • {baseDir}/.state/device_id: Stores the locally generated device identifier used to derive the fingerprint hash.

Host Changes

  • The script runs openclaw CLI commands to install the plugin, read and update local OpenClaw plugin configuration, and restart openclaw gateway on the machine.
