Security Guard

Provides role-based access control, input/output content review, sensitive operation confirmation, and comprehensive audit logging for secure system management.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the actual implementation: PermissionManager, ContentSafety, and AuditLogger implement RBAC, input/output checks, confirmation semantics, and local audit logging. Required capabilities (files, APIs) align with the stated purpose and there are no unexpected external services or credentials requested.
Instruction Scope
SKILL.md instructs local use (npm install, import modules, run tests) and the runtime instructions (SecurityGuard.check/wrap/confirm, ContentSafety checks, AuditLogger logging) stay within the expected domain. The instructions do not direct the agent to read unrelated system files, send data to remote endpoints, or access environment variables beyond those declared (none).
Install Mechanism
The registry metadata lists no formal install spec, but SKILL.md expects running npm install and package.json is included. Installation uses the standard npm workflow (no remote ad-hoc downloads or URL extracts). This is moderate and expected for a packaged JS skill; users should run installs in a controlled environment (sandbox/container) before trusting it in production.
Credentials
The skill requests no environment variables or credentials. Its filesystem usage is limited to creating and writing audit logs (configurable logDir). That file access is proportional to its audit-logging purpose, but logs may contain sensitive data if configured poorly, so log location and retention should be reviewed.
Persistence & Privilege
always is false and model invocation is not disabled (platform default). The skill opens a periodic flush timer and writes audit logs to disk; those are reasonable for an audit logger but do give the skill persistent state on the host. This is expected for its functionality but worth awareness (ensure log directory and rotation policies match your security requirements).
Assessment
This skill appears to implement what it claims and does not request secrets or reach out to remote servers. Before installing:
  1) Run npm install and the test suite in an isolated environment (container or sandbox) to verify behavior.
  2) Review and configure audit.logDir (default ./audit-logs) so logs are stored securely and rotated/retained according to policy; logs may contain PII or operation details.
  3) Ensure your application correctly handles the 'confirmation-required' events emitted by PermissionManager/SecurityGuard (the library emits events but does not implement UI/automated approvals).
  4) If you plan to use it in a long-running agent, be aware it starts a periodic flush timer; ensure that lifecycle (close) is called on shutdown.
  5) Keep the package source under review (package.json points to a GitHub repo); if you need stronger assurance, audit dependencies and any future changes to the code for added network calls or credential handling.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0
latest: vk97dykfmccgnp48wx7jftjkb3983pe58


SKILL.md

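Security Guard - OpenClaw Security Protection System

Version: 0.1.0
Functions: permission management + content review + audit logging

Features

  • Permission management: fine-grained, role-based permission control
  • Content safety: input/output content review
  • Audit logging: complete operation records and tracing
  • High-risk confirmation: manual confirmation for sensitive operations

Installation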

cd skills/security-guard
npm install

Quick Start

import { SecurityGuard } from './src/security-guard.js';

// Create a Security Guard instance
const guard = new SecurityGuard({
  enabled: true,
  strictMode: false,
  permissions: {
    roles: {
      admin: { permissions: ['*'] },
      user: { permissions: ['read', 'write'] },
      guest: { permissions: ['read'] }
    }
  },
  contentSafety: {
    enabled: true,
    maxInputLength: 10000,
    blockedPatterns: ['password', 'secret', 'token']
  },
  audit: {
    logDir: './audit-logs',
    bufferSize: 100
  }
});

// Run the security check
const result = await guard.check('user123', 'write', 'file.txt', 'content');
if (result.allowed) {
  console.log('操作允许');  // "Operation allowed"
} else {
  console.log('拒绝:', result.reason);  // "Denied:" followed by the reason
}

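API Reference

SecurityGuard

Constructor

new SecurityGuard(config)

Parameters:

  • config.enabled - whether the guard is enabled (default: true)
  • config.strictMode - strict mode (default: false)
  • config.permissions - permission configuration
  • config.contentSafety - content safety configuration
  • config.audit - audit log configuration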

check(userId, action, resource, content)

Runs the full security check.

const result = await guard.check('user123', 'write', 'file.txt', 'some content');
// Returns: { allowed: true/false, reason: '...', checks: {...} }

PermissionManager

checkPermission(userId, action, resource)

Checks a user's permission.

const result = guard.permissionManager.checkPermission('user123', 'write', 'file.txt');
// Returns: { allowed: true/false, reason: '...' }

ContentSafety

checkInput(content)

Checks input content.

const result = guard.contentSafety.checkInput('user input');
// Returns: { safe: true/false, warnings: [...] }

AuditLogger

log(operation)

Records an operation in the audit log.

await guard.auditLogger.log({
  userId: 'user123',
  action: 'write',
  resource: 'file.txt',
  status: 'success'
});
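
The scan notes above warn that audit logs may capture sensitive data. The following added example (not part of the security-guard package) shows one way to scrub a record before it is passed to guard.auditLogger.log(); redactAuditEntry, both regular expressions, the length and depth limits, and the sample record are hypothetical, with the key patterns taken from the blockedPatterns values in this README.

```javascript
// Added example, not part of the security-guard package.
// Key names follow the blockedPatterns values shown in this README.
const SENSITIVE_KEY = /password|secret|token|api_key/i;
// Hypothetical pattern for key=value secrets embedded in free text.
const INLINE_SECRET = /\b(password|secret|token|api_key)\s*[=:]\s*\S+/gi;
const MAX_VALUE_LENGTH = 200; // assumption: cap for long free-text fields
const MAX_DEPTH = 8;          // assumption: stops runaway or cyclic nesting

function redactValue(value, depth) {
  if (depth > MAX_DEPTH) return '[DEPTH_LIMIT]';
  if (typeof value === 'string') {
    const scrubbed = value.replace(INLINE_SECRET, '$1=[REDACTED]');
    return scrubbed.length > MAX_VALUE_LENGTH
      ? scrubbed.slice(0, MAX_VALUE_LENGTH) + '...[truncated]'
      : scrubbed;
  }
  if (Array.isArray(value)) {
    return value.map((item) => redactValue(item, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const copy = {};
    for (const [key, item] of Object.entries(value)) {
      copy[key] = SENSITIVE_KEY.test(key) ? '[REDACTED]' : redactValue(item, depth + 1);
    }
    return copy;
  }
  return value; // numbers, booleans, null and undefined pass through
}

// Returns a scrubbed copy; the caller's object is left untouched.
function redactAuditEntry(entry) {
  return redactValue(entry, 0);
}

// Constructed sample record in the shape passed to auditLogger.log() above.
const sampleEntry = {
  userId: 'user123',
  action: 'write',
  resource: 'file.txt',
  status: 'success',
  details: { apiToken: 'tok_constructed_123', note: 'retry with password=hunter2 now' }
};

console.log(JSON.stringify(redactAuditEntry(sampleEntry), null, 2));
// Intended use: await guard.auditLogger.log(redactAuditEntry(entry));
```
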

Configuration Examples

Basic configuration

const guard = new SecurityGuard({
  enabled: true,
  permissions: {
    defaultRole: 'user',
    roles: {
      admin: { permissions: ['*'] },
      user: { permissions: ['read', 'write'] }
    }
  }
});

Strict mode

const guard = new SecurityGuard({
  enabled: true,
  strictMode: true,  // every operation requires explicit authorization
  contentSafety: {
    enabled: true,
    blockedPatterns: ['password', 'secret', 'api_key']
  }
});

Testing

npm test

License

MIT
