
Security Group Auditor

v1.0.0

Audit AWS Security Groups and VPC configurations for dangerous internet exposure

by @anmolnagpal (Anmol Nagpal) · MIT-0
License: MIT-0
Last updated: 2026/3/3
Security scan: VirusTotal, harmless
OpenClaw: safe (high confidence)
The skill is an instruction-only auditor that asks users to paste read-only AWS CLI exports for analysis and does not request credentials or install code — its requirements and instructions are coherent with the stated purpose.
Assessment advice
This skill is instruction-only and does not ask for your AWS credentials, which is good. Before installing or using it: (1) Run the listed aws CLI commands yourself and share only the exported JSON the skill requests, not any credentials or environment files. (2) Review and redact any sensitive metadata you don't want analyzed or exposed (for example internal hostnames, exact public IPs, account IDs) — the guidance already warns to confirm no credentials are included. (3) If you prefer higher pr...
Detailed analysis
Purpose and capabilities
The name and description (audit AWS security groups/VPCs) match the runtime instructions: the skill asks the user to provide exported AWS EC2/VPC/security-group JSON outputs and performs analysis on them. It does not request unrelated credentials, binaries, or resources.
Instruction scope
The SKILL.md correctly instructs the user to run read-only AWS CLI commands and to paste their outputs. This stays within the stated purpose, but user-provided exports can contain sensitive metadata (public/private IPs, instance IDs, hostnames, AZs, subnet IDs). The skill explicitly says it will not execute CLI calls or request credentials and asks users to confirm no credentials are included before processing — good practice. Users should still sanitize/redact any information they don't want analyzed or shared.
Installation mechanism
No install spec and no code files — the skill is instruction-only, so nothing is written to disk or downloaded. This is the lowest-risk model and proportionate for an auditor that works on user-provided exports.
Credential requirements
The skill requests no environment variables, no credentials, and no config paths. The declared minimum IAM permissions are only in the README as guidance for the user to collect exports — they are read-only describe actions and appropriate for the stated purpose.
Persistence and permissions
The skill does not request permanent presence (always: false). Model invocation is allowed (default) which is normal for a user-invocable skill; there is no evidence the skill tries to modify other skills or system-wide settings.
Security comes in layers; review the code before running it.

License

MIT-0: free to use, modify and redistribute, no attribution required.

Runtime dependencies

No special dependencies

Versions

latest: v1.0.0 (2026/3/3)

aws-security-group-auditor 1.0.0 – Initial Release

  • Provides step-by-step guidance to audit AWS security groups and VPC network exposure.
  • Identifies dangerous open ports (e.g., SSH, RDP, database/admin ports) exposed to the internet.
  • Analyzes exported AWS data (security groups, EC2, VPC, subnet) to flag critical risks and estimate blast radius.
  • Suggests replacement, tightened security group rules and AWS Config rules for ongoing monitoring.
  • Instruction-only: requires user-provided exported data; does not access AWS accounts or execute commands.


Install command

Official:       npx clawhub@latest install security-group-auditor
Mirror (China): npx clawhub@latest install security-group-auditor --registry https://cn.clawhub-mirror.com

Skill documentation

You are an AWS network security expert. Open security groups are the fastest path for attackers to reach your infrastructure.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  • Security group rules export — all inbound and outbound rules
   aws ec2 describe-security-groups --output json > security-groups.json
   
  • EC2 instances with their security groups — for blast radius assessment
   aws ec2 describe-instances \
     --query 'Reservations[].Instances[].{ID:InstanceId,SGs:SecurityGroups,Type:InstanceType,Public:PublicIpAddress}' \
     --output json
   
  • VPC and subnet configuration — for network context
   aws ec2 describe-vpcs --output json
   aws ec2 describe-subnets --output json
   

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe their VPC setup, which ports are intentionally exposed to the internet, and what services (EC2, RDS, EKS, etc.) are in each security group.

Steps

  • Parse security group rules — identify all inbound rules with source CIDR
  • Flag dangerous exposures (broad CIDR, sensitive ports, 0.0.0.0/0)
  • Estimate blast radius per exposed rule
  • Generate tightened replacement rules
  • Recommend AWS Config rules for ongoing monitoring

Dangerous Patterns

  • 0.0.0.0/0 or ::/0 on SSH (22), RDP (3389) — direct remote access from internet
  • 0.0.0.0/0 on database ports: MySQL (3306), PostgreSQL (5432), MSSQL (1433), MongoDB (27017), Redis (6379)
  • 0.0.0.0/0 on admin ports: WinRM (5985/5986), Kubernetes API (6443)
  • /8 or /16 CIDR on sensitive ports — overly broad internal access
  • Unused security groups attached to no resources (cleanup candidates)

Output Format

  • Critical Findings: rules with internet exposure on sensitive ports
  • Findings Table: SG ID, rule, source CIDR, port, risk level, blast radius
  • Tightened Rules: corrected security group JSON with specific source IPs or security group references
  • AWS Config Rules: to detect 0.0.0.0/0 ingress automatically
  • VPC Flow Log Recommendation: enable if not active for detection coverage

Rules

  • Always recommend replacing 0.0.0.0/0 SSH/RDP with specific IP ranges or AWS Systems Manager Session Manager
  • Note: IPv6 ::/0 is equally dangerous — many teams forget to check it
  • Flag any SG with > 20 rules — complexity breeds misconfiguration
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
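As an added example (not part of the skill or its author's code), the Steps, Dangerous Patterns and Rules above carried out in Python over constructed sample exports in the shape of the describe-security-groups and describe-instances outputs requested earlier: 0.0.0.0/0 or ::/0 on a sensitive port is critical, a /8 or /16 source on a sensitive port is high, a group with more than 20 inbound rules and a group attached to no EC2 instance are also reported, and blast radius is the list of attached instance IDs. Group IDs, instance IDs and CIDRs are made up.

```python
import ipaddress

# Sensitive ports from the skill's "Dangerous Patterns" list
SENSITIVE = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL",
             27017: "MongoDB", 6379: "Redis", 5985: "WinRM", 5986: "WinRM", 6443: "Kubernetes API"}
MAX_RULES = 20  # the skill flags any SG with more than 20 rules

def audit(sg_export, instances=()):
    """Flag risky inbound rules; blast radius = EC2 instances that use the SG."""
    attached = {}
    for inst in instances:  # shape of the describe-instances --query output above
        for sg in inst.get("SGs", []):
            attached.setdefault(sg["GroupId"], []).append(inst["ID"])
    findings = []
    for sg in sg_export["SecurityGroups"]:
        gid, radius, n_rules = sg["GroupId"], attached.get(sg["GroupId"], []), 0
        for perm in sg.get("IpPermissions", []):
            all_ports = perm.get("IpProtocol") == "-1"  # protocol -1 means every port
            lo, hi = (0, 65535) if all_ports else (perm["FromPort"], perm["ToPort"])
            hit = [f"{n} ({p})" for p, n in sorted(SENSITIVE.items()) if lo <= p <= hi]
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]  # never skip IPv6
            n_rules += len(sources) + len(perm.get("UserIdGroupPairs", []))
            for cidr in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                risk = ("CRITICAL" if net.prefixlen == 0 else  # 0.0.0.0/0 or ::/0: whole internet
                        "HIGH" if net.version == 4 and net.prefixlen <= 16 else None)  # /8 or /16
                if hit and risk:  # only a sensitive port inside the rule's range is a finding
                    findings.append({"sg": gid, "rule": f"{perm['IpProtocol']} {lo}-{hi}", "source": cidr,
                                     "ports": hit, "risk": risk, "blast_radius": radius})
        if n_rules > MAX_RULES:  # complexity breeds misconfiguration
            findings.append({"sg": gid, "rule": f"{n_rules} inbound rules", "source": "-",
                             "ports": [], "risk": "MEDIUM", "blast_radius": radius})
        if instances and not radius:  # on no EC2 instance (RDS/ELB use is not in this export)
            findings.append({"sg": gid, "rule": "unused", "source": "-", "ports": [],
                             "risk": "INFO", "blast_radius": []})
    return findings

def mk_perm(proto, port, v4=(), v6=()):  # one IpPermission in describe-security-groups shape
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in v4], "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}

SAMPLE_SGS = {"SecurityGroups": [  # constructed sample, not real account data
    {"GroupId": "sg-0web", "IpPermissions": [mk_perm("tcp", 22, ["0.0.0.0/0"]),
                                             mk_perm("tcp", 443, ["0.0.0.0/0"], ["::/0"])]},
    {"GroupId": "sg-0db", "IpPermissions": [mk_perm("tcp", 3306, v6=["::/0"]), mk_perm("tcp", 5432, ["10.0.0.0/8"])]},
    {"GroupId": "sg-0old", "IpPermissions": [mk_perm("tcp", 22, ["10.1.2.0/24"])]}]}
SAMPLE_INSTANCES = [{"ID": "i-0a", "SGs": [{"GroupId": "sg-0web"}], "Type": "t3.micro", "Public": "198.51.100.10"},
                    {"ID": "i-0b", "SGs": [{"GroupId": "sg-0web"}, {"GroupId": "sg-0db"}], "Type": "t3.small", "Public": None}]
```

Feed `audit()` the parsed JSON of a real security-groups.json and the instance query output to get the rows for the Findings Table; the sample yields two critical, one high and one cleanup finding.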
Source: ClawHub · Chinese localisation: 龙虾技能库