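Ai Company Ciso — Utilities
v2.0.1 Company Chief Information Security Officer (CISO) skill pack. Integrates STRIDE threat modeling, network security assessment, penetration testing frameworks, incident response, and compliance auditing capabilities. Use cases: security audits, threat assessment, vulnerability management, incident response, compliance mapping. Follows the NIST AI RMF, ISO/IEC 42001, and OWASP standards.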
Security scan
OpenClaw
Suspicious
medium confidence: The skill's content and requested runtime permissions broadly match a CISO orchestration role, but a few powerful runtime permissions (sessions_send / subagents + network API access) and some broad, unspecified network/file capabilities raise proportionality and privilege concerns that the user should review before installing.
Assessment recommendations
This skill is largely a policy/procedure pack and is internally coherent for a CISO orchestration role, but pay attention to its runtime privileges before enabling it:
- mcp: sessions_send and subagents are powerful: confirm what 'subagents' means in your environment (can it spawn agents with broad rights?) and whether sessions_send can forward sensitive context to other sessions. If possible, restrict or audit these capabilities.
- Network: [api] permission is broad. Require allowlists for ou...
✓ Purpose and capabilities
Name/description (company CISO, STRIDE, incident response, governance) align with the skill's assets: policy text, threat-model document, interfaces for calling CEO/CRO/etc. The declared dependencies on other company skills are plausible for a governance/orchestration role.
ℹ Instruction scope
SKILL.md is an instruction-only, policy-and-procedure bundle (threat models, interfaces, circuit-breaker design). It does not instruct the agent to read arbitrary host secrets or run commands, but it does define active orchestration flows (calling CEO/CRO, automatic containment, evidence preservation). The instructions implicitly assume the skill can read files and call APIs — that's consistent with the declared 'files: [read]' and 'network: [api]' permissions but gives the skill operational discretion to fetch/forward context and evidence.
✓ Install mechanism
No install spec and no code files with executable artifacts — lowest-risk delivery model. Nothing is downloaded or written to disk by an installer in the package.
✓ Credential requirements
The skill declares no required environment variables or credentials, which is proportionate for a governance/policy skill. It does require file read and API network access (declared), which fit a coordinator/orchestrator role. There are no unrelated secrets or config paths requested.
⚠ Persistence and privileges
The skill requests/makes use of mcp permissions: sessions_send and subagents. Those are powerful runtime privileges (sending messages to sessions, spawning or delegating to subagents). Combined with network API access and file read, this gives the skill substantial ability to act and coordinate autonomously. always:false mitigates permanent inclusion, but autonomous invocation plus mcp privileges increases blast radius and should be reviewed/limited.
Security is layered; review the code before running.
Runtime dependencies
OS: Linux · macOS · Windows
Install command
Official: npx clawhub@latest install ai-company-ciso
Mirror: npx clawhub@latest install ai-company-ciso --registry https://cn.longxiaskill.com (mirror available)
Localization notes
Ai Company Ciso — Utilities installation instructions: Install commands: ["openclaw skills install ai-company-ciso-2-0-0","npx clawhub@latest install ai-company-ciso-2-0-0"]