📦 Firm Gateway Hardening Pack — Gateway Security Hardening Pack

v1.0.0

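A one-stop gateway authentication hardening and credential audit tool. It automatically checks key security items such as device authentication, Baileys credentials, webhook HMAC signatures, and logging configuration, helping teams quickly find and fix weaknesses in the authentication chain and raise the overall gateway security level.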

Last updated: 2026/3/1
Security scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
The skill's purpose (gateway hardening) matches its instructions at a high level, but it relies on external tooling (mcp-openclaw-extensions) without an install spec, doesn't declare the config paths or credentials it will read, and comes from an unknown source — these inconsistencies warrant caution.
Assessment recommendations
This pack broadly matches its stated goal (gateway hardening) but has several red flags you should consider before installing or running it: (1) Source and homepage are missing — you cannot verify the author or review code. (2) It depends on mcp-openclaw-extensions but provides no install or verification steps for that dependency — confirm the origin and integrity of that package. (3) The SKILL.md tells the agent to run tools against a config_path you supply, but the manifest doesn't declare whi...
Detailed analysis
Purpose and capabilities
The name/description describe gateway hardening and the SKILL.md lists five audit tools that fit that purpose. However, the SKILL.md enumerates CLI commands (openclaw_gateway_auth_check, openclaw_credentials_check, etc.) but the skill's manifest does not declare any required binaries or config paths. The metadata does list a dependency on mcp-openclaw-extensions >= 3.0.0 which likely provides those commands — that is plausible, but the relationship is not made explicit in install instructions.
Instruction scope
Runtime instructions ask the agent to run the named checks against a user-supplied config_path (e.g., /path/to/config.json). The SKILL.md does not enumerate what files, directories, or environment variables those tools will access, nor does it limit the paths. Because the checks target credentials, webhook HMACs, and workspace integrity, the tools will likely read secrets or sensitive config data. The instructions are high-level and give the agent broad discretion to run these tools against arbitrary files, which expands the attack surface if the underlying tooling is untrusted.
Install mechanism
This is an instruction-only skill with no install spec and no code files. The metadata 'requires' mcp-openclaw-extensions >= 3.0.0 but no mechanism is provided to obtain or verify that dependency. That is reasonable for an instruction-only wrapper if the environment already provides the extension, but it creates supply-chain uncertainty: it's unclear how/where mcp-openclaw-extensions will be installed or validated.
Credential requirements
The skill performs credential and webhook signature audits but declares no required environment variables or config paths. Tools that audit Baileys credentials and webhook HMACs typically need access to secret keys or credential files; the absence of declared secrets/config paths is disproportionate and leaves it unclear what the agent will access at runtime. This mismatch means sensitive data could be read without being explicitly requested in the manifest.
Persistence and privileges
The skill does not request always:true and is user-invocable only. Model invocation is not disabled (default) but that is normal. The skill does not request system-wide config changes or persistent privileges in its manifest.
Security is layered; review the code before running.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/3/1

Initial release — 5 tools: gateway auth, credentials, webhook HMAC, logs, workspace integrity

Benign

Install command

Official: npx clawhub@latest install firm-gateway-hardening-pack
Mirror (accelerated): npx clawhub@latest install firm-gateway-hardening-pack --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese-language optimization: 龙虾技能库