Runtime Security Guard — Security Protection Tool
v2.2.0 Enterprise-grade AI runtime security protection skill v2.1. Provides 406+ security rules, supports cross-platform detection (Windows/macOS/Linux), and detects 9 categories of security threats. Runs entirely locally, with no cloud API and no quota limits. Ships with a modern web monitoring interface and an automated test system.
Security Scan
OpenClaw
Suspicious
High confidence: The skill's code and runtime instructions broadly match a local runtime-security product, but there are multiple incoherences and risky behaviors (prompt-injection artefacts in SKILL.md, broad interception of files/tool results, honeypot/credential-related features, and optional webhook/exfiltration paths) that warrant manual code and deployment review before installing in production.
Assessment Recommendations
Plain-language next steps and cautions:
- Do not run the remote install scripts (curl | bash) or run the included install scripts on production systems before review. Treat the package like code that requires auditing.
- The skill legitimately needs to intercept file reads and tool outputs to detect threats, but that means it will access anything your OpenClaw agent can access (including secrets, files, tool outputs). Only install in a limited/sandboxed environment (VM or disposable test insta...
ℹ Purpose and Capabilities
The name/description (a local runtime security guard) aligns with the included hooks, detectors, rules, and web UI. It legitimately needs to intercept file reads, tool outputs, and user input to do detection. However there are inconsistencies: the registry metadata lists 'No install spec — instruction-only', yet the package contains hundreds of source/build files and install scripts; SKILL.md header/version (v2.1.0) differs from registry version 2.2.0 in metadata and other docs reference 1.1.0/v2.0.0. The skill also advertises 'completely local / no cloud API' while the code supports sending alerts to an external webhook (config.webhookUrl), which is not explained or constrained in SKILL.md.
⚠ Instruction Scope
SKILL.md states the plugin 'automatically' intercepts 'all file reads, tool results, user input, agent responses'. That scope is broad and implies access to arbitrary user data and secrets. The instructions include installing via curl|bash from raw.githubusercontent.com and scripts to start a local web server. SKILL.md also contains pre-scan detected prompt-injection patterns (e.g., 'ignore-previous-instructions' and Unicode control characters), which suggests the skill author attempted to include content that could influence LLM behavior; that is unexpected in a benign README and increases risk when the skill is loaded by an LLM-based agent.
ℹ Installation Mechanism
Installation methods mention ClawHub and direct download from GitHub (raw.githubusercontent.com and GitHub releases). GitHub is a standard host and the included install scripts (install-no-sudo.sh, install.sh) are present inside the package. The registry metadata's 'no install spec' contradicts the presence of these scripts — this mismatch matters because an instruction-only skill has lower risk than one that writes and executes many files. The install scripts should be audited before running; using curl | bash to execute a remote script is higher-risk even when fetched from GitHub.
⚠ Credential Requirements
The skill requests no declared environment variables or credentials, but its behavior (hooks that intercept file reads, logs that persist to ./logs, a honeypot system for tokens/keys, and optional webhook sending) implies it will touch sensitive data and may collect secrets. The presence of honeypot descriptions that mention GitHub/OpenAI/AWS credentials means the code is explicitly designed to capture credential-like strings; that capability is reasonable for detection but also increases the blast radius if logs or webhooks are misconfigured. No dedicated justification or safe-defaults for external sinks are provided in SKILL.md.
ℹ Persistence and Permissions
always:false (not force-included), which is appropriate. However, SKILL.md says the skill 'installs and runs automatically', will 'auto-run' after install, and will 'intercept' activities. Autonomous invocation is allowed (default) and is expected for skills, but combined with the broad interception scope and potential external alerting, this gives significant runtime reach. The skill does not declare needing to modify other skills or global configs, which is good; still, the automatic, pervasive interception behavior should be reviewed and constrained during deployment.
⚠ build-complete/scripts/check-install.js:59
Shell command execution detected (child_process).
⚠ build-complete/scripts/test-interception.js:54
Shell command execution detected (child_process).
⚠ build-complete/src/monitor/macos/gatekeeper-monitor.ts:34
Shell command execution detected (child_process).
⚠ build-complete/src/monitor/macos/keychain-monitor.ts:87
Shell command execution detected (child_process).
⚠ build-complete/src/monitor/macos/permissions-monitor.ts:81
Shell command execution detected (child_process).
⚠ build-complete/src/monitor/network-monitor.ts:91
Shell command execution detected (child_process).
⚠ build-complete/src/monitor/process-monitor.ts:85
Shell command execution detected (child_process).
⚠ build-complete/src/utils/platform.ts:133
Shell command execution detected (child_process).
⚠ build/scripts/check-install.js:59
Shell command execution detected (child_process).
⚠ build/src/monitor/macos/gatekeeper-monitor.ts:34
Shell command execution detected (child_process).
⚠ build/src/monitor/macos/keychain-monitor.ts:87
Shell command execution detected (child_process).
⚠ build/src/monitor/macos/permissions-monitor.ts:81
Shell command execution detected (child_process).
⚠ build/src/monitor/network-monitor.ts:91
Shell command execution detected (child_process).
⚠ build/src/monitor/process-monitor.ts:85
Shell command execution detected (child_process).
⚠ build/src/utils/platform.ts:133
Shell command execution detected (child_process).
⚠ scripts/check-install.js:59
Shell command execution detected (child_process).
⚠ scripts/test-interception.js:54
Shell command execution detected (child_process).
⚠ src/monitor/macos/gatekeeper-monitor.ts:34
Shell command execution detected (child_process).
⚠ src/monitor/macos/keychain-monitor.ts:87
Shell command execution detected (child_process).
⚠ src/monitor/macos/permissions-monitor.ts:81
Shell command execution detected (child_process).
⚠ src/monitor/network-monitor.ts:91
Shell command execution detected (child_process).
⚠ src/monitor/process-monitor.ts:85
Shell command execution detected (child_process).
⚠ src/utils/platform.ts:133
Shell command execution detected (child_process).
⚠ build-complete/scripts/web-admin-modern.js:11
Environment variable access combined with network send.
⚠ build-complete/scripts/web-server-v2.js:17
Environment variable access combined with network send.
⚠ build/scripts/web-admin-modern.js:11
Environment variable access combined with network send.
⚠ scripts/web-admin-modern.js:11
Environment variable access combined with network send.
⚠ scripts/web-server-v2.js:17
Environment variable access combined with network send.
⚠ build-complete/scripts/web-admin-modern.js:56
File read combined with network send (possible exfiltration).
⚠ build-complete/scripts/web-server-v2.js:45
File read combined with network send (possible exfiltration).
⚠ build-complete/src/rules/patterns/supplyChain.ts:138
File read combined with network send (possible exfiltration).
⚠ build/scripts/web-admin-modern.js:56
File read combined with network send (possible exfiltration).
⚠ build/src/rules/patterns/supplyChain.ts:138
File read combined with network send (possible exfiltration).
⚠ scripts/web-admin-modern.js:56
File read combined with network send (possible exfiltration).
⚠ scripts/web-server-v2.js:45
File read combined with network send (possible exfiltration).
⚠ src/rules/patterns/supplyChain.ts:138
File read combined with network send (possible exfiltration).
⚠ build-complete/docs/AUTO-TEST.md:147
Prompt-injection style instruction pattern detected.
⚠ build-complete/RULES-EXPANDED.md:189
Prompt-injection style instruction pattern detected.
⚠ build-complete/tests/samples.md:40
Prompt-injection style instruction pattern detected.
⚠ docs/AUTO-TEST.md:147
Prompt-injection style instruction pattern detected.
⚠ RULES-EXPANDED.md:189
Prompt-injection style instruction pattern detected.
⚠ TEST-REPORT.md:95
Prompt-injection style instruction pattern detected.
⚠ TEST-RESULT.md:78
Prompt-injection style instruction pattern detected.
⚠ tests/samples.md:40
Prompt-injection style instruction pattern detected.
⚠ VERSION.md:270
Prompt-injection style instruction pattern detected.
Security comes in layers; review the code before running it.
Runtime Dependencies
No special dependencies
Install Command
Official: npx clawhub@latest install runtime-security-guard
Mirror (accelerated): npx clawhub@latest install runtime-security-guard --registry https://cn.longxiaskill.com
Localization Notes
Runtime Security Guard — Security Protection Tool installation notes: install commands: ["openclaw skills install runtime-security-guard","npx clawhub@latest install runtime-security-guard"]