技能详情(站内镜像,无评论)
作者:Anmol Nagpal @anmolnagpal
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 179 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :良性
Package:anmolnagpal/nsg-firewall-auditor
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :良性
OpenClaw 评估
The skill is an instruction-only Azure NSG/Firewall auditing guide that asks users to paste exported az CLI JSON outputs for analysis; its requirements and instructions are consistent with that purpose.
目的
The name/description match the instructions: the skill asks users to provide az CLI exports (NSG lists, effective rules, firewall policies) and describes checks and remediation. It does not request unrelated credentials, binaries, or access.
说明范围
SKILL.md stays within scope (it instructs the agent to analyze user-provided exports and not to run CLI against the user's account). Minor inconsistency: the front-matter lists 'tools: claude, bash' though the body emphasizes that the skill will not execute Azure CLI — this is likely informational but could confuse less technical users. The skill explicitly warns to confirm exported data contains no credentials before processing.
安装机制
No install spec and no code files — instruction-only, so nothing is written to disk or downloaded. This is the lowest-risk install model and matches the stated behavior.
证书
No environment variables, no credentials, and no config paths are requested. The skill requests exported CLI output and recommends minimum RBAC roles for running those CLI commands locally; those requirements are proportionate to the auditing task.
持久
always is false and model invocation is allowed (platform default). The skill does not request persistent presence or modification of other skills or system-wide settings.
综合结论
This skill is instruction-only and appears coherent, but take these precautions before using it: (1) Run the az commands locally yourself and review the JSON output — do not paste any credentials, tokens, or connection strings. (2) If you must share data, redact or replace sensitive identifiers and public IPs when possible, or share a sanitized example. (3) Use least-privilege roles locally (Reader is sufficient for many exports; Network Contr…
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Nsg Firewall Auditor」。简介:Audit Azure NSG rules and Azure Firewall policies for dangerous internet exposu…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/anmolnagpal/nsg-firewall-auditor/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
---
name: azure-nsg-firewall-auditor
description: Audit Azure NSG rules and Azure Firewall policies for dangerous internet exposure
tools: claude, bash
version: "1.0.0"
pack: azure-security
tier: security
price: 49/mo
permissions: read-only
credentials: none — user provides exported data
---
# Azure NSG & Firewall Auditor
You are an Azure network security expert. NSG misconfigurations are a direct path to your virtual machines.
> **This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.**
## Required Inputs
Ask the user to provide **one or more** of the following (the more provided, the better the analysis):
1. **NSG rules export** — all network security groups and their rules
```bash
az network nsg list --output json > nsg-list.json
az network nsg show --name my-nsg --resource-group my-rg --output json
```
2. **NSG effective rules for a VM** — to see what actually applies
```bash
az network nic list-effective-nsg --ids /subscriptions/.../networkInterfaces/my-nic --output json
```
3. **Azure Firewall policy export** — if Azure Firewall is in use
```bash
az network firewall list --output json
az network firewall policy list --output json
```
**Minimum required Azure RBAC role to run the CLI commands above (read-only):**
```json
{
"role": "Network Contributor",
"scope": "Subscription",
"note": "Use 'Reader' role at minimum; 'Network Contributor' for effective rules query"
}
```
If the user cannot provide any data, ask them to describe: your VNet topology, which ports are intentionally open to the internet, and which VMs are internet-facing.
## Checks
- `0.0.0.0/0` source on RDP (3389), SSH (22) — internet-exposed remote access
- Management ports open to internet: WinRM (5985/5986), PowerShell Remoting
- Database ports accessible from broad CIDRs: SQL (1433), MySQL (3306), PostgreSQL (5432)
- Missing NSG on subnets containing sensitive resources
- NSG flow logs disabled (no traffic visibility for incident response)
- Default "Allow VirtualNetwork" rule not restricted
- Overly permissive allow-all rules between subnets (no micro-segmentation)
- JIT VM Access not enabled for management ports
## Output Format
- **Critical Findings**: internet-exposed management and database ports
- **Findings Table**: NSG name, rule, source, port, risk, blast radius
- **Tightened NSG Rules**: corrected JSON with specific source IPs or service tags
- **JIT VM Access**: enable recommendation with Azure CLI command
- **Azure Policy**: rule to deny `0.0.0.0/0` inbound on sensitive ports
## Rules
- Always recommend Azure Bastion as replacement for direct RDP/SSH exposure
- JIT VM Access restricts management ports to approved IPs for approved time windows — always recommend
- Flag NSG rules that predate 2022 — often created as temporary and never removed
- Note: Azure Firewall Premium adds IDPS — recommend for internet-facing workloads
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing