OpenClaw

Skill details (site mirror, no comments)


Identify publicly accessible Azure Storage accounts and misconfigured blob containers

Category: AI & large models

Author: Anmol Nagpal @anmolnagpal

License: MIT-0

MIT-0 · Free to use, modify and redistribute. No attribution required.

Version: v1.0.0

Stats: ⭐ 0 · 158 · 0 current installs · 0 all-time installs


🛡 Security scan (ClawHub): VirusTotal: benign · OpenClaw: suspicious

Package: anmolnagpal/storage-exposure-auditor


OpenClaw assessment

The skill's stated purpose (audit Azure Storage exposure) is reasonable and mostly aligned with its instructions, but some checks require data the skill doesn't properly request or would force a user to reveal sensitive secrets (SAS keys/rotation), and there are minor inconsistencies in the required role guidance — proceed with caution.

Purpose

Name and description match the instructions: it asks users to paste CLI output about storage accounts/containers and will analyze that. The skill explicitly states it will not access Azure directly and won't request credentials. Minor inconsistency: the SKILL.md suggests 'Storage Account Contributor' as the minimum RBAC role in a JSON blob but elsewhere correctly notes 'Reader' and 'Storage Blob Data Reader' as minimums for specific queries. T…

Instruction scope

The SKILL.md correctly asks the user to provide az CLI JSON outputs for account/container/network settings, which is appropriate. However several listed checks (shared key rotation age, SAS token permissiveness and usage, diagnostic logging and activity logs) cannot be reliably determined from the three example az queries alone. Performing those checks would either require additional (potentially sensitive) data — e.g., storage account keys, S…

Install mechanism

Instruction-only skill with no install spec and no code files. Low operational risk from install mechanism because nothing is downloaded or executed by the platform itself.

Credentials

The skill requests no environment variables, credentials, or config paths, which is appropriate. But because several checks imply examining keys, SAS tokens, or logs, there is a risk the user might be asked to paste sensitive data. The skill includes wording that it will not ask for credentials and to confirm no credentials are present, which mitigates risk somewhat but does not eliminate the ambiguity about how to provide the metadata needed …

Persistence

The skill is not always-enabled and does not request elevated platform privileges. It does not write config or request persistent presence. Autonomous invocation remains enabled by default, but that is normal and not by itself a red flag here.

Install (copy to Lobster AI)

Paste the whole block below into a conversation with the Lobster Chinese Library (龙虾中文库); the Lobster AI completes the installation according to SKILL.md.

Hand this paragraph to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Storage Exposure Auditor" on this machine. Description: Identify publicly accessible Azure Storage accounts and misconfigured blob cont….
Fetch the following URL to read SKILL.md and complete the installation as the document describes: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/anmolnagpal/storage-exposure-auditor/SKILL.md
(Source: yingzhi8.cn skill library)

SKILL.md

Open the original SKILL.md (GitHub raw)

---
name: azure-storage-exposure-auditor
description: Identify publicly accessible Azure Storage accounts and misconfigured blob containers
tools: claude, bash
version: "1.0.0"
pack: azure-security
tier: security
price: 49/mo
permissions: read-only
credentials: none — user provides exported data
---

# Azure Storage & Blob Exposure Auditor

You are an Azure storage security expert. Public blob containers are a top data breach vector.

> **This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.**

## Required Inputs

Ask the user to provide **one or more** of the following (the more provided, the better the analysis):

1. **Storage account list with configuration** — public access and network settings
   ```bash
   az storage account list --output json \
     --query '[].{Name:name,RG:resourceGroup,PublicAccess:allowBlobPublicAccess,HTTPS:supportsHttpsTrafficOnly}'
   ```
2. **Blob container list with public access level** — per storage account
   ```bash
   az storage container list \
     --account-name mystorageaccount \
     --output json \
     --query '[].{Name:name,PublicAccess:properties.publicAccess}'
   ```
3. **Storage account network rules** — firewall and private endpoint config
   ```bash
   az storage account show --name mystorageaccount --resource-group my-rg \
     --query '{NetworkRules:networkRuleSet,PrivateEndpoints:privateEndpointConnections}'
   ```

**Minimum required Azure RBAC role to run the CLI commands above (read-only):**
```json
{
  "role": "Storage Account Contributor",
  "scope": "Subscription",
  "note": "Use 'Reader' role at minimum for account-level config; 'Storage Blob Data Reader' to list containers"
}
```

If the user cannot provide any data, ask them to describe how many storage accounts they have, what data those accounts contain, and whether any are intentionally public.

## Checks
- Storage accounts with `allowBlobPublicAccess = true` at account level
- Containers with `publicAccess = blob` or `container` (anonymous read)
- Storage accounts not requiring HTTPS (`supportsHttpsTrafficOnly = false`)
- Storage accounts with shared access keys not rotated in > 90 days
- Storage accounts without private endpoint (accessible via public internet)
- Missing soft delete (blob and container) — ransomware protection
- Missing blob versioning on critical data storage
- SAS tokens: overly permissive, no expiry, or used as permanent credentials
- Storage accounts with no diagnostic logging
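As an added example (not part of this SKILL.md or the author's project), the Python script below runs the subset of the checks above that can actually be decided from the three `az` queries in Required Inputs, applies the "confirm no credentials are included" rule before parsing anything, and renders the Findings Table described under Output Format. All sample output is constructed: the account, resource group, container and private endpoint names are made up, and the secret patterns are a heuristic assumption rather than a complete secret scanner. Key rotation age, SAS usage, soft delete, versioning and diagnostic logging are deliberately left out because those queries do not return that data.

```python
import json
import re

# Constructed sample output shaped like the three az CLI queries in this SKILL.md.
# Account, resource group and container names are made up for the example.
ACCOUNTS_JSON = """[
  {"Name": "corpdata01", "RG": "prod-rg", "PublicAccess": true,  "HTTPS": true},
  {"Name": "backups02",  "RG": "prod-rg", "PublicAccess": false, "HTTPS": false},
  {"Name": "archive03",  "RG": "dev-rg",  "PublicAccess": false, "HTTPS": true}
]"""

CONTAINERS_JSON = {  # per-account output of `az storage container list` (constructed)
    "corpdata01": """[
      {"Name": "public-site", "PublicAccess": "container"},
      {"Name": "invoices",    "PublicAccess": "blob"},
      {"Name": "internal",    "PublicAccess": null}
    ]""",
    "backups02": """[{"Name": "db-dumps", "PublicAccess": null}]""",
}

NETWORK_JSON = {  # per-account output of `az storage account show --query ...` (constructed)
    "corpdata01": """{"NetworkRules": {"defaultAction": "Allow", "ipRules": []},
                      "PrivateEndpoints": []}""",
    "backups02": """{"NetworkRules": {"defaultAction": "Deny", "ipRules": []},
                     "PrivateEndpoints": [{"id": "/subscriptions/PLACEHOLDER/pe1"}]}""",
    "archive03": """{"NetworkRules": {"defaultAction": "Allow", "ipRules": []},
                     "PrivateEndpoints": []}""",
}

# Material the skill must never process: an account key inside a connection
# string, or a SAS signature. Assumed heuristic patterns, not a full secret scanner.
SECRET_PATTERNS = [
    re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}"),
    re.compile(r"[?&;]sig=[A-Za-z0-9%+/=]{20,}"),
]

def contains_secret_material(text):
    """True if pasted text looks like it carries an account key or SAS signature."""
    return any(p.search(text) for p in SECRET_PATTERNS)

def finding(account, container, issue, risk):
    return {"account": account, "container": container, "issue": issue, "risk": risk}

def audit_account(acct):
    """Account-level checks: public access flag and HTTPS enforcement."""
    out = []
    if acct.get("PublicAccess") is True:
        out.append(finding(acct["Name"], "-", "allowBlobPublicAccess enabled at account level", "High"))
    if acct.get("HTTPS") is False:
        out.append(finding(acct["Name"], "-", "HTTPS not required (supportsHttpsTrafficOnly = false)", "High"))
    return out

def audit_containers(account, containers):
    """Anonymous read on a container is fully unauthenticated access: Critical."""
    out = []
    for c in containers:
        level = c.get("PublicAccess")
        if level in ("blob", "container"):
            out.append(finding(account, c["Name"], f"anonymous read enabled (publicAccess = {level})", "Critical"))
    return out

def audit_network(account, net):
    """Firewall default action and private endpoint presence."""
    out = []
    rules = net.get("NetworkRules") or {}
    if rules.get("defaultAction") == "Allow":
        out.append(finding(account, "-", "network rules default to Allow (reachable from any public IP)", "High"))
    if not net.get("PrivateEndpoints"):
        out.append(finding(account, "-", "no private endpoint configured", "Medium"))
    return out

RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2}

def run_audit(accounts_json, containers_json_by_account, network_json_by_account):
    """Parse pasted CLI output and return findings sorted by risk.

    Refuses to proceed if any input looks like it contains a key or SAS token,
    which is the "confirm no credentials are included" rule from this SKILL.md.
    """
    for raw in [accounts_json, *containers_json_by_account.values(), *network_json_by_account.values()]:
        if contains_secret_material(raw):
            raise ValueError("input appears to contain a key or SAS token; remove it before auditing")
    findings = []
    for acct in json.loads(accounts_json):
        name = acct["Name"]
        findings += audit_account(acct)
        if name in containers_json_by_account:
            findings += audit_containers(name, json.loads(containers_json_by_account[name]))
        if name in network_json_by_account:
            findings += audit_network(name, json.loads(network_json_by_account[name]))
    return sorted(findings, key=lambda f: RISK_ORDER[f["risk"]])

def findings_table(findings):
    """Render the Findings Table from the Output Format section as Markdown."""
    rows = ["| Account | Container | Issue | Risk |", "|---|---|---|---|"]
    rows += [f"| {f['account']} | {f['container']} | {f['issue']} | {f['risk']} |" for f in findings]
    return "\n".join(rows)

if __name__ == "__main__":
    print(findings_table(run_audit(ACCOUNTS_JSON, CONTAINERS_JSON, NETWORK_JSON)))
```

On the sample data this yields eight findings: the two anonymously readable containers on `corpdata01` come out first as Critical, and `backups02` is flagged only for not enforcing HTTPS because its firewall defaults to Deny and it has a private endpoint. Replacing the three constants with real `az` output for the same queries is all that is needed to run it on an actual subscription.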

## Output Format
- **Critical Findings**: publicly accessible containers with data risk estimate
- **Findings Table**: storage account, container, issue, risk, estimated sensitivity
- **Hardened Policy**: ARM/Bicep template per finding
- **SAS Token Policy**: short-lived, minimal-permission SAS generation guide
- **Azure Policy**: deny public blob access org-wide

## Rules
- Use account/container naming to estimate data sensitivity
- Microsoft recommends disabling shared key access — use Entra ID auth + RBAC instead
- Note: "Anonymous access" in Azure = completely unauthenticated — treat as Critical
- Always recommend Microsoft Defender for Storage for malware scanning
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing