Skill details (site mirror, no comments)
Author: Anmol Nagpal @anmolnagpal
License: MIT-0
MIT-0 · Free to use, modify and redistribute. No attribution required.
Version: v1.0.0
Stats: ⭐ 0 · 181 · 1 current installs · 1 all-time installs
Package: anmolnagpal/key-vault-auditor
Security scan (ClawHub):
- VirusTotal: benign
- OpenClaw: benign
OpenClaw assessment
The skill is instruction-only and its requested inputs and behavior align with an Azure Key Vault audit workflow; it does not request credentials or install code, but users must avoid pasting sensitive secrets when providing CLI output.
Purpose
The name/description (Key Vault auditing) match the runtime instructions: the skill asks users to provide az CLI outputs and inspects vault configuration, access policies, and secret hygiene. It does not request unrelated credentials or services.
Instruction scope
SKILL.md explicitly states the skill is instruction-only and will not run az CLI itself, and it instructs the user which CLI outputs to paste. Minor inconsistency: the front-matter lists 'bash' as a tool which could imply execution, but the body clarifies no direct execution. The instructions appropriately avoid asking for credentials and warn users to confirm no secrets are included; still, this relies on the user to redact sensitive values b…
Install mechanism
No install specification or code is included (instruction-only), so nothing is written to disk or downloaded.
Credentials
No environment variables, credentials, or config paths are required. The SKILL.md correctly requests only read-only CLI outputs and recommends the minimum read-only RBAC role (Key Vault Reader) needed to produce those outputs.
Persistence
The skill is not marked always:true, does not request persistent presence, and does not modify agent/system configurations. Autonomous invocation is allowed by default but is not combined with broad privileges or credential access.
Overall conclusion
This skill appears coherent and low-risk because it only asks you to provide exported az CLI output (read-only). Before using it: (1) do the az commands locally in your environment, redact or remove any secret values or connection strings before pasting output, and prefer sharing only the minimal JSON objects needed (vault properties, accessPolicies, role assignments, secret metadata). (2) Confirm you are not pasting secret values, private key…
Install (copy to the Lobster AI)
Copy the whole block below into a 龙虾中文库 conversation; the Lobster agent completes the installation by following SKILL.md.
Please hand this block to 龙虾中文库 (Lobster AI) to execute: install the OpenClaw skill "Key Vault Auditor" on this machine. Summary: Audit Azure Key Vault configuration, access policies, and secret hygiene for cr….
Please fetch the following URL, read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/anmolnagpal/key-vault-auditor/SKILL.md
(Source: yingzhi8.cn skill library)
SKILL.md
---
name: azure-key-vault-auditor
description: Audit Azure Key Vault configuration, access policies, and secret hygiene for credential exposure risks
tools: claude, bash
version: "1.0.0"
pack: azure-security
tier: security
price: 49/mo
permissions: read-only
credentials: none — user provides exported data
---
# Azure Key Vault & Secrets Security Auditor
You are an Azure Key Vault security expert. Misconfigured Key Vaults expose your most sensitive credentials.
> **This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.**
## Required Inputs
Ask the user to provide **one or more** of the following (the more provided, the better the analysis):
1. **Key Vault list with network settings** — all vaults and their configurations
```bash
az keyvault list --output json
az keyvault show --name my-vault --output json
```
2. **Key Vault access policies or RBAC assignments** — who can access what
```bash
az keyvault show --name my-vault --query 'properties.accessPolicies' --output json
az role assignment list --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/my-vault --output json
```
3. **Secret and certificate expiry status** — near-expiry items
```bash
az keyvault secret list --vault-name my-vault --output json
az keyvault certificate list --vault-name my-vault --output json
```
**Minimum required Azure RBAC role to run the CLI commands above (read-only):**
```json
{
"role": "Key Vault Reader",
"scope": "Key Vault resource",
"note": "Use 'Reader' at subscription scope for vault list; 'Key Vault Reader' to inspect vault configuration"
}
```
If the user cannot provide any data, ask them to describe: how many Key Vaults they have, whether the vaults use public or private network access, and how secrets are rotated.
## Checks
- Key Vault with public network access enabled (no IP firewall or private endpoint)
- Key Vault using legacy Access Policies instead of Azure RBAC
- Over-privileged access: Key Vault Administrator or Key Vault Secrets Officer granted broadly
- Expired or near-expiry (< 30 days) certificates, keys, and secrets
- Secrets not rotated in > 90 days
- Soft delete disabled (Key Vault can be permanently deleted)
- Purge protection disabled (deleted secrets can be purged before retention period)
- Key Vault diagnostic logging disabled (no audit trail)
- Applications using hardcoded connection strings instead of Key Vault references
- Managed identities not used (service principals with long-lived secrets instead)
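As an added example (not part of the skill or the original page), here is how the configuration, expiry and rotation checks above can be applied in code to the pasted CLI output. The script parses constructed samples shaped like `az keyvault show` and `az keyvault secret list` JSON (field names follow the az CLI output; the sample values, the severities and the fixed reference date are assumptions made for this example) and emits severity-tagged findings, using the 30-day and 90-day thresholds from the check list.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed sample shaped like `az keyvault show --output json` (trimmed to the audited fields)
VAULT_JSON = """{"name": "my-vault", "properties": {
  "publicNetworkAccess": "Enabled",
  "networkAcls": {"defaultAction": "Allow", "ipRules": []},
  "enableRbacAuthorization": false, "enableSoftDelete": true, "enablePurgeProtection": null,
  "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000001",
                      "permissions": {"secrets": ["all"], "keys": [], "certificates": []}}]}}"""
# Constructed sample shaped like `az keyvault secret list --output json` (metadata only, no secret values)
SECRETS_JSON = """[
 {"name": "db-password", "attributes": {"expires": "2024-03-20T00:00:00+00:00", "updated": "2023-11-01T00:00:00+00:00"}},
 {"name": "api-key", "attributes": {"expires": null, "updated": "2024-02-20T00:00:00+00:00"}}]"""
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # assumed fixed reference time so results are repeatable

def audit_vault(vault: dict) -> list:
    """Configuration checks over one `az keyvault show` object; returns (severity, finding) pairs."""
    p, out = vault["properties"], []
    acls = p.get("networkAcls") or {}
    no_firewall = acls.get("defaultAction", "Allow") == "Allow" and not acls.get("ipRules")
    if p.get("publicNetworkAccess", "Enabled") == "Enabled" and no_firewall:
        out.append(("Critical", "public network access enabled with no IP firewall"))
    if not p.get("enableRbacAuthorization"):
        out.append(("Medium", "legacy access policies in use instead of Azure RBAC"))
        for pol in p.get("accessPolicies", []):
            if "all" in [x.lower() for x in (pol["permissions"].get("secrets") or [])]:
                out.append(("High", f"access policy for {pol['objectId']} grants all secret permissions"))
    if not p.get("enableSoftDelete"):
        out.append(("High", "soft delete disabled: vault can be permanently deleted"))
    if not p.get("enablePurgeProtection"):
        out.append(("High", "purge protection disabled: deleted secrets can be purged early"))
    return out

def audit_secrets(secrets: list, now: datetime = NOW) -> list:
    """Expiry (< 30 days) and rotation (> 90 days) checks over `az keyvault secret list` metadata."""
    out = []
    for s in secrets:
        a, name = s["attributes"], s["name"]
        if a.get("expires") and datetime.fromisoformat(a["expires"]) - now < timedelta(days=30):
            out.append(("High", f"{name} expired or expires within 30 days"))
        if a.get("updated") and now - datetime.fromisoformat(a["updated"]) > timedelta(days=90):
            out.append(("Medium", f"{name} not rotated in over 90 days"))
    return out
def audit_exported(vault_json: str, secrets_json: str, now: datetime = NOW) -> list:
    """Parse the pasted CLI JSON (vault object plus secret list) and run both audits."""
    return audit_vault(json.loads(vault_json)) + audit_secrets(json.loads(secrets_json), now)
if __name__ == "__main__":
    for sev, msg in audit_exported(VAULT_JSON, SECRETS_JSON):
        print(f"[{sev}] {msg}")
```

Only secret metadata (names, timestamps) is read; the script never needs secret values, matching the skill's read-only input rule.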
## Output Format
- **Critical Findings**: public access, disabled protections
- **Findings Table**: vault name, finding, risk, remediation
- **Hardened Bicep Template**: per finding with network rules + RBAC
- **Secret Rotation Plan**: rotation schedule recommendations per secret type
- **Managed Identity Migration**: guide to replace client secrets with managed identity
## Rules
- Public Key Vault + no IP firewall = any internet user can attempt access — always Critical
- Recommend Key Vault references in App Service / Functions instead of env vars
- Note: one Key Vault per application/environment is the recommended pattern
- Flag if Key Vault is shared across production and non-production — blast radius risk
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing