OpenClaw

Skill details (site mirror, no comments)


Security monitoring and infrastructure health checks for OpenClaw agents. Run breach monitoring (HaveIBeenPwned), SSL certificate expiry checks, GitHub security audits, credential rotation tracking, secret scanning, git hygiene, token watchdog, and permission audits. Use when …

Development & DevOps

License: MIT-0

MIT-0 · Free to use, modify, and redistribute. No attribution required.

Version: v1.0.0

Stats: ⭐ 0 · 1.5k · 0 current installs · 0 all-time installs


🛡 VirusTotal: Suspicious · OpenClaw: Suspicious

Package:arc-claw-bot/arc-sentinel

Security scan (ClawHub)

  • VirusTotal: Suspicious
  • OpenClaw: Suspicious

OpenClaw Assessment

The skill's code and runtime instructions broadly match its stated purpose (local security and secret/token auditing) but there are several mismatches and privacy risks you should understand before installing and running it.

Purpose

The name/description (arc-sentinel — SSL, breach checks, GitHub audits, secret scanning, token watchdog, permission audits) match the included scripts, which implement those checks. However registry metadata (no required binaries, no env vars listed) does not declare dependencies that SKILL.md and the scripts explicitly require (openssl, gh, curl, python3). This metadata mismatch is unexpected and should be corrected.

Instruction scope

Runtime instructions tell the agent to run sentinel.sh which executes multiple scanners that read many sensitive locations (e.g., ~/.ssh, ~/.aws/credentials, ~/.docker/config.json, ~/.kube/config, ~/.config/fulcra/token.json, LaunchAgents, other skills under ~/.openclaw/workspace/skills). The scanners also grep repository contents and git history and will write findings (including matched secret strings) to stdout and JSON/text reports in repo…

Install mechanism

No install spec — instruction-only with bundled scripts. This lowers supply-chain risk (nothing downloaded at install time). All code is present in the package, so reviewable before execution.

Credentials

Registry metadata declares no required environment variables or primary credential, yet the code reads environment and configuration (HOME, AWS_ACCESS_KEY_ID, KUBECONFIG, and many files under $HOME). SKILL.md documents HIBP API key as optional, but this (and other credentials) are not declared in the skill metadata. The scripts access many sensitive config paths and may include secret values in reports; requiring explicit declaration of which …

Persistence

always:false (not force-included) and default model invocation settings are used. The skill does not request to modify other skills' configs or set always:true. It will, however, by default scan the skills directory (~/.openclaw/workspace/skills) which reads other skills' files — that is a privileged read action but appears consistent with its auditing purpose and is not the same as persisting or escalating privileges.

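Install (copy to Lobster AI)

Copy the entire block below into a 龙虾中文库 (Lobster Chinese Library) conversation; Lobster will complete the installation by following SKILL.md.

Please hand this passage to 龙虾中文库 (Lobster AI) to execute: install the OpenClaw skill "Arc Sentinel" on this machine. Summary: Security monitoring and infrastructure health checks for OpenClaw agents. Run b….
Please fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/arc-claw-bot/arc-sentinel/SKILL.md
(Source: yingzhi8.cn skill library)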

SKILL.md


---
name: arc-sentinel
description: Security monitoring and infrastructure health checks for OpenClaw agents. Run breach monitoring (HaveIBeenPwned), SSL certificate expiry checks, GitHub security audits, credential rotation tracking, secret scanning, git hygiene, token watchdog, and permission audits. Use when performing security scans, checking credential rotation status, auditing repos for leaked secrets, or monitoring SSL certificates and infrastructure health.
---

# Arc Sentinel

Security monitoring toolkit for OpenClaw agents. Runs automated checks against your infrastructure and reports issues.

## Configuration

Before first use, create `sentinel.conf` in the skill directory:

```bash
cp sentinel.conf.example sentinel.conf
```

Edit `sentinel.conf` with your values:
- **DOMAINS** — Space-separated list of domains to check SSL certificates
- **GITHUB_USER** — GitHub username for repo audits
- **KNOWN_REPOS** — Space-separated list of expected repo names (unexpected repos trigger warnings)
- **MONITOR_EMAIL** — Email address for HaveIBeenPwned breach checks
- **HIBP_API_KEY** — Optional; HIBP v3 API key ($3.50/mo) for automated breach lookups

Also customize `credential-tracker.json` with your own credentials and rotation policies. A template is provided.

## Quick Start

### Full scan
```bash
# Replace /path/to/arc-sentinel with the skill directory
cd /path/to/arc-sentinel
bash sentinel.sh
```

### Output
- Formatted report to stdout with color-coded severity
- JSON report saved to `reports/YYYY-MM-DD.json`
- Exit codes: `0` = all clear, `1` = warnings, `2` = critical

## Checks

### 1. SSL Certificate Expiry
Check certificate expiry for configured domains. Warns at <30 days, critical at <14 days.
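
The thresholds above, worked through as an added example (not the skill's own code). It assumes the check receives the text printed by `openssl x509 -noout -enddate`, treats an unreadable certificate as critical, and maps the worst result to the exit codes listed under Output; the domains and dates are constructed.

```python
import ssl

WARN_DAYS = 30      # SKILL.md: warn at <30 days
CRITICAL_DAYS = 14  # SKILL.md: critical at <14 days
EXIT_CODE = {"OK": 0, "WARN": 1, "CRITICAL": 2}  # SKILL.md: sentinel.sh exit codes


def days_left(enddate_output, now):
    """Whole days until notAfter in `openssl x509 -noout -enddate` text, else None."""
    for line in enddate_output.splitlines():
        if line.startswith("notAfter="):
            try:
                return (ssl.cert_time_to_seconds(line[9:].strip()) - now) // 86400
            except ValueError:
                return None
    return None


def classify(days):
    # Assumption: an unreadable certificate is CRITICAL, so a failed check never looks healthy.
    if days is None or days < CRITICAL_DAYS:
        return "CRITICAL"
    if days < WARN_DAYS:
        return "WARN"
    return "OK"


def scan(outputs, now):
    """outputs: {domain: openssl text}. Returns ({domain: (days, severity)}, exit code)."""
    results = {}
    for domain, text in outputs.items():
        days = days_left(text, now)
        results[domain] = (days, classify(days))
    return results, max((EXIT_CODE[s] for _, s in results.values()), default=0)


# Constructed sample data: a fixed clock and made-up openssl output.
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")
SAMPLE = {
    "ok.example": "notAfter=Jun  1 12:00:00 2025 GMT",
    "soon.example": "notAfter=Jan 21 00:00:00 2025 GMT",
    "urgent.example": "notAfter=Jan 10 00:00:00 2025 GMT",
    "down.example": "connect: Connection refused",
}

if __name__ == "__main__":
    results, code = scan(SAMPLE, NOW)
    print(results)
    raise SystemExit(code)
```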

### 2. GitHub Security
- List repos and check Dependabot/vulnerability alert status
- Review recent account activity for anomalies
- Flag unexpected repositories

### 3. Breach Monitoring (HaveIBeenPwned)
- Query HIBP API for breached accounts (requires API key)
- Falls back to manual check URL if no key is set

### 4. Credential Rotation Tracking
Read `credential-tracker.json` and flag credentials that are overdue, approaching expiry, or never rotated. Supports policies: `quarterly` (90d), `6_months` (180d), `annual` (365d), `auto`.
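
One way to evaluate the rotation policies listed above, as an added example that is not the skill's own code. The JSON layout (`credentials`, `name`, `policy`, `last_rotated`), the 14-day "approaching" window and the handling of `auto` are assumptions; the real `credential-tracker.json` template may differ.

```python
import json
from datetime import date

# Policy lengths in days, as listed in SKILL.md. "auto" has no fixed interval.
POLICY_DAYS = {"quarterly": 90, "6_months": 180, "annual": 365}
SOON_DAYS = 14  # assumption: how close to the deadline counts as "approaching"


def rotation_status(entry, today):
    """Return (status, days_remaining) for one tracker entry."""
    policy = entry.get("policy")
    if policy == "auto":
        return "auto", None            # assumption: rotated automatically, not tracked
    if policy not in POLICY_DAYS:
        return "unknown_policy", None  # surface typos instead of silently skipping
    last = entry.get("last_rotated")
    if not last:
        return "never_rotated", None
    try:
        age = (today - date.fromisoformat(last)).days
    except ValueError:
        return "bad_date", None
    remaining = POLICY_DAYS[policy] - age
    if remaining < 0:
        return "overdue", remaining
    if remaining <= SOON_DAYS:
        return "approaching", remaining
    return "ok", remaining


def audit(tracker_json, today):
    """Map credential name -> (status, days_remaining)."""
    entries = json.loads(tracker_json)["credentials"]
    return {e["name"]: rotation_status(e, today) for e in entries}


# Constructed sample; field names are hypothetical, not taken from the skill.
SAMPLE = """{"credentials": [
  {"name": "github-pat",   "policy": "quarterly", "last_rotated": "2024-08-01"},
  {"name": "hibp-api-key", "policy": "annual",    "last_rotated": "2024-01-10"},
  {"name": "deploy-ssh",   "policy": "6_months",  "last_rotated": null},
  {"name": "cloud-oidc",   "policy": "auto",      "last_rotated": null},
  {"name": "db-password",  "policy": "quarterly", "last_rotated": "2024-11-20"},
  {"name": "legacy-token", "policy": "yearly",    "last_rotated": "2024-06-01"}
]}"""

if __name__ == "__main__":
    for name, (status, left) in audit(SAMPLE, date(2025, 1, 1)).items():
        print(f"{status:15} {name} days_remaining={left}")
```

Reporting `unknown_policy` and `bad_date` separately keeps a mistyped tracker entry from being counted as healthy.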

## Additional Scripts

| Script | Purpose |
|--------|---------|
| `scripts/secret-scanner.sh` | Scan repos/files for leaked secrets and API keys |
| `scripts/git-hygiene.sh` | Audit git history for security issues |
| `scripts/token-watchdog.sh` | Monitor token validity and expiry |
| `scripts/permission-auditor.sh` | Audit file and access permissions |
| `scripts/skill-auditor.sh` | Audit installed skills for security |
| `scripts/full-audit.sh` | Run all scripts in sequence |

## Agent Usage

During heartbeats or on request:
1. Run `bash sentinel.sh` from the skill directory
2. Review output for WARN or CRITICAL items
3. Report findings to the human if anything needs attention
4. Update `credential-tracker.json` when credentials are rotated

## Cron Setup
```bash
# Weekly Monday 9am
0 9 * * 1 cd /path/to/arc-sentinel && bash sentinel.sh >> reports/cron.log 2>&1
```

## Requirements
- `openssl` (SSL checks)
- `gh` CLI authenticated (GitHub checks)
- `curl` (HIBP)
- `python3` (JSON processing)