Openclaw Triage

Incident response and forensics for agent workspaces. Investigate compromises, build timelines, assess blast radius, and collect evidence. Cross-references data from warden, ledger, signet, and sentinel for unified analysis. Free alert layer — upgrade to openclaw-triage-pro fo…


License: MIT-0

MIT-0 · Free to use, modify and redistribute. No attribution required.

Version: v1.0.2

Stats: ⭐ 1 · 1.3k · 2 current installs · 2 all-time installs

Package: atlaspa/openclaw-triage

Security scan (ClawHub)

  • VirusTotal: benign
  • OpenClaw: benign

OpenClaw assessment

The skill's code and instructions are coherent with an on‑workspace incident response tool: it scans and collects local workspace files, cross‑references OpenClaw security artifacts, and writes evidence into a .triage directory — nothing obviously mismatched or requesting unrelated credentials.

Purpose

Name/description describe workspace triage and the skill only requires python3 and local filesystem access. Declared cross‑references (.integrity, .ledger, .signet, .sentinel) match the checks implemented in the script.

Instruction scope

Instructions and the script read the entire workspace, build timelines, compute hashes, and copy security tool data into .triage/evidence. This is expected for forensics, but it will access and collect potentially sensitive files (credentials, skill code, configs). The SKILL.md claims 'no network calls' and the visible code appears local‑only, but the script imports subprocess and other modules — review the remainder of the file for any networ…

Install mechanism

No install spec; the skill is instruction/code only and requires only python3 on PATH. Nothing is downloaded or written to system locations outside the workspace when run.

Credentials

The skill requests no environment variables, no external credentials, and only accesses workspace files and known OpenClaw tool paths. The lack of declared secrets is proportionate to the stated purpose.

Persistence

The tool writes state/evidence and may create quarantine/backups under .triage within the workspace (normal for a triage tool). always:false (not force‑installed). If you run remediation/quarantine actions those will modify workspace files — follow the guidance to take evidence first.

Overall conclusion

This appears to be a coherent local triage tool, but review and treat it carefully before use: 1) Inspect the full scripts/triage.py for any network or subprocess commands that could transmit data; although the SKILL.md says 'no network calls', the code imports subprocess — verify there are none. 2) Run it against a copy of the workspace (or point --workspace to a snapshot) first to avoid accidental changes. 3) Expect it to collect and store p…

Install

Fetch the skill's SKILL.md from the upstream repository and follow it: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/atlaspa/openclaw-triage/SKILL.md
(Source: yingzhi8.cn skill library)

SKILL.md


---
name: openclaw-triage
user-invocable: true
metadata: {"openclaw":{"emoji":"🚨","requires":{"bins":["python3"]},"os":["darwin","linux","win32"]}}
---

# OpenClaw Triage

Incident response and forensics for agent workspaces. When something goes wrong — a skill behaves unexpectedly, files change without explanation, or another security tool flags an anomaly — triage investigates what happened, assesses the damage, and guides recovery.

This is the "detective" that pulls together evidence from all OpenClaw security tools into a unified incident report.


## Commands

### Full Investigation

Run a comprehensive incident investigation. Collects workspace state, checks for signs of compromise (recently modified critical files, new skills, unusual permissions, off-hours modifications, large files, hidden files), cross-references with warden/ledger/signet/sentinel data, builds an event timeline, and calculates an incident severity score (CRITICAL / HIGH / MEDIUM / LOW).

```bash
python3 {baseDir}/scripts/triage.py investigate --workspace /path/to/workspace
```
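The compromise indicators listed above (recently modified critical files, new skills, unusual permissions, off-hours modifications, large files, hidden files) can be checked from plain file metadata. The following is an added example, not the skill's own `triage.py`: the critical-file set, the 24-hour window, the 10 MiB size limit, the 00:00-05:59 UTC off-hours band and the severity assigned to each indicator are assumptions, and the file records are constructed rather than read from disk so the run is deterministic.

```python
import stat
from datetime import datetime, timezone

# Assumed thresholds and paths; the skill's own values are not documented on the page.
CRITICAL_FILES = {"AGENTS.md", "SKILL.md"}
TOOL_DIRS = {".integrity", ".ledger", ".signet", ".sentinel"}   # expected hidden dirs
RECENT_SEC = 24 * 3600
LARGE_BYTES = 10 * 1024 * 1024
OFF_HOURS = range(0, 6)   # 00:00-05:59 UTC


def is_hidden(path):
    """True for dot-files/dot-dirs that are not one of the known security tool dirs."""
    parts = path.split("/")
    return any(p.startswith(".") for p in parts) and parts[0] not in TOOL_DIRS


def investigate(entries, now, known_skills):
    """Return findings ({severity, reason, path}) for a list of file records.

    entries: dicts with path (workspace-relative, '/'-separated), size, mtime, mode.
    known_skills: skill directory names from the last known-good baseline.
    """
    findings = []
    seen_new_skills = set()

    def add(sev, reason, path):
        findings.append({"severity": sev, "reason": reason, "path": path})

    for e in entries:
        path, parts = e["path"], e["path"].split("/")
        recent = now - e["mtime"] <= RECENT_SEC
        if path in CRITICAL_FILES and recent:
            add("high", "critical file modified recently", path)
        if parts[0] == "skills" and len(parts) > 1:
            skill = parts[1]
            # Report each unknown skill once, not once per file inside it.
            if skill not in known_skills and skill not in seen_new_skills:
                seen_new_skills.add(skill)
                add("high", "new skill not in baseline", f"skills/{skill}")
        if e["mode"] & stat.S_IWOTH:
            add("medium", "world-writable file", path)
        if recent and datetime.fromtimestamp(e["mtime"], tz=timezone.utc).hour in OFF_HOURS:
            add("medium", "off-hours modification", path)
        if e["size"] >= LARGE_BYTES:
            add("low", "large file", path)
        if is_hidden(path):
            add("low", "hidden file", path)
    return findings


NOW = 1_700_000_000   # 2023-11-14 22:13:20 UTC, constructed reference time


def sample_entries():
    """Constructed file records standing in for a real os.walk() of a workspace."""
    return [
        {"path": "AGENTS.md", "size": 2048, "mtime": NOW - 600, "mode": 0o644},
        {"path": "skills/weather/main.py", "size": 4096, "mtime": NOW - 2 * 86400, "mode": 0o644},
        {"path": "skills/dropper/run.py", "size": 512, "mtime": NOW - 3600, "mode": 0o644},
        {"path": ".cache/blob.bin", "size": 50 * 1024 * 1024, "mtime": NOW - 5 * 86400, "mode": 0o666},
        {"path": "memory/notes.md", "size": 300, "mtime": NOW - 20 * 3600, "mode": 0o644},
        {"path": ".ledger/chain.jsonl", "size": 900, "mtime": NOW - 300, "mode": 0o644},
    ]


if __name__ == "__main__":
    for f in investigate(sample_entries(), NOW, known_skills={"weather"}):
        print(f"{f['severity']:8} {f['reason']:32} {f['path']}")
```

The baseline of known skills is what makes "new skill" meaningful; in practice it would come from the Signet or Warden manifest rather than a literal set. Hidden files are only flagged when they are not the expected tool directories, otherwise every healthy workspace would carry noise findings.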

### Event Timeline

Build a chronological timeline of all file modifications in the workspace. Groups events by hour, highlights suspicious burst activity (many files modified in a short window), shows which directories and skills were affected, and cross-references with ledger entries if available.

```bash
python3 {baseDir}/scripts/triage.py timeline --workspace /path/to/workspace
```

Look back further than the default 24 hours:

```bash
python3 {baseDir}/scripts/triage.py timeline --hours 72 --workspace /path/to/workspace
```
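The hourly grouping and burst highlighting described for the timeline command can be reproduced with a sliding window over modification times. This is an added example, not the skill's code: the burst definition (10 or more files within 5 minutes) is an assumption, `collect_events` walks a real directory, and `sample_events` supplies constructed timestamps so the burst logic can be checked without touching disk.

```python
import os
import time
from collections import defaultdict
from datetime import datetime, timezone

BURST_WINDOW_SEC = 300   # assumed: 10+ files modified within 5 minutes is a burst
BURST_MIN_FILES = 10


def collect_events(workspace, hours=24, now=None):
    """Walk `workspace` and return sorted (mtime, relative_path) pairs within `hours`."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    events = []
    for root, _dirs, files in os.walk(workspace):
        for name in files:
            full = os.path.join(root, name)
            try:
                mtime = os.stat(full).st_mtime
            except OSError:
                continue   # vanished or unreadable: skip rather than abort the timeline
            if mtime >= cutoff:
                events.append((mtime, os.path.relpath(full, workspace)))
    return sorted(events)


def group_by_hour(events):
    """Map 'YYYY-MM-DD HH:00' (UTC) -> list of paths, in chronological order."""
    buckets = defaultdict(list)
    for mtime, path in sorted(events):
        key = datetime.fromtimestamp(mtime, tz=timezone.utc).strftime("%Y-%m-%d %H:00")
        buckets[key].append(path)
    return dict(buckets)


def find_bursts(events, window=BURST_WINDOW_SEC, min_files=BURST_MIN_FILES):
    """Return (start_ts, end_ts, file_count) for each run of >= min_files events
    inside `window` seconds; overlapping windows are merged into one burst."""
    events = sorted(events)
    runs = []   # [start_index, end_index] into events
    left = 0
    for right, (t, _path) in enumerate(events):
        while t - events[left][0] > window:
            left += 1
        if right - left + 1 >= min_files:
            if runs and left <= runs[-1][1]:
                runs[-1][1] = right          # extends the burst already open
            else:
                runs.append([left, right])
    return [(events[a][0], events[b][0], b - a + 1) for a, b in runs]


def sample_events():
    """Constructed events: two isolated edits plus 12 files written 10 s apart."""
    base = 1_700_000_000   # 2023-11-14 22:13:20 UTC
    events = [(base, "AGENTS.md"), (base + 4 * 3600, "memory/notes.md")]
    events += [(base + 7200 + i * 10, f"skills/dropper/file{i}.py") for i in range(12)]
    return events


if __name__ == "__main__":
    ev = sample_events()
    for hour, paths in group_by_hour(ev).items():
        print(f"{hour}  {len(paths):3} file(s)")
    for start, end, n in find_bursts(ev):
        print(f"BURST: {n} files between {start} and {end}")
```

A burst of writes to many files under one skill directory is the pattern a timeline is meant to surface; the hourly buckets give the human-readable view, while `find_bursts` is what an automated severity score would consume.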

### Blast Radius (Scope)

Assess the blast radius of a potential compromise. Categorizes all files by risk level (critical, memory, skill, config), checks for credential exposure patterns in recently modified files, scans for outbound exfiltration URLs, and estimates scope as CONTAINED (single area), SPREADING (multiple skills), or SYSTEMIC (workspace-level).

```bash
python3 {baseDir}/scripts/triage.py scope --workspace /path/to/workspace
```
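As an added example (not the skill's own scope implementation), the categorisation, credential-pattern check, URL scan and CONTAINED / SPREADING / SYSTEMIC estimate can be written over a mapping of recently modified paths to their contents. The path conventions (`skills/<name>/`, `memory/`, config suffixes), the secret regexes, and the scope rules (SYSTEMIC when a critical file is touched, SPREADING when two or more skills are) are assumptions; the modified files are constructed and the AWS key is the public `AKIAIOSFODNN7EXAMPLE` placeholder.

```python
import re
from collections import Counter

# Assumed path conventions and patterns; the skill's own rules are not on the page.
TOOL_DIRS = {".integrity", ".ledger", ".signet", ".sentinel"}
CRITICAL_FILES = {"AGENTS.md", "SKILL.md"}
CONFIG_SUFFIXES = (".json", ".yaml", ".yml", ".toml", ".env", ".ini")
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def categorize(path):
    """Risk category of a workspace-relative, '/'-separated path."""
    parts = path.split("/")
    if path in CRITICAL_FILES or parts[0] in TOOL_DIRS:
        return "critical"
    if parts[0] == "memory" or path == "MEMORY.md":
        return "memory"
    if parts[0] == "skills":
        return "skill"
    if path.endswith(CONFIG_SUFFIXES):
        return "config"
    return "other"


def skill_name(path):
    parts = path.split("/")
    return parts[1] if parts[0] == "skills" and len(parts) > 2 else None


def estimate_scope(modified):
    """modified: {path: text content} for recently changed files. Returns the report."""
    categories = Counter(categorize(p) for p in modified)
    skills = sorted({s for s in map(skill_name, modified) if s})
    secrets, urls = {}, {}
    for path, text in modified.items():
        hits = sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))
        if hits:
            secrets[path] = hits
        found = URL_RE.findall(text)
        if found:
            urls[path] = found
    if categories["critical"]:
        scope = "SYSTEMIC"      # workspace-level files or tool data touched
    elif len(skills) >= 2:
        scope = "SPREADING"     # more than one skill affected
    else:
        scope = "CONTAINED"
    return {"scope": scope, "categories": dict(categories), "affected_skills": skills,
            "secrets": secrets, "urls": urls}


def sample_modified():
    """Constructed set of recently modified files with their contents."""
    return {
        "skills/weather/main.py": 'UPLOAD_URL = "https://collector.example.net/upload"\n',
        "skills/weather/config.json": '{"api_key": "abcdef0123456789abcdef", "units": "metric"}\n',
        "memory/notes.md": "remember: AKIAIOSFODNN7EXAMPLE is the demo key\n",
    }


if __name__ == "__main__":
    report = estimate_scope(sample_modified())
    print(report["scope"], report["categories"], report["affected_skills"])
    print("secrets:", report["secrets"])
    print("urls:", report["urls"])
```

The URL list is evidence, not a verdict: a legitimate skill may call an API, so the analyst compares each host against what the skill is documented to contact. Secret hits in memory or notes files matter because those are exactly the files an agent re-reads on every run.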

### Evidence Collection

Collect and preserve forensic evidence before remediation. Snapshots the full workspace state (file list with SHA-256 hashes, sizes, timestamps), copies all available security tool data (.integrity/, .ledger/, .signet/, .sentinel/), and generates a summary report. Always run this before any remediation to preserve the forensic trail.

```bash
python3 {baseDir}/scripts/triage.py evidence --workspace /path/to/workspace
```

Save to a custom output directory:

```bash
python3 {baseDir}/scripts/triage.py evidence --output /path/to/evidence/dir --workspace /path/to/workspace
```
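The evidence snapshot (file list with SHA-256 hashes, sizes and timestamps, plus copies of the four tool directories) is shown here as an added example, not the skill's own code. The manifest layout and the `manifest.sha256` seal are assumptions; the one detail worth noting is that when the output lives inside the workspace (the `.triage/evidence` default) the walk must prune its own output directory, otherwise a second collection hashes the first one. `demo` builds a constructed workspace in a temporary directory and collects it twice to show that.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

TOOL_DIRS = (".integrity", ".ledger", ".signet", ".sentinel")


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_workspace(workspace, output):
    """Hash every file under `workspace`, copy tool data into `output`, write a manifest."""
    workspace, output = Path(workspace).resolve(), Path(output).resolve()
    output.mkdir(parents=True, exist_ok=True)
    entries = []
    for root, dirs, files in os.walk(workspace):
        root_p = Path(root)
        # Prune the evidence directory so a rerun does not hash its own output.
        dirs[:] = [d for d in dirs
                   if (root_p / d).resolve() != output
                   and output not in (root_p / d).resolve().parents]
        for name in files:
            full = root_p / name
            rel = full.relative_to(workspace).as_posix()
            try:
                st = full.stat()
                entries.append({"path": rel, "size": st.st_size, "mtime": st.st_mtime,
                                "sha256": sha256_file(full)})
            except OSError as exc:
                entries.append({"path": rel, "error": str(exc)})   # record, do not abort
    copied = []
    for d in TOOL_DIRS:
        src = workspace / d
        if src.is_dir():
            shutil.copytree(src, output / "tools" / d, dirs_exist_ok=True)
            copied.append(d)
    manifest = {"workspace": str(workspace), "collected_at": time.time(),
                "files": sorted(entries, key=lambda e: e["path"]), "tool_data": copied}
    manifest_path = output / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    # Hash the manifest itself so later tampering with the evidence set is detectable.
    (output / "manifest.sha256").write_text(sha256_file(manifest_path) + "\n")
    return manifest


def demo():
    """Constructed workspace; returns the manifests of two consecutive collections."""
    ws = Path(tempfile.mkdtemp(prefix="ws-"))
    (ws / "AGENTS.md").write_text("# agents\n")
    (ws / "empty.txt").write_bytes(b"")
    (ws / "notes.txt").write_bytes(b"abc")
    (ws / "skills" / "hello").mkdir(parents=True)
    (ws / "skills" / "hello" / "main.py").write_text("print('hi')\n")
    (ws / ".ledger").mkdir()
    (ws / ".ledger" / "chain.jsonl").write_text('{"seq": 1}\n')
    first = snapshot_workspace(ws, ws / ".triage" / "evidence")
    second = snapshot_workspace(ws, ws / ".triage" / "evidence")
    return first, second


if __name__ == "__main__":
    first, _ = demo()
    for e in first["files"]:
        print(e.get("sha256", "ERROR"), e["path"])
    print("tool data copied:", first["tool_data"])
```

Copying the evidence set to storage the agent cannot write to is the next step; the `manifest.sha256` value written here is what gets recorded out of band so the copy can later be verified.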

### Quick Status

One-line summary of triage state: last investigation timestamp, current threat level, and whether evidence has been collected.

```bash
python3 {baseDir}/scripts/triage.py status --workspace /path/to/workspace
```

## Workspace Auto-Detection

If `--workspace` is omitted, the script tries:
1. `OPENCLAW_WORKSPACE` environment variable
2. Current directory (if AGENTS.md exists)
3. `~/.openclaw/workspace` (default)
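The resolution order above, written out as an added example (not the skill's own `triage.py`). The environment, working directory and home directory are injectable so the rules can be exercised against constructed directories; `check_workspace` is an added guard, because the default path is a guess and may not exist on the machine running triage.

```python
import os
import tempfile
from pathlib import Path


def resolve_workspace(explicit=None, env=None, cwd=None, home=None):
    """Return (path, source) where source names the rule that selected the path.

    Order: --workspace flag, OPENCLAW_WORKSPACE, current directory if it holds
    AGENTS.md, then ~/.openclaw/workspace. env/cwd/home default to the real process.
    """
    env = os.environ if env is None else env
    cwd = Path.cwd() if cwd is None else Path(cwd)
    home = Path.home() if home is None else Path(home)
    if explicit:
        return Path(explicit).expanduser().resolve(), "flag"
    if env.get("OPENCLAW_WORKSPACE"):
        return Path(env["OPENCLAW_WORKSPACE"]).expanduser().resolve(), "env"
    if (cwd / "AGENTS.md").is_file():
        return cwd.resolve(), "cwd"
    return (home / ".openclaw" / "workspace").resolve(), "default"


def check_workspace(path):
    """Refuse to scan a directory that is missing or does not look like a workspace root."""
    path = Path(path)
    if not path.is_dir():
        return False, f"{path} does not exist"
    if not (path / "AGENTS.md").is_file():
        return False, f"{path} has no AGENTS.md"
    return True, "ok"


def demo():
    """Exercise each rule with constructed directories; returns {rule: (path, source)}."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    ws_env, cwd, home = root / "env-ws", root / "cwd", root / "home"
    for d in (ws_env, cwd, home):
        d.mkdir()
    results = {}
    # An explicit flag wins even when the environment variable is also set.
    results["flag"] = resolve_workspace(explicit=str(ws_env),
                                        env={"OPENCLAW_WORKSPACE": str(cwd)}, cwd=cwd, home=home)
    results["env"] = resolve_workspace(env={"OPENCLAW_WORKSPACE": str(ws_env)}, cwd=cwd, home=home)
    results["default"] = resolve_workspace(env={}, cwd=cwd, home=home)   # no AGENTS.md yet
    (cwd / "AGENTS.md").write_text("# agents\n")
    results["cwd"] = resolve_workspace(env={}, cwd=cwd, home=home)
    results["check_default"] = check_workspace(results["default"][0])
    return results


if __name__ == "__main__":
    for rule, value in demo().items():
        print(f"{rule:14} -> {value}")
```

Logging which rule selected the workspace belongs in the incident report: an investigation that silently ran against `~/.openclaw/workspace` instead of the intended snapshot produces misleading evidence.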

## Cross-Reference Sources

Triage automatically checks for data from these OpenClaw tools:

| Tool | Data Path | What Triage Checks |
|------|-----------|-------------------|
| **Warden** | `.integrity/manifest.json` | Baseline deviations — files modified since last known-good state |
| **Ledger** | `.ledger/chain.jsonl` | Chain breaks, unparseable entries, suspicious log entries |
| **Signet** | `.signet/manifest.json` | Tampered skill signatures — skills modified after signing |
| **Sentinel** | `.sentinel/threats.json` | Known threats and high-severity findings |

## Incident Severity Levels

| Level | Meaning | Trigger |
|-------|---------|---------|
| **CRITICAL** | Immediate response required | Any critical finding, or 3+ high findings |
| **HIGH** | Investigation warranted | High-severity findings from any source |
| **MEDIUM** | Review recommended | Multiple medium findings or volume threshold |
| **LOW** | No immediate action | Informational findings only |

## Exit Codes

- `0` — Clean, no actionable findings
- `1` — Findings detected (investigation recommended)
- `2` — Critical findings (immediate action needed)
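The severity table and the exit codes combine into one scoring step. The following is an added example, not the skill's code: the CRITICAL and HIGH triggers follow the table literally, while "multiple medium findings" (read as two or more), the "volume threshold" (read as ten findings of any level) and LOW mapping to exit code 0 are assumptions. Findings are dicts with a `severity` field, such as those an indicator check would emit.

```python
from collections import Counter

LEVELS = ("low", "medium", "high", "critical")
MULTIPLE_MEDIUM = 2      # assumed reading of "multiple medium findings"
VOLUME_THRESHOLD = 10    # assumed "volume threshold": this many findings of any level
EXIT_CODES = {"CRITICAL": 2, "HIGH": 1, "MEDIUM": 1, "LOW": 0}   # LOW -> 0 assumed


def severity_counts(findings):
    """Count findings per severity; reject unknown labels instead of silently dropping them."""
    counts = Counter()
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev not in LEVELS:
            raise ValueError(f"unknown severity {sev!r} in finding {f!r}")
        counts[sev] += 1
    return counts


def incident_severity(findings):
    """Apply the severity table: first matching row wins, top to bottom."""
    c = severity_counts(findings)
    if c["critical"] or c["high"] >= 3:
        return "CRITICAL"
    if c["high"]:
        return "HIGH"
    if c["medium"] >= MULTIPLE_MEDIUM or sum(c.values()) >= VOLUME_THRESHOLD:
        return "MEDIUM"
    return "LOW"


def triage_result(findings):
    level = incident_severity(findings)
    return {"level": level, "counts": dict(severity_counts(findings)),
            "exit_code": EXIT_CODES[level]}


def sample_findings():
    """Constructed findings: two high, one medium, three low."""
    return [
        {"severity": "high", "reason": "critical file modified recently", "path": "AGENTS.md"},
        {"severity": "high", "reason": "new skill not in baseline", "path": "skills/dropper"},
        {"severity": "medium", "reason": "world-writable file", "path": ".cache/blob.bin"},
        {"severity": "low", "reason": "hidden file", "path": ".cache/blob.bin"},
        {"severity": "low", "reason": "large file", "path": ".cache/blob.bin"},
        {"severity": "low", "reason": "hidden file", "path": ".cache/state"},
    ]


if __name__ == "__main__":
    import sys
    result = triage_result(sample_findings())
    print(result)
    sys.exit(result["exit_code"])
```

Keeping the exit code derived from the level rather than set ad hoc lets a wrapper (cron, CI, another agent) react uniformly: `2` means stop and collect evidence, `1` means a human should look, `0` means nothing actionable.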

## No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

## Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.