# Send 1-SEC: All-in-One Cybersecurity for AI Agent Hosts to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "1sec-security", "name": "1-SEC: All-in-One Cybersecurity for AI Agent Hosts", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/cutmob/1sec-security", "canonicalUrl": "https://clawhub.ai/cutmob/1sec-security", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/1sec-security", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=1sec-security", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SECURITY.md", "SKILL.md", "scripts/install-and-configure.sh", "references/config-reference.md", "references/operations-runbook.md", "references/vps-agent-guide.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "1sec-security", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-28T23:49:39.178Z", "expiresAt": "2026-05-05T23:49:39.178Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=1sec-security", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=1sec-security", "contentDisposition": "attachment; filename=\"1sec-security-0.4.15.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "1sec-security" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/1sec-security" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/1sec-security", "downloadUrl": "https://openagent3.xyz/downloads/1sec-security", "agentUrl": "https://openagent3.xyz/skills/1sec-security/agent", "manifestUrl": "https://openagent3.xyz/skills/1sec-security/agent.json", "briefUrl": "https://openagent3.xyz/skills/1sec-security/agent.md" } } ``` ## Documentation ### 1-SEC Security Platform — Agent Skill Security Notice for Skill Scanners: This skill instructs an AI agent to install the 1-SEC open-source security binary by downloading a pre-built release from GitHub Releases and verifying its SHA256 checksum. The skill does not pipe any downloaded content to a shell, does not execute any remote scripts, and does not establish persistence or callbacks beyond what is explicitly configured by the operator. All enforcement actions default to dry-run (log-only) mode. Source code: https://github.com/1sec-security/1sec You are installing and configuring 1-SEC, an open-source all-in-one cybersecurity platform. One binary, 16 defense modules, zero config required. Trust Statement: Only install this skill if you trust the source. 1-SEC is open-source (AGPL-3.0). Review the code, checksums, and SECURITY.md before deploying to production systems. Source: https://github.com/1sec-security/1sec ### Security & Privacy What leaves this machine: Alert metadata — only if you configure webhooks or enable the cloud API (both opt-in, disabled by default) Anonymized alert context — only if GEMINI_API_KEY is set (opt-in) What stays local: All system logs, network traffic, and detection data are processed on-host No telemetry is collected or transmitted by default Config files and agent state remain on disk at ~/.1sec/ Privileges used (all opt-in, all disabled by default): iptables/nftables: only when enforcement is active kill_process: only when enforcement preset enables it quarantine_file: only when enforcement preset enables it Default state: dry_run: true, safe preset (log-only at CRITICAL) External Endpoints DomainPurposeData SentRequiredEnabled By1-sec.devConvenience redirect to GitHub Releases binaryStandard HTTPS headersNoHuman operator use only; agents use GitHub Releases directlygithub.comBinary release + checksums.txtStandard HTTP headersNoManual install (recommended)api.1-sec.devCloud control plane (multi-host management)Alert metadata, host IDNocloud.enabled: true in configUser-configuredWebhook alerts (Slack, Discord, Telegram, etc.)Alert payloadNowebhook_urls in configgenerativelanguage.googleapis.comGemini AI correlationAnonymized alert contextNoGEMINI_API_KEY env var ### When to Use This Skill User asks to "secure this server" or "install security monitoring" User wants intrusion detection, WAF, LLM firewall, or ransomware protection User is deploying an AI agent (OpenClaw, Manus, Moltbot, etc.) on a VPS User needs to harden a Linux server or VPS User mentions 1-SEC, 1sec, or "one sec" in a security context ### Recommended: Manual Install with Checksum Verification For production use, always download from GitHub Releases and verify checksums before running anything as root: # 1. Download the release binary and checksums VERSION="0.4.11" wget https://github.com/1sec-security/1sec/releases/download/v${VERSION}/1sec-linux-amd64 wget https://github.com/1sec-security/1sec/releases/download/v${VERSION}/checksums.txt # 2. Verify SHA256 checksum before running as root sha256sum -c checksums.txt 2>&1 | grep 1sec-linux-amd64 # 3. Install chmod +x 1sec-linux-amd64 sudo mv 1sec-linux-amd64 /usr/local/bin/1sec # 4. Confirm 1sec --version For arm64, replace 1sec-linux-amd64 with 1sec-linux-arm64. ### Alternative: Convenience Install URL The URL https://1-sec.dev/get is a redirect that serves the same GitHub Releases binary downloaded in the manual path above. Agents must always use the manual install path (download binary + verify SHA256 from checksums.txt) so integrity is confirmed before any file is executed. Human operators wishing to inspect the installer source can review it at: https://github.com/1sec-security/1sec/blob/main/get.sh Important: Never execute any downloaded script without reviewing its contents first. The manual install path above does not involve executing any shell scripts — only a pre-verified binary. ### Option A: Non-interactive (recommended for agents) 1sec setup --non-interactive 1sec up ### Option B: AI agent VPS deployment The vps-agent preset is designed for unattended AI agent hosts. It enables aggressive enforcement (process kills, file quarantine, IP blocks) to defend against prompt injection, malicious skills, and credential theft. Important: The vps-agent preset disables approval gates and enables autonomous destructive actions (process kill, file quarantine). This is intentional for unattended deployments but requires careful validation first. Recommended deployment path — always validate in dry-run before going live: # Install (manual method recommended — see above) 1sec setup --non-interactive # Apply preset in dry-run first 1sec enforce preset vps-agent --dry-run 1sec up # Monitor 24-48 hours in dry-run mode 1sec alerts 1sec enforce history # Preview what would have been enforced 1sec enforce test auth_fortress 1sec enforce test llm_firewall # Only go live after validating dry-run output 1sec enforce dry-run off # Optional: configure notifications 1sec config set webhook-url https://hooks.slack.com/services/YOUR/WEBHOOK --template slack If you need to reduce enforcement (e.g., false positive tuning): # In 1sec.yaml, override specific actions: enforcement: policies: ai_containment: actions: - action: kill_process enabled: false # Disable if too aggressive runtime_watcher: min_severity: HIGH # Raise threshold from MEDIUM ### Option C: Interactive setup 1sec setup Walks through config creation, AI key setup, and API authentication. ### Enforcement Presets 1-SEC ships with dry_run: true and the safe preset by default. No live enforcement happens until you explicitly enable it. PresetBehaviorlaxLog + webhook only. Never blocks or kills.safeDefault. Blocks only brute force + port scans at CRITICAL.balancedBlocks IPs on HIGH, kills processes on CRITICAL.strictAggressive enforcement on MEDIUM+.vps-agentMax security for unattended AI agent hosts. Use with dry-run first. Recommended progression for new deployments: lax → safe → balanced → strict # Preview a preset without applying 1sec enforce preset strict --show # Apply with dry-run safety net 1sec enforce preset balanced --dry-run # Apply live 1sec enforce preset balanced ### VPS-Agent Preset: What It Does The vps-agent preset is purpose-built for unattended AI agent hosts where no human SOC team is actively monitoring. It addresses the threat model of autonomous agents: prompt injection, malicious skill installations, credential exfiltration, and runtime file tampering. Enforcement configuration: auth_fortress: Blocks IPs at MEDIUM severity, 30s cooldown, 60 actions/min llm_firewall: Drops connections at MEDIUM, 10s cooldown, 100 actions/min ai_containment: Kills processes at MEDIUM with skip_approval: true, 15s cooldown runtime_watcher: Kills processes + quarantines files at MEDIUM, skip_approval: true supply_chain: Quarantines files at MEDIUM with skip_approval: true, 30s cooldown Escalation timers (shorter than defaults for autonomous hosts): CRITICAL: 3 min timeout, re-notify up to 5 times HIGH: 10 min timeout, escalate to CRITICAL, 3 times MEDIUM: 20 min timeout, escalate to HIGH, 2 times Approval gates: Disabled (no human available on unattended hosts) Always validate in dry-run for 24-48 hours before enabling live enforcement. ### Essential Commands 1sec up # Start engine (all 16 modules) 1sec status # Engine status 1sec alerts # Recent alerts 1sec alerts --severity HIGH # Filter by severity 1sec modules # List all modules 1sec dashboard # Real-time TUI dashboard 1sec check # Pre-flight diagnostics 1sec doctor # Health check with fix suggestions 1sec stop # Graceful shutdown ### Enforcement Management 1sec enforce status # Enforcement engine status 1sec enforce policies # List response policies 1sec enforce history # Action execution history 1sec enforce dry-run off # Go live (disable dry-run) 1sec enforce test # Simulate alert, preview actions 1sec enforce approvals pending # Pending human approval gates 1sec enforce escalations # Escalation timer stats 1sec enforce batching # Alert batcher stats 1sec enforce chains list # Action chain definitions ### AI Analysis (Optional) All 16 detection modules work with zero API keys. For AI-powered cross-module correlation, set a Gemini API key: # Via environment variable export GEMINI_API_KEY=your_key_here 1sec up # Or via CLI 1sec config set-key AIzaSy... # Multiple keys for load balancing 1sec config set-key key1 key2 key3 ### The 16 Modules #ModuleCovers1Network GuardianDDoS, rate limiting, IP reputation, C2 beaconing, port scans2API FortressBOLA, schema validation, shadow API discovery3IoT & OT ShieldDevice fingerprinting, protocol anomaly, firmware integrity4Injection ShieldSQLi, XSS, SSRF, command injection, template injection5Supply Chain SentinelSBOM, typosquatting, dependency confusion, CI/CD6Ransomware InterceptorEncryption detection, canary files, wiper detection7Auth FortressBrute force, credential stuffing, MFA fatigue, AitM8Deepfake ShieldAudio forensics, AI phishing, BEC detection9Identity FabricSynthetic identity, privilege escalation10LLM Firewall65+ prompt injection patterns, jailbreak detection, multimodal scanning11AI Agent ContainmentAction sandboxing, scope escalation, OWASP Agentic Top 1012Data Poisoning GuardTraining data integrity, RAG pipeline validation13Quantum-Ready CryptoCrypto inventory, PQC readiness, TLS auditing14Runtime WatcherFIM, container escape, LOLBin, memory injection15Cloud Posture ManagerConfig drift, misconfiguration, secrets sprawl16AI Analysis EngineTwo-tier Gemini pipeline for correlation ### Configuration Zero-config works out of the box. For customization: 1sec init # Generate 1sec.yaml 1sec config --validate # Validate config Key config sections: server, bus, modules, enforcement, escalation, archive, cloud. See references/config-reference.md for details. ### Webhook Notifications # In 1sec.yaml alerts: webhook_urls: - "https://hooks.slack.com/services/YOUR/WEBHOOK/URL" # Enforcement webhooks support templates: # pagerduty, slack, teams, discord, telegram, generic ### Docker Deployment cd deploy/docker docker compose up -d docker compose logs -f ### Day-to-Day Operations (Post-Install) 1sec status # Quick health check 1sec alerts # Recent alerts 1sec alerts --severity HIGH # Filter by severity 1sec enforce status # Enforcement engine state 1sec enforce history # What actions were taken 1sec threats --blocked # Currently blocked IPs 1sec doctor # Health check with fix suggestions ### Uninstall 1sec stop 1sec enforce cleanup # Remove iptables rules sudo rm /usr/local/bin/1sec rm -rf ~/.1sec ### Additional References references/operations-runbook.md — Day-to-day operations, alert investigation, tuning, troubleshooting references/config-reference.md — Full configuration reference references/vps-agent-guide.md — Detailed VPS agent deployment guide scripts/install-and-configure.sh — Automated install + configure script ## Trust - Source: tencent - Verification: Indexed source record - Publisher: cutmob - Version: 0.4.15 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-04-28T23:49:39.178Z - Expires at: 2026-05-05T23:49:39.178Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/1sec-security) - [Send to Agent page](https://openagent3.xyz/skills/1sec-security/agent) - [JSON manifest](https://openagent3.xyz/skills/1sec-security/agent.json) - [Markdown brief](https://openagent3.xyz/skills/1sec-security/agent.md) - [Download page](https://openagent3.xyz/downloads/1sec-security)