Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub · Security & Compliance
Dont Hack Me
別駭我!基本安全檢測 — Security self-check for Clawdbot/Moltbot. Run a quick audit of your clawdbot.json to catch dangerous misconfigurations — exposed gateway, missing auth, open DM policy, weak tokens, loose file permissions. Auto-fix included. Invoke: "run a security check" or "幫我做安全檢查".
skill openclawclawhub Free
別駭我!基本安全檢測 — Security self-check for Clawdbot/Moltbot. Run a quick audit of your clawdbot.json to catch dangerous misconfigurations — exposed gateway, missing auth, open DM policy, weak tokens, loose file permissions. Auto-fix included. Invoke: "run a security check" or "幫我做安全檢查".
⬇ 0 downloads ★ 0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- SKILL.md
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 1.0.1
Provenance
- Publisher
- peterokase42
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
dont-hack-me
Security self-check skill for Clawdbot / Moltbot. Reads ~/.clawdbot/clawdbot.json and checks 7 items that cover the most common misconfigurations. Outputs a simple PASS / FAIL / WARN report.
How to run
Say any of: "run a security check" "check my security settings" "audit my clawdbot config" "am I secure?"
Checklist — step by step
When this skill is triggered, follow these steps exactly:
Step 0 — Read the config
Use the read tool to open ~/.clawdbot/clawdbot.json. Parse the JSON content. If the file does not exist or is unreadable, report an error and stop. Also run a shell command to get the file permissions: stat -f '%Lp' ~/.clawdbot/clawdbot.json (On Linux: stat -c '%a' ~/.clawdbot/clawdbot.json)
Step 1 — Gateway Bind
Path: gateway.bind Expected: "loopback" or "localhost" or "127.0.0.1" or "::1" PASS if the value is one of the above or the key is absent (default is "loopback") FAIL if the value is "0.0.0.0", "::", or any non-loopback address Severity: CRITICAL — a non-loopback bind exposes your agent to the network
Step 2 — Gateway Auth Mode
Path: gateway.auth.mode Expected: "token" or "password" PASS if the value is "token" or "password", or the key is absent (default is "token") FAIL if the value is "off" or "none" Severity: CRITICAL — without auth anyone who can reach the gateway can control your agent
Step 3 — Token Strength
Path: gateway.auth.token Expected: 32 or more characters PASS if the token is >= 32 characters WARN if the token is 16–31 characters FAIL if the token is < 16 characters or empty SKIP if auth mode is "password" (passwords are user-chosen, don't judge length) Severity: HIGH — short tokens are vulnerable to brute-force
Step 4 — DM Policy (per channel)
Path: channels.<name>.dmPolicy for each channel Expected: "pairing" — or if "open", there must be a non-empty allowFrom array PASS if dmPolicy is "pairing", or if allowFrom has at least one entry FAIL if dmPolicy is "open" and allowFrom is missing or empty SKIP if no channels are configured Severity: HIGH — an open DM policy lets anyone send commands to your agent
Step 5 — Group Policy (per channel)
Path: channels.<name>.groupPolicy for each channel Expected: "allowlist" PASS if groupPolicy is "allowlist" or absent (default is "allowlist") FAIL if groupPolicy is "open" or "any" SKIP if no channels are configured Severity: HIGH — non-allowlist group policy lets any group trigger your agent
Step 6 — File Permissions
Check: file mode of ~/.clawdbot/clawdbot.json Expected: 600 or 400 (owner read/write only) PASS if permissions are 600 or 400 WARN if permissions are 644 or 640 (group/other can read) FAIL if permissions are 777, 755, 666, or anything world-writable Severity: MEDIUM — loose permissions let other users on the system read your tokens
Step 7 — Plaintext Secrets Scan
Check: scan all string values in the JSON for keys named password, secret, apiKey, api_key, privateKey, private_key (case-insensitive) that contain a non-empty string value PASS if no such keys are found WARN if such keys exist — remind the user to consider using environment variables or a secrets manager Note: token fields used for gateway auth are expected and should NOT be flagged Severity: MEDIUM — plaintext secrets in config files can be leaked through backups, logs, or version control
Output format
After completing all checks, output a report in this exact format: 🔒 Security Check Report 1. Gateway Bind <ICON> <STATUS> — <detail> 2. Gateway Auth <ICON> <STATUS> — <detail> 3. Token Strength <ICON> <STATUS> — <detail> 4. DM Policy <ICON> <STATUS> — <detail> 5. Group Policy <ICON> <STATUS> — <detail> 6. File Permissions <ICON> <STATUS> — <detail> 7. Secrets Scan <ICON> <STATUS> — <detail> Score: X/7 PASS, Y WARN, Z FAIL Where: <ICON> is one of: ✅ (PASS), ⚠️ (WARN), ❌ (FAIL), ⏭️ (SKIP) <STATUS> is one of: PASS, WARN, FAIL, SKIP <detail> is a short explanation (e.g., "loopback", "token mode", "48 chars", "permissions 600")
Auto-fix flow
If any item is FAIL or WARN, do the following: Show the report first (as above). List each fixable item with a short description of what will be changed. Ask the user: "Want me to fix these? (yes / no / pick)" yes — fix all FAIL and WARN items automatically. no — stop, do nothing. pick — let the user choose which items to fix. Apply the fixes (see Fix recipes below). After applying, re-read the config and re-run the full check to confirm everything is PASS. If the config was changed, remind the user: "Run clawdbot gateway restart to apply the new settings."
Fix recipes
Use these exact fixes for each item. Edit ~/.clawdbot/clawdbot.json using the edit/write tool. #1 Gateway Bind — FAIL Set gateway.bind to "loopback": { "gateway": { "bind": "loopback" } } #2 Gateway Auth — FAIL Set gateway.auth.mode to "token". If no token exists yet, also generate one: { "gateway": { "auth": { "mode": "token", "token": "<GENERATED>" } } } Generate the token with: openssl rand -hex 24 That produces a 48-character hex string (192-bit entropy). #3 Token Strength — FAIL / WARN Replace the existing token with a new strong one: openssl rand -hex 24 Write the output into gateway.auth.token. #4 DM Policy — FAIL Set dmPolicy to "pairing" for each affected channel: { "channels": { "<name>": { "dmPolicy": "pairing" } } } #5 Group Policy — FAIL Set groupPolicy to "allowlist" for each affected channel: { "channels": { "<name>": { "groupPolicy": "allowlist" } } } #6 File Permissions — FAIL / WARN Run: chmod 600 ~/.clawdbot/clawdbot.json #7 Secrets Scan — WARN This one cannot be auto-fixed safely. Instead, list each flagged key and remind the user: Move the value to an environment variable Or use a secrets manager Reference it in the config as "$ENV_VAR_NAME" if the platform supports it
Important rules for auto-fix
Always back up first. Before writing any changes, copy the original: cp ~/.clawdbot/clawdbot.json ~/.clawdbot/clawdbot.json.bak Merge, don't overwrite. Read the full JSON, modify only the specific keys, write back the complete JSON. Never lose existing settings. Preserve formatting. Write the JSON with 2-space indentation. One write operation. Collect all JSON fixes, apply them in a single write to avoid partial states. Token replacement requires restart. If the gateway token was changed, the user must update any paired clients with the new token. Warn: "Your gateway token was changed. Any paired devices will need the new token to reconnect."
What this skill does NOT check
Sandbox configuration (not needed for most setups) Network isolation / Docker (macOS native setups don't use it) MCP tool permissions (too complex for a basic audit) Whether your OS firewall is configured Whether your agent code has vulnerabilities For a more comprehensive audit, see community tools like clawdbot-security-check.
Reference
Based on the community-compiled "Top 10 Clawdbot/Moltbot Security Vulnerabilities" list. Covers 7 of the 10 items that apply to typical macOS-native deployments. 小安 Ann Agent — Taiwan 台灣 Building skills and local MCP services for all AI agents, everywhere. 為所有 AI Agent 打造技能與在地 MCP 服務,不限平台。
Category context
Identity, auth, scanning, governance, audit, and operational guardrails.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
1 Docs
- SKILL.md