# Send sec-audit to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "sec-audit",
    "name": "sec-audit",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/nx4dm1n/sec-audit",
    "canonicalUrl": "https://clawhub.ai/nx4dm1n/sec-audit",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/sec-audit",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sec-audit",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "package.json",
      "SKILL.md",
      "tools/security-audit.js"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "sec-audit",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-29T20:03:46.608Z",
      "expiresAt": "2026-05-06T20:03:46.608Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sec-audit",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sec-audit",
        "contentDisposition": "attachment; filename=\"sec-audit-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "sec-audit"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/sec-audit"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/sec-audit",
    "downloadUrl": "https://openagent3.xyz/downloads/sec-audit",
    "agentUrl": "https://openagent3.xyz/skills/sec-audit/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sec-audit/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sec-audit/agent.md"
  }
}
```
## Documentation

### OpenClaw Security Audit Skill

用途：对 OpenClaw 部署进行安全配置审计，检测已知漏洞和安全隐患
版本：1.0.0
作者：Security Team
风险等级：安全审计工具（仅读取和检测，不修改任何配置）

### 功能概述

本 Skill 是一个安全审计工具，可检测 OpenClaw 部署中的以下安全问题：

### 检测覆盖范围

检测项对应漏洞编号描述环境变量泄露检测SYS-002, OC-008检查 process.env 是否暴露敏感 API Key明文凭据存储检测SYS-005, ECO-012检查 auth-profiles.json 等文件是否明文存储凭据网关认证配置检测SYS-006, ECO-024检查 Gateway 是否启用了认证网关绑定地址检测SYS-006检查 Gateway 是否绑定到 0.0.0.0沙箱配置检测ECO-009, OC-001检查沙箱是否正确启用速率限制检测SYS-007, OC-011检查是否配置速率限制恶意 Skill 扫描ClawHavoc扫描已安装 Skill 是否匹配已知恶意名单IOC 指标检测ClawHavoc IOC检测已知恶意 IP、域名、文件哈希SKILL.md 恶意内容检测ECO-015扫描所有已安装 Skill 的 SKILL.md 是否含可疑命令Base64 编码命令检测OC-009检测 SKILL.md 中隐藏的 Base64 编码命令进程隔离验证SYS-001验证是否存在进程隔离机制WebSocket 加密检测ECO-006检查 WebSocket 通信是否使用 wss://DM/Group 策略检测认证/授权检查频道安全策略配置审计日志检测SYS-004检查是否启用安全审计日志已知恶意攻击者检测ClawHavoc比对已安装 Skill 的作者信息

### 使用方式

运行安全审计：

node tools/security-audit.js

运行完整审计并输出 JSON 报告：

node tools/security-audit.js --format json --output audit-report.json

仅运行特定检测模块：

node tools/security-audit.js --module env,auth,skills,ioc

### 输出说明

🔴 CRITICAL — 严重安全问题，需立即修复
🟠 HIGH — 高危问题，建议 48 小时内修复
🟡 MEDIUM — 中危问题，建议 1 周内修复
🟢 LOW/PASS — 低危或检测通过

### 注意事项

本工具仅进行只读检测，不会修改任何系统配置
所有检测结果仅保存在本地，不会外传任何数据
建议在测试环境中首先运行，确认无误后再在生产环境使用
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: nx4dm1n
- Version: 1.0.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-04-29T20:03:46.608Z
- Expires at: 2026-05-06T20:03:46.608Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/sec-audit)
- [Send to Agent page](https://openagent3.xyz/skills/sec-audit/agent)
- [JSON manifest](https://openagent3.xyz/skills/sec-audit/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/sec-audit/agent.md)
- [Download page](https://openagent3.xyz/downloads/sec-audit)