SKILL.md

---
name: security-audit
description: "Clawdbot部署的全面安全审计。扫描暴露的凭证、开放端口、弱配置和漏洞。包含自动修复模式。"
---

# Security Audit Skill

## When to use

Run a security audit to identify vulnerabilities in your Clawdbot setup before deployment or on a schedule. Use auto-fix to remediate common issues automatically.

## Setup

No external dependencies required. Uses native system tools where available.

## How to

### Quick audit (common issues)

```bash
node skills/security-audit/scripts/audit.cjs
```

### Full audit (comprehensive scan)

```bash
node skills/security-audit/scripts/audit.cjs --full
```

### Auto-fix common issues

```bash
node skills/security-audit/scripts/audit.cjs --fix
```

### Audit specific areas

```bash
node skills/security-audit/scripts/audit.cjs --credentials      # Check for exposed API keys
node skills/security-audit/scripts/audit.cjs --ports            # Scan for open ports
node skills/security-audit/scripts/audit.cjs --configs          # Validate configuration
node skills/security-audit/scripts/audit.cjs --permissions      # Check file permissions
node skills/security-audit/scripts/audit.cjs --docker           # Docker security checks
```

### Generate report

```bash
node skills/security-audit/scripts/audit.cjs --full --json > audit-report.json
```

## Output

The audit produces a report with:

| Level | Description |
|-------|-------------|
| 🔴 CRITICAL | Immediate action required (exposed credentials) |
| 🟠 HIGH | Significant risk, fix soon |
| 🟡 MEDIUM | Moderate concern |
| 🟢 INFO | FYI, no action needed |

## Checks Performed

### Credentials
- API keys in environment files
- Tokens in command history
- Hardcoded secrets in code
- Weak password patterns

### Ports
- Unexpected open ports
- Services exposed to internet
- Missing firewall rules

### Configs
- Missing rate limiting
- Disabled authentication
- Default credentials
- Open CORS policies

### Files
- World-readable files
- Executable by anyone
- Sensitive files in public dirs

### Docker
- Privileged containers
- Missing resource limits
- Root user in container

## Auto-Fix

The `--fix` option automatically:
- Sets restrictive file permissions (600 on .env)
- Secures sensitive configuration files
- Creates .gitignore if missing
- Enables basic security headers

## Related skills

- `security-monitor` - Real-time monitoring (available separately)
Initial commit with translated description 2026-03-29 09:37:07 +08:00			`---`
			`name: security-audit`
			`description: "Clawdbot部署的全面安全审计。扫描暴露的凭证、开放端口、弱配置和漏洞。包含自动修复模式。"`
			`---`

			`# Security Audit Skill`

			`## When to use`

			`Run a security audit to identify vulnerabilities in your Clawdbot setup before deployment or on a schedule. Use auto-fix to remediate common issues automatically.`

			`## Setup`

			`No external dependencies required. Uses native system tools where available.`

			`## How to`

			`### Quick audit (common issues)`

			```bash
			`node skills/security-audit/scripts/audit.cjs`
			```

			`### Full audit (comprehensive scan)`

			```bash
			`node skills/security-audit/scripts/audit.cjs --full`
			```

			`### Auto-fix common issues`

			```bash
			`node skills/security-audit/scripts/audit.cjs --fix`
			```

			`### Audit specific areas`

			```bash
			`node skills/security-audit/scripts/audit.cjs --credentials # Check for exposed API keys`
			`node skills/security-audit/scripts/audit.cjs --ports # Scan for open ports`
			`node skills/security-audit/scripts/audit.cjs --configs # Validate configuration`
			`node skills/security-audit/scripts/audit.cjs --permissions # Check file permissions`
			`node skills/security-audit/scripts/audit.cjs --docker # Docker security checks`
			```

			`### Generate report`

			```bash
			`node skills/security-audit/scripts/audit.cjs --full --json > audit-report.json`
			```

			`## Output`

			`The audit produces a report with:`

			`\| Level \| Description \|`
			`\|-------\|-------------\|`
			`\| 🔴 CRITICAL \| Immediate action required (exposed credentials) \|`
			`\| 🟠 HIGH \| Significant risk, fix soon \|`
			`\| 🟡 MEDIUM \| Moderate concern \|`
			`\| 🟢 INFO \| FYI, no action needed \|`

			`## Checks Performed`

			`### Credentials`
			`- API keys in environment files`
			`- Tokens in command history`
			`- Hardcoded secrets in code`
			`- Weak password patterns`

			`### Ports`
			`- Unexpected open ports`
			`- Services exposed to internet`
			`- Missing firewall rules`

			`### Configs`
			`- Missing rate limiting`
			`- Disabled authentication`
			`- Default credentials`
			`- Open CORS policies`

			`### Files`
			`- World-readable files`
			`- Executable by anyone`
			`- Sensitive files in public dirs`

			`### Docker`
			`- Privileged containers`
			`- Missing resource limits`
			`- Root user in container`

			`## Auto-Fix`

			The `--fix` option automatically:
			`- Sets restrictive file permissions (600 on .env)`
			`- Secures sensitive configuration files`
			`- Creates .gitignore if missing`
			`- Enables basic security headers`

			`## Related skills`

			- `security-monitor` - Real-time monitoring (available separately)