Arc Sentinel
Security monitoring toolkit for OpenClaw agents. Runs automated checks against your infrastructure and reports issues.
Configuration
Before first use, create sentinel.conf in the skill directory:
```bash
cp sentinel.conf.example sentinel.conf
```
Edit sentinel.conf with your values:
- DOMAINS — Space-separated list of domains to check SSL certificates for
- GITHUBUSER — GitHub username for repo audits
- KNOWNREPOS — Space-separated list of expected repo names (unexpected repos trigger warnings)
- MONITOREMAIL — Email address for HaveIBeenPwned breach checks
- HIBPAPI_KEY — Optional; HIBP v3 API key ($3.50/mo) for automated breach lookups
Also customize credential-tracker.json with your own credentials and rotation policies. A template is provided.
Quick Start
Full scan
```bash
cd <skill-directory>
bash sentinel.sh
```
Output
- Formatted report to stdout with color-coded severity
- JSON report saved to `reports/YYYY-MM-DD.json`
- Exit codes: 0 = all clear, 1 = warnings, 2 = critical
Checks
1. SSL Certificate Expiry
Check certificate expiry for configured domains. Warns at <30 days, critical at <14 days.
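As an added illustration (not part of the Arc Sentinel scripts, which are bash), the following Python applies the same 30-day and 14-day thresholds to a certificate's notAfter date. It assumes the date is in the format that `openssl x509 -enddate -noout` prints (the same layout `ssl.getpeercert()` returns); the function names and the live-fetch helper are this example's own.

```python
"""Certificate-expiry classification with Arc Sentinel's thresholds.

Added example, not part of the Arc Sentinel toolkit. Function names are
this example's own; the toolkit's sentinel.sh is a bash script.
"""
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 30       # README: warn at <30 days
CRITICAL_DAYS = 14   # README: critical at <14 days


def not_after_epoch(not_after: str) -> int:
    """Convert an openssl-style notAfter string to epoch seconds.

    Accepts both the raw `openssl x509 -enddate -noout` line
    ("notAfter=Mar  1 12:00:00 2027 GMT") and the bare value that
    ssl.getpeercert()["notAfter"] returns.
    """
    value = not_after.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    # Standard-library parser for the "%b %d %H:%M:%S %Y GMT" certificate format.
    return ssl.cert_time_to_seconds(value)


def classify(not_after: str, now_epoch: Optional[float] = None) -> tuple:
    """Return (severity, whole days remaining); negative days mean already expired."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    days = int((not_after_epoch(not_after) - now_epoch) // 86400)
    if days < CRITICAL_DAYS:
        return "CRITICAL", days
    if days < WARN_DAYS:
        return "WARN", days
    return "OK", days


def fetch_not_after(domain: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate's notAfter from a live host (needs network).

    The default context verifies the chain and hostname, so a certificate
    that fails validation raises instead of being scored as merely "expiring".
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()["notAfter"]


def check_domains(domains: list) -> list:
    """Score every configured domain; connection or TLS failures are reported as CRITICAL."""
    results = []
    for domain in domains:
        try:
            severity, days = classify(fetch_not_after(domain))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            severity, days = "CRITICAL", 0
            print(f"{domain}: {exc}")
        results.append((domain, severity, days))
    return results


if __name__ == "__main__":
    import sys
    # Usage: python3 cert_check.py example.com example.org (space-separated, like DOMAINS)
    for domain, severity, days in check_domains(sys.argv[1:]):
        print(f"{severity:8} {domain}: {days} days remaining")
```

`classify` floors the remaining time to whole days, so a certificate that expires later today already counts as 0 days and an expired one as negative; both land in CRITICAL, which is the behaviour you want from a monitor rather than an off-by-one grace period.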
2. GitHub Security
- List repos and check Dependabot/vulnerability alert status
- Review recent account activity for anomalies
- Flag unexpected repositories
3. Breach Monitoring (HaveIBeenPwned)
- Query HIBP API for breached accounts (requires API key)
- Falls back to manual check URL if no key is set
4. Credential Rotation Tracking
Read `credential-tracker.json` and flag credentials that are overdue, approaching expiry, or never rotated. Supports policies: quarterly (90d), 6_months (180d), annual (365d), auto.
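The rotation check and the exit-code mapping from the Output section, worked through in Python as an added example (not the toolkit's own code). The page does not show the tracker template, so the file layout below is an assumption: a list of credentials, each with a name, a policy name and the ISO date of the last rotation (null if never rotated). The 14-day "approaching expiry" window, treating "auto" as self-rotating, and scoring "never rotated" as critical are likewise this example's assumptions.

```python
"""Credential-rotation check and exit-code mapping from the README.

Added example, not part of the Arc Sentinel scripts. The tracker layout
is assumed (the README ships a template that this page does not show).
"""
import json
from datetime import date, timedelta
from typing import Optional

# Policy durations from the README. "auto" means the credential rotates
# itself; by assumption this example reports it as OK rather than scoring it.
POLICY_DAYS = {"quarterly": 90, "6_months": 180, "annual": 365}
APPROACHING_DAYS = 14  # assumption: "approaching expiry" = due within two weeks

# Constructed sample in the assumed tracker layout.
SAMPLE_TRACKER = json.loads("""
{
  "credentials": [
    {"name": "github-pat",   "policy": "quarterly", "last_rotated": "2025-10-01"},
    {"name": "deploy-key",   "policy": "6_months",  "last_rotated": "2025-08-01"},
    {"name": "hibp-api-key", "policy": "annual",    "last_rotated": null},
    {"name": "backup-key",   "policy": "annual",    "last_rotated": "2025-06-01"},
    {"name": "cloud-token",  "policy": "auto",      "last_rotated": "2025-01-01"}
  ]
}
""")


def evaluate(tracker: dict, today: Optional[str] = None) -> list:
    """Return one finding per credential: severity OK/WARN/CRITICAL plus a reason."""
    today_d = date.fromisoformat(today) if today else date.today()
    findings = []
    for cred in tracker["credentials"]:
        name, policy = cred["name"], cred["policy"]
        if policy == "auto":
            findings.append({"name": name, "severity": "OK", "reason": "auto-rotated"})
            continue
        if policy not in POLICY_DAYS:
            findings.append({"name": name, "severity": "WARN",
                             "reason": f"unknown policy {policy!r}"})
            continue
        if not cred.get("last_rotated"):
            # Assumption: a credential with no rotation on record is treated as critical.
            findings.append({"name": name, "severity": "CRITICAL", "reason": "never rotated"})
            continue
        due = date.fromisoformat(cred["last_rotated"]) + timedelta(days=POLICY_DAYS[policy])
        days_left = (due - today_d).days
        if days_left < 0:
            sev, reason = "CRITICAL", f"overdue by {-days_left} days (due {due})"
        elif days_left <= APPROACHING_DAYS:
            sev, reason = "WARN", f"due in {days_left} days ({due})"
        else:
            sev, reason = "OK", f"due in {days_left} days ({due})"
        findings.append({"name": name, "severity": sev, "reason": reason})
    return findings


def severity_by_name(tracker: dict, today: Optional[str] = None) -> dict:
    """Convenience view: credential name -> severity."""
    return {f["name"]: f["severity"] for f in evaluate(tracker, today)}


def exit_code(findings: list) -> int:
    """README mapping: 0 = all clear, 1 = warnings, 2 = critical."""
    severities = {f["severity"] for f in findings}
    if "CRITICAL" in severities:
        return 2
    if "WARN" in severities:
        return 1
    return 0


if __name__ == "__main__":
    import sys
    # Usage: python3 rotation_check.py [credential-tracker.json]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            tracker = json.load(fh)
    else:
        tracker = SAMPLE_TRACKER
    findings = evaluate(tracker)
    for f in findings:
        print(f"{f['severity']:8} {f['name']}: {f['reason']}")
    sys.exit(exit_code(findings))
```

Returning the highest severity as the process exit status is what lets a cron job or an agent heartbeat react without parsing the report text: a non-zero status means something needs a look, and 2 means it needs it now.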
Additional Scripts
| Script | Purpose |
|---|---|
| `scripts/secret-scanner.sh` | Scan repos/files for leaked secrets and API keys |
| `scripts/git-hygiene.sh` | Audit git history for security issues |
| `scripts/token-watchdog.sh` | Monitor token validity and expiry |
| `scripts/permission-auditor.sh` | Audit file and access permissions |
| `scripts/skill-auditor.sh` | Audit installed skills for security |
| `scripts/full-audit.sh` | Run all scripts in sequence |
Agent Usage
During heartbeats or on request:
1. Run `bash sentinel.sh` from the skill directory
2. Review output for WARN or CRITICAL items
3. Report findings to the human if anything needs attention
4. Update `credential-tracker.json` when credentials are rotated
Cron Setup
```bash
# Every Monday at 9am
0 9 * * 1 cd /path/to/arc-sentinel && bash sentinel.sh >> reports/cron.log 2>&1
```
Requirements
- `openssl` (SSL checks)
- `gh` CLI, authenticated (GitHub checks)
- `curl` (HIBP)
- `python3` (JSON processing)
Arc Sentinel
Security monitoring toolkit for OpenClaw agents. Runs automated checks against your infrastructure and reports issues.
Configuration
Before first use, create sentinel.conf in the skill directory:
```bash
cp sentinel.conf.example sentinel.conf
```
Edit sentinel.conf with your configuration values:
- DOMAINS — List of domains to check SSL certificates for (space-separated)
- GITHUBUSER — GitHub username for repo audits
- KNOWNREPOS — List of expected repo names (space-separated; unexpected repos trigger warnings)
- MONITOREMAIL — Email address for HaveIBeenPwned breach checks
- HIBPAPI_KEY — Optional; HIBP v3 API key (USD 3.50 per month) for automated breach lookups
Also customize credential-tracker.json with your own credentials and rotation policies. A template is provided.
Quick Start
Full scan
```bash
cd <skill-directory>
bash sentinel.sh
```
Output
- Formatted report with color-coded severity levels to stdout
- JSON report saved to reports/YYYY-MM-DD.json
- Exit codes: 0 = all clear, 1 = warnings, 2 = critical
Checks
1. SSL Certificate Expiry
Checks certificate expiry for configured domains. Warns at less than 30 days, marks critical at less than 14 days.
2. GitHub Security
- List repos and check Dependabot/vulnerability alert status
- Review recent account activity for anomalies
- Flag unexpected repositories
3. Breach Monitoring (HaveIBeenPwned)
- Query the HIBP API for breached accounts (requires API key)
- Falls back to a manual check URL if no key is set
4. Credential Rotation Tracking
Reads credential-tracker.json and flags credentials that are overdue, approaching expiry, or never rotated. Supported policies: quarterly (90 days), 6_months (180 days), annual (365 days), auto.
Additional Scripts
| Script | Purpose |
|---|---|
| scripts/secret-scanner.sh | Scan repos/files for leaked secrets and API keys |
| scripts/git-hygiene.sh | Audit git history for security issues |
| scripts/token-watchdog.sh | Monitor token validity and expiry |
| scripts/permission-auditor.sh | Audit file and access permissions |
| scripts/skill-auditor.sh | Audit installed skills for security |
| scripts/full-audit.sh | Run all scripts in sequence |
Agent Usage
During heartbeats or on request:
1. Run bash sentinel.sh from the skill directory
2. Check the output for WARN or CRITICAL items
3. Report findings to the human if anything needs attention
4. Update credential-tracker.json when credentials are rotated
Cron Setup
```bash
# Every Monday at 9am
0 9 * * 1 cd /path/to/arc-sentinel && bash sentinel.sh >> reports/cron.log 2>&1
```
Requirements
- openssl (SSL checks)
- gh CLI, authenticated (GitHub checks)
- curl (HIBP)
- python3 (JSON processing)