Cyber Security Engineer

Requirements

Required tools:

- python3 (>= 3.8)
INLINECODE1 CLI (installed via npm during bootstrap, or pre-installed)
INLINECODE3 (only needed for bootstrap if openclaw is not already installed)
One of lsof, ss, or netstat for port/egress checks
INLINECODE8, readlink (standard on macOS/Linux, used by the runtime hook installer)

Env vars (all optional, documented for configuration):

- OPENCLAW_REQUIRE_POLICY_FILES — set to 1 to block privileged execution when policy files are missing
INLINECODE12 — set to 1 to require a task session id for each privileged action
INLINECODE14 — per-task session id (used when OPENCLAW_REQUIRE_SESSION_ID=1)
INLINECODE16 — if set, requires this token during the approval step
INLINECODE17 — set to 1 to flag the current content source as untrusted
INLINECODE19 — absolute path to a notifier binary (must also be allowlisted)
INLINECODE20 — JSON array of allowed argv arrays, or comma-separated absolute paths
INLINECODE21 — override path to the real sudo binary (used by the runtime hook shim)
INLINECODE22 — override path to python3 (used by the runtime hook shim)
INLINECODE23 — override path to the skill directory (used by the runtime hook shim)
INLINECODE24 — set to 1 to allow non-interactive sudo through the shim (default: blocked)
INLINECODE26 — human-readable reason passed to the guarded execution wrapper
INLINECODE27 — override path to the notification state file
INLINECODE28 — set to 1 to skip the interactive confirmation before modifying the macOS LaunchAgent plist

Policy files (admin reviewed):

- INLINECODE30
INLINECODE31
INLINECODE32
INLINECODE33

Implement these controls in every security-sensitive task:

1. Keep default execution in normal (non-root) mode.
Request explicit user approval before any elevated command.
Scope elevation to the minimum command set required for the active task.
Drop elevated state immediately after the privileged command completes.
Expire elevated state after 30 idle minutes and require re-approval.
Monitor listening network ports and flag insecure or unapproved exposure.
Monitor outbound connections and flag destinations not in the egress allowlist.
If no approved baseline exists, generate one with python3 scripts/generate_approved_ports.py, then review and prune.
Benchmark controls against ISO 27001 and NIST and report violations with mitigations.

Runtime Hook (sudo shim)

The script scripts/install-openclaw-runtime-hook.sh installs an opt-in sudo
shim at ~/.openclaw/bin/sudo. This shim shadows the system sudo binary by
prepending ~/.openclaw/bin to PATH in the OpenClaw gateway process.

What it does:

- Intercepts sudo invocations and routes them through INLINECODE41
Requires explicit interactive user approval before running any privileged command
Enforces command policy allow/deny rules, audit logging, and a 30-minute idle timeout
Blocks non-interactive sudo by default (prevents automated abuse)
Passes through harmless flags (-h, --version, -k, -l) directly to real sudo

What it does NOT do:

- It does not replace or modify the system sudo binary
It does not grant itself any elevated permissions
It only affects processes whose PATH includes ~/.openclaw/bin before INLINECODE48

Opt-in: The hook is not installed by default. To enable it, run bootstrap with
ENFORCE_PRIVILEGED_EXEC=1. On macOS, the installer will prompt for confirmation
before modifying the gateway LaunchAgent plist. The shim can be removed at any time
by deleting ~/.openclaw/bin/sudo.

File Writes

This skill writes only to ~/.openclaw/ and the assessments/ directory inside the
skill folder. No files are written outside these two trees.

Under ~/.openclaw/ (user config/state):

- ~/.openclaw/security/approved_ports.json — generated port baseline (by generate_approved_ports.py)
INLINECODE56 — elevated session state (by root_session_guard.py)
INLINECODE58 — append-only audit log (by audit_logger.py)
INLINECODE60 — notification diff state (by notify_on_violation.py)
INLINECODE62 — opt-in sudo shim (by install-openclaw-runtime-hook.sh, see Runtime Hook section)
INLINECODE64 — auto-cycle run log (by auto_invoke_cycle.sh)

Under assessments/ (inside skill directory):

- assessments/openclaw-assessment.json — compliance check results
INLINECODE68 — structured summary for tools/integrations
INLINECODE69 — human-readable report page
INLINECODE70 — latest open-port scan output
INLINECODE71 — latest outbound connection scan output

Temporary files:

- A short-lived temp file via tempfile.NamedTemporaryFile (by generate_approved_ports.py) — auto-cleaned

No files are written to /usr/, /etc/, or any system directory.

Non-Goals (Web Browsing)

- Do not use web browsing / web search as part of this skill. Keep assessments and recommendations based on local host/OpenClaw state and the bundled references in this skill.

Files To Use

- INLINECODE76
INLINECODE77
INLINECODE78
INLINECODE79
INLINECODE80
INLINECODE81
INLINECODE82
INLINECODE83
INLINECODE84
INLINECODE85
INLINECODE86
INLINECODE87
INLINECODE88
INLINECODE89
INLINECODE90
INLINECODE91
INLINECODE92
INLINECODE93
INLINECODE94
INLINECODE95

Behavior

- Never keep root/elevated access open between unrelated tasks.
Never execute root commands without an explicit approval step in the current flow.
Enforce command allow/deny policy when configured.
Require confirmation when untrusted content sources are detected (OPENCLAW_UNTRUSTED_SOURCE=1 + prompt policy).
Enforce task session id scoping when configured (OPENCLAW_REQUIRE_SESSION_ID=1).
If timeout is exceeded, force session expiration and approval renewal.
Log privileged actions to ~/.openclaw/security/privileged-audit.jsonl (best-effort).
Flag listening ports not present in the approved baseline and recommend secure alternatives for insecure ports.
Flag outbound destinations not present in the egress allowlist.

Output Contract

When reporting status, include:

- The specific check_id(s) affected, status, risk, and concise evidence.
Concrete mitigations (what to change, where) and any owners/due dates if present.
For network findings: port, bind address, process/service, and why it is flagged (unapproved/insecure/public).

网络安全工程师

要求

必需工具：

- python3 (>= 3.8)
openclaw CLI（在引导过程中通过 npm 安装，或预装）
npm（仅在 openclaw 尚未安装时用于引导）
lsof、ss 或 netstat 之一，用于端口/出口检查
stat、readlink（macOS/Linux 标准工具，由运行时钩子安装程序使用）

环境变量（均为可选，记录用于配置）：

- OPENCLAWREQUIREPOLICYFILES — 设置为 1 可在策略文件缺失时阻止特权执行
OPENCLAWREQUIRESESSIONID — 设置为 1 可要求每个特权操作提供任务会话 ID
OPENCLAWTASKSESSIONID — 每个任务的会话 ID（当 OPENCLAWREQUIRESESSIONID=1 时使用）
OPENCLAWAPPROVALTOKEN — 如果设置，则在批准步骤中需要此令牌
OPENCLAWUNTRUSTEDSOURCE — 设置为 1 可将当前内容源标记为不可信
OPENCLAWVIOLATIONNOTIFYCMD — 通知程序二进制文件的绝对路径（也必须在白名单中）
OPENCLAWVIOLATIONNOTIFYALLOWLIST — 允许的 argv 数组的 JSON 数组，或逗号分隔的绝对路径
OPENCLAWREALSUDO — 覆盖真实 sudo 二进制文件的路径（由运行时钩子垫片使用）
OPENCLAWPYTHON3 — 覆盖 python3 的路径（由运行时钩子垫片使用）
OPENCLAWCYBERSKILLDIR — 覆盖技能目录的路径（由运行时钩子垫片使用）
OPENCLAWALLOWNONINTERACTIVESUDO — 设置为 1 可允许通过垫片进行非交互式 sudo（默认：阻止）
OPENCLAWPRIVREASON — 传递给受保护执行包装器的可读原因
OPENCLAWVIOLATIONNOTIFYSTATE — 覆盖通知状态文件的路径
OPENCLAWSKIPPLIST_CONFIRM — 设置为 1 可在修改 macOS LaunchAgent plist 前跳过交互式确认

策略文件（管理员审查）：

- ~/.openclaw/security/approvedports.json
~/.openclaw/security/command-policy.json
~/.openclaw/security/egressallowlist.json
~/.openclaw/security/prompt-policy.json

在每个安全敏感的任务中实施以下控制措施：

1. 保持默认在普通（非 root）模式下执行。
在任何提权命令前请求明确的用户批准。
将提权范围限定为当前任务所需的最小命令集。
特权命令完成后立即放弃提权状态。
空闲 30 分钟后使提权状态过期，并需要重新批准。
监控监听中的网络端口，标记不安全或未经批准的暴露。
监控出站连接，标记不在出口白名单中的目标。
如果没有已批准的基线，使用 python3 scripts/generateapprovedports.py 生成一个，然后审查和精简。
对照 ISO 27001 和 NIST 基准测试控制措施，并报告违规情况及缓解措施。

运行时钩子（sudo 垫片）

脚本 scripts/install-openclaw-runtime-hook.sh 在 ~/.openclaw/bin/sudo 安装一个可选的 sudo 垫片。该垫片通过在 OpenClaw 网关进程中将 ~/.openclaw/bin 前置到 PATH 来遮蔽系统 sudo 二进制文件。

其功能：

- 拦截 sudo 调用并通过 guardedprivilegedexec.py 路由
在执行任何特权命令前要求明确的交互式用户批准
强制执行命令策略允许/拒绝规则、审计日志记录和 30 分钟空闲超时
默认阻止非交互式 sudo（防止自动滥用）
将无害标志（-h、--version、-k、-l）直接传递给真实 sudo

其不执行的操作：

- 不替换或修改系统 sudo 二进制文件
不授予自身任何提权权限
仅影响其 PATH 中 ~/.openclaw/bin 在 /usr/bin 之前的进程

可选加入： 该钩子默认不安装。要启用它，使用 ENFORCEPRIVILEGEDEXEC=1 运行引导程序。在 macOS 上，安装程序在修改网关 LaunchAgent plist 前会提示确认。垫片可随时通过删除 ~/.openclaw/bin/sudo 移除。

文件写入

此技能仅写入 ~/.openclaw/ 和技能文件夹内的 assessments/ 目录。不会在这两个目录树之外写入任何文件。

在 ~/.openclaw/ 下（用户配置/状态）：

- ~/.openclaw/security/approvedports.json — 生成的端口基线（由 generateapprovedports.py 生成）
~/.openclaw/security/root-session-state.json — 提权会话状态（由 rootsessionguard.py 管理）
~/.openclaw/security/privileged-audit.jsonl — 仅追加的审计日志（由 auditlogger.py 管理）
~/.openclaw/security/violation-notify-state.json — 通知差异状态（由 notifyonviolation.py 管理）
~/.openclaw/bin/sudo — 可选的 sudo 垫片（由 install-openclaw-runtime-hook.sh 安装，见运行时钩子部分）
~/.openclaw/logs/cyber-security-engineer-auto.log — 自动循环运行日志（由 autoinvokecycle.sh 管理）

在 assessments/ 下（技能目录内）：

- assessments/openclaw-assessment.json — 合规性检查结果
assessments/compliance-summary.json — 供工具/集成使用的结构化摘要
assessments/compliance-dashboard.html — 可读的报告页面
assessments/port-monitor-latest.json — 最新的开放端口扫描输出
assessments/egress-monitor-latest.json — 最新的出站连接扫描输出

临时文件：

- 通过 tempfile.NamedTemporaryFile 创建的短期临时文件（由 generateapprovedports.py 使用）— 自动清理

不会向 /usr/、/etc/ 或任何系统目录写入文件。

非目标（网页浏览）

- 不要将网页浏览/网页搜索作为此技能的一部分。基于本地主机/OpenClaw 状态以及此技能中附带的参考资料进行评估和建议。

要使用的文件

- references/least-privilege-policy.md
references/port-monitoring-policy.md
references/compliance-controls-map.json
references/approvedports.template.json
references/command-policy.template.json
references/prompt-policy.template.json
references/egress-allowlist.template.json
scripts/preflightcheck.py
scripts/rootsessionguard.py
scripts/auditlogger.py
scripts/commandpolicy.py
scripts/promptpolicy.py
scripts/guardedprivilegedexec.py
scripts/install-openclaw-runtime-hook.sh
scripts/portmonitor.py
scripts/generateapprovedports.py
scripts/egressmonitor.py
scripts/notifyonviolation.py
scripts/compliancedashboard.py
scripts/live_assessment.py

行为

- 绝不在不相关的任务之间保持 root/提权访问开放。
绝不在当前流程中没有明确批准步骤的情况下执行 root 命令。
配置后强制执行命令允许/拒绝策略。
检测到不可信内容源时要求确认（OPENCLAWUNTRUSTEDSOURCE=1 + 提示策略）。
配置后强制执行任务会话 ID 范围限定（OPENCLAWREQUIRESESSION_ID=1）。
如果超时，强制会话过期并重新批准。
将特权操作记录到 ~/.openclaw/security/privileged-audit.jsonl（尽力而为）。
标记不在已批准基线中的监听端口，并为不安全端口推荐安全替代方案。
标记不在出口白名单中的出站目标。

cyber-security-engineer网络安全工程师