OpenClaw · Skill
Fletcher Cyber Security Engineer
Implement these controls in every security-sensitive task:
Coding Agents & IDEs
v0.1.2
VirusTotal: Suspicious
Install
Start with the primary install command. Alternate entrypoints are included below for ClawHub and OpenClaw CLI users.
Primary command
clawhub install fletcherfrimpong/fletcher-cyber-security-engineer
ClawHub installer
npx clawhub@latest install fletcherfrimpong/fletcher-cyber-security-engineer
OpenClaw CLI
openclaw skills install fletcherfrimpong/fletcher-cyber-security-engineer
Direct OpenClaw install
openclaw install fletcherfrimpong/fletcher-cyber-security-engineer
What this skill does
Implement these controls in every security-sensitive task:
Why it matters
Combines runtime privilege governance, network monitoring, and compliance benchmarking in one workflow instead of managing separate tools for each concern.
Typical use cases
- Auditing which ports are exposed before deploying a service
- Generating a privilege escalation audit trail for a security review
- Flagging outbound connections to unapproved destinations during a task
- Running a compliance gap report against ISO 27001 controls
- Enforcing command allow/deny policy in a sensitive automation workflow
Source instructions
Cyber Security Engineer
Implement these controls in every security-sensitive task:
- Keep default execution in normal (non-root) mode.
- Request explicit user approval before any elevated command.
- Scope elevation to the minimum command set required for the active task.
- Drop elevated state immediately after the privileged command completes.
- Expire elevated state after 30 idle minutes and require re-approval.
- Monitor listening network ports and flag insecure or unapproved exposure.
- Monitor outbound connections and flag destinations not in the egress allowlist.
- If no approved baseline exists, generate one and require user review/pruning.
- Benchmark controls against ISO 27001 and NIST and report violations with mitigations.
Non-Goals (Web Browsing)
- Do not use web browsing / web search as part of this skill. Keep assessments and recommendations based on local host/OpenClaw state and the bundled references in this skill.
Files To Use
- references/least-privilege-policy.md
- references/port-monitoring-policy.md
- references/compliance-controls-map.json
- references/approved_ports.template.json
- references/command-policy.template.json
- references/prompt-policy.template.json
- references/egress-allowlist.template.json
- scripts/preflight_check.py
- scripts/root_session_guard.py
- scripts/audit_logger.py
- scripts/command_policy.py
- scripts/prompt_policy.py
- scripts/guarded_privileged_exec.py
- scripts/install-openclaw-runtime-hook.sh
- scripts/port_monitor.py
- scripts/generate_approved_ports.py
- scripts/egress_monitor.py
- scripts/notify_on_violation.py
- scripts/compliance_dashboard.py
- scripts/live_assessment.py
Behavior
- Never keep root/elevated access open between unrelated tasks.
- Never execute root commands without an explicit approval step in the current flow.
- Enforce command allow/deny policy when configured.
- Require confirmation when untrusted content sources are detected (OPENCLAW_UNTRUSTED_SOURCE=1 + prompt policy).
- Enforce task session id scoping when configured (OPENCLAW_REQUIRE_SESSION_ID=1).
- If timeout is exceeded, force session expiration and approval renewal.
- Log privileged actions to ~/.openclaw/security/privileged-audit.jsonl (best-effort).
- Flag listening ports not present in the approved baseline and recommend secure alternatives for insecure ports.
- Flag outbound destinations not present in the egress allowlist.
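An added example (not the skill's own code) that expresses the approval, scoping, drop-after-use and idle-expiry rules above as one state machine. ElevationGuard, ElevationDenied and the execute callable are hypothetical names; only the 30-minute idle limit comes from this page, and scoping by command name is a simplifying assumption.

```python
import time

IDLE_LIMIT_SECONDS = 30 * 60  # "Expire elevated state after 30 idle minutes"


class ElevationDenied(Exception):
    """Raised when a privileged command must not run without fresh approval."""


class ElevationGuard:
    """Hypothetical guard: one approval per task session, scoped to named commands."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._grant = None     # (session_id, allowed command names, last activity)
        self.elevated = False  # True only while a privileged callable is running

    def approve(self, session_id, commands):
        """Record an explicit user approval for a minimal command set."""
        self._grant = (session_id, frozenset(commands), self._clock())

    def run(self, session_id, argv, execute):
        """Run execute(argv) elevated if the grant covers it, then drop elevation."""
        if self._grant is None:
            raise ElevationDenied("no approval in the current flow")
        granted_session, allowed, last_activity = self._grant
        if self._clock() - last_activity >= IDLE_LIMIT_SECONDS:
            self._grant = None  # force expiry; the user must approve again
            raise ElevationDenied("approval expired after 30 idle minutes")
        if session_id != granted_session:
            raise ElevationDenied("approval belongs to a different task session")
        name = argv[0] if argv else ""
        if name not in allowed:
            raise ElevationDenied(f"{name!r} is outside the approved command set")
        self.elevated = True
        try:
            return execute(argv)
        finally:
            self.elevated = False  # drop immediately, even if the command failed
            self._grant = (granted_session, allowed, self._clock())


if __name__ == "__main__":
    guard = ElevationGuard()
    guard.approve("task-42", ["systemctl"])  # constructed session id and command
    print(guard.run("task-42", ["systemctl", "restart", "nginx"], lambda a: "ran " + " ".join(a)))
```

The execute callable stands in for whatever actually performs the privileged call, so the guard logic can be exercised without root.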
Output Contract
When reporting status, include:
- The specific check_id(s) affected, status, risk, and concise evidence.
- Concrete mitigations (what to change, where) and any owners/due dates if present.
- For network findings: port, bind address, process/service, and why it is flagged (unapproved/insecure/public).