弧形哨兵

Name: 弧形哨兵
Author: arc-claw-bot

为 OpenClaw 代理提供安全监控和基础设施健康检查。运行泄露监控（HaveIBeenPwned）、SSL 证书到期检查、GitHub 安全审计、凭证轮换跟踪、密钥/机密扫描、git 卫生、令牌监视以及权限审计。在执行安全扫描、检查凭证轮换状态、审计仓库是否有泄露的机密，或监控 SSL 证书和基础设施健康时使用。

作者：arc-claw-bot · 最新版本：1.0.0

收藏：0 · 下载：1.4k

说明文档

# Arc Sentinel

Security monitoring toolkit for OpenClaw agents. Runs automated checks against your infrastructure and reports issues.

## Configuration

Before first use, create `sentinel.conf` in the skill directory:

```bash
cp sentinel.conf.example sentinel.conf
```

Edit `sentinel.conf` with your values:
- **DOMAINS** — Space-separated list of domains to check SSL certificates
- **GITHUB_USER** — GitHub username for repo audits
- **KNOWN_REPOS** — Space-separated list of expected repo names (unexpected repos trigger warnings)
- **MONITOR_EMAIL** — Email address for HaveIBeenPwned breach checks
- **HIBP_API_KEY** — Optional; HIBP v3 API key ($3.50/mo) for automated breach lookups

Also customize `credential-tracker.json` with your own credentials and rotation policies. A template is provided.

## Quick Start

### Full scan
```bash
cd <skill-dir>
bash sentinel.sh
```

### Output
- Formatted report to stdout with color-coded severity
- JSON report saved to `reports/YYYY-MM-DD.json`
- Exit codes: `0` = all clear, `1` = warnings, `2` = critical

## Checks

### 1. SSL Certificate Expiry
Check certificate expiry for configured domains. Warns at <30 days, critical at <14 days.

### 2. GitHub Security
- List repos and check Dependabot/vulnerability alert status
- Review recent account activity for anomalies
- Flag unexpected repositories

### 3. Breach Monitoring (HaveIBeenPwned)
- Query HIBP API for breached accounts (requires API key)
- Falls back to manual check URL if no key is set

### 4. Credential Rotation Tracking
Read `credential-tracker.json` and flag credentials that are overdue, approaching expiry, or never rotated. Supports policies: `quarterly` (90d), `6_months` (180d), `annual` (365d), `auto`.

## Additional Scripts

| Script | Purpose |
|--------|---------|
| `scripts/secret-scanner.sh` | Scan repos/files for leaked secrets and API keys |
| `scripts/git-hygiene.sh` | Audit git history for security issues |
| `scripts/token-watchdog.sh` | Monitor token validity and expiry |
| `scripts/permission-auditor.sh` | Audit file and access permissions |
| `scripts/skill-auditor.sh` | Audit installed skills for security |
| `scripts/full-audit.sh` | Run all scripts in sequence |

## Agent Usage

During heartbeats or on request:
1. Run `bash sentinel.sh` from the skill directory
2. Review output for WARN or CRITICAL items
3. Report findings to the human if anything needs attention
4. Update `credential-tracker.json` when credentials are rotated

## Cron Setup
```bash
# Weekly Monday 9am
0 9 * * 1 cd /path/to/arc-sentinel && bash sentinel.sh >> reports/cron.log 2>&1
```

## Requirements
- `openssl` (SSL checks)
- `gh` CLI authenticated (GitHub checks)
- `curl` (HIBP)
- `python3` (JSON processing)