Fletcher Cyber Security Engineer
by @fletcherfrimpong
Manage and enforce least-privilege execution, approval-based elevation, port and egress monitoring, and ISO 27001/NIST compliance reporting for OpenClaw secu...
clawhub install fletcher-cyber-security-engineerπ About This Skill
name: cyber-security-engineer description: Security engineering workflow for OpenClaw privilege governance and hardening. Use for least-privilege execution, approval-first privileged actions, idle timeout controls, port + egress monitoring, and ISO 27001/NIST-aligned compliance reporting with mitigations.
Cyber Security Engineer
Implement these controls in every security-sensitive task:
1. Keep default execution in normal (non-root) mode. 2. Request explicit user approval before any elevated command. 3. Scope elevation to the minimum command set required for the active task. 4. Drop elevated state immediately after the privileged command completes. 5. Expire elevated state after 30 idle minutes and require re-approval. 6. Monitor listening network ports and flag insecure or unapproved exposure. 7. Monitor outbound connections and flag destinations not in the egress allowlist. 8. If no approved baseline exists, generate one and require user review/pruning. 9. Benchmark controls against ISO 27001 and NIST and report violations with mitigations.
Non-Goals (Web Browsing)
Files To Use
references/least-privilege-policy.mdreferences/port-monitoring-policy.mdreferences/compliance-controls-map.jsonreferences/approved_ports.template.jsonreferences/command-policy.template.jsonreferences/prompt-policy.template.jsonreferences/egress-allowlist.template.jsonscripts/preflight_check.pyscripts/root_session_guard.pyscripts/audit_logger.pyscripts/command_policy.pyscripts/prompt_policy.pyscripts/guarded_privileged_exec.pyscripts/install-openclaw-runtime-hook.shscripts/port_monitor.pyscripts/generate_approved_ports.pyscripts/egress_monitor.pyscripts/notify_on_violation.pyscripts/compliance_dashboard.pyscripts/live_assessment.pyBehavior
OPENCLAW_UNTRUSTED_SOURCE=1 + prompt policy).OPENCLAW_REQUIRE_SESSION_ID=1).~/.openclaw/security/privileged-audit.jsonl (best-effort).Output Contract
When reporting status, include:
check_id(s) affected, status, risk, and concise evidence.