web-security

Purpose

This skill enables developers to implement and audit web security measures based on OWASP Top 10 guidelines, including CSP, CORS, XSS/CSRF prevention, authentication patterns, and dependency scanning. It focuses on protecting web applications from common vulnerabilities like injection attacks and unauthorized access.

When to Use

Use this skill during web application development, security audits, or deployments. Apply it when building APIs, handling user authentication, configuring cross-origin requests, or scanning dependencies for known vulnerabilities. Ideal for projects using frameworks like Express.js or React, or when integrating third-party libraries.

Key Capabilities

  • OWASP Top 10 Scanning: Detects issues like SQL injection and broken authentication; use built-in checks via:
    openclaw web-security scan --owasp
  • CSP Configuration: Generates Content Security Policy headers; example: set policy with:
    openclaw web-security csp --policy "default-src 'self'"
  • CORS Management: Enforces Cross-Origin Resource Sharing; configure with:
    openclaw web-security cors --allow "https://example.com"
  • XSS/CSRF Prevention: Provides sanitization functions and token generation; e.g., inject anti-CSRF in code:
    const token = generateCSRFToken();
    res.setHeader('X-CSRF-Token', token);
  • Authentication Patterns: Implements JWT or session-based auth; scan for weaknesses with:
    openclaw web-security auth --check
  • Dependency Scanning: Analyzes npm/yarn packages for vulnerabilities; run with:
    openclaw web-security depscan --path ./package.json
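The XSS/CSRF item above calls generateCSRFToken() without showing what sits behind it or how the token is checked on the way back. The following is an added example, not code from the skill: one possible implementation that binds the token to the session with an HMAC. The names verifyCSRFToken and csrfProtection, the req.sessionId property and the in-memory secret are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: per-process secret; a real deployment loads a stable one from the environment.
const CSRF_SECRET = crypto.randomBytes(32);

// Hypothetical implementation of the page's generateCSRFToken(): a random
// nonce plus an HMAC that binds the nonce to the caller's session ID.
function generateCSRFToken(sessionId, secret = CSRF_SECRET) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const mac = crypto.createHmac('sha256', secret)
    .update(`${sessionId}.${nonce}`).digest('hex');
  return `${nonce}.${mac}`;
}

// Returns true only when the token was issued for this session.
function verifyCSRFToken(sessionId, token, secret = CSRF_SECRET) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 2) return false;
  const [nonce, mac] = parts;
  const expected = crypto.createHmac('sha256', secret)
    .update(`${sessionId}.${nonce}`).digest();
  const given = Buffer.from(mac, 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Express-style middleware: issue a token on safe methods, require it on all others.
function csrfProtection(req, res, next) {
  const sessionId = req.sessionId; // assumption: set by earlier session middleware
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
    res.setHeader('X-CSRF-Token', generateCSRFToken(sessionId));
    return next();
  }
  if (!verifyCSRFToken(sessionId, req.headers['x-csrf-token'])) {
    res.statusCode = 403;
    return res.end('invalid CSRF token');
  }
  next();
}
```

Because the MAC covers the session ID, a token captured from one session is rejected when replayed in another.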

Usage Patterns

To accomplish tasks, invoke the skill via OpenClaw's CLI or API. For scanning, provide project paths and flags; for configuration, output directly to code files. Always set environment variables for authentication, e.g., export $OPENCLAW_API_KEY before running commands. Example pattern: write the output to a file for integration:
openclaw web-security scan --output report.json
For code snippets, embed generated security code into your app; e.g., add CSP middleware in Express:
app.use((req, res, next) => {
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  next();
});

Common Commands/API

  • CLI Commands: Use the form:
    openclaw web-security [subcommand] [flags]
    For example, scan a project:
    openclaw web-security scan --project /path/to/app --key $OPENCLAW_API_KEY
    API endpoint: POST to /api/web-security/scan with JSON body:
    { "projectPath": "/path/to/app", "apiKey": "$OPENCLAW_API_KEY" }
  • Subcommands:
    • scan --owasp --verbose: Runs full OWASP check; outputs vulnerabilities in JSON.
    • csp --generate --domains example.com: Creates CSP string; e.g., output:
      "Content-Security-Policy: default-src 'self' https://example.com"
    • cors --set --origins "http://localhost:3000": Configures CORS in a config file like:
      { "origins": ["http://localhost:3000"], "methods": ["GET", "POST"] }
    • auth --pattern jwt: Generates JWT validation code; snippet:
      const jwt = require('jsonwebtoken');
      const verify = token => jwt.verify(token, process.env.JWT_SECRET);
    • depscan --format npm: Scans dependencies; e.g., command:
      openclaw web-security depscan --path package.json --output vulnerabilities.txt
  • API Endpoints: All commands map to /api/web-security/{subcommand}, requiring authentication via the header:
    Authorization: Bearer $OPENCLAW_API_KEY
    Response format: JSON with keys like:
    { "status": "success", "data": { ... } }
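The cors subcommand above produces an origins/methods config but the page does not show how a server would enforce it. The following is an added example, not code from the skill: an allowlist check driven by a config in that shape. The function names corsHeaders and corsMiddleware are hypothetical, and the look-alike origin in the comment is constructed.

```javascript
// Config in the shape the page shows for `cors --set` (values taken from the page).
const corsConfig = {
  origins: ['http://localhost:3000'],
  methods: ['GET', 'POST'],
};

// Decide the CORS response headers for one request. Returns null when the
// request has no Origin header, or the origin or method is not allowlisted.
function corsHeaders(config, origin, method) {
  if (!origin) return null;
  // Exact string match only: a prefix or substring test would also accept a
  // look-alike such as "http://localhost:3000.attacker.example".
  if (!config.origins.includes(origin)) return null;
  if (!config.methods.includes(String(method).toUpperCase())) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo only a value from the allowlist
    'Access-Control-Allow-Methods': config.methods.join(', '),
  };
}

// Express-style middleware built on the decision function.
function corsMiddleware(config) {
  return (req, res, next) => {
    // The response differs per Origin, so shared caches must key on it.
    res.setHeader('Vary', 'Origin');
    const isPreflight = req.method === 'OPTIONS' &&
      Boolean(req.headers['access-control-request-method']);
    const wanted = isPreflight
      ? req.headers['access-control-request-method']
      : req.method;
    const headers = corsHeaders(config, req.headers.origin, wanted);
    for (const [name, value] of Object.entries(headers || {})) {
      res.setHeader(name, value);
    }
    if (isPreflight) {
      res.statusCode = headers ? 204 : 403;
      return res.end();
    }
    // Omitting the headers only stops the browser from exposing the response
    // to the calling page; the handler still runs, so this is not access control.
    next();
  };
}
```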

Integration Notes

Integrate by wrapping OpenClaw calls in your build scripts or CI/CD pipelines. For example, in a GitHub Actions workflow, add:
run: openclaw web-security scan --project . --key ${{ env.OPENCLAW_API_KEY }}
Use config files for persistent settings, e.g., a .openclawrc file with JSON:
{ "web-security": { "defaultFlags": ["--verbose"], "apiKeyEnv": "OPENCLAW_API_KEY" } }
If combining with other skills, chain outputs; e.g., use web-security scan results as input for a "web-dev" deployment skill. Ensure API keys are stored securely in env vars like $OPENCLAW_API_KEY and never hardcoded.

Error Handling

Handle errors by checking exit codes and response bodies. Common errors: Authentication failure (HTTP 401) if $OPENCLAW_API_KEY is invalid; fix by verifying the key format. Scan failures (e.g., "Project path not found") return code 404; resolve by providing absolute paths. For XSS prevention, if a snippet fails, catch exceptions like:
try {
  sanitizeInput(userInput);
} catch (e) {
  console.error(e.message); // e.g., "Invalid input detected"
}
Parse JSON responses for error details, e.g.,
{ "error": "Vulnerability detected", "code": 400 }
and retry with corrected flags. Always log errors with timestamps for debugging.

Concrete Usage Examples

  1. Scan for OWASP Vulnerabilities: To audit a web app for injection risks, run:
    openclaw web-security scan --owasp --project /path/to/app
    This outputs a JSON report; then, fix issues by adding code like:
    // Parameterized query: userInput is bound as data, never parsed as SQL (table and column names are illustrative).
    db.query('SELECT id FROM users WHERE username = ?', [userInput]);
    Expected output: A list of vulnerabilities, e.g.,
    { "injection": ["SQL in login endpoint"] }
  2. Configure CSP for XSS Prevention: To set up CSP in an Express app, use:
    openclaw web-security csp --generate --policy "script-src 'self'"
    Integrate the output into your server code:
    const helmet = require('helmet');
    app.use(helmet.contentSecurityPolicy({ directives: { scriptSrc: ["'self'"] } }));
    This prevents inline scripts, reducing XSS risks.

Graph Relationships

  • Related to cluster: "web-dev" (e.g., shares dependencies for web app builds).
  • Connected skills: "auth-management" (for advanced auth patterns), "vulnerability-scanning" (for broader security checks).
  • Inverse relationships: Depends on "api-tools" for endpoint testing; provides input to "deployment-pipeline" for secure releases.