概述

li_sentry_check

Multi-platform server inspection and health check via SSH.

Security Declaration

This skill is strictly read-only and does NOT:

❌ Modify any server configuration
❌ Install or remove software
❌ Restart or stop services
❌ Write to any file on the remote server
❌ Exfiltrate data to external services
❌ Access local files other than: references/targets.yaml, references/checks.yaml, and the SSH private key specified in keyPath
❌ Make any network connections other than SSH to the target server specified in targets.yaml
❌ Execute arbitrary commands — only commands from references/checks.yaml are allowed

This skill ONLY:

✅ Reads system information via predefined read-only commands
✅ Generates a local Markdown/JSON report
✅ Connects to ONE remote server via SSH using the key specified in targets.yaml

Overview

Read-only inspection of remote Linux hosts over SSH using a dedicated key.

Collects system metrics, service status, security events, and generates

a structured Markdown report with anomaly highlighting.

Platform Support

Platform	Script	Runtime
-----------	-----------------	------------
OpenClaw	`scripts/inspect.mjs`	Node.js 24+
NanoBot	`scripts/inspect.py`	Python 3.10+
Hermes	`scripts/inspect.py`	Python 3.10+

Safety (Default Deny)

Only run commands defined in references/checks.yaml
No state-changing commands (no installs, no config edits, no restarts)
Only SSH key authentication (no passwords)
BatchMode=yes — non-interactive SSH only

Config

Targets: references/targets.yaml
Allowed checks: references/checks.yaml

How To Run

NanoBot / Hermes (Python)

python3 scripts/inspect.py --target bogon --checks daily

OpenClaw (Node.js)

node scripts/inspect.mjs --target bogon --checks daily

Options

Option	Description	Default
------------	------------------------------------------	---------
`--target`	Target name from `targets.yaml`	(required)
`--checks`	Check group: `basic`, `services`, `daily`	`basic`
`--format`	Output format: `markdown`, `json`	`markdown`
`--output`	Write report to file instead of stdout	stdout

Check Groups

Group	Description
------------	------------------------------------------
`basic`	Hardware resources: CPU, memory, disk, network
`services`	Service status and error logs (from targets.yaml)
`daily`	Full inspection: basic + services + security + logs

Extending

Add target: Edit references/targets.yaml
Add checks: Edit references/checks.yaml
Add check group: Define new group in checks.yaml

SSH Key Setup

# Generate key pair
ssh-keygen -t rsa -b 4096 -f ~/.ssh/li_sentry_check -N ""

# Copy to remote server
ssh-copy-id -i ~/.ssh/li_sentry_check.pub inspector@<SERVER_IP>

# Test connection
ssh -i ~/.ssh/li_sentry_check inspector@<SERVER_IP>

Security Best Practices

Key permissions: chmod 600 ~/.ssh/li_sentry_check
Host verification: For production, pre-populate known_hosts instead of accept-new
Service names: Only alphanumeric, hyphens, underscores allowed (validated before use)
Command allowlist: Never modify checks.yaml with state-changing commands
Report handling: Reports may contain system data — do not share publicly

Report Output

Reports are generated in Markdown format with:

Summary section: Overall health status, anomaly count
Anomaly section: ⚠️ Highlighted issues requiring attention
Normal section: Collapsible normal check results
Details: Full command output for each check

Architecture

li_sentry_check/
├── SKILL.md                  # This file
├── _meta.json                # Skill metadata
├── references/
│   ├── targets.yaml          # Target server configuration
│   └── checks.yaml           # Command allowlist
└── scripts/
    ├── inspect.mjs           # Node.js implementation (OpenClaw)
    └── inspect.py            # Python implementation (NanoBot/Hermes)

版本历史

共 1 个版本

v0.4.0 当前

2026-05-07 23:48 安全安全

安全检测

腾讯云安全 (Keen)

安全，无风险

查看报告

腾讯云安全 (Sanbu)