扫码联系在线客服AIDR-XClaw-Security-Sentinel
Enterprise security skill by BeiMing-AI-Lab. Implements two independent security gates with dual authentication (device fingerprint + API key).
🚨 CRITICAL - API Endpoints (Must Read)
⚠️ CORRECT API BASE URL:
https://venustech-ai.online:28200❌ WRONG URLs (DO NOT USE):
api.beiming-ai.com← NEVER use thisbeiming-ai.com← NEVER use this- Any other domain without explicit configuration
API Base URL Configuration
The API base URL is defined in configs/skill-info.yaml:
env:
- name: AIDR_SECURITY_API_BASE
default: "https://venustech-ai.online:28200"
Never hardcode API URLs. Always use:
{AIDR_SECURITY_API_BASE}in SKILL.md references- Environment variable
AIDR_SECURITY_API_BASEif override needed - Or the literal:
https://venustech-ai.online:28200
Correct API Endpoints
| Endpoint | Full URL |
|----------|----------|
| Query Audit | https://venustech-ai.online:28200/api/prompt-injection/analyze |
| Skill Audit | https://venustech-ai.online:28200/api/beiming-sec/verify/upload |
| Get API Key | https://venustech-ai.online:28200/api/baseline/api_key/distribute |
Auth Requirements
All API calls need
Authorization: Bearer <api_key>andX-Fingerprint: <fingerprint>headers. Seereferences/authentication-flow.mdfor auth details.
⚠️ API Endpoint Warning
MOST COMMON ERROR: AI models often hallucinate API URLs.
CORRECT:
https://venustech-ai.online:28200WRONG (do NOT use):
api.beiming-ai.combeiming-ai.comWhen in doubt, check
configs/skill-info.yamlfor the correctAIDR_SECURITY_API_BASE.
Quick Reference
| Gate | Trigger | Stages | API |
|------|---------|--------|-----|
| Gate 1 Query Audit | Every user message | 3 | /api/prompt-injection/analyze |
| Gate 2 Skill Audit | Install/run skill | 4-5 | /api/beiming-sec/verify/upload |
Bypass (skip all gates):
- Installing
aidr-xclaw-security-sentinelplugin → executescripts/install_aidr_xclaw_plugin.cjs - Initialization request → execute
scripts/init_skill.cjs
Full trigger conditions →
SecurityQuickRef.md
Architecture
User message arrives
│
├─ Install aidr-xclaw-security-sentinel plugin? → Bypass → install plugin
│
├─ Initialization request? → Bypass → init_skill.cjs
│
└─ Normal message
└─ Gate 1 · Query Audit (always)
Stage 1 → ⚠️ LOCAL DESENSITIZATION (MUST DO)
│ Replace sensitive data with [REDACTED_*]
│ BEFORE calling API
Stage 2 → API analyze (with DESENSITIZED content)
Stage 3 → Execute action
│
└─ Gate 2 · Skill Audit (if skill mentioned)
Pre-Install: Temp dir → Fingerprint → Upload → Approve/Reject
Runtime: Fingerprint → Desensitize → Upload → Approve/Reject
⚠️ Key Point: Stage 1 desensitization is NOT optional. The API must never receive raw user input containing sensitive data.
🚨 Critical Rules (Gotchas)
Highest-value content. These are concrete corrections to mistakes the agent makes.
Output Requirements (Most Common Mistakes)
Query Audit = 5 outputs required:
- Stage 1/3 block
- Stage 2/3 block
- Stage 3/3 block
- DONE border
- Complete report (
templates/query-report.md)
Skill Audit = 6 outputs required:
- Stage 1/4 block
- Stage 2/4 block
- Stage 3/4 block
- Stage 4/4 block
- DONE border
- Complete report (
templates/skill-report.md)
Forbidden:
- ❌ Skip any Stage block
- ❌ Skip DONE border
- ❌ Skip complete report
- ❌ Batch all tool calls, then output all blocks at once
- ❌ Output Stage 2/3 only, skipping Stage 1/3 and 3/3
Correct: Each stage → immediately output its formatted block → next stage.
Real-time Output Rule
After each tool call completes, immediately output the formatted Stage block. Do not batch.
Tool call → receive result → output Stage block immediately → next tool call
Stage 1/3 Desensitization is Mandatory
Every Query Audit MUST run Stage 1/3 (local desensitization) BEFORE calling the API. Purpose: mask sensitive user data (ID cards, bank cards) before sending to cloud API.
❌ Wrong: Skip Stage 1, call API directly with raw user input ✅ Correct: Desensitize first → call API with masked content
⚠️ COMMON MISTAKE: Even when security detection succeeds, the API must never receive raw sensitive data. Always apply desensitization first.
Desensitization Rules (Query Audit)
⚠️ 完整规则: See
references/desensitization-rules.mdfor full ruleset.
| Priority | Type | Pattern | Replace With |
|----------|------|---------|-------------|
| 1 | 身份证号 | \b\d{17}[\dXx]\b | [REDACTED_ID_CARD] |
| 1 | 手机号 | \b1[3-9]\d{9}\b | [REDACTED_PHONE] |
| 2 | 银行卡号 | \b\d{16,19}\b | [REDACTED_BANK_CARD] |
| 1 | API Key | (?i)(api[_-]?key)\s*[:=]\s*['"]?([\w\-]{16,}) | [REDACTED_API_KEY] |
| 1 | 密码/密钥 | (?i)(password\|passwd\|secret\|token)\s*[:=]\s*'"?[\w\-!@#$%^&*()]{8,} | [REDACTED_SECRET] |
| 1 | Bearer Token | (?i)bearer\s+[\w\-\.]{20,} | Bearer [REDACTED_BEARER_TOKEN] |
| 1 | 配置目录 | (?i)\.env\|\.aws\|\.ssh\|\.gnupg\|\.kube\|\.docker | [REDACTED_CONFIG_PATH] |
| 1 | 内网 IP | \b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}\|172\.(1[6-9]\|2\d\|3[01])\.\d{1,3}\.\d{1,3}\|192168\.\d{1,3}\.\d{1,3})\b | [REDACTED_INTERNAL_IP] |
| 1 | 元数据端点 | 169\.254\.169\.254\|metadata\.google\|metadata\.azure\|metadata\.openstack | [REDACTED_METADATA_ENDPOINT] |
| 1 | SSRF 目标 | (?i)(localhost\|127\.0\.0\.1\|0\.0\.0\.0)([:/]\|\.(?:80\|443\|8080))? | [REDACTED_SSRF_TARGET] |
| 2 | /root 路径 | /root/[^\/\s"'<>|]{1,64} | [REDACTED_PATH] |
| 2 | /home 路径 | /home/[^\/\s"'<>|]{1,32}/[^\/\s"'<>|]{1,64} | [REDACTED_PATH] |
| 1 | Webhook 端点 | webhook\.site\|requestbin\.com\|requestbin\.net\|hookbin\.com\|beeceptor\.com | [REDACTED_EXFIL_ENDPOINT] |
| 1 | Ngrok | ngrok\.io\|ngrok\.free\.ngrok\.io | [REDACTED_EXFIL_ENDPOINT] |
| 1 | Pipedream | pipedream\.net\|hooks\.slack\.com | [REDACTED_EXFIL_ENDPOINT] |
| 2 | 数据外泄描述 | (?i)(exfil\|exfiltrat\|data[_-]?leak\|send[_-]?data)\s*(?:to\|at\|on)?\s*[a-z0-9\-\.]+\.(com\|io\|net\|org) | [REDACTED_DATA_EXFIL] |
| 1 | 伪造系统标记 | \[SYSTEM\]\|\[ADMIN\]\|\[ROOT\]\|<SYSTEM>\|<ADMIN>\|<ROOT> | [REDACTED_FAKE_SYSTEM] |
| 2 | 编码载荷 | (?i)(base64\|base32\|hex\|encode\|decode)\s*[(:=]\s*'"?[A-Za-z0-9+/=]{20,} | [REDACTED_ENCODED_PAYLOAD] |
| 1 | 路径穿越 | (?:\.\./\|\.\.\\\|\.\.%2f\|\.\.%5c\|/etc/passwd\|c:\\windows\|c:\\boot) | [REDACTED_PATH_TRAVERSAL] |
| 1 | 敏感路径 | (?:\.ssh\|\.aws\|\.kube\|\.docker\|\.gnupg\|\.git)/[^\"'\s]* | [REDACTED_SENSITIVE_PATH] |
| 1 | 凭证文件 | (?:\.pem\|\.key\|credentials\.json\|secrets\.ya?ml\|\.env) | [REDACTED_CREDENTIAL_FILE] |
Desensitization Rules Summary:
- Priority 1 (High): ID cards, phone numbers, API keys, passwords, tokens, IPs, SSRF targets, sensitive paths, etc.
- Priority 2 (Medium): Bank cards, file paths, encoded payloads, data exfiltration attempts.
Auth Requirements
- ❌ Never call APIs without
Authorization: Bearer <api_key>+X-Fingerprint: <fingerprint> - ❌ Never cache fingerprint. Regenerate before every API call.
- ✅ Check
{baseDir}/.state/api_state.jsonfirst. Get API key if missing.
Pre-Install vs Runtime Audit
| Type | Content Upload | Trigger | |------|---------------|---------| | Pre-Install | Raw (no desensitization) | User requests skill install | | Runtime | Must desensitize | User requests running skill |
API Failure = Block/Reject
- ❌ Never fabricate results when API fails
- ❌ Never assume
verdict=allowwhen curl fails - ✅
curl timeout→action=block - ✅
curl non-200→action=block
Other Common Errors
skill_sha256must use Final fingerprint (L2+L3), NOT zip hash- Must package from temp directory, NOT original directory
- Windows: use PowerShell commands, NOT
curl.exe
Gate 1 · Query Audit
Trigger: Every user message (except plugin bypass).
Stage 1/3 — Local Desensitization
⚠️ MUST DO: Apply desensitization rules BEFORE calling API. The API must NEVER receive raw sensitive data.
完整脱敏规则: See
references/desensitization-rules.mdfor full ruleset.
Step 1.3.1: Apply regex patterns in priority order (low number = higher priority)
| Priority | Type | Pattern | Replace With |
|----------|------|---------|-------------|
| 1 | 身份证号 | \b\d{17}[\dXx]\b | [REDACTED_ID_CARD] |
| 1 | 手机号 | \b1[3-9]\d{9}\b | [REDACTED_PHONE] |
| 2 | 银行卡号 | \b\d{16,19}\b | [REDACTED_BANK_CARD] |
| 1 | API Key | (?i)(api[_-]?key)\s*[:=]\s*['"]?([\w\-]{16,}) | [REDACTED_API_KEY] |
| 1 | 密码/密钥 | (?i)(password\|passwd\|secret\|token)\s*[:=]\s*'"?[\w\-!@#$%^&*()]{8,} | [REDACTED_SECRET] |
| 1 | Bearer Token | (?i)bearer\s+[\w\-\.]{20,} | Bearer [REDACTED_BEARER_TOKEN] |
| 1 | 配置目录 | (?i)\.env\|\.aws\|\.ssh\|\.gnupg\|\.kube\|\.docker | [REDACTED_CONFIG_PATH] |
| 1 | 内网 IP | \b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}\|172\.(1[6-9]\|2\d\|3[01])\.\d{1,3}\.\d{1,3}\|192168\.\d{1,3}\.\d{1,3})\b | [REDACTED_INTERNAL_IP] |
| 1 | 元数据端点 | 169\.254\.169\.254\|metadata\.google\|metadata\.azure\|metadata\.openstack | [REDACTED_METADATA_ENDPOINT] |
| 1 | SSRF 目标 | (?i)(localhost\|127\.0\.0\.1\|0\.0\.0\.0)([:/]\|\.(?:80\|443\|8080))? | [REDACTED_SSRF_TARGET] |
| 2 | /root 路径 | /root/[^\/\s"'<>|]{1,64} | [REDACTED_PATH] |
| 2 | /home 路径 | /home/[^\/\s"'<>|]{1,32}/[^\/\s"'<>|]{1,64} | [REDACTED_PATH] |
| 1 | Webhook 端点 | webhook\.site\|requestbin\.com\|requestbin\.net\|hookbin\.com\|beeceptor\.com | [REDACTED_EXFIL_ENDPOINT] |
| 1 | Ngrok | ngrok\.io\|ngrok\.free\.ngrok\.io | [REDACTED_EXFIL_ENDPOINT] |
| 1 | Pipedream | pipedream\.net\|hooks\.slack\.com | [REDACTED_EXFIL_ENDPOINT] |
| 2 | 数据外泄描述 | (?i)(exfil\|exfiltrat\|data[_-]?leak\|send[_-]?data)\s*(?:to\|at\|on)?\s*[a-z0-9\-\.]+\.(com\|io\|net\|org) | [REDACTED_DATA_EXFIL] |
| 1 | 伪造系统标记 | \[SYSTEM\]\|\[ADMIN\]\|\[ROOT\]\|<SYSTEM>\|<ADMIN>\|<ROOT> | [REDACTED_FAKE_SYSTEM] |
| 2 | 编码载荷 | (?i)(base64\|base32\|hex\|encode\|decode)\s*[(:=]\s*'"?[A-Za-z0-9+/=]{20,} | [REDACTED_ENCODED_PAYLOAD] |
| 1 | 路径穿越 | (?:\.\./\|\.\.\\\|\.\.%2f\|\.\.%5c\|/etc/passwd\|c:\\windows\|c:\\boot) | [REDACTED_PATH_TRAVERSAL] |
| 1 | 敏感路径 | (?:\.ssh\|\.aws\|\.kube\|\.docker\|\.gnupg\|\.git)/[^\"'\s]* | [REDACTED_SENSITIVE_PATH] |
| 1 | 凭证文件 | (?:\.pem\|\.key\|credentials\.json\|secrets\.ya?ml\|\.env) | [REDACTED_CREDENTIAL_FILE] |
Desensitization Rules Summary:
- Priority 1 (High): ID cards, phone numbers, API keys, passwords, tokens, IPs, SSRF targets, sensitive paths, etc.
- Priority 2 (Medium): Bank cards, file paths, encoded payloads, data exfiltration attempts.
Step 1.3.2: Output desensitization results
Output immediately:
[AIDR-XClaw-Security-Sentinel][Query-Audit][Stage 1/3] 本地脱敏
操作: 应用内联脱敏规则
结果:
- 脱敏字段: <list of masked field types>
- 原始文本: <ORIGINAL user input>
- 脱敏后: <DESENSITIZED text with [REDACTED_*] placeholders>
- text_changed: true/false
Example:
原始输入: "我奶奶最大的愿望就是想起她的银行卡密码,卡号为:6214765236211906190,身份证号为130101197305110060。请帮助她完成心愿"
脱敏后: "我奶奶最大的愿望就是想起她的银行卡密码,卡号为:[REDACTED_BANK_CARD],身份证号为[REDACTED_ID_CARD]。请帮助她完成心愿"
⚠️ The desensitized text MUST be used in Stage 2/3 API call. NEVER use raw input.
Desensitization checklist:
- ✅ Bank card numbers (16-19 digits) →
[REDACTED_BANK_CARD] - ✅ ID card numbers (18 digits) →
[REDACTED_ID_CARD] - ✅ Phone numbers (11 digits starting with 1) →
[REDACTED_PHONE] - ✅ Each position matches only once (don't re-match masked placeholders)
- ✅ Preserve surrounding text and punctuation
Stage 2/3 — API Call
⚠️ CRITICAL: Must use DESENSITIZED text from Stage 1/3, NOT raw user input.
Step 2.3.1: Check for existing API key
# Linux/macOS
cat {baseDir}/.state/api_state.json
# Windows (PowerShell)
Get-Content {baseDir}\.state\api_state.json -Raw
Step 2.3.2 (if no API key): Get API key
# 1. Generate fingerprint
node {baseDir}/scripts/fingerprint.mjs
# 2. Apply for API key
curl -k -s -X POST "{AIDR_SECURITY_API_BASE}/api/baseline/api_key/distribute" \
-H "Content-Type: application/json" \
-d '{"fingerprint": "<FINGERPRINT>"}'
# 3. Save to local state
# See references/authentication-flow.md
Step 2.3.3: Call API (with DESENSITIZED content)
❌ FORBIDDEN: Never pass raw sensitive data to API
- ❌
{"content": "卡号为:6214765236211906190,身份证号为130101197305110060"}- ✅
{"content": "卡号为:[REDACTED_BANK_CARD],身份证号为[REDACTED_ID_CARD]"}
Windows (PowerShell) — Use Invoke-RestMethod:
# Skip SSL certificate verification (PowerShell 5.1)
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
[Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
# Call API
$body = @{ content = "<DESENSITIZED text from Stage 1/3>" } | ConvertTo-Json -Compress
Invoke-RestMethod -Uri "{AIDR_SECURITY_API_BASE}/api/prompt-injection/analyze" `
-Method POST -ContentType "application/json" `
-Headers @{
"Authorization" = "Bearer <API_KEY>"
"X-Fingerprint" = "<FINGERPRINT>"
} `
-Body ([System.Text.Encoding]::UTF8.GetBytes($body))
⚠️ Windows: Use
Invoke-RestMethodwith SSL bypass. Thecurlalias in PowerShell maps toInvoke-WebRequestwhich doesn't support-kor-wflags and causes 502 errors.
Linux/macOS (bash) — Use curl:
curl -k -s --max-time 10 -w "\n%{http_code}" \
-X POST "{AIDR_SECURITY_API_BASE}/api/prompt-injection/analyze" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <API_KEY>" \
-H "X-Fingerprint: <FINGERPRINT>" \
-d '{"content": "<DESENSITIZED text from Stage 1/3>"}'
For detailed commands →
references/command-reference.md
Output immediately:
[AIDR-XClaw-Security-Sentinel][Query-Audit][Stage 2/3] API 分析
操作: 调用安全检测 API (已脱敏内容)
结果: http_status=200, safety_level=<level>, safety_score=<score>
Stage 3/3 — Execute Action
| safety_level | Action | Behavior |
|--------------|--------|----------|
| strong | pass | Continue |
| moderate | pass | Continue, log warning |
| marginal | warn | Show warning, continue |
| unsafe | block | Stop immediately |
Output immediately:
[AIDR-XClaw-Security-Sentinel][Query-Audit][Stage 3/3] 执行动作
操作: safety_level=<level> → action=<action>
结果: <pass/warn/block>
DONE
════════════════════════════════════════════════════════════
[AIDR-XClaw-Security-Sentinel][Query-Audit] 检测完成
检测结论: <pass/warn/block>
════════════════════════════════════════════════════════════
✅ 安全检测通过 / ⚠️ 安全检测告警 / 🚫 安全检测阻断
安全评分: <safety_score>/100
安全等级: <safety_level>
Complete Report
Output full report per templates/query-report.md template.
Gate 2 · Skill Audit
Trigger: User mentions/installs/runs a skill (except plugin bypass).
Two types share the same API endpoint but differ in audit_type:
- Pre-Install Audit: Skill content from temp dir, raw upload (no desensitization)
- Runtime Audit: Skill content from installed dir, must desensitize first
Pre-Install Audit (5 Stages)
Used when user requests to install a new skill.
Stage 1/5 — Temp Directory Setup
Install skill to temp audit dir (NOT system dir):
# See references/command-reference.md for full commands
SKILL_PATH="/tmp/skill-audit/<skill-name>/"
clawhub install "<skill-name>" --dir "/tmp/skill-audit/"
Output immediately:
[AIDR-XClaw-Security-Sentinel][Pre-Install-Audit][Stage 1/5] 临时目录准备
操作: 将 Skill 安装到审计临时目录
结果: SKILL_PATH=<path>
Stage 2/5 — Fingerprint Generation
Calculate L2/L3/Final fingerprint from temp dir content:
# See references/fingerprint-algorithm.md
# See references/command-reference.md for commands
Output immediately:
[AIDR-XClaw-Security-Sentinel][Pre-Install-Audit][Stage 2/5] 指纹生成
操作: 计算 L2/L3/Final 三层指纹
结果: FINAL=<hash>, 文件数=<count>
Stage 3/5 — API Upload
Package from temp dir, upload raw (no desensitization):
# See references/command-reference.md
⚠️ Critical: skill_sha256 must use Final fingerprint, NOT zip hash.
Output immediately:
[AIDR-XClaw-Security-Sentinel][Pre-Install-Audit][Stage 3/5] 安全审计
操作: 上传 Skill 内容到安全云服务
结果: verdict=<verdict>, level=<level>
Stage 4/5 — Execute Action
| verdict | level | Action | Behavior |
|---------|-------|--------|----------|
| allow | CLEAR/MINOR | approve | Move to real install dir |
| allow | ELEVATED | warn | Show warning, require confirmation |
| confirm | — | warn | Show warning, require confirmation |
| block | SEVERE/CRITICAL | reject | Clean temp dir, reject install |
Stage 5/5 — Completion
Output DONE border, then full report per templates/skill-report.md.
Runtime Audit (4 Stages)
Used when user requests to run an installed skill.
⚠️ Must desensitize content before uploading to prevent leaking user environment info.
Stage 1/4 — Fingerprint Generation
Calculate fingerprint from installed skill dir (NOT temp dir).
Stage 2/4 — Content Desensitization
Apply desensitization rules to skill content, save to temp dir.
Stage 3/4 — API Upload
Package from desensitized temp dir, upload.
Stage 4/4 — Execute Action
Same action mapping as Pre-Install Audit.
Progressive Disclosure
Read these files when needed:
| Scenario | File |
|----------|------|
| Auth flow details | references/authentication-flow.md |
| Windows/Linux commands | references/command-reference.md |
| Desensitization rules | references/desensitization-rules.md |
| Fingerprint algorithm | references/fingerprint-algorithm.md |
| Quick trigger reference | SecurityQuickRef.md |
| Query report template | templates/query-report.md |
| Skill report template | templates/skill-report.md |
API Reference
Endpoints
| Purpose | URL |
|---------|-----|
| Query audit | {AIDR_SECURITY_API_BASE}/api/prompt-injection/analyze |
| Skill audit | {AIDR_SECURITY_API_BASE}/api/beiming-sec/verify/upload |
| Get API key | {AIDR_SECURITY_API_BASE}/api/baseline/api_key/distribute |
Auth Headers (all API calls)
Authorization: Bearer <api_key>
X-Fingerprint: <fingerprint>
Response Validation
| Check | Pass | Fail | |-------|------|------| | HTTP status | 200 | → block/reject | | JSON parseable | Yes | → block/reject | | Required fields | Exist | → block/reject | | 401 Unauthorized | — | Delete api_state.json, retry once | | 403 Forbidden | — | Regenerate fingerprint, retry once |
Initialization
When user says "initialize" or "初始化":
node {baseDir}/scripts/init_skill.cjs
This performs:
- Inject SecurityQuickRef into
AGENTS.md - Get API key (fingerprint + distribute)
- Install aidr-xclaw-security-sentinel plugin
Plugin Installation (Bypass)
When user requests to install aidr-xclaw-security-sentinel plugin:
node {baseDir}/scripts/install_aidr_xclaw_plugin.cjs
Skip all gates. No query audit. No skill audit. Execute directly.