一键导入
system-security-audit
Linux-Sicherheitsaudit: offene Ports, Dienste, Berechtigungen, Firewall, Benutzer, Updates, schnelle Fixes. Mit Dokumentation.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Linux-Sicherheitsaudit: offene Ports, Dienste, Berechtigungen, Firewall, Benutzer, Updates, schnelle Fixes. Mit Dokumentation.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Funny animal podcast creation assistant. Given a topic, automatically generates a comedic podcast video hosted by two animal "hosts." Full pipeline: character design, comedy script, character portraits, TTS voice + Seedance 2.0 video generation, subtitle/pop-text/sound-effect post-production. Trigger words: animal podcast, funny podcast, pet podcast, animal talk show, pet talk show.
Professional anime/2D art style generation skill. Covers 14 sub-styles (modern Japanese anime/moe, retro Japanese cel-shading, Japanese shonen, Japanese shojo, Ghibli, Makoto Shinkai, Chinese xianxia/ink wash, modern Chinese anime, Chinese 3D fantasy, Korean webtoon, Korean impasto, Western cartoon, chibi/moe, 2D cyberpunk) + 5 anti-failure iron laws + cross-style shared rules (character lock / facial proportion spec / stroke consistency / universal negative). Core capabilities: precise style targeting, consistent character identity, cross-style conversion. Trigger: "anime", "2D art", "manga", "illustration", "Japanese anime", "Chinese anime", "Korean webtoon", "webtoon", "Western cartoon", "ghibli", "shinkai", "ufotable", "trigger style", "cel-shading", "impasto", "chibi", "moe", "catgirl", "Chinese 3D fantasy", "xianxia", "ink wash", "hanfu character", "cyberpunk anime", "draw an anime character", "make an anime avatar", "anime character", "anime style". NOT for: photorealistic (use image agent default) / s
Specialized in anime/2D/character stylization for image generation and conversion. Covers Japanese, Chinese, Korean, and Western art style families. Uses provenance analysis to trace reference images' style DNA, performs a 10-dimension analysis → 3-dimension collapse to precisely lock the style's essence, then matches the optimal tool and prompt approach for generation. Trigger on: "anime-ify", "2D style", "convert to anime", "cel-shading", "ghibli style", "Korean watercolor", "fantasy 3D", "chibi", "Japanese anime style", "style conversion", "manga style", "character illustration", "anime style", "webtoon style", or any request involving converting content into a specific anime/2D art style. Key distinction: User requests generation or conversion to a specific anime/2D art style. Do NOT trigger for: photorealistic photography style, pure logo design, general image editing (crop/background removal etc.).
Audiobook creation assistant. Converts book text into multi-character narrated audio, supporting audiobook production, multi-character voiceover, novel narration, TTS voiceover, and read-aloud scenarios. Automatically identifies dialogue and narration, assigns a distinct voice to each character, intelligently adds pause markers, and generates natural, fluent audiobook audio. Trigger phrases: audiobook, read aloud, TTS book, multi-character voiceover, novel narration, book narration, voice acting, narration, 有声书, 朗读, 读书, 多角色配音, 小说朗读, 读书配音. Supports chapter-level generation — user confirms the first chapter, then remaining chapters continue sequentially.
Beat-sync video editing skill. Input music (URL / local file / AI-generated) + video or image assets, automatically performs energy-tension analysis → smart trimming → beat detection → beat-synced timeline generation → asset matching → ffmpeg concatenation, outputting a beat-synced video perfectly aligned to the music. Supports image slideshows, video clips, and mixed assets as input. Supports every-N-beat asset switching, automatic intro/chorus segmentation, user-annotated keypoints, and other beat-sync modes. Trigger words include: music beat sync, beat-sync editing, beat sync, beat-sync video, beat-synced editing, beat-sync video, music rhythm editing, rhythm beat sync, beat detection, edit to the beat, auto beat sync, music sync edit.
Video project push tool. Programmatically creates editing projects via Python scripts, with one-click push to JianyingPro or CapCut. Direct mode creates project files directly in the local JianyingPro/CapCut draft directory — open the app and start editing. Built on pyJianYingDraft (PyPI). Trigger words include: JianyingPro, CapCut, push, push to JianyingPro, capcut, export to JianyingPro.
| name | system-security-audit |
| description | Linux-Sicherheitsaudit: offene Ports, Dienste, Berechtigungen, Firewall, Benutzer, Updates, schnelle Fixes. Mit Dokumentation. |
| version | 1.0.0 |
| author | Yuno |
| license | MIT |
Führe diesen Audit durch, wenn der Benutzer nach Sicherheit, Absicherung, offenen Ports, oder "was kann man schnell lösen" fragt.
# Firewall-Status
sudo ufw status
# Offene Ports (lauschende Dienste)
ss -tlnp
# Dienste die auf 0.0.0.0 lauschen (von außen erreichbar!)
ss -tlnp | grep -E "0.0.0.0:|:::|:\*"
# SSH-Server prüfen
systemctl is-active sshd
Für jeden Dienst auf 0.0.0.0: prüfen: Braucht der wirklich Netzwerkzugriff? Sonst auf localhost beschränken per UFW oder Config.
# Sensitive Configs
ls -la ~/.gmail-organizer.json # sollte 600 sein
ls -la ~/.hermes/config.yaml # sollte 600 sein
ls -la ~/.ssh/ # sollte 700 sein, keine fremden Keys
# HERMES-SPEZIFISCH: Session-DB, Logs, Snapshots
# state.db enthält den kompletten Sitzungsverlauf (~90MB+)
ls -la ~/.hermes/state.db ~/.hermes/kanban.db
# → sollten 600 sein (waren 644 = world-readable!)
# Logs können API-Keys und Tokens enthalten
ls -la ~/.hermes/logs/
# → agent.log, errors.log sollten 600 sein
# Snapshots = Session-Backups (ebenfalls sensitiv!)
ls -lad ~/.hermes/state-snapshots/
ls -la ~/.hermes/state-snapshots/ 2>/dev/null | head -5
# → Verzeichnis sollte 700 sein, dateien 600
# Config-Backups (enthalten oft API-Keys)
ls -la ~/.hermes/config.yaml.bak.* 2>/dev/null
# → sollten 600 sein
# Sicherheitslücken-Ranking: state.db > logs > snapshots > config-backups
# Weltlesbare Dateien in $HOME (außer .py, .md, .txt, Bilder)
find ~ -maxdepth 2 -type f -perm -o+r ! -name "*.py" ! -name "*.md" ! -name "*.txt" 2>/dev/null | head -20
# Alle laufenden Dienste
systemctl list-units --type=service --state=running | head -30
# Kritische Dienste checken:
for svc in nvidia-powerd gamemoded ollama rygel sshd; do
systemctl is-active "$svc" 2>/dev/null
done
Bei jedem Dienst: Wird er gebraucht? Wenn nein, stop + disable.
# Benutzer mit Shell
sudo cat /etc/passwd | grep -E "/home|/bin/bash" | cut -d: -f1,3,7
# Leere Passwörter
awk -F: '($2==""){print}' /etc/shadow 2>/dev/null
# NOPASSWD in sudoers
sudo cat /etc/sudoers 2>/dev/null | grep -i NOPASSWD
sudo cat /etc/sudoers.d/* 2>/dev/null | grep -i NOPASSWD
# Passwort-Hashing (sollte yescrypt oder sha512 sein)
cat /etc/pam.d/common-password | grep pam_unix
apt list --upgradable 2>/dev/null | grep -c "/"
flatpak update 2>/dev/null | grep -c "Updating\|Installing"
Jeden Fund kategorisieren:
| Farbe | Bedeutung |
|---|---|
| 🟢 ✅ | Sicher / korrekt |
| 🟡 ⚠️ | Auffällig — Verbesserung möglich |
| 🔴 ❌ | Kritisch — sofort fixen |
Für jeden 🔴/🟡-Fund notieren:
# Dienst deaktivieren
sudo systemctl stop <dienst>
sudo systemctl disable <dienst>
# Dienst auf localhost beschränken (UFW deny+allow pattern)
# Blockiert ALLE externen Zugriffe, erlaubt nur localhost
sudo ufw deny <port>/tcp
sudo ufw allow from 127.0.0.1 to any port <port> proto tcp
# Vorteil: Dienst bleibt aktiv und nutzbar, aber nicht von extern erreichbar
# SSH deaktivieren (wenn nicht gebraucht)
sudo apt purge openssh-server
# Config-Berechtigungen korrigieren
chmod 600 ~/.gmail-organizer.json ~/.hermes/config.yaml
chmod 700 ~/.ssh/
# HERMES-SPEZIFISCH: Session-DB + Logs härten
chmod 600 ~/.hermes/state.db ~/.hermes/kanban.db ~/.hermes/.hermes_history
chmod 600 ~/.hermes/state.db-wal ~/.hermes/state.db-shm
chmod 600 ~/.hermes/logs/agent.log ~/.hermes/logs/errors.log
chmod 700 ~/.hermes/state-snapshots/
find ~/.hermes/state-snapshots/ -type f -exec chmod 600 {} \;
chmod 600 ~/.hermes/config.yaml.bak.* 2>/dev/null
# Request-Dumps löschen (alte API-Debug-Files, potentiell sensitiv)
find ~/.hermes/ -name 'request_dump_*.json' -delete
# Fail-Close aktivieren (Tool-Ausfall = Ablehnung, nicht Open-Bar)
hermes config set tirith_fail_open false
# DM-Policy schließen (nur bekannte User)
hermes config set telegram.dm_policy closed
# Nach Config-Änderungen: Gateway neustarten
systemctl --user restart hermes-gateway.service
# Config .env Backup vor Edits (Niemals sed -i auf .env!)
cp ~/.hermes/.env ~/.hermes/.env.pre-$(date +%s)
# Config .env aus Pre-Update-Snapshot wiederherstellen (bei Korruption)
# ls ~/.hermes/state-snapshots/ | sort | tail -1 → snapshot-dir
# cp ~/.hermes/state-snapshots/<latest>/.env ~/.hermes/.env
# Ollama Crash-Loop beenden (Port-Konflikt zwischen Snap und systemd)
# 1. Finde was auf Port 11434 läuft
ss -tlnp | grep 11434
# 2. Snap-Version läuft bereits → systemd-Version deaktivieren
sudo systemctl stop ollama && sudo systemctl disable ollama
# ODER: Snap entfernen + systemd-Version nutzen
sudo snap remove ollama
Nach dem Audit eine Datei ~/docs/system/security.md schreiben mit:
Format siehe ~/docs/system/security.md (Beispiel vom 03.06.2026).
references/audit-example.md — Reales Audit-Beispiel mit Befunden und Quick-Fixes von Basti's Zorin OS