← Back to DevOps & Cloud
DevOps & Cloud by @davida-ps

clawsec-suite

Use when users or agents want to explore or set up ClawSec

New
Source Code

ClawSec Suite

This means clawsec-suite can:

  • monitor the ClawSec advisory feed,
  • track which advisories are new since last check,
  • cross-reference advisories against locally installed skills,
  • recommend removal for malicious-skill advisories and require explicit user approval first,
  • and still act as the setup/management entrypoint for other ClawSec protections.

Included vs Optional Protections

Built into clawsec-suite

  • Embedded feed seed file: advisories/feed.json
  • Portable heartbeat workflow in HEARTBEAT.md
  • Advisory polling + state tracking + affected-skill checks
  • OpenClaw advisory guardian hook package: hooks/clawsec-advisory-guardian/
  • Setup scripts for hook and optional cron scheduling: scripts/
  • Guarded installer: scripts/guarded_skill_install.mjs

installed separately

  • openclaw-audit-watchdog
  • soul-guardian
  • clawtributor (explicit opt-in)

Installation

Option A: Via clawhub (recommended)

npx clawhub@latest install clawsec-suite

Option B: Manual download with signature + checksum verification

set -euo pipefail

VERSION="${SKILL_VERSION:?Set SKILL_VERSION (e.g. 0.0.8)}"
INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
DEST="$INSTALL_ROOT/clawsec-suite"
BASE="https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v${VERSION}"

TEMP_DIR="$(mktemp -d)"
DOWNLOAD_DIR="$TEMP_DIR/downloads"
trap 'rm -rf "$TEMP_DIR"' EXIT
mkdir -p "$DOWNLOAD_DIR"

# Pinned release-signing public key (verify fingerprint out-of-band on first use)
# Fingerprint (SHA-256 of SPKI DER): 35866e1b1479a043ae816899562ac877e879320c3c5660be1e79f06241ca0854
RELEASE_PUBKEY_SHA256="35866e1b1479a043ae816899562ac877e879320c3c5660be1e79f06241ca0854"
cat > "$TEMP_DIR/release-signing-public.pem" <<'PEM'
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAtaRGONGp0Syl9EBS17hEYgGTwUtfZgigklS6vAe5MlQ=
-----END PUBLIC KEY-----
PEM

ACTUAL_KEY_SHA256="$(openssl pkey -pubin -in "$TEMP_DIR/release-signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_KEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
  echo "ERROR: Release public key fingerprint mismatch" >&2
  exit 1
fi

# 1) Download checksums manifest + detached signature
curl -fsSL "$BASE/checksums.json" -o "$TEMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.json.sig" -o "$TEMP_DIR/checksums.json.sig"

# 2) Verify checksums manifest signature before trusting any file URLs or hashes
openssl base64 -d -A -in "$TEMP_DIR/checksums.json.sig" -out "$TEMP_DIR/checksums.json.sig.bin"
if ! openssl pkeyutl -verify \
  -pubin \
  -inkey "$TEMP_DIR/release-signing-public.pem" \
  -sigfile "$TEMP_DIR/checksums.json.sig.bin" \
  -rawin \
  -in "$TEMP_DIR/checksums.json" >/dev/null 2>&1; then
  echo "ERROR: checksums.json signature verification failed" >&2
  exit 1
fi

if ! jq -e '.skill and .version and .files' "$TEMP_DIR/checksums.json" >/dev/null 2>&1; then
  echo "ERROR: Invalid checksums.json format" >&2
  exit 1
fi

echo "Checksums manifest signature verified."

# 3) Download every file listed in checksums and verify immediately
DOWNLOAD_FAILED=0
for file in $(jq -r '.files | keys[]' "$TEMP_DIR/checksums.json"); do
  FILE_URL="$(jq -r --arg f "$file" '.files[$f].url' "$TEMP_DIR/checksums.json")"
  EXPECTED="$(jq -r --arg f "$file" '.files[$f].sha256' "$TEMP_DIR/checksums.json")"

  if ! curl -fsSL "$FILE_URL" -o "$DOWNLOAD_DIR/$file"; then
    echo "ERROR: Download failed for $file" >&2
    DOWNLOAD_FAILED=1
    continue
  fi

  if command -v shasum >/dev/null 2>&1; then
    ACTUAL="$(shasum -a 256 "$DOWNLOAD_DIR/$file" | awk '{print $1}')"
  else
    ACTUAL="$(sha256sum "$DOWNLOAD_DIR/$file" | awk '{print $1}')"
  fi

  if [ "$EXPECTED" != "$ACTUAL" ]; then
    echo "ERROR: Checksum mismatch for $file" >&2
    DOWNLOAD_FAILED=1
  else
    echo "Verified: $file"
  fi
done

if [ "$DOWNLOAD_FAILED" -eq 1 ]; then
  echo "ERROR: One or more files failed verification" >&2
  exit 1
fi

# 4) Install files using paths from checksums.json
while IFS= read -r file; do
  [ -z "$file" ] && continue
  REL_PATH="$(jq -r --arg f "$file" '.files[$f].path // $f' "$TEMP_DIR/checksums.json")"
  SRC_PATH="$DOWNLOAD_DIR/$file"
  DST_PATH="$DEST/$REL_PATH"

  mkdir -p "$(dirname "$DST_PATH")"
  cp "$SRC_PATH" "$DST_PATH"
done < <(jq -r '.files | keys[]' "$TEMP_DIR/checksums.json")

chmod 600 "$DEST/skill.json"
find "$DEST" -type f ! -name "skill.json" -exec chmod 644 {} \;

echo "Installed clawsec-suite v${VERSION} to: $DEST"
echo "Next step (OpenClaw): node \"\$DEST/scripts/setup_advisory_hook.mjs\""

OpenClaw Automation (Hook + Optional Cron)

After installing the suite, enable the advisory guardian hook:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_hook.mjs"

Optional: create/update a periodic cron nudge (default every 6h) that triggers a main-session advisory scan:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_cron.mjs"

What this adds:

  • scan on agent:bootstrap and /new (command:new),
  • compare advisory affected entries against installed skills,
  • notify when new matches appear,
  • and ask for explicit user approval before any removal flow.

Restart the OpenClaw gateway after enabling the hook. Then run /new once to force an immediate scan in the next session context.

Guarded Skill Install Flow (Double Confirmation)

When the user asks to install a skill, treat that as the first request and run a guarded install check:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1

Behavior:

  • If no advisory match is found, install proceeds.
  • If --version is omitted, matching is conservative: any advisory that references the skill name is treated as a match.
  • If advisory match is found, the script prints advisory context and exits with code 42.
  • Then require an explicit second confirmation from the user and rerun with --confirm-advisory:
node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1 --confirm-advisory

This enforces:

  1. First confirmation: user asked to install.
  2. Second confirmation: user explicitly approves install after seeing advisory details.

Embedded Advisory Feed Behavior

The embedded feed logic uses these defaults:

  • Remote feed URL: https://raw.githubusercontent.com/prompt-security/clawsec/main/advisories/feed.json
  • Remote feed signature URL: ${CLAWSEC_FEED_URL}.sig (override with CLAWSEC_FEED_SIG_URL)
  • Remote checksums manifest URL: sibling checksums.json (override with CLAWSEC_FEED_CHECKSUMS_URL)
  • Local seed fallback: ~/.openclaw/skills/clawsec-suite/advisories/feed.json
  • Local feed signature: ${CLAWSEC_LOCAL_FEED}.sig (override with CLAWSEC_LOCAL_FEED_SIG)
  • Local checksums manifest: ~/.openclaw/skills/clawsec-suite/advisories/checksums.json
  • Pinned feed signing key: ~/.openclaw/skills/clawsec-suite/advisories/feed-signing-public.pem (override with CLAWSEC_FEED_PUBLIC_KEY)
  • State file: ~/.openclaw/clawsec-suite-feed-state.json
  • Hook rate-limit env (OpenClaw hook): CLAWSEC_HOOK_INTERVAL_SECONDS (default 300)

Fail-closed verification: Both signature and checksum manifest verification are required by default. Set CLAWSEC_ALLOW_UNSIGNED_FEED=1 only as a temporary migration bypass when adopting this version before signed feed artifacts are available upstream.

Quick feed check

FEED_URL="${CLAWSEC_FEED_URL:-https://raw.githubusercontent.com/prompt-security/clawsec/main/advisories/feed.json}"
STATE_FILE="${CLAWSEC_SUITE_STATE_FILE:-$HOME/.openclaw/clawsec-suite-feed-state.json}"

TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

if ! curl -fsSLo "$TMP/feed.json" "$FEED_URL"; then
  echo "ERROR: Failed to fetch advisory feed"
  exit 1
fi

if ! jq -e '.version and (.advisories | type == "array")' "$TMP/feed.json" >/dev/null; then
  echo "ERROR: Invalid advisory feed format"
  exit 1
fi

mkdir -p "$(dirname "$STATE_FILE")"
if [ ! -f "$STATE_FILE" ]; then
  echo '{"schema_version":"1.0","known_advisories":[],"last_feed_check":null,"last_feed_updated":null}' > "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

NEW_IDS_FILE="$TMP/new_ids.txt"
jq -r --argfile state "$STATE_FILE" '($state.known_advisories // []) as $known | [.advisories[]?.id | select(. != null and ($known | index(.) | not))] | .[]?' "$TMP/feed.json" > "$NEW_IDS_FILE"

if [ -s "$NEW_IDS_FILE" ]; then
  echo "New advisories detected:"
  while IFS= read -r id; do
    [ -z "$id" ] && continue
    jq -r --arg id "$id" '.advisories[] | select(.id == $id) | "- [\(.severity | ascii_upcase)] \(.id): \(.title)"' "$TMP/feed.json"
  done < "$NEW_IDS_FILE"
else
  echo "FEED_OK - no new advisories"
fi

Heartbeat Integration

Use the suite heartbeat script as the single periodic security check entrypoint:

  • skills/clawsec-suite/HEARTBEAT.md

It handles:

  • suite update checks,
  • feed polling,
  • new-advisory detection,
  • affected-skill cross-referencing,
  • approval-gated response guidance for malicious/removal advisories,
  • and persistent state updates.

Approval-Gated Response Contract

If an advisory indicates a malicious or removal-recommended skill and that skill is installed:

  1. Notify the user immediately with advisory details and severity.
  2. Recommend removing or disabling the affected skill.
  3. Treat the original install request as first intent only.
  4. Ask for explicit second confirmation before deletion/disable action (or before proceeding with risky install).
  5. Only proceed after that second confirmation.

The suite hook and heartbeat guidance are intentionally non-destructive by default.

Optional Skill Installation

Install additional protections as needed:

npx clawhub@latest install openclaw-audit-watchdog
npx clawhub@latest install soul-guardian
# opt-in only:
npx clawhub@latest install clawtributor

Security Notes

  • Always verify checksums.json signature before trusting its file URLs/hashes, then verify each file checksum.
  • Verify advisory feed detached signatures; do not enable CLAWSEC_ALLOW_UNSIGNED_FEED outside temporary migration windows.
  • Keep advisory polling rate-limited (at least 5 minutes between checks).
  • Treat critical and high advisories affecting installed skills as immediate action items.
  • If you migrate off standalone clawsec-feed, keep one canonical state file to avoid duplicate notifications.
  • Pin and verify public key fingerprints out-of-band before first use.