feat(traffic-guardian): add runtime monitoring skill baselines (#217)

* feat(traffic-guardian): add runtime monitoring skill baselines

* fix(traffic-guardian): align changelog and i18n fallback docs

* chore(traffic-guardian): prepare beta1 release metadata
davida-ps
2026-05-10 15:04:17 +03:00
committed by GitHub
parent 85caad5601
commit 369745821f
48 changed files with 1420 additions and 14 deletions
@@ -0,0 +1,8 @@
# Changelog
## [0.0.1-beta1] - 2026-05-10
- Added baseline skill metadata, frontmatter, and implementation specification.
- Reserved folder structure for Hermes traffic-monitoring runtime code, posture export, and tests.
- Beta release notes: this release is a scaffold/spec baseline and does not yet ship active runtime proxy interception.
- Beta release notes: defaults remain non-invasive (no automatic traffic mutation or enforcement enabled by default).
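Review bot: the last bullet, "no automatic traffic mutation or enforcement enabled by default", reads as though an enforcement mode exists and is merely switched off, while SKILL.md and SPEC.md in this same commit say blocking must not exist in the first implementation. Suggest a capability statement instead, e.g. "no traffic mutation or enforcement is implemented in this release", so the changelog cannot be read as describing a dormant blocking mode.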
+18
@@ -0,0 +1,18 @@
# Hermes Traffic Guardian
Baseline skill for Hermes runtime traffic monitoring.
This package is intentionally a spec scaffold. Builders should add the Hermes-specific monitor implementation here while preserving the safety contract in `SKILL.md` and `SPEC.md`.
## Intended Capability
- detect outbound secret exfiltration in Hermes HTTP/HTTPS traffic
- detect inbound command-injection and tool-abuse payloads
- write redacted local JSONL findings
- export monitor posture for `hermes-attestation-guardian`
- provide explicit start, stop, status, and log-query commands
## Builder Notes
Keep runtime ownership in this skill. `hermes-attestation-guardian` should only attest this skill's state, config, and output fingerprints.
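Review bot: "detect outbound secret exfiltration in Hermes HTTP/HTTPS traffic" under Intended Capability overstates default coverage, since SKILL.md makes HTTPS inspection optional and conditional on operator-supplied per-process trust. Suggest "HTTP traffic, and HTTPS traffic only when operator-enabled HTTPS inspection is on", so builders and operators do not assume TLS payloads are inspected out of the box.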
+68
@@ -0,0 +1,68 @@
---
name: hermes-traffic-guardian
version: 0.0.1-beta1
description: Hermes runtime traffic monitoring baseline for opt-in proxy inspection, egress detection, and attestation-aware traffic posture.
homepage: https://clawsec.prompt.security
author: prompt-security
license: AGPL-3.0-or-later
hermes:
emoji: "TG"
requires:
bins: [node, python3]
---
# Hermes Traffic Guardian
This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.
## Scope
Builders should use this skill as the Hermes landing zone for runtime traffic monitoring:
- operator-scoped HTTP proxy inspection
- optional HTTPS inspection with per-process CA trust
- outbound exfiltration detection
- inbound injection detection
- redacted local threat logs
- status export for `hermes-attestation-guardian`
Do not add proxy runtime ownership to `hermes-attestation-guardian`. That skill should attest this monitor's status and configuration, not run it.
## Safety Contract
- Opt-in only.
- Detect-and-log by default.
- No automatic system CA installation.
- No global proxy environment changes.
- No blocking in the first implementation.
- Redact secrets before logs, summaries, or attestation-linked outputs.
- Keep all state under `HERMES_TRAFFIC_GUARDIAN_HOME` or `$HERMES_HOME/security/traffic-guardian`.
## Builder Entry Points
Read `SPEC.md` before implementing. Use the placeholder folders as follows:
| Path | Intended use |
|---|---|
| `lib/` | Detector rules, redaction, posture export, report formatting |
| `scripts/` | Start, stop, status, config validation, log query, attestation export helpers |
| `test/` | Unit tests, proxy fixture tests, redaction tests, attestation export tests |
## Required First Implementation Behavior
1. Validate config without starting the proxy.
2. Start monitor in foreground or explicit background mode.
3. Scope proxy environment variables to the target Hermes service or CLI process.
4. Inspect HTTP request/response text up to a bounded byte limit.
5. Support optional HTTPS MITM only when the operator supplies per-process trust configuration.
6. Emit JSONL findings with redacted snippets.
7. Export a small posture JSON file that `hermes-attestation-guardian` can include as a trust anchor or watched file.
## Out of Scope for v0.0.1 Implementation
- automatic system trust-store mutation
- transparent network interception
- default blocking
- sending traffic to external services
- collecting full request/response bodies
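Review bot: the Safety Contract covers CA installation and proxy environment scoping but says nothing about the CA private key that step 5 (optional HTTPS MITM) implies: where it is generated, that it lives only under the state directory named in the last contract bullet, what file mode it gets, and that it is never written into findings, posture output or `status` text. The NanoClaw variant at least states that the key stays host-side; this skill should state the equivalent. Also, `requires: bins: [node, python3]` in the frontmatter demands two runtimes for a scaffold whose `lib/`, `scripts/` and `test/` are `.gitkeep` placeholders; pick the implementation language or leave `requires` empty until code lands.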
+103
@@ -0,0 +1,103 @@
# Hermes Traffic Guardian Specification
## Goal
Provide Hermes with opt-in runtime traffic monitoring that observes Hermes HTTP/HTTPS traffic for exfiltration and injection signals and exports monitor posture for attestation.
## Required Architecture
Implement three layers:
1. Detector core
- normalized finding schema
- pattern registry
- snippet redaction
- deduplication
- JSONL report writer
2. Hermes adapter
- lifecycle commands for start, stop, status, and threats
- process-scoped proxy environment guidance
- posture export compatible with `hermes-attestation-guardian`
3. Operator interface
- safe setup text
- explicit per-process proxy export commands
- CA fingerprint display when HTTPS inspection is enabled
## Finding Schema
Findings must be JSON objects with these fields:
```json
{
"schema_version": "clawsec-traffic-finding/v1",
"platform": "hermes",
"direction": "outbound",
"protocol": "http",
"threat_type": "EXFIL",
"pattern": "ai_api_key",
"severity": "high",
"source": "127.0.0.1",
"dest": "api.example.com:443",
"snippet": "[REDACTED]",
"timestamp": "2026-04-26T00:00:00.000Z"
}
```
## Posture Export Schema
The first implementation must write a small posture file for attestation:
```json
{
"schema_version": "clawsec-traffic-posture/v1",
"platform": "hermes",
"monitor_status": "running",
"mode": "detect",
"https_inspection": false,
"ca_fingerprint_sha256": null,
"config_sha256": "hex",
"finding_log_sha256": "hex",
"generated_at": "2026-04-26T00:00:00.000Z"
}
```
## Minimum Detection Set
Outbound EXFIL:
- AI API keys
- AWS access key IDs
- private key PEM markers
- SSH key file paths
- sensitive Unix file paths
- dotenv and cloud credential paths
Inbound INJECTION:
- pipe-to-shell commands
- shell exec flags
- reverse shell command shapes
- destructive remove commands
- SSH authorized-key injection shapes
## Safety Requirements
- Default mode is detect-and-log.
- Blocking mode must not exist in the first implementation.
- Snippets must be redacted before persistence.
- Maximum scan bytes must be configurable and bounded.
- CA trust must be per-process by default.
- System trust-store instructions must require explicit operator confirmation and must never run automatically.
## Tests Required Before Release
- detector unit tests for each pattern
- redaction tests proving secrets are not persisted
- proxy fixture tests for HTTP request and response inspection
- no-false-positive tests for common benign traffic
- lifecycle tests for stale PID/state cleanup
- posture export schema and digest tests
- compatibility tests showing `hermes-attestation-guardian` can watch or hash the posture export
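Review bot: in the Posture Export Schema, `finding_log_sha256` digests an append-only JSONL log, so it changes on every finding; if `hermes-attestation-guardian` includes the posture file as a trust anchor (SKILL.md step 7), every new finding will present as drift. State whether the digest is intended as a drift signal over the log, or pair a stable field (for example a finding count or last sequence number) with it so the attester can distinguish "new findings" from "log tampered". Separately, the Finding Schema example pairs `"protocol": "http"` with `"dest": "api.example.com:443"`; make the example internally consistent (port 80 for `http`, or `https` for 443), since builders will copy it into fixtures.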
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+112
@@ -0,0 +1,112 @@
{
"name": "hermes-traffic-guardian",
"version": "0.0.1-beta1",
"description": "Hermes runtime traffic monitoring baseline for opt-in proxy inspection, egress detection, and attestation-aware traffic posture.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
"homepage": "https://clawsec.prompt.security/",
"platform": "hermes",
"keywords": [
"security",
"hermes",
"traffic-monitoring",
"egress",
"exfiltration",
"injection",
"proxy",
"mitm",
"attestation",
"runtime"
],
"sbom": {
"files": [
{
"path": "SKILL.md",
"required": true,
"description": "Hermes traffic guardian skill instructions and operating model"
},
{
"path": "README.md",
"required": true,
"description": "Human-oriented overview and builder handoff notes"
},
{
"path": "CHANGELOG.md",
"required": true,
"description": "Version history and baseline release notes"
},
{
"path": "SPEC.md",
"required": true,
"description": "Implementation specification for Hermes runtime traffic monitoring"
},
{
"path": "lib/.gitkeep",
"required": false,
"description": "Placeholder for shared detector, posture, and report code"
},
{
"path": "scripts/.gitkeep",
"required": false,
"description": "Placeholder for lifecycle, status, and attestation export scripts"
},
{
"path": "test/.gitkeep",
"required": false,
"description": "Placeholder for unit and integration tests"
}
]
},
"hermes": {
"emoji": "TG",
"category": "security",
"requires": {
"bins": [
"node",
"python3"
]
},
"runtime": {
"required_env": [],
"optional_env": [
"HERMES_TRAFFIC_GUARDIAN_HOME",
"HERMES_TRAFFIC_GUARDIAN_CONFIG",
"HERMES_TRAFFIC_GUARDIAN_MODE",
"HERMES_TRAFFIC_GUARDIAN_PROXY_URL",
"HERMES_TRAFFIC_GUARDIAN_CA_BUNDLE",
"HERMES_TRAFFIC_GUARDIAN_LOG_DIR",
"HERMES_TRAFFIC_GUARDIAN_MAX_SCAN_BYTES",
"HERMES_TRAFFIC_GUARDIAN_REDACT_SNIPPETS",
"HERMES_TRAFFIC_GUARDIAN_ATTESTATION_OUTPUT"
]
},
"capabilities": {
"runtime_traffic_monitoring": "spec_baseline",
"http_proxy_inspection": "planned",
"https_mitm_inspection": "planned_optional",
"egress_exfiltration_detection": "planned",
"inbound_injection_detection": "planned",
"attestation_export": "planned",
"blocking": "future_version"
},
"execution": {
"always": false,
"persistence": "Spec baseline only. Builders must keep monitoring opt-in and scheduler-free unless an operator explicitly applies one.",
"network_egress": "Future runtime will proxy operator-scoped Hermes traffic. No runtime network behavior is implemented in v0.0.1."
},
"operator_review": [
"Do not merge proxy runtime into hermes-attestation-guardian.",
"Export traffic-monitor status for hermes-attestation-guardian to attest, but keep runtime ownership in this skill.",
"Do not install a system-wide CA automatically.",
"Default to detect-and-log mode; blocking is out of scope for v0.0.1 implementation.",
"Redact secret snippets before writing logs or attestation-linked summaries."
],
"triggers": [
"hermes traffic guardian",
"hermes traffic monitoring",
"monitor hermes egress",
"inspect hermes http traffic",
"attest hermes traffic monitor"
]
}
}
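Review bot: `HERMES_TRAFFIC_GUARDIAN_REDACT_SNIPPETS` in `optional_env` implies redaction is toggleable, but SKILL.md ("Redact secrets before logs, summaries, or attestation-linked outputs") and SPEC.md ("Snippets must be redacted before persistence") make it unconditional; an opt-out knob contradicts both. Either drop the variable for v0.0.1 or document that it can only widen redaction, never disable it. `HERMES_TRAFFIC_GUARDIAN_MODE` likewise needs its accepted values stated (`detect` only), given `"blocking": "future_version"` a few lines below.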
@@ -0,0 +1 @@
@@ -0,0 +1,8 @@
# Changelog
## [0.0.1-beta1] - 2026-05-10
- Added baseline skill metadata, frontmatter, and implementation specification.
- Reserved folder structure for NanoClaw host services, MCP tools, detector code, and tests.
- Beta release notes: this release is a scaffold/spec baseline and does not yet ship active runtime proxy interception.
- Beta release notes: host-service and MCP contracts are defined, but detection/enforcement behavior is not active by default.
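Review bot: "detection/enforcement behavior is not active by default" in the last bullet suggests enforcement ships and is off, whereas this skill's SKILL.md and SPEC.md say blocking must not exist in the first implementation. Reword to say that no enforcement is implemented, and keep "not active by default" for detection only.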
@@ -0,0 +1,18 @@
# NanoClaw Traffic Guardian
Baseline skill for NanoClaw runtime traffic monitoring.
This package is intentionally a spec scaffold. Builders should add the NanoClaw-specific host-service, IPC, and MCP implementation here while preserving the safety contract in `SKILL.md` and `SPEC.md`.
## Intended Capability
- detect outbound secret exfiltration in NanoClaw host-managed traffic
- detect inbound command-injection and tool-abuse payloads
- keep CA private key material outside the container
- expose redacted status/findings through MCP tools
- provide explicit host-side lifecycle controls
## Builder Notes
Follow the existing `clawsec-nanoclaw` pattern: host services own privileged operations, while MCP tools expose bounded requests and redacted responses.
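Review bot: "keep CA private key material outside the container" is the right split, but the README should also say how the CA certificate and proxy address reach the container's HTTP client for the optional HTTPS path; as written, a builder could satisfy the bullet while mounting the whole CA directory into the container, which puts the key inside it as well. One sentence stating that only the public certificate and proxy URL are handed in, never the key or the state directory, would close that gap.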
+69
@@ -0,0 +1,69 @@
---
name: nanoclaw-traffic-guardian
version: 0.0.1-beta1
description: NanoClaw runtime traffic monitoring baseline for host-side proxy inspection with container-safe MCP and IPC status surfaces.
homepage: https://clawsec.prompt.security
author: prompt-security
license: AGPL-3.0-or-later
nanoclaw:
requires:
node: ">=18.0.0"
---
# NanoClaw Traffic Guardian
This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.
## Scope
Builders should use this skill as the NanoClaw landing zone for runtime traffic monitoring:
- host-side HTTP proxy inspection
- optional HTTPS inspection with host-held CA material
- outbound exfiltration detection
- inbound injection detection
- redacted local threat logs
- MCP tools for status, findings, and config checks
- IPC handlers for container-safe host communication
Prefer this as an optional companion to `clawsec-nanoclaw`, not as a mandatory extension of the existing advisory/signature/integrity suite.
## Safety Contract
- Opt-in only.
- Detect-and-log by default.
- No automatic system CA installation.
- No CA private key access from the container.
- No blocking in the first implementation.
- Redact secrets before logs or MCP responses.
- Keep all state under `NANOCLAW_TRAFFIC_GUARDIAN_HOME` or the host-managed NanoClaw security data directory.
## Builder Entry Points
Read `SPEC.md` before implementing. Use the placeholder folders as follows:
| Path | Intended use |
|---|---|
| `lib/` | Detector rules, redaction, types, report formatting |
| `host-services/` | Host-side proxy lifecycle, log access, IPC handlers |
| `mcp-tools/` | Container-side MCP tools for status and findings |
| `test/` | Unit tests, host/container IPC tests, redaction tests |
## Required First Implementation Behavior
1. Validate config without starting the proxy.
2. Start monitor through a host-managed lifecycle path.
3. Keep CA key material on the host side.
4. Inspect HTTP request/response text up to a bounded byte limit.
5. Support optional HTTPS MITM only when the operator supplies per-runtime trust configuration.
6. Emit JSONL findings with redacted snippets.
7. Expose MCP tools that return status and redacted findings only.
## Out of Scope for v0.0.1 Implementation
- automatic system trust-store mutation
- transparent network interception
- default blocking
- sending traffic to external services
- exposing raw request/response bodies to the container
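Review bot: the last Safety Contract bullet ("or the host-managed NanoClaw security data directory") is the only one of the four skills without a concrete default path, and the manifest's `result_channel` is `/workspace/ipc/clawsec_results`, a container-visible location; the state directory that will hold the CA private key ("No CA private key access from the container") needs a pinned host-only default and an explicit rule that it is never placed under `/workspace`. Also, the frontmatter `requires` lists only `node: ">=18.0.0"` while the manifest adds `nanoclaw: ">=0.1.0"`; align the two.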
+93
@@ -0,0 +1,93 @@
# NanoClaw Traffic Guardian Specification
## Goal
Provide NanoClaw with opt-in runtime traffic monitoring that observes host-managed NanoClaw traffic for exfiltration and injection signals while preserving container isolation.
## Required Architecture
Implement four layers:
1. Detector core
- normalized finding schema
- pattern registry
- snippet redaction
- deduplication
- JSONL report writer
2. Host service
- proxy lifecycle
- CA key ownership
- log storage
- config validation
- IPC task handling
3. MCP tool surface
- `clawsec_traffic_status`
- `clawsec_traffic_findings`
- `clawsec_traffic_check_config`
4. Operator interface
- safe setup text
- explicit host/container proxy wiring guidance
- CA fingerprint display when HTTPS inspection is enabled
## Finding Schema
Findings must be JSON objects with these fields:
```json
{
"schema_version": "clawsec-traffic-finding/v1",
"platform": "nanoclaw",
"direction": "outbound",
"protocol": "http",
"threat_type": "EXFIL",
"pattern": "ai_api_key",
"severity": "high",
"source": "127.0.0.1",
"dest": "api.example.com:443",
"snippet": "[REDACTED]",
"timestamp": "2026-04-26T00:00:00.000Z"
}
```
## Minimum Detection Set
Outbound EXFIL:
- AI API keys
- AWS access key IDs
- private key PEM markers
- SSH key file paths
- sensitive Unix file paths
- dotenv and cloud credential paths
- WhatsApp session or credential path markers when NanoClaw exposes stable names
Inbound INJECTION:
- pipe-to-shell commands
- shell exec flags
- reverse shell command shapes
- destructive remove commands
- SSH authorized-key injection shapes
## Safety Requirements
- Default mode is detect-and-log.
- Blocking mode must not exist in the first implementation.
- Snippets must be redacted before persistence and before MCP responses.
- Maximum scan bytes must be configurable and bounded.
- CA private key material must stay host-side.
- System trust-store instructions must require explicit operator confirmation and must never run automatically.
## Tests Required Before Release
- detector unit tests for each pattern
- redaction tests proving secrets are not persisted or returned through MCP
- host-service lifecycle tests
- IPC timeout and malformed-task tests
- MCP schema tests
- proxy fixture tests for HTTP request and response inspection
- no-false-positive tests for common benign traffic
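Review bot: `clawsec_traffic_findings` returns INJECTION findings into the container, and the redaction requirement ("Snippets must be redacted before persistence and before MCP responses") only covers secrets, so the `snippet` of an inbound injection finding is by construction attacker-supplied command text handed back to the very agent the injection targets. Suggest that MCP responses carry `pattern`, `severity`, `direction`, `dest` and a hash of the matched text rather than the snippet, and add a test under "Tests Required Before Release" asserting that no MCP response echoes matched inbound payload text. Minor: the Finding Schema example pairs `"protocol": "http"` with `"dest": "api.example.com:443"`; make it consistent.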
@@ -0,0 +1 @@
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+122
@@ -0,0 +1,122 @@
{
"name": "nanoclaw-traffic-guardian",
"version": "0.0.1-beta1",
"description": "NanoClaw runtime traffic monitoring baseline for host-side proxy inspection with container-safe MCP and IPC status surfaces.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
"homepage": "https://clawsec.prompt.security/",
"platform": "nanoclaw",
"keywords": [
"security",
"nanoclaw",
"traffic-monitoring",
"egress",
"exfiltration",
"injection",
"proxy",
"mitm",
"mcp",
"container"
],
"sbom": {
"files": [
{
"path": "SKILL.md",
"required": true,
"description": "NanoClaw traffic guardian skill instructions and operating model"
},
{
"path": "README.md",
"required": true,
"description": "Human-oriented overview and builder handoff notes"
},
{
"path": "CHANGELOG.md",
"required": true,
"description": "Version history and baseline release notes"
},
{
"path": "SPEC.md",
"required": true,
"description": "Implementation specification for NanoClaw runtime traffic monitoring"
},
{
"path": "lib/.gitkeep",
"required": false,
"description": "Placeholder for shared detector, type, and report code"
},
{
"path": "host-services/.gitkeep",
"required": false,
"description": "Placeholder for host-side monitor lifecycle and IPC handlers"
},
{
"path": "mcp-tools/.gitkeep",
"required": false,
"description": "Placeholder for container-side MCP tool definitions"
},
{
"path": "test/.gitkeep",
"required": false,
"description": "Placeholder for unit and integration tests"
}
]
},
"capabilities": [
"Spec baseline for host-side runtime traffic monitoring",
"MCP status and findings query surface",
"Container-safe host/container IPC boundary",
"Optional HTTPS inspection with explicit per-runtime trust",
"Redacted local threat logging"
],
"nanoclaw": {
"mcp_tools": [
"clawsec_traffic_status",
"clawsec_traffic_findings",
"clawsec_traffic_check_config"
],
"requires": {
"node": ">=18.0.0",
"nanoclaw": ">=0.1.0"
},
"runtime": {
"required_env": [],
"optional_env": [
"NANOCLAW_TRAFFIC_GUARDIAN_HOME",
"NANOCLAW_TRAFFIC_GUARDIAN_CONFIG",
"NANOCLAW_TRAFFIC_GUARDIAN_MODE",
"NANOCLAW_TRAFFIC_GUARDIAN_PROXY_URL",
"NANOCLAW_TRAFFIC_GUARDIAN_CA_BUNDLE",
"NANOCLAW_TRAFFIC_GUARDIAN_LOG_DIR",
"NANOCLAW_TRAFFIC_GUARDIAN_MAX_SCAN_BYTES",
"NANOCLAW_TRAFFIC_GUARDIAN_REDACT_SNIPPETS"
]
},
"capabilities": {
"runtime_traffic_monitoring": "spec_baseline",
"http_proxy_inspection": "planned",
"https_mitm_inspection": "planned_optional",
"egress_exfiltration_detection": "planned",
"inbound_injection_detection": "planned",
"mcp_status_tools": "planned",
"blocking": "future_version"
},
"execution": {
"always": false,
"persistence": "Spec baseline only. Builders must keep host-side monitoring opt-in and avoid container persistence without explicit operator action.",
"network_egress": "Future runtime will proxy operator-scoped NanoClaw/WhatsApp-bot traffic. No runtime network behavior is implemented in v0.0.1."
},
"operator_review": [
"Keep proxy runtime on the host side when possible; expose only status and findings into the container.",
"Do not grant container code access to CA private key material.",
"Do not install a system-wide CA automatically.",
"Default to detect-and-log mode; blocking is out of scope for v0.0.1 implementation.",
"Redact secret snippets before writing logs or exposing MCP responses."
],
"integration": {
"mcp_tools_dir": "mcp-tools/",
"host_services_dir": "host-services/",
"result_channel": "/workspace/ipc/clawsec_results"
}
}
}
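Review bot: `capabilities` appears twice with different shapes, a top-level array of sentences and a `nanoclaw.capabilities` object of status strings; the other three manifests in this commit carry only the object form, so a consumer keying on one shape will miss the other. Keep the object and fold the sentences into `description` or `operator_review`. Also, `NANOCLAW_TRAFFIC_GUARDIAN_REDACT_SNIPPETS` implies redaction is optional, contradicting the unconditional "Redact secrets before logs or MCP responses" contract in SKILL.md; drop it or document it as widen-only.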
@@ -0,0 +1 @@
@@ -0,0 +1,8 @@
# Changelog
## [0.0.1-beta1] - 2026-05-10
- Added baseline skill metadata, frontmatter, and implementation specification.
- Reserved folder structure for OpenClaw traffic-monitoring runtime code, hook integration, and tests.
- Beta release notes: this release is a scaffold/spec baseline and does not yet ship active runtime proxy interception.
- Beta release notes: defaults remain non-invasive (no automatic traffic mutation or enforcement enabled by default).
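Review bot: "no automatic traffic mutation or enforcement enabled by default" implies a blocking mode exists and is off, but SKILL.md and SPEC.md for this skill say blocking must not exist in the first implementation; reword to "no traffic mutation or enforcement is implemented in this release".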
@@ -0,0 +1,18 @@
# OpenClaw Traffic Guardian
Baseline skill for OpenClaw runtime traffic monitoring.
This package is intentionally a spec scaffold. Builders should add the OpenClaw-specific monitor implementation here while preserving the safety contract in `SKILL.md` and `SPEC.md`.
## Intended Capability
- detect outbound secret exfiltration in agent HTTP/HTTPS traffic
- detect inbound command-injection and tool-abuse payloads
- write redacted local JSONL findings
- provide explicit start, stop, status, and log-query commands
- integrate with `clawsec-suite` as an optional add-on
## Builder Notes
Use `SPEC.md` as the implementation contract. Keep runtime changes opt-in and scoped to the OpenClaw process being monitored.
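Review bot: "scoped to the OpenClaw process being monitored" in Builder Notes should state the limit of that scoping: exporting `HTTP_PROXY`/`HTTPS_PROXY` per process (SKILL.md safety contract and step 3) only covers clients that honor those variables, so a tool subprocess that ignores them, or a destination listed in `NO_PROXY`, leaves the monitor without seeing the traffic and without any finding. Say that coverage is best-effort and have the `status` command from step 7 report which variables were exported to which process, so an operator can tell silence from coverage.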
+69
@@ -0,0 +1,69 @@
---
name: openclaw-traffic-guardian
version: 0.0.1-beta1
description: OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, and inbound injection detection.
homepage: https://clawsec.prompt.security
author: prompt-security
license: AGPL-3.0-or-later
clawdis:
emoji: "TG"
requires:
bins: [node, python3]
---
# OpenClaw Traffic Guardian
This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.
## Scope
Builders should use this skill as the OpenClaw landing zone for runtime traffic monitoring:
- operator-scoped HTTP proxy inspection
- optional HTTPS inspection with per-process CA trust
- outbound exfiltration detection
- inbound injection detection
- redacted local threat logs
- optional OpenClaw hook/status integration
Do not merge this capability into `clawsec-scanner`, `openclaw-audit-watchdog`, or `soul-guardian`. Those skills have different trust boundaries and safety contracts.
## Safety Contract
- Opt-in only.
- Detect-and-log by default.
- No automatic system CA installation.
- No global `HTTP_PROXY` or `HTTPS_PROXY` changes.
- No blocking in the first implementation.
- Redact secrets before logs or conversation alerts.
- Keep all state under `OPENCLAW_TRAFFIC_GUARDIAN_HOME` or `~/.openclaw/security/clawsec/traffic-guardian`.
## Builder Entry Points
Read `SPEC.md` before implementing. Use the placeholder folders as follows:
| Path | Intended use |
|---|---|
| `lib/` | Detector rules, redaction, event schema, report formatting |
| `scripts/` | Start, stop, status, config validation, log query helpers |
| `hooks/openclaw-traffic-guardian-hook/` | Optional OpenClaw hook/status integration |
| `test/` | Unit tests, proxy fixture tests, redaction tests, process-scope tests |
## Required First Implementation Behavior
1. Validate config without starting the proxy.
2. Start monitor in foreground or explicit background mode.
3. Scope proxy environment variables to the target OpenClaw process.
4. Inspect HTTP request/response text up to a bounded byte limit.
5. Support optional HTTPS MITM only when the operator supplies per-process trust configuration.
6. Emit JSONL findings with redacted snippets.
7. Provide a `status` command that reports mode, listener, CA fingerprint if present, and last findings.
## Out of Scope for v0.0.1 Implementation
- automatic system trust-store mutation
- transparent network interception
- default blocking
- sending traffic to external services
- collecting full request/response bodies
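Review bot: the frontmatter platform block is keyed `clawdis:` (emoji and `requires.bins`), while the manifest in this commit keys the same data under `openclaw:` and the sibling skills key theirs under `hermes:` and `picoclaw:`; if the loader reads `openclaw:`, the frontmatter requirements are silently ignored. Confirm which key the OpenClaw loader expects and use one name in both files.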
+85
@@ -0,0 +1,85 @@
# OpenClaw Traffic Guardian Specification
## Goal
Provide OpenClaw with opt-in runtime traffic monitoring that observes agent HTTP/HTTPS traffic for exfiltration and injection signals without changing global host networking.
## Required Architecture
Implement three layers:
1. Detector core
- normalized finding schema
- pattern registry
- snippet redaction
- deduplication
- JSONL report writer
2. OpenClaw adapter
- lifecycle commands for start, stop, status, and threats
- process-scoped proxy environment guidance
- optional hook/status integration under `hooks/openclaw-traffic-guardian-hook/`
3. Operator interface
- safe setup text
- explicit per-process proxy export commands
- CA fingerprint display when HTTPS inspection is enabled
## Finding Schema
Findings must be JSON objects with these fields:
```json
{
"schema_version": "clawsec-traffic-finding/v1",
"platform": "openclaw",
"direction": "outbound",
"protocol": "http",
"threat_type": "EXFIL",
"pattern": "ai_api_key",
"severity": "high",
"source": "127.0.0.1",
"dest": "api.example.com:443",
"snippet": "[REDACTED]",
"timestamp": "2026-04-26T00:00:00.000Z"
}
```
## Minimum Detection Set
Outbound EXFIL:
- AI API keys
- AWS access key IDs
- private key PEM markers
- SSH key file paths
- sensitive Unix file paths
- dotenv and cloud credential paths
Inbound INJECTION:
- pipe-to-shell commands
- shell exec flags
- reverse shell command shapes
- destructive remove commands
- SSH authorized-key injection shapes
## Safety Requirements
- Default mode is detect-and-log.
- Blocking mode must not exist in the first implementation.
- Snippets must be redacted before persistence.
- Maximum scan bytes must be configurable and bounded.
- CA trust must be per-process by default.
- System trust-store instructions must require explicit operator confirmation and must never run automatically.
## Tests Required Before Release
- detector unit tests for each pattern
- redaction tests proving secrets are not persisted
- proxy fixture tests for HTTP request and response inspection
- no-false-positive tests for common benign traffic
- lifecycle tests for stale PID/state cleanup
- status output tests
- OpenClaw hook integration tests if hook files are added
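Review bot: "CA trust must be per-process by default" under Safety Requirements and "explicit per-process proxy export commands" under Operator interface do not say how the monitor's CA reaches the client's trust store without touching the system store; the manifest's `OPENCLAW_TRAFFIC_GUARDIAN_CA_BUNDLE` is the monitor's own setting, not the client's. Spell out the client-side variables the setup text will emit for the runtimes the manifest requires, i.e. `NODE_EXTRA_CA_CERTS` for node and `SSL_CERT_FILE` (or `REQUESTS_CA_BUNDLE` for the requests library) for python, and add a test that the emitted export lines reference the CA certificate only, never the key.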
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+114
@@ -0,0 +1,114 @@
{
"name": "openclaw-traffic-guardian",
"version": "0.0.1-beta1",
"description": "OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, and inbound injection detection.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
"homepage": "https://clawsec.prompt.security/",
"platform": "openclaw",
"keywords": [
"security",
"openclaw",
"traffic-monitoring",
"egress",
"exfiltration",
"injection",
"proxy",
"mitm",
"runtime"
],
"sbom": {
"files": [
{
"path": "SKILL.md",
"required": true,
"description": "OpenClaw traffic guardian skill instructions and operating model"
},
{
"path": "README.md",
"required": true,
"description": "Human-oriented overview and builder handoff notes"
},
{
"path": "CHANGELOG.md",
"required": true,
"description": "Version history and baseline release notes"
},
{
"path": "SPEC.md",
"required": true,
"description": "Implementation specification for OpenClaw runtime traffic monitoring"
},
{
"path": "lib/.gitkeep",
"required": false,
"description": "Placeholder for shared detector and report code"
},
{
"path": "scripts/.gitkeep",
"required": false,
"description": "Placeholder for proxy lifecycle and status scripts"
},
{
"path": "hooks/openclaw-traffic-guardian-hook/.gitkeep",
"required": false,
"description": "Placeholder for optional OpenClaw hook integration"
},
{
"path": "test/.gitkeep",
"required": false,
"description": "Placeholder for unit and integration tests"
}
]
},
"openclaw": {
"emoji": "TG",
"category": "security",
"requires": {
"bins": [
"node",
"python3"
]
},
"runtime": {
"required_env": [],
"optional_env": [
"OPENCLAW_TRAFFIC_GUARDIAN_HOME",
"OPENCLAW_TRAFFIC_GUARDIAN_CONFIG",
"OPENCLAW_TRAFFIC_GUARDIAN_MODE",
"OPENCLAW_TRAFFIC_GUARDIAN_PROXY_URL",
"OPENCLAW_TRAFFIC_GUARDIAN_CA_BUNDLE",
"OPENCLAW_TRAFFIC_GUARDIAN_LOG_DIR",
"OPENCLAW_TRAFFIC_GUARDIAN_MAX_SCAN_BYTES",
"OPENCLAW_TRAFFIC_GUARDIAN_REDACT_SNIPPETS"
]
},
"capabilities": {
"runtime_traffic_monitoring": "spec_baseline",
"http_proxy_inspection": "planned",
"https_mitm_inspection": "planned_optional",
"egress_exfiltration_detection": "planned",
"inbound_injection_detection": "planned",
"blocking": "future_version"
},
"execution": {
"always": false,
"persistence": "Spec baseline only. Builders must keep monitoring opt-in and avoid installing persistent hooks or schedulers without explicit operator action.",
"network_egress": "Future runtime will proxy operator-scoped agent traffic. No runtime network behavior is implemented in v0.0.1."
},
"operator_review": [
"Do not install a system-wide CA automatically.",
"Default to detect-and-log mode; blocking is out of scope for v0.0.1 implementation.",
"Scope HTTP_PROXY/HTTPS_PROXY to the OpenClaw process being monitored.",
"Redact secret snippets before writing logs or sending conversation alerts.",
"Integrate with clawsec-suite as an optional add-on, not a default install."
],
"triggers": [
"openclaw traffic guardian",
"openclaw traffic monitoring",
"monitor openclaw egress",
"inspect openclaw http traffic",
"detect openclaw exfiltration"
]
}
}
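Review bot: the sbom reserves `hooks/openclaw-traffic-guardian-hook/.gitkeep` and `execution.persistence` says hooks must not be installed without explicit operator action, yet `operator_review` has no item about hooks at all. Add one stating that hook installation is a separate, explicit step and that the hook must never start the proxy on its own, since the hook directory is the one persistence path this skill reserves. As in the Hermes manifest, `OPENCLAW_TRAFFIC_GUARDIAN_REDACT_SNIPPETS` contradicts the unconditional redaction contract in SKILL.md; drop it or document it as widen-only.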
@@ -0,0 +1 @@
@@ -0,0 +1,8 @@
# Changelog
## [0.0.1-beta1] - 2026-05-10
- Added baseline skill metadata, frontmatter, and implementation specification.
- Reserved folder structure for Picoclaw traffic-monitoring runtime code, profile export, and tests.
- Beta release notes: this release is a scaffold/spec baseline and does not yet ship active runtime proxy interception.
- Beta release notes: defaults remain non-invasive (no automatic traffic mutation or enforcement enabled by default).
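Review bot: "no automatic traffic mutation or enforcement enabled by default" reads as a dormant blocking mode, which this skill's SKILL.md and SPEC.md say must not exist in the first implementation; reword to state that no enforcement is implemented in this release.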
@@ -0,0 +1,18 @@
# Picoclaw Traffic Guardian
Baseline skill for Picoclaw runtime traffic monitoring.
This package is intentionally a spec scaffold. Builders should add the Picoclaw-specific monitor implementation here while preserving the safety contract in `SKILL.md` and `SPEC.md`.
## Intended Capability
- detect outbound secret exfiltration in Picoclaw gateway HTTP/HTTPS traffic
- detect inbound command-injection and tool-abuse payloads
- write redacted local JSONL findings
- export monitor posture for `picoclaw-security-guardian`
- provide explicit start, stop, status, and log-query commands
## Builder Notes
Keep runtime ownership in this skill. `picoclaw-security-guardian` should only profile and drift-check this skill's state, config, and output fingerprints.
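Review bot: the README calls the export "monitor posture", SKILL.md calls it a "profile export" and "profile fragment", and SPEC.md titles the section "Profile Fragment Schema" while the schema itself is `clawsec-traffic-posture/v1`. Pick one term (posture, matching the schema identifier shared with the Hermes skill) and use it in all four files, otherwise `picoclaw-security-guardian` builders will look for two artifacts where there is one.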
+68
@@ -0,0 +1,68 @@
---
name: picoclaw-traffic-guardian
version: 0.0.1-beta1
description: Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.
homepage: https://clawsec.prompt.security
author: prompt-security
license: AGPL-3.0-or-later
picoclaw:
emoji: "TG"
requires:
bins: [node, python3]
---
# Picoclaw Traffic Guardian
This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.
## Scope
Builders should use this skill as the Picoclaw landing zone for runtime traffic monitoring:
- lightweight AI gateway HTTP proxy inspection
- optional HTTPS inspection with per-process CA trust
- outbound exfiltration detection
- inbound injection detection
- redacted local threat logs
- profile export for `picoclaw-security-guardian`
Do not add proxy runtime ownership to `picoclaw-security-guardian` or `picoclaw-self-pen-testing`. Those skills should profile, drift-check, or review this monitor's status, not run it.
## Safety Contract
- Opt-in only.
- Detect-and-log by default.
- No automatic system CA installation.
- No global proxy environment changes.
- No blocking in the first implementation.
- Redact secrets before logs, summaries, or profile outputs.
- Keep all state under `PICOCLAW_TRAFFIC_GUARDIAN_HOME` or `$PICOCLAW_HOME/security/clawsec/traffic-guardian`.
## Builder Entry Points
Read `SPEC.md` before implementing. Use the placeholder folders as follows:
| Path | Intended use |
|---|---|
| `lib/` | Detector rules, redaction, profile export, report formatting |
| `scripts/` | Start, stop, status, config validation, log query, profile export helpers |
| `test/` | Unit tests, proxy fixture tests, redaction tests, profile integration tests |
## Required First Implementation Behavior
1. Validate config without starting the proxy.
2. Start monitor in foreground or explicit background mode.
3. Scope proxy environment variables to the target Picoclaw gateway process.
4. Inspect HTTP request/response text up to a bounded byte limit.
5. Support optional HTTPS MITM only when the operator supplies per-process trust configuration.
6. Emit JSONL findings with redacted snippets.
7. Export a small profile fragment that `picoclaw-security-guardian` can include in deterministic posture profiles.
## Out of Scope for v0.0.1 Implementation
- automatic system trust-store mutation
- transparent network interception
- default blocking
- sending traffic to external services
- collecting full request/response bodies
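Review bot: the frontmatter `requires: bins: [node, python3]` near the top of the hunk imposes two runtime dependencies on a skill that the same file says ships no proxy or runtime code; either drop `requires` until an implementation lands or say in `## Builder Entry Points` which of `lib/` and `scripts/` is expected to be Node and which Python. `## Safety Contract` also names two state locations (`PICOCLAW_TRAFFIC_GUARDIAN_HOME` or `$PICOCLAW_HOME/security/clawsec/traffic-guardian`) without saying which wins when both are set; state the precedence, since attestation consumers will hash whatever lives there. Finally, item 5 permits optional HTTPS MITM but the contract says nothing about where the generated CA private key is stored or its file mode; add a line requiring it to stay under the state directory with owner-only permissions.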
+104
@@ -0,0 +1,104 @@
# Picoclaw Traffic Guardian Specification
## Goal
Provide Picoclaw with opt-in runtime traffic monitoring that observes lightweight AI gateway HTTP/HTTPS traffic for exfiltration and injection signals and exports monitor posture for Picoclaw profiles.
## Required Architecture
Implement three layers:
1. Detector core
- normalized finding schema
- pattern registry
- snippet redaction
- deduplication
- JSONL report writer
2. Picoclaw adapter
- lifecycle commands for start, stop, status, and threats
- process-scoped proxy environment guidance
- profile fragment compatible with `picoclaw-security-guardian`
3. Operator interface
- safe setup text
- explicit per-process proxy export commands
- CA fingerprint display when HTTPS inspection is enabled
## Finding Schema
Findings must be JSON objects with these fields:
```json
{
"schema_version": "clawsec-traffic-finding/v1",
"platform": "picoclaw",
"direction": "outbound",
"protocol": "http",
"threat_type": "EXFIL",
"pattern": "ai_api_key",
"severity": "high",
"source": "127.0.0.1",
"dest": "api.example.com:443",
"snippet": "[REDACTED]",
"timestamp": "2026-04-26T00:00:00.000Z"
}
```
## Profile Fragment Schema
The first implementation must write a small profile fragment:
```json
{
"schema_version": "clawsec-traffic-posture/v1",
"platform": "picoclaw",
"monitor_status": "running",
"mode": "detect",
"https_inspection": false,
"ca_fingerprint_sha256": null,
"config_sha256": "hex",
"finding_log_sha256": "hex",
"generated_at": "2026-04-26T00:00:00.000Z"
}
```
## Minimum Detection Set
Outbound EXFIL:
- AI API keys
- AWS access key IDs
- private key PEM markers
- SSH key file paths
- sensitive Unix file paths
- dotenv and cloud credential paths
- gateway config/token path markers when Picoclaw exposes stable names
Inbound INJECTION:
- pipe-to-shell commands
- shell exec flags
- reverse shell command shapes
- destructive remove commands
- SSH authorized-key injection shapes
## Safety Requirements
- Default mode is detect-and-log.
- Blocking mode must not exist in the first implementation.
- Snippets must be redacted before persistence.
- Maximum scan bytes must be configurable and bounded.
- CA trust must be per-process by default.
- System trust-store instructions must require explicit operator confirmation and must never run automatically.
## Tests Required Before Release
- detector unit tests for each pattern
- redaction tests proving secrets are not persisted
- proxy fixture tests for HTTP request and response inspection
- no-false-positive tests for common benign traffic
- lifecycle tests for stale PID/state cleanup
- profile fragment schema and digest tests
- compatibility tests showing `picoclaw-security-guardian` can include the profile fragment
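Review bot: the finding schema leaves `threat_type`, `severity` and `pattern` as free strings with one example each; enumerate the permitted values (at least `EXFIL` and `INJECTION` for `threat_type`, the severity ladder, and that `pattern` must be a name from the pattern registry), otherwise the detector unit tests and the `picoclaw-security-guardian` consumer have no contract to test against. In the same block `dest` carries a port (`api.example.com:443`) while `source` does not; make the two fields symmetric or document the difference. In the profile fragment, `finding_log_sha256` over an append-only JSONL log changes on every new finding, so a drift check on the fragment will alert on each detection; say whether that is intended, or pair it with a finding count so consumers can tell log growth from tampering. Under `## Safety Requirements`, "Snippets must be redacted before persistence" should say whether redaction masks only the matched secret or the whole snippet, since the example shows `[REDACTED]` for the entire field.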
@@ -0,0 +1 @@
@@ -0,0 +1 @@
+112
@@ -0,0 +1,112 @@
{
"name": "picoclaw-traffic-guardian",
"version": "0.0.1-beta1",
"description": "Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
"homepage": "https://clawsec.prompt.security/",
"platform": "picoclaw",
"keywords": [
"security",
"picoclaw",
"ai-gateway",
"traffic-monitoring",
"egress",
"exfiltration",
"injection",
"proxy",
"mitm",
"runtime"
],
"sbom": {
"files": [
{
"path": "SKILL.md",
"required": true,
"description": "Picoclaw traffic guardian skill instructions and operating model"
},
{
"path": "README.md",
"required": true,
"description": "Human-oriented overview and builder handoff notes"
},
{
"path": "CHANGELOG.md",
"required": true,
"description": "Version history and baseline release notes"
},
{
"path": "SPEC.md",
"required": true,
"description": "Implementation specification for Picoclaw runtime traffic monitoring"
},
{
"path": "lib/.gitkeep",
"required": false,
"description": "Placeholder for shared detector, profile, and report code"
},
{
"path": "scripts/.gitkeep",
"required": false,
"description": "Placeholder for lifecycle, status, and profile export scripts"
},
{
"path": "test/.gitkeep",
"required": false,
"description": "Placeholder for unit and integration tests"
}
]
},
"picoclaw": {
"emoji": "TG",
"category": "security",
"requires": {
"bins": [
"node",
"python3"
]
},
"runtime": {
"required_env": [],
"optional_env": [
"PICOCLAW_TRAFFIC_GUARDIAN_HOME",
"PICOCLAW_TRAFFIC_GUARDIAN_CONFIG",
"PICOCLAW_TRAFFIC_GUARDIAN_MODE",
"PICOCLAW_TRAFFIC_GUARDIAN_PROXY_URL",
"PICOCLAW_TRAFFIC_GUARDIAN_CA_BUNDLE",
"PICOCLAW_TRAFFIC_GUARDIAN_LOG_DIR",
"PICOCLAW_TRAFFIC_GUARDIAN_MAX_SCAN_BYTES",
"PICOCLAW_TRAFFIC_GUARDIAN_REDACT_SNIPPETS",
"PICOCLAW_TRAFFIC_GUARDIAN_PROFILE_OUTPUT"
]
},
"capabilities": {
"runtime_traffic_monitoring": "spec_baseline",
"http_proxy_inspection": "planned",
"https_mitm_inspection": "planned_optional",
"egress_exfiltration_detection": "planned",
"inbound_injection_detection": "planned",
"profile_export": "planned",
"blocking": "future_version"
},
"execution": {
"always": false,
"persistence": "Spec baseline only. Builders must keep monitoring opt-in and scheduler-free unless an operator explicitly applies one.",
"network_egress": "Future runtime will proxy operator-scoped Picoclaw gateway traffic. No runtime network behavior is implemented in v0.0.1."
},
"operator_review": [
"Do not merge proxy runtime into picoclaw-security-guardian or picoclaw-self-pen-testing.",
"Export traffic-monitor status for picoclaw-security-guardian to profile and drift-check, but keep runtime ownership in this skill.",
"Do not install a system-wide CA automatically.",
"Default to detect-and-log mode; blocking is out of scope for v0.0.1 implementation.",
"Redact secret snippets before writing logs or profile summaries."
],
"triggers": [
"picoclaw traffic guardian",
"picoclaw traffic monitoring",
"monitor picoclaw egress",
"inspect picoclaw http traffic",
"picoclaw proxy inspection"
]
}
}
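Review bot: `optional_env` lists `PICOCLAW_TRAFFIC_GUARDIAN_REDACT_SNIPPETS`, which reads as a switch that can turn redaction off, while `operator_review` in the same file and the SPEC safety requirements say snippets must always be redacted before persistence; either drop the variable or document that it only selects a redaction style and cannot disable redaction. Likewise `PICOCLAW_TRAFFIC_GUARDIAN_MODE` has no documented value set even though `capabilities.blocking` is `future_version`; state that `detect` is the only accepted value in this version so that a stray `block` setting fails config validation instead of being silently mapped. Minor: `homepage` carries a trailing slash here but not in the SKILL.md frontmatter, and `requires.bins` duplicates the frontmatter; keep one source of truth so the two cannot drift.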
@@ -0,0 +1 @@