From 8c7ccc2ea202946a6ee2cf670b69d91cae4197ba Mon Sep 17 00:00:00 2001 From: David Abutbul Date: Mon, 16 Feb 2026 15:58:48 +0200 Subject: [PATCH] auto-claude: subtask-5-1 - Update README.md with suppression feature --- skills/openclaw-audit-watchdog/README.md | 78 ++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/skills/openclaw-audit-watchdog/README.md b/skills/openclaw-audit-watchdog/README.md index c8666a0..dff6c88 100644 --- a/skills/openclaw-audit-watchdog/README.md +++ b/skills/openclaw-audit-watchdog/README.md 
@@ -37,6 +37,84 @@ export PROMPTSEC_HOST_LABEL="prod-agent-1" | `PROMPTSEC_EMAIL_TO` | Email recipient for reports | `target@example.com` | | `PROMPTSEC_HOST_LABEL` | Host identifier in reports | hostname | | `PROMPTSEC_GIT_PULL` | Pull latest before audit (0/1) | `0` | +| `OPENCLAW_AUDIT_CONFIG` | Path to suppression config file | Auto-detected | + +## Suppression Configuration + +Manage false-positive findings with the built-in suppression mechanism. Suppressed findings remain visible in reports but don't count toward critical/warning totals. + +### Config File Location + +The audit scanner checks these locations (in priority order): + +1. `--config` flag argument +2. `OPENCLAW_AUDIT_CONFIG` environment variable +3. `~/.openclaw/security-audit.json` (primary) +4. `.clawsec/allowlist.json` (fallback) + +### Example Configuration + +```json +{ + "suppressions": [ + { + "checkId": "skills.code_safety", + "skill": "clawsec-suite", + "reason": "First-party security tooling, reviewed 2026-02-13", + "suppressedAt": "2026-02-13" + }, + { + "checkId": "skills.permissions", + "skill": "my-internal-tool", + "reason": "Broad permissions required for legitimate functionality", + "suppressedAt": "2026-02-16" + } + ] +} +``` + +### Required Fields + +- **checkId**: Security check identifier (e.g., `skills.code_safety`) +- **skill**: Exact skill name to suppress +- **reason**: Justification for audit trail (required) +- **suppressedAt**: ISO 8601 date (YYYY-MM-DD) + +### Usage + +```bash +# Use default config location +./scripts/runner.sh + +# Specify custom config +./scripts/runner.sh --config /path/to/config.json + +# Or set via environment +export OPENCLAW_AUDIT_CONFIG=~/.openclaw/custom-audit.json +./scripts/runner.sh +``` + +### Report Output + +Suppressed findings appear in a separate section: + +``` +CRITICAL (0): + (none) + +WARNINGS (1): + [skills.network] some-skill: Unrestricted network access + +INFO - SUPPRESSED (2): + ℹ [skills.code_safety] clawsec-suite: 
dangerous-exec detected + Reason: First-party security tooling, reviewed 2026-02-13 + ℹ [skills.permissions] my-tool: Broad permission scope + Reason: Validated by security team, suppressedAt 2026-02-16 +``` + +**Important**: Suppressions require BOTH `checkId` AND `skill` to match. This prevents over-suppression and maintains audit integrity. + +See `examples/security-audit-config.example.json` for a complete template. ## Scripts
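Review bot: the "Report Output" sample does not match the "Example Configuration" above it: the config suppresses `my-internal-tool` with reason "Broad permissions required for legitimate functionality", but the report shows `my-tool` with "Validated by security team, suppressedAt 2026-02-16". Since the "Important" note stresses that `skill` must match exactly, a reader trying the example would expect the second suppression not to apply; align the skill name and reason text in one of the two blocks. Two smaller documentation points in the same hunk: the fallback path `.clawsec/allowlist.json` is relative, so say whether it is resolved against the current working directory or the repository root; and `suppressedAt` is documented only as a required date, so state whether suppressions ever expire or are re-checked, and note that the suppression file should be writable only by the operator, because anyone who can edit it can move findings out of the critical/warning totals.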