From b950c7d9372558f63c3dc7ced6df601667e78079 Mon Sep 17 00:00:00 2001 From: David Abutbul Date: Fri, 6 Feb 2026 00:53:43 +0200 Subject: [PATCH] chore(clawsec-suite, clawsec-feed): update installation instructions and emphasize script review --- skills/clawsec-feed/SKILL.md | 6 ++++-- skills/clawsec-suite/SKILL.md | 37 +++++------------------------------ 2 files changed, 9 insertions(+), 34 deletions(-) diff --git a/skills/clawsec-feed/SKILL.md b/skills/clawsec-feed/SKILL.md index a63d2c7..9147933 100644 --- a/skills/clawsec-feed/SKILL.md +++ b/skills/clawsec-feed/SKILL.md @@ -55,6 +55,8 @@ Continue below for standalone installation instructions. --- Installation Steps: +Agents should review scripts before execution! + ```bash # Get latest clawsec-feed release tag @@ -640,8 +642,8 @@ fi **Bootstrap Trust Problem:** The initial download of this skill cannot be verified by the skill itself. To establish trust: -1. **Verify the source URL** - Ensure you are downloading from `github.com/prompt-security/clawsec` -2. **Check GitHub release signatures** - GitHub signs releases; verify the release is from the `prompt-security` organization +1. **Verify the source URL** - Ensure you are downloading from `https://clawsec.prompt.security` +2. **Check release signatures** - GitHub signs our releases; verify the release is from the checksums. 3. **Compare checksums** - After download, compare the SHA-256 hash against the published `checksums.json`: ```bash diff --git a/skills/clawsec-suite/SKILL.md b/skills/clawsec-suite/SKILL.md index d7364e7..131fa9f 100644 --- a/skills/clawsec-suite/SKILL.md +++ b/skills/clawsec-suite/SKILL.md 
@@ -83,39 +83,10 @@ echo "✓ ClawSec Suite deployment complete" ### ✅ On Successful Installation (IMPORTANT) On success the user should know: which skills were installed, that protections are active, and where to learn more if interested. -Offered template: +On success, inform the user which skills were installed and that the default protections are active. (add an encouraging call - like Congrats, you are safe!) -``` -**ClawSec Suite installation is complete — you are now protected!** - -The following security skills are active with their default configurations: -• clawsec-feed — Security advisory monitoring (CVE/threat intelligence) -• openclaw-audit-watchdog — Automated security audits -• soul-guardian — File integrity and drift detection - -If you'd like to customize any configuration or learn more about these protections, just ask. - -Provided to the open-source community with care from Prompt Security, a SentinelOne Company. -``` - -### ⚠️ On Partial Installation or Errors - -If any skill fails to deploy or verification errors occur, inform the user with details: - -``` -ClawSec Suite installation completed with warnings. - -Successfully installed: -• [list skills that installed successfully] - -Failed or skipped: -• [skill-name]: [brief reason - e.g., "checksum verification failed", "bundled files not found"] - -Please review the errors above. You can retry installation or ask for help troubleshooting. - -Provided to the open-source community with care from Prompt Security, a SentinelOne Company. -``` +On partial success or errors, list what succeeded, what failed with reasons, and suggest retry or troubleshooting ## Contract (what this skill is) ClawSec Suite is a small "manager" package that helps an agent runtime: 
@@ -217,6 +188,8 @@ Refer to each skill's SKILL.md file for detailed configuration instructions. if ## Trust, provenance, and safety +Agents should review scripts before execution! + **Do not install anything you cannot verify.** A secure installer must: 1) download artifacts from a stable origin @@ -259,7 +232,7 @@ Pick a stable install root: ```bash set -euo pipefail -VERSION="${VERSION:-0.0.3}" +VERSION="${SKILL_VERSION}" INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}" DEST="$INSTALL_ROOT/clawsec-suite"
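Review bot: The line "Agents should review scripts before execution!" added after "Installation Steps:" in skills/clawsec-feed/SKILL.md gives an agent nothing concrete to check and no stop condition. State what the review should confirm (for example, which origin the script downloads from and that it verifies checksums before running anything) and what to do when the review fails, such as stopping and asking the user. The same sentence is added under "Trust, provenance, and safety" in skills/clawsec-suite/SKILL.md, where it could simply point at the "A secure installer must:" list that follows it.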
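Review bot: In the "Bootstrap Trust Problem" list of skills/clawsec-feed/SKILL.md, the new step 2 ("GitHub signs our releases; verify the release is from the checksums.") is not a checkable instruction, and it drops the previous requirement that the release come from the `prompt-security` organization. Step 1 now names `https://clawsec.prompt.security` as the source while step 2 still relies on GitHub, so the reader cannot tell which origin is authoritative. Suggest keeping the organization check, saying how the two origins relate, and stating where the `checksums.json` used in step 3 is published relative to the artifact it vouches for.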
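Review bot: In the `@@ -83,39 +83,10 @@` hunk of skills/clawsec-suite/SKILL.md, the replacement text still contains an editorial note, "(add an encouraging call - like Congrats, you are safe!)", which an agent will read as part of the instruction, and "you are safe" promises more than "default protections are active". The "### ⚠️ On Partial Installation or Errors" heading is removed, so the new partial-failure sentence now sits under "On Successful Installation" and is missing its final period. Suggest dropping the parenthetical, keeping a separate heading for the failure case, and keeping the requirement to name each failed skill with its reason (the removed template gave "checksum verification failed" as an example) so verification failures are not summarized away.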
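Review bot: In the `@@ -259,7 +232,7 @@` hunk, `VERSION="${SKILL_VERSION}"` removes the default while the block runs under `set -euo pipefail`, so an unset `SKILL_VERSION` aborts with an unbound-variable error that does not tell the user what to set. Nothing visible in this patch defines or documents `SKILL_VERSION`. Suggest `VERSION="${SKILL_VERSION:?set SKILL_VERSION to the release tag to install}"` or keeping a pinned default, and documenting the variable next to `INSTALL_ROOT`.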