gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-22 18:01:21 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
dependabot/github_actions/github/codeql-action-4.36.2
clawsec/skills/picoclaw-security-guardian/README.md
T
David Abutbul 0d2e38ddfd Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs (#208) 
* Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs

* fix(feed): add picoclaw to core platform taxonomy and filters

* fix(picoclaw): resolve eslint errors in new skills

* chore(nvd): include picoclaw in CVE polling and cleanup report

---------

Co-authored-by: David Abutbul <David.a@prompt.security>
2026-04-26 14:19:18 +03:00

2.2 KiB
Raw Permalink Blame History

picoclaw-security-guardian

Picoclaw security posture skill for ClawSec.

Status: implemented (v0.0.1), Picoclaw-specific.

Detailed architecture/operator docs: wiki/modules/picoclaw-security-guardian.md.

Support matrix mapping

Skill name supported platform security feed config drift agent posture-review lane chain of supply verification
picoclaw-security-guardian Picoclaw Yes Yes Separate package Yes

Capabilities

  • Picoclaw-aware advisory filtering from a verified ClawSec feed/cache.
  • Deterministic local posture profile generation for configs, gateway exposure, tools, MCP, credentials/security files, and release artifacts.
  • Baseline drift comparison with critical/high/medium/low/info findings.
  • Supply-chain verification for release artifacts using SHA-256 manifests plus required Ed25519 detached signatures for passing provenance verdicts.

Quickstart

node scripts/generate_profile.mjs --output ~/.picoclaw/security/clawsec/current-profile.json
node scripts/check_drift.mjs --baseline ~/.picoclaw/security/clawsec/baseline-profile.json --current ~/.picoclaw/security/clawsec/current-profile.json
node scripts/verify_supply_chain.mjs --artifact ./picoclaw --checksums ./checksums.json --signature ./checksums.json.sig --public-key ./feed-signing-public.pem
node scripts/check_advisories.mjs --feed ~/.picoclaw/security/clawsec/feed.json --state ~/.picoclaw/security/clawsec/feed-verification-state.json

All scripts are read-only except profile/report outputs explicitly requested by --output.

Tests

node test/profile.test.mjs
node test/drift.test.mjs
node test/supply_chain.test.mjs
bash -n test/picoclaw_security_guardian_sandbox_regression.sh

Pre-release install regression

Run this before cutting v0.0.1 release artifacts:

test/picoclaw_security_guardian_sandbox_regression.sh

It uses Docker to publish the skill through a local ClawHub-compatible registry, installs it with Picoclaw's own find_skills / install_skill flow into an isolated Picoclaw workspace, confirms Picoclaw's skill loader can list/load it, then verifies the installed copy's profile, drift, advisory, and supply-chain paths.

Reference in New Issue View Git Blame Copy Permalink