gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-01 15:52:26 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
clawsec/wiki/modules/picoclaw-security-guardian.md
T
David Abutbul 0d2e38ddfd Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs (#208) 
* Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs

* fix(feed): add picoclaw to core platform taxonomy and filters

* fix(picoclaw): resolve eslint errors in new skills

* chore(nvd): include picoclaw in CVE polling and cleanup report

---------

Co-authored-by: David Abutbul <David.a@prompt.security>
2026-04-26 14:19:18 +03:00

2.9 KiB
Raw Permalink Blame History

Picoclaw Security Guardian

Summary

Current package version: v0.0.1.

picoclaw-security-guardian is the core Picoclaw package for:

  1. advisory awareness (fail-closed on unverified feed state),
  2. deterministic profile generation + drift detection,
  3. release artifact supply-chain verification.

Self-pen-testing checks were intentionally split out into picoclaw-self-pen-testing so moderation-sensitive logic can be published/managed independently.

Responsibilities

  • Filter Picoclaw-relevant advisories from verified ClawSec feed state/cache.
  • Build deterministic posture profiles from Picoclaw config/security files and optional release artifacts.
  • Compare baseline vs current profile with severity-ranked findings.
  • Verify release artifacts with checksum manifest + required detached signature for passing provenance verdicts.

Default safety posture

  • Read-only by default
  • No scheduler creation
  • No outbound network by default
  • Advisory checks fail closed unless verification state is verified (or explicit --allow-unsigned override)
  • Supply-chain verification requires detached-signature verification for a passing provenance result

Verification commands

python utils/validate_skill.py skills/picoclaw-security-guardian
node skills/picoclaw-security-guardian/test/profile.test.mjs
node skills/picoclaw-security-guardian/test/drift.test.mjs
node skills/picoclaw-security-guardian/test/supply_chain.test.mjs
bash -n skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh

Picoclaw-native sandbox regression

skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh publishes the package via a local ClawHub-compatible registry, installs through Picoclaw find_skills / install_skill, validates skill-loader visibility, and runs installed profile/drift/advisory/supply-chain flows against isolated Picoclaw fixtures.

Related package

  • skills/picoclaw-self-pen-testing/ (optional separate self-pen-testing package)

Source references

  • skills/picoclaw-security-guardian/skill.json
  • skills/picoclaw-security-guardian/SKILL.md
  • skills/picoclaw-security-guardian/README.md
  • skills/picoclaw-security-guardian/lib/profile.mjs
  • skills/picoclaw-security-guardian/lib/drift.mjs
  • skills/picoclaw-security-guardian/lib/advisories.mjs
  • skills/picoclaw-security-guardian/lib/supply_chain.mjs
  • skills/picoclaw-security-guardian/scripts/generate_profile.mjs
  • skills/picoclaw-security-guardian/scripts/check_drift.mjs
  • skills/picoclaw-security-guardian/scripts/check_advisories.mjs
  • skills/picoclaw-security-guardian/scripts/verify_supply_chain.mjs
  • skills/picoclaw-security-guardian/test/profile.test.mjs
  • skills/picoclaw-security-guardian/test/drift.test.mjs
  • skills/picoclaw-security-guardian/test/supply_chain.test.mjs
  • skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh
Reference in New Issue View Git Blame Copy Permalink