gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
5ee8587b1ea149ee227390884d194fb596abb529
clawsec/skills/clawsec-suite/skill.json
T
davida-ps 5ee8587b1e Integration/signing work (#20) 
* ci: sign advisory feed and checksums in workflows

* feat(clawsec-suite): add verifier-side signature and checksum enforcement

Implements cryptographic verification for advisory feed loading:

- Ed25519 detached signature verification for feed.json
- Supports raw base64 and JSON-wrapped signature formats
- Pinned public key at advisories/feed-signing-public.pem

- SHA-256 checksum manifest (checksums.json) verification
- Signed checksums.json.sig prevents partial artifact substitution
- Verifies feed.json, feed.json.sig, and public key against manifest

- Remote feed: returns null on verification failure (triggers fallback)
- Local feed: throws on verification failure (hard fail)
- No silent bypass of verification

- CLAWSEC_ALLOW_UNSIGNED_FEED=1 temporarily bypasses verification
- Warning logged when bypass mode is enabled
- Intended for transition period only

- guarded_skill_install without --version matches any advisory for skill
- Encourages explicit version specification

- scripts/sign_detached_ed25519.mjs - signing utility
- scripts/verify_detached_ed25519.mjs - verification utility
- scripts/generate_checksums_json.mjs - checksum manifest generator
- test/feed_verification.test.mjs - 14 verification tests
- test/guarded_install.test.mjs - 6 install flow tests

- hooks/.../lib/feed.mjs - full rewrite with verification
- hooks/.../handler.ts - verification options integration
- scripts/guarded_skill_install.mjs - verification integration
- skill.json - v0.0.9, new SBOM entries, openssl requirement
- SKILL.md - signed install flow, env vars documentation
- HOOK.md - new environment variables
- ci.yml - added verification test job

Refs: fail-closed verification, Ed25519 signatures, checksum manifests

* fix: update action versions in CI workflows for improved stability

* chore(clawsec-suite): bump version to 0.0.10

* feat: enhance security measures in asset deployment and add changelog for version history

* feat: add dry-run signing for advisory artifacts and generate checksums

* fix: enhance error handling in loadRemoteFeed for security policy violations

* feat: implement Ed25519 signing and verification for advisory artifacts and checksums

* feat: implement signing and verification for advisory artifacts and checksums in workflows

* feat: update dry-run signing key generation to use Ed25519 algorithm

* feat: update Ed25519 signing and verification to use -rawin flag for compatibility

* feat: add public key copying to advisory directory and implement safe basename extraction for URLs

* feat: remove Product Hunt promotion section from README and Home page
2026-02-12 18:49:34 +02:00

240 lines
7.2 KiB
JSON
Raw Blame History

{
"name": "clawsec-suite",
"version": "0.0.10",
"description": "ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.",
"author": "prompt-security",
"license": "MIT",
"homepage": "https://clawsec.prompt.security/",
"keywords": [
"security",
"skills",
"catalog",
"installer",
"integrity",
"advisory",
"feed",
"threat-intel",
"hooks",
"approval",
"agents",
"ai",
"suite",
"openclaw",
"signature",
"verification"
],
"sbom": {
"files": [
{
"path": "SKILL.md",
"required": true,
"description": "Suite skill documentation and installation guide"
},
{
"path": "CHANGELOG.md",
"required": true,
"description": "Version history and security improvements changelog"
},
{
"path": "HEARTBEAT.md",
"required": true,
"description": "Portable heartbeat and update-check procedure"
},
{
"path": "advisories/feed.json",
"required": true,
"description": "Embedded advisory feed seed (merged from clawsec-feed)"
},
{
"path": "advisories/feed.json.sig",
"required": true,
"description": "Detached Ed25519 signature for advisory feed"
},
{
"path": "advisories/checksums.json",
"required": true,
"description": "SHA-256 checksum manifest for advisory artifacts"
},
{
"path": "advisories/checksums.json.sig",
"required": true,
"description": "Detached Ed25519 signature for checksum manifest"
},
{
"path": "advisories/feed-signing-public.pem",
"required": true,
"description": "Pinned Ed25519 public key for feed signature verification"
},
{
"path": "hooks/clawsec-advisory-guardian/HOOK.md",
"required": true,
"description": "OpenClaw hook metadata for advisory-driven malicious-skill checks"
},
{
"path": "hooks/clawsec-advisory-guardian/handler.ts",
"required": true,
"description": "OpenClaw hook handler for approval-gated advisory actions with signature verification"
},
{
"path": "hooks/clawsec-advisory-guardian/lib/utils.mjs",
"required": true,
"description": "Shared utility functions (isObject, normalizeSkillName, uniqueStrings)"
},
{
"path": "hooks/clawsec-advisory-guardian/lib/version.mjs",
"required": true,
"description": "Shared semver parsing and version matching logic"
},
{
"path": "hooks/clawsec-advisory-guardian/lib/feed.mjs",
"required": true,
"description": "Advisory feed loading with Ed25519 signature and checksum manifest verification"
},
{
"path": "hooks/clawsec-advisory-guardian/lib/types.ts",
"required": true,
"description": "TypeScript type definitions for hook and feed structures"
},
{
"path": "hooks/clawsec-advisory-guardian/lib/state.ts",
"required": true,
"description": "Advisory state persistence and loading"
},
{
"path": "hooks/clawsec-advisory-guardian/lib/matching.ts",
"required": true,
"description": "Advisory-to-skill matching and alert message generation"
},
{
"path": "scripts/setup_advisory_hook.mjs",
"required": true,
"description": "Installer script for enabling the advisory guardian hook"
},
{
"path": "scripts/setup_advisory_cron.mjs",
"required": true,
"description": "Installer script for optional periodic advisory scan cron"
},
{
"path": "scripts/guarded_skill_install.mjs",
"required": true,
"description": "Two-step confirmation installer with signature verification that blocks risky skill installs"
},
{
"path": "scripts/sign_detached_ed25519.mjs",
"required": false,
"description": "Utility script for generating Ed25519 detached signatures"
},
{
"path": "scripts/verify_detached_ed25519.mjs",
"required": false,
"description": "Utility script for verifying Ed25519 detached signatures"
},
{
"path": "scripts/generate_checksums_json.mjs",
"required": false,
"description": "Utility script for generating SHA-256 checksum manifests"
}
]
},
"embedded_components": {
"clawsec-feed": {
"source_skill": "clawsec-feed",
"source_version": "0.0.4",
"paths": [
"advisories/feed.json",
"advisories/feed.json.sig",
"advisories/checksums.json",
"advisories/checksums.json.sig",
"advisories/feed-signing-public.pem"
],
"capabilities": [
"advisory-feed monitoring",
"new-advisory detection",
"affected-skill cross-reference",
"approval-gated malicious-skill removal recommendations",
"double-confirmation gating for risky skill installs",
"Ed25519 signature verification",
"checksum manifest verification"
],
"standalone_available": true,
"deprecation_plan": "standalone skill may be retired after suite migration is verified"
}
},
"catalog": {
"description": "Available protections in the ClawSec suite",
"base_url": "https://clawsec.prompt.security/releases/download",
"skills": {
"clawsec-feed": {
"description": "Advisory monitoring is now embedded in clawsec-suite",
"integrated_in_suite": true,
"standalone_available": true,
"compatible": [
"openclaw",
"moltbot",
"clawdbot",
"other"
]
},
"openclaw-audit-watchdog": {
"description": "Automated daily audits with email reporting",
"default_install": true,
"compatible": [
"openclaw",
"moltbot",
"clawdbot"
],
"note": "Tailored for OpenClaw/MoltBot family"
},
"soul-guardian": {
"description": "Drift detection and file integrity guard",
"default_install": false,
"compatible": [
"openclaw",
"moltbot",
"clawdbot",
"other"
]
},
"clawtributor": {
"description": "Community incident reporting (shares anonymized data)",
"default_install": false,
"requires_explicit_consent": true,
"compatible": [
"openclaw",
"moltbot",
"clawdbot",
"other"
]
}
}
},
"openclaw": {
"emoji": "📦",
"category": "security",
"requires": {
"bins": [
"curl",
"jq",
"shasum",
"openssl"
]
},
"triggers": [
"clawsec suite",
"security suite",
"security advisories",
"malicious skill alert",
"remove malicious skills",
"safe skill install",
"confirm skill install",
"check advisories",
"advisory feed",
"install security skills",
"verify skills",
"check skill integrity",
"update skills"
]
}
}
Reference in New Issue View Git Blame Copy Permalink