* auto-claude: subtask-1-1 - Create config loading utility with multi-path fallback
Created load_suppression_config.mjs with:
- Multi-path fallback: ~/.openclaw/security-audit.json -> .clawsec/allowlist.json
- Environment variable support (OPENCLAW_AUDIT_CONFIG)
- Custom path support via CLI argument
- Schema validation (checkId, skill, reason, suppressedAt required)
- Malformed JSON error handling
- Graceful fallback to empty suppressions when no config exists
- ISO 8601 date format validation with warnings
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-1-2 - Create example config file template
- Added security-audit-config.example.json with two suppression examples
- Included examples for clawsec-suite and openclaw-audit-watchdog
- Created comprehensive README.md explaining configuration format
- All required fields documented (checkId, skill, reason, suppressedAt)
- ISO 8601 date format demonstrated
- JSON validated successfully
* auto-claude: subtask-1-3 - Add unit tests for config loading
Added comprehensive unit tests for suppression config loading:
- Valid config with all required fields
- Malformed date warning (non-blocking)
- Missing required field validation
- Malformed JSON error handling
- File not found graceful fallback
- Custom path priority
- Environment variable override
- Missing/empty suppressions array handling
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-1 - Add suppression filtering to render_report.mjs
Implements suppression filtering logic for security audit findings:
- Import loadSuppressionConfig for config loading
- Add --config CLI argument for custom config paths
- Create extractSkillName() to extract skill names from findings (tries multiple fields)
- Create filterFindings() to split findings into active/suppressed
- Match suppressions by BOTH checkId AND skill name (exact match required)
- Attach suppression metadata (reason, suppressedAt) to suppressed findings
- Modify render() to accept suppressedFindings parameter
- Apply filtering in main execution before rendering
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-2 - Add INFO-SUPPRESSED section to report output
- Added lineForSuppressedFinding() to format suppressed findings
- Added INFO-SUPPRESSED section showing suppressed findings with reason and date
- Suppressed findings are not counted in summary (already filtered)
- Follows existing code patterns for report sections
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-3-1 - Add --config flag to run_audit_and_format.sh
- Added --config flag to accept path to config file
- Added --help flag with usage documentation
- Config flag is passed to openclaw audit commands when provided
- Follows existing pattern for --label flag
* auto-claude: subtask-4-1 - Create integration tests for render_report with suppressions
Created comprehensive integration tests covering:
- Suppressed findings appear in INFO-SUPPRESSED section
- Active findings appear in CRITICAL/WARN section
- Summary counts exclude suppressed findings
- Backward compatibility (no config)
- Partial matches don't suppress (checkId or skill alone)
- Multiple suppressions work correctly
- Skill name extraction from path field
- Skill name extraction from title field
- Empty suppressions array behaves like no config
Bug fix in render_report.mjs:
- Summary counts now recalculated after filtering suppressed findings
- Previously summary showed original counts instead of filtered counts
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-4-2 - Manual E2E test with real openclaw audit
- Fixed run_audit_and_format.sh to pass --config flag to render_report.mjs
- Enhanced lineForFinding() to display skill names for better clarity
- Enhanced lineForSuppressedFinding() to display skill names consistently
- Created comprehensive E2E test documentation in E2E-TEST-RESULTS.md
- All E2E verification points passed:
  * Config loading from custom paths
  * Suppression matching by checkId + skill name
  * INFO-SUPPRESSED section display
  * Suppression reason and date display
  * Summary count accuracy (excludes suppressed findings)
  * Non-suppressed findings preservation
  * Skill name display in all findings
- All integration tests still passing (10/10)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-5-1 - Update README.md with suppression feature
* auto-claude: subtask-5-2 - Update SKILL.md with usage examples
* - Add backslash escaping before quote escaping in oneline() function
  - Prevents incomplete string escaping vulnerability
  - Resolves CodeQL alert: https://github.com/prompt-security/clawsec/security/code-scanning/16
* Fix regex in extractSkillName function and simplify error handling in suppression config tests
* Enhance suppression mechanism in OpenClaw Audit Watchdog
- Updated README.md to clarify suppression configuration and activation requirements.
- Improved SKILL.md with examples for suppressing known findings.
- Refactored load_suppression_config.mjs to implement opt-in gating for suppressions.
- Modified render_report.mjs to support suppression flag in report generation.
- Enhanced run_audit_and_format.sh and runner.sh scripts to accept --enable-suppressions flag.
- Added test cases for suppression configuration, including validation for enabledFor sentinel and opt-in behavior.
- Introduced new test files for empty and invalid suppression configurations.
* Fix type assertion for checksums file entries in Checksums component
* Update ESLint configuration and dependencies to pin @eslint/js to version 9.28.0
* Update CHANGELOG.md for advisory suppression module and OpenClaw Audit Watchdog enhancements
* Refactor finding comparison logic in render_report.mjs to simplify equality checks
* chore(clawsec-suite): bump version to 0.1.2
* chore(openclaw-audit-watchdog): bump version to 0.1.0
* Remove suppressed matches tracking from state to prevent re-evaluation alerts
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
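
The suppression behaviour listed in the commit message above (required fields, non-blocking date warnings, matching on both checkId and skill, opt-in activation), as an added sketch that is not the project's load_suppression_config.mjs or render_report.mjs. The finding fields, the skills/<name>/ path layout, the placeholder checkId values and the boolean `enabled` switch standing in for the opt-in gate are assumptions.

```javascript
// Added sketch, not the project's code. Finding fields (checkId, skill, path)
// and the skills/<name>/ path layout are assumptions.
const REQUIRED = ["checkId", "skill", "reason", "suppressedAt"];
const ISO_8601 = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2}))?$/;

function validateSuppressions(config) {
  const entries = Array.isArray(config?.suppressions) ? config.suppressions : [];
  const warnings = [];
  entries.forEach((entry, i) => {
    for (const field of REQUIRED) {
      if (typeof entry?.[field] !== "string" || entry[field] === "") {
        throw new Error(`suppressions[${i}]: missing required field "${field}"`);
      }
    }
    // A malformed date is reported but does not block loading.
    if (!ISO_8601.test(entry.suppressedAt)) warnings.push(`suppressions[${i}]: bad suppressedAt`);
  });
  return { entries, warnings };
}

// Assumed extraction order: explicit field first, then a skills/<name>/ path.
function extractSkillName(finding) {
  if (finding.skill) return finding.skill;
  const m = /(?:^|\/)skills\/([^/]+)/.exec(finding.path ?? "");
  return m ? m[1] : null;
}

function filterFindings(findings, entries, enabled) {
  const active = [], suppressed = [];
  for (const finding of findings) {
    const skill = extractSkillName(finding);
    // Both keys must match exactly; checkId alone or skill alone never suppresses.
    const rule = enabled && entries.find((e) => e.checkId === finding.checkId && e.skill === skill);
    if (rule) suppressed.push({ ...finding, reason: rule.reason, suppressedAt: rule.suppressedAt });
    else active.push(finding);
  }
  return { active, suppressed };
}

// Constructed sample input; the checkId values are placeholders.
const sampleConfig = { suppressions: [
  { checkId: "example.check-a", skill: "clawsec-suite", reason: "Reviewed", suppressedAt: "2026-02-01" },
] };
const sampleFindings = [
  { checkId: "example.check-a", skill: "clawsec-suite" },
  { checkId: "example.check-a", path: "skills/soul-guardian/run.sh" },
  { checkId: "example.check-b", skill: "clawsec-suite" },
];
console.log(filterFindings(sampleFindings, validateSuppressions(sampleConfig).entries, true));
```

With `enabled` set to false every finding stays active, so a config file left on disk cannot hide findings on its own.
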
ClawSec: Security Skill Suite for AI Agents
Secure Your OpenClaw Bots with a Complete Security Skill Suite
Brought to you by Prompt Security, the Platform for AI Security
🦞 What is ClawSec?
ClawSec is a complete security skill suite for the OpenClaw family of agents (Moltbot, Clawdbot, some clones). It provides a unified installer that deploys, verifies, and maintains security skills, protecting your agent's cognitive architecture against prompt injection, drift, and malicious instructions.
Core Capabilities
- 📦 Suite Installer - One-command installation of all security skills with integrity verification
- 🛡️ File Integrity Protection - Drift detection and auto-restore for critical agent files (SOUL.md, IDENTITY.md, etc.)
- 📡 Live Security Advisories - Automated NVD CVE polling and community threat intelligence
- 🔍 Security Audits - Self-check scripts to detect prompt injection markers and vulnerabilities
- 🔐 Checksum Verification - SHA256 checksums for all skill artifacts
- Health Checks - Automated updates and integrity verification for all installed skills
🚀 Quick Start
For AI Agents
# Fetch and install the ClawSec security suite
curl -sL https://clawsec.prompt.security/releases/latest/download/SKILL.md
The skill file contains deployment instructions. Your agent will:
- Detect its agent family (OpenClaw/MoltBot/ClawdBot or other)
- Install appropriate skills from the catalog
- Verify integrity using checksums
- Set up cron update checks
For Humans
Copy this instruction to your AI agent:
Read https://clawsec.prompt.security/releases/latest/download/SKILL.md and follow the instructions to install the protection skill suite.
📦 ClawSec Suite
The clawsec-suite is a skill-of-skills manager that installs, verifies, and maintains security skills from the ClawSec catalog.
Skills in the Suite
| Skill | Description | Installation | Compatibility |
|---|---|---|---|
| 📡 clawsec-feed | Security advisory feed monitoring with live CVE updates | ✅ Included by default | All agents |
| 🔭 openclaw-audit-watchdog | Automated daily audits with email reporting | ⚙️ Optional (install separately) | OpenClaw/MoltBot/ClawdBot |
| 👻 soul-guardian | Drift detection and file integrity guard with auto-restore | ⚙️ Optional | All agents |
| 🤝 clawtributor | Community incident reporting | ❌ Optional (Explicit request) | All agents |
⚠️ clawtributor is not installed by default as it may share anonymized incident data. Install only on explicit user request.
⚠️ openclaw-audit-watchdog is tailored for the OpenClaw/MoltBot/ClawdBot agent family. Other agents receive the universal skill set.
Suite Features
- Integrity Verification - Every skill package includes checksums.json with SHA256 hashes
- Updates - Automatic checks for new skill versions
- Self-Healing - Failed integrity checks trigger automatic re-download from trusted releases
- Advisory Cross-Reference - Installed skills are checked against the security advisory feed
📡 Security Advisory Feed
ClawSec maintains a continuously updated security advisory feed, automatically populated from NIST's National Vulnerability Database (NVD).
Feed URL
# Fetch latest advisories
curl -s https://clawsec.prompt.security/advisories/feed.json | jq '.advisories[] | select(.severity == "critical" or .severity == "high")'
Monitored Keywords
The feed polls CVEs related to:
- OpenClaw
- clawdbot
- Moltbot
- Prompt injection patterns
- Agent security vulnerabilities
Advisory Schema
NVD CVE Advisory:
{
  "id": "CVE-2026-XXXXX",
  "severity": "critical|high|medium|low",
  "type": "vulnerable_skill",
  "title": "Short description",
  "description": "Full CVE description from NVD",
  "published": "2026-02-01T00:00:00Z",
  "cvss_score": 8.8,
  "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-XXXXX",
  "references": ["..."],
  "action": "Recommended remediation"
}
Community Advisory:
{
  "id": "CLAW-2026-0042",
  "severity": "high",
  "type": "prompt_injection|vulnerable_skill|tampering_attempt",
  "title": "Short description",
  "description": "Detailed description from issue",
  "published": "2026-02-01T00:00:00Z",
  "affected": ["skill-name@1.0.0"],
  "source": "Community Report",
  "github_issue_url": "https://github.com/.../issues/42",
  "action": "Recommended remediation"
}
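
The advisory cross-reference described under Suite Features, applied to the two schemas above, as an added example that is not ClawSec's own code. It assumes `affected` entries are exact `name@version` strings and uses a hypothetical installed-skill list; advisories with no `affected` field are returned separately for manual review.

```javascript
// Added example, not ClawSec's own code. Assumptions: `affected` entries are
// exact "name@version" strings; the installed-skill list shape is hypothetical.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Split at the last "@" so a scoped name such as "@org/skill@1.0.0" survives.
function parseAffected(entry) {
  const at = entry.lastIndexOf("@");
  if (at <= 0) return { name: entry, version: null }; // no version: any version
  return { name: entry.slice(0, at), version: entry.slice(at + 1) };
}

function crossReference(feed, installed, minSeverity = "high") {
  const floor = SEVERITY_RANK[minSeverity];
  const hits = [];
  const unscoped = []; // advisories without `affected` (the NVD schema has none)
  for (const adv of feed.advisories ?? []) {
    const rank = SEVERITY_RANK[String(adv.severity).toLowerCase()];
    // An unknown severity label is kept for review instead of being dropped.
    if (rank !== undefined && rank < floor) continue;
    if (!Array.isArray(adv.affected) || adv.affected.length === 0) {
      unscoped.push(adv.id);
      continue;
    }
    for (const target of adv.affected.map(parseAffected)) {
      for (const skill of installed) {
        if (skill.name !== target.name) continue;
        if (target.version !== null && skill.version !== target.version) continue;
        hits.push({ advisory: adv.id, skill: `${skill.name}@${skill.version}`, action: adv.action });
      }
    }
  }
  return { hits, unscoped };
}

// Constructed sample data following the two schemas above (CLAW-2026-0043 is made up).
const sampleFeed = { advisories: [
  { id: "CVE-2026-XXXXX", severity: "critical", type: "vulnerable_skill", action: "Recommended remediation" },
  { id: "CLAW-2026-0042", severity: "high", type: "prompt_injection",
    affected: ["skill-name@1.0.0"], action: "Recommended remediation" },
  { id: "CLAW-2026-0043", severity: "low", type: "tampering_attempt",
    affected: ["soul-guardian@1.0.0"], action: "Recommended remediation" },
] };
const sampleInstalled = [
  { name: "skill-name", version: "1.0.0" },
  { name: "soul-guardian", version: "1.0.0" },
];
console.log(JSON.stringify(crossReference(sampleFeed, sampleInstalled), null, 2));
```
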
🔄 CI/CD Pipelines
ClawSec uses automated pipelines for continuous security updates and skill distribution.
Automated Workflows
| Workflow | Trigger | Description |
|---|---|---|
| poll-nvd-cves.yml | Daily cron (06:00 UTC) | Polls NVD for new CVEs, updates feed |
| community-advisory.yml | Issue labeled advisory-approved | Processes community reports into advisories |
| skill-release.yml | <skill>-v*.*.* tags | Packages individual skills with checksums to GitHub Releases |
| deploy-pages.yml | Push to main | Builds and deploys the web interface to GitHub Pages |
Skill Release Pipeline
When a skill is tagged (e.g., soul-guardian-v1.0.0), the pipeline:
- Validates - Checks skill.json version matches tag
- Enforces key consistency - Verifies pinned release key references are consistent across repo PEMs and skills/clawsec-suite/SKILL.md
- Generates Checksums - Creates checksums.json with SHA256 hashes for all SBOM files
- Signs + verifies - Signs checksums.json and validates the generated signing-public.pem fingerprint against canonical repo key material
- Releases - Publishes to GitHub Releases with all artifacts
- Supersedes Old Releases - Marks older versions (same major) as pre-releases
- Triggers Pages Update - Refreshes the skills catalog on the website
Signing Key Consistency Guardrails
To prevent supply-chain drift, CI now fails fast when signing key references diverge.
Guardrail script:
scripts/ci/verify_signing_key_consistency.sh
What it checks:
- skills/clawsec-suite/SKILL.md inline public key fingerprint matches RELEASE_PUBKEY_SHA256
- Canonical PEM files all match the same fingerprint:
  - clawsec-signing-public.pem
  - advisories/feed-signing-public.pem
  - skills/clawsec-suite/advisories/feed-signing-public.pem
- Generated public key in workflows matches canonical key:
  - release-assets/signing-public.pem (release workflow)
  - public/signing-public.pem (pages workflow)
Where enforced:
- .github/workflows/skill-release.yml
- .github/workflows/deploy-pages.yml
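
The kind of comparison this guardrail performs, as an added sketch that is not the contents of scripts/ci/verify_signing_key_consistency.sh. It assumes the fingerprint is SHA-256 over the DER-encoded public key (so line-ending differences between PEM copies do not matter) and uses Ed25519 keys generated at run time as constructed input.

```javascript
// Added sketch, not scripts/ci/verify_signing_key_consistency.sh itself.
// Assumption: the fingerprint is SHA-256 over the DER-encoded SPKI public key.
const { createHash, createPublicKey, generateKeyPairSync } = require("node:crypto");

function fingerprint(pem) {
  const der = createPublicKey(pem).export({ type: "spki", format: "der" });
  return createHash("sha256").update(der).digest("hex");
}

// sources maps a label to PEM text. Returns the entries that do not match the
// pinned value; an empty array means every copy refers to the same key.
function checkConsistency(pinnedSha256, sources) {
  const mismatches = [];
  for (const [label, pem] of Object.entries(sources)) {
    let actual;
    try { actual = fingerprint(pem); } catch { actual = "unparseable"; }
    if (actual !== pinnedSha256.toLowerCase()) mismatches.push({ label, actual });
  }
  return mismatches;
}

// Constructed keys, generated at run time; the key type is an assumption.
const pemOf = () => generateKeyPairSync("ed25519").publicKey.export({ type: "spki", format: "pem" });
const canonical = pemOf();
const pinned = fingerprint(canonical); // stands in for RELEASE_PUBKEY_SHA256
const sources = {
  "clawsec-signing-public.pem": canonical,
  "advisories/feed-signing-public.pem": canonical.replace(/\n/g, "\r\n"), // CRLF copy, same key
  "release-assets/signing-public.pem": pemOf(), // a different key: must be flagged
};
console.log(checkConsistency(pinned, sources));
```
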
Release Versioning & Superseding
ClawSec follows semantic versioning. When a new version is released:
| Scenario | Behavior |
|---|---|
| New patch/minor (e.g., 1.0.1, 1.1.0) | Previous releases with same major version are deleted |
| New major (e.g., 2.0.0) | Previous major version (1.x.x) remains for backwards compatibility |
Why do old releases disappear?
When you release skill-v0.0.2, the previous skill-v0.0.1 release is automatically deleted to keep the releases page clean. Only the latest version within each major version is retained.
- Git tags are preserved - You can always recreate a release from an existing tag if needed
- Major versions coexist - Both skill-v1.x.x and skill-v2.x.x latest releases remain available for backwards compatibility
Release Artifacts
Each skill release includes:
- checksums.json - SHA256 hashes for integrity verification
- skill.json - Skill metadata
- SKILL.md - Main skill documentation
- Additional files from SBOM (scripts, configs, etc.)
Signing Operations Documentation
For feed/release signing rollout and operations guidance:
- SECURITY-SIGNING.md - key generation, GitHub secrets, rotation/revocation, incident response
- MIGRATION-SIGNED-FEED.md - phased migration from unsigned feed, enforcement gates, rollback plan
🛠️ Offline Tools
ClawSec includes Python utilities for local skill development and validation.
Skill Validator
Validates a skill folder against the required schema:
python utils/validate_skill.py skills/clawsec-feed
Checks:
- skill.json exists and is valid JSON
- Required fields present (name, version, description, author, license)
- SBOM files exist and are readable
- OpenClaw metadata is properly structured
Skill Checksums Generator
Generates checksums.json with SHA256 hashes for a skill:
python utils/package_skill.py skills/clawsec-feed ./dist
Outputs:
- checksums.json - SHA256 hashes for verification
🛠️ Local Development
Prerequisites
- Node.js 20+
- Python 3.10+ (for offline tools)
- npm
Setup
# Install dependencies
npm install
# Start development server
npm run dev
Populate Local Data
# Populate skills catalog from local skills/ directory
./scripts/populate-local-skills.sh
# Populate advisory feed with real NVD CVE data
./scripts/populate-local-feed.sh --days 120
Build
npm run build
📁 Project Structure
├── advisories/
│ └── feed.json # Main advisory feed (auto-updated from NVD)
├── components/ # React components
├── pages/ # Page components
├── scripts/
│ ├── populate-local-feed.sh # Local CVE feed populator
│ ├── populate-local-skills.sh # Local skills catalog populator
│ └── release-skill.sh # Manual skill release helper
├── skills/
│ ├── clawsec-suite/ # 📦 Suite installer (skill-of-skills)
│ ├── clawsec-feed/ # 📡 Advisory feed skill
│ ├── clawtributor/ # 🤝 Community reporting skill
│ ├── openclaw-audit-watchdog/ # 🔭 Automated audit skill
│ └── soul-guardian/ # 👻 File integrity skill
├── utils/
│ ├── package_skill.py # Skill packager utility
│ └── validate_skill.py # Skill validator utility
├── .github/workflows/
│ ├── poll-nvd-cves.yml # CVE polling pipeline
│ ├── skill-release.yml # Skill release pipeline
│ └── deploy-pages.yml # Pages deployment
└── public/ # Static assets and published skills
🤝 Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
Submitting Security Advisories
Found a prompt injection vector, malicious skill, or security vulnerability? Report it via GitHub Issues:
- Open a new issue using the Security Incident Report template
- Fill out the required fields (severity, type, description, affected skills)
- A maintainer will review and add the advisory-approved label
- The advisory is automatically published to the feed as CLAW-{YEAR}-{ISSUE#}
See CONTRIBUTING.md for detailed guidelines.
Adding New Skills
- Create a skill folder under skills/
- Add skill.json with required metadata and SBOM
- Add SKILL.md with agent-readable instructions
- Validate with python utils/validate_skill.py skills/your-skill
- Submit a PR for review
📄 License
- Source code: MIT License - See LICENSE for details.
- Fonts in font/: Licensed separately - See font/README.md.
ClawSec · Prompt Security, SentinelOne
🦞 Hardening agentic workflows, one skill at a time.

