mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-13 05:28:02 +03:00
David Abutbul
73dd63f714
* Add NanoClaw platform support to ClawSec ## Changes ### CI/CD Pipeline Updates - Added NanoClaw keywords to NVD CVE monitoring - Keywords: "NanoClaw", "WhatsApp-bot", "baileys" - GitHub pattern now matches NanoClaw repositories ### Documentation - Added NANOCLAW.md with integration guide - Documented platform-specific advisory schema - Credited 8-agent team that designed the integration ### Advisory Schema Enhancement - Added optional `platforms` field support - Enables platform-specific advisories (openclaw/nanoclaw) - Maintains backward compatibility (empty = all platforms) ## Team Credits Designed and implemented by specialized agent team: - pioneer-repo-scout: ClawSec architecture analysis - pioneer-nanoclaw-scout: NanoClaw architecture analysis - architect: Integration design - advisory-specialist: Feed integration - integrity-specialist: File integrity design - installer-specialist: Signature verification - tester: Test infrastructure - documenter: Documentation Total contribution: 3000+ lines of design + implementation code. ## Impact ClawSec now monitors for NanoClaw-specific security issues and can provide platform-targeted advisories. This enables NanoClaw to consume the advisory feed out-of-the-box for security monitoring. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * Add clawsec-nanoclaw skill with full security suite Provides complete ClawSec integration for NanoClaw deployments including: Features: - 4 MCP tools for agent-initiated vulnerability checking - Advisory cache service with automatic feed fetching (6h interval) - Ed25519 signature verification for feed integrity - Platform-specific advisory filtering (nanoclaw/openclaw) - IPC-based container-to-host communication Components (1,730 lines): - MCP Tools (350 lines): clawsec_check_advisories, clawsec_check_skill_safety, clawsec_list_advisories, clawsec_verify_signature - Advisory Cache Manager (492 lines): Periodic fetching, signature verification - Signature Verification (387 lines): Ed25519 crypto utilities - Advisory Matching (289 lines): Skill-to-vulnerability correlation - IPC Handlers (212 lines): Host-side request processing - Complete documentation: SKILL.md, INSTALL.md with troubleshooting Architecture: - Container: MCP tools invoked by agents via Claude SDK - IPC Layer: Filesystem-based request/response for host operations - Host Service: Advisory cache with automatic refresh and verification - Feed Source: https://clawsec.prompt.security/advisories/feed.json Installation: NanoClaw users can now add ClawSec security by: 1. Copying skills/clawsec-nanoclaw to their deployment 2. Integrating MCP tools into container (3 line change) 3. Integrating IPC handlers into host (2 line change) 4. Starting cache service in host process (1 line change) No modifications to NanoClaw core required - ClawSec provides everything as an installable skill package, just like it does for OpenClaw. Updated NANOCLAW.md with complete installation instructions and documentation references. Team Credits: 8-agent collaborative design and implementation: - pioneer-repo-scout: ClawSec architecture analysis - pioneer-nanoclaw-scout: NanoClaw architecture analysis - architect: Integration design and coordination - advisory-specialist: Advisory feed integration - integrity-specialist: File integrity design - installer-specialist: Signature verification implementation - tester: Test infrastructure and validation - documenter: Documentation Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * Add security expansion: Skill signature verification + File integrity monitoring Implements Phase 1 (Skill Signature Verification) and Phase 2 (File Integrity Monitoring) for NanoClaw security enhancement. ## Phase 1: Skill Signature Verification (~490 lines) Adds Ed25519 signature verification for skill packages to prevent supply chain attacks. **New Files:** - host-services/skill-signature-handler.ts (217 lines): Core verification service - mcp-tools/signature-verification.ts (200 lines): clawsec_verify_skill_package tool - docs/SKILL_SIGNING.md (270 lines): Complete signing/verification guide **Features:** - Ed25519 signature verification using Node.js crypto - Pinned ClawSec public key with custom key override support - Auto-detection of .sig signature files - Package SHA-256 integrity hashing - Fail-closed error handling with detailed diagnostics - IPC-based container-to-host verification (5s timeout) **MCP Tool:** clawsec_verify_skill_package - Verifies skill packages before installation - Returns: valid, recommendation (install/block/review), signer, algorithm - Prevents installation of tampered/malicious packages ## Phase 2: File Integrity Monitoring (~1,765 lines) Ports OpenClaw's soul-guardian to NanoClaw for critical file protection. **New Files:** - guardian/integrity-monitor.ts (711 lines): Core monitoring engine - guardian/policy.json (55 lines): NanoClaw-specific protection policy - mcp-tools/integrity-tools.ts (260 lines): 4 MCP tools for agents - host-services/integrity-handler.ts (349 lines): IPC handler integration - docs/INTEGRITY.md (470 lines): User documentation **Features:** - SHA-256 baseline tracking with tamper-evident audit logs - Auto-restore for critical files (registered_groups.json, CLAUDE.md) - Alert-only mode for non-critical files - Intentional change approval workflow - Hash-chained audit logging - Symlink protection and atomic file operations - Unified diff generation for drift analysis **MCP Tools:** - clawsec_check_integrity: Check files for unauthorized changes - clawsec_approve_change: Approve legitimate modifications - clawsec_integrity_status: View monitoring status - clawsec_verify_audit: Verify audit log integrity **Protected Files:** - CRITICAL: registered_groups.json (prevents group hijacking) - HIGH: CLAUDE.md files (prevents instruction poisoning) - MEDIUM: Container/host code (alerts on changes) - IGNORED: Conversations (expected to change) ## Shared Enhancements (+129 lines) **Updated: lib/signatures.ts** Added 5 new crypto utilities: - verifyDetachedSignature(): File-based Ed25519 verification - verifyDetachedSignatureWithDetails(): Diagnostic variant with error details - loadPublicKey(): PEM validation and security enforcement - sha256File(): File hashing (shared utility) - verifyFileHashes(): Batch drift detection **Updated: lib/types.ts** Added TypeScript interfaces for: - VerifySkillSignatureRequest/Response (Phase 1 IPC) - IntegrityCheckRequest/Response (Phase 2 IPC) - VerifySkillPackageParams (Phase 1 MCP tool) **Updated: host-services/ipc-handlers.ts** Added IPC handlers: - verify_skill_signature (Phase 1) - integrity_check, integrity_approve, integrity_status, integrity_verify_audit (Phase 2) ## Total Delivery - **New Code**: ~2,958 lines - **Files Created**: 11 new files - **Files Modified**: 3 existing files - **Documentation**: 740 lines across 2 comprehensive guides ## Architecture **Phase 1:** Container agents → MCP tool → IPC → Host verifier → Ed25519 crypto **Phase 2:** Container agents → MCP tools → IPC → Host service → File monitoring **Storage:** - Phase 1: Stateless (no persistent storage) - Phase 2: /workspace/project/data/soul-guardian/ (host-only) **Security Model:** - Ed25519 signatures verified with pinned ClawSec public key - SHA-256 baselines stored on host (containers cannot modify) - Hash-chained audit logs for tamper detection - Fail-closed error handling throughout - IPC-only access (no direct container mounts) ## Team Credits Designed and implemented by 5-agent Opus 4.6 team: - signature-verification-lead: Phase 1 implementation - integrity-monitoring-lead: Phase 2 implementation - shared-crypto: Cryptographic utilities - mcp-tools-architect: MCP tool schema standards - ipc-handler-architect: IPC protocol standards Coordination approach: 1. Design phase: Each agent analyzed and proposed solutions 2. Coordination phase: Aligned on shared components (crypto, IPC, storage) 3. Implementation phase: Parallel execution with peer support 4. Result: Zero conflicts, exceeded targets, complete documentation ## Integration NanoClaw users can now install ClawSec security features: **1. MCP Tools** (container): ```typescript import { clawsecTools } from '../../../skills/clawsec-nanoclaw/mcp-tools/advisory-tools.js'; import { verifySkillPackage } from '../../../skills/clawsec-nanoclaw/mcp-tools/signature-verification.js'; import { integrityTools } from '../../../skills/clawsec-nanoclaw/mcp-tools/integrity-tools.js'; ``` **2. IPC Handlers** (host): ```typescript import { registerClawSecHandlers } from '../skills/clawsec-nanoclaw/host-services/ipc-handlers.js'; ``` **3. Services** (host): ```typescript import { SkillSignatureVerifier } from '../skills/clawsec-nanoclaw/host-services/skill-signature-handler.js'; import { IntegrityService } from '../skills/clawsec-nanoclaw/host-services/integrity-handler.js'; ``` See docs/SKILL_SIGNING.md and docs/INTEGRITY.md for complete integration guides. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * Fix SKILL.md format: proper YAML frontmatter, remove ASCII diagrams, focus on when-to-use * chore: align with contributors guidelines - set version 0.0.1, add version to SKILL.md frontmatter, complete SBOM * fix: use specific NanoClaw repo URL instead of wildcard pattern Change github.com/*/NanoClaw to github.com/qwibitai/NanoClaw to avoid matching unrelated projects in CVE advisory scanning. * docs: merge NanoClaw support into main README, move NANOCLAW.md to skill README - Add NanoClaw platform section in main README - Update supported platforms list (OpenClaw + NanoClaw) - Add monitored keywords for NanoClaw (WhatsApp-bot, baileys) - Document platform-specific advisory schema - Move NANOCLAW.md to skills/clawsec-nanoclaw/README.md * fix: resolve ESLint and TypeScript errors in clawsec-nanoclaw skill Fix all CI failures from prepare-to-push.sh for the nanoclaw-integration branch: ESLint fixes: - Add missing Node.js globals (Buffer, AbortController, clearTimeout, RequestInit) to eslint.config.js for TypeScript files - Add ambient declarations for host-provided variables (server, writeIpcFile, TASKS_DIR, groupFolder) in MCP tool template files - Wrap bare case statements in ipc-handlers.ts in a proper exported function - Replace @ts-ignore with @ts-expect-error in signatures.ts - Prefix unused variables with underscore (affectedVersion, keyDer, safeBasename, groupFolder) - Add eslint-disable directives for intentional any usage in template files - Change any to unknown in types.ts where appropriate TypeScript fixes: - Replace glob import with ambient namespace declaration (glob not in repo deps) - Fix Hash.hexdigest() to Hash.digest('hex') in integrity-monitor.ts - Fix unreachable type comparison (recommendation === 'install') in advisory-tools.ts Comment syntax fixes: - Convert block comments containing '*/30 * * * *' cron expressions to line comments to prevent premature comment termination in integrity-handler.ts and integrity-tools.ts Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: implement missing MCP tools and align documentation with code - Rewrote signature-verification.ts with actual server.tool() implementation (was template string) - Fixed tool naming: clawsec_verify_signature -> clawsec_verify_skill_package - Added missing clawsec_refresh_cache to all documentation - Updated skill.json mcp_tools array from 4 to 9 tools (added Phase 1 & 2 tools) - All 9 MCP tools now verified: 4 advisory + 1 signature + 4 integrity Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
ClawSec: Security Skill Suite for AI Agents
Secure Your OpenClaw Bots with a Complete Security Skill Suite
Brought to you by Prompt Security, the Platform for AI Security
🦞 What is ClawSec?
ClawSec is a complete security skill suite for AI agent platforms. It provides unified security monitoring, integrity verification, and threat intelligence-protecting your agent's cognitive architecture against prompt injection, drift, and malicious instructions.
Supported Platforms
- OpenClaw (Moltbot, Clawdbot, and clones) - Full suite with skill installer, file integrity protection, and security audits
- NanoClaw - Containerized WhatsApp bot security with MCP tools for advisory monitoring, signature verification, and file integrity
Core Capabilities
- 📦 Suite Installer - One-command installation of all security skills with integrity verification
- 🛡️ File Integrity Protection - Drift detection and auto-restore for critical agent files (SOUL.md, IDENTITY.md, etc.)
- 📡 Live Security Advisories - Automated NVD CVE polling and community threat intelligence
- 🔍 Security Audits - Self-check scripts to detect prompt injection markers and vulnerabilities
- 🔐 Checksum Verification - SHA256 checksums for all skill artifacts
- Health Checks - Automated updates and integrity verification for all installed skills
🚀 Quick Start
For AI Agents
# Fetch and install the ClawSec security suite
curl -sL https://clawsec.prompt.security/releases/latest/download/SKILL.md
The skill file contains deployment instructions. Your agent will:
- Detect its agent family (OpenClaw/MoltBot/ClawdBot or other)
- Install appropriate skills from the catalog
- Verify integrity using checksums
- Set up cron update checks
For Humans
Copy this instruction to your AI agent:
Read https://clawsec.prompt.security/releases/latest/download/SKILL.md and follow the instructions to install the protection skill suite.
📱 NanoClaw Platform Support
ClawSec now supports NanoClaw, a containerized WhatsApp bot powered by Claude agents.
clawsec-nanoclaw Skill
Location: skills/clawsec-nanoclaw/
A complete security suite adapted for NanoClaw's containerized architecture:
- 9 MCP Tools for agents to check vulnerabilities
- Advisory checking and browsing
- Pre-installation safety checks
- Skill package signature verification (Ed25519)
- File integrity monitoring
- Automatic Advisory Feed - Fetches and caches advisories every 6 hours
- Platform Filtering - Shows only NanoClaw-relevant advisories
- IPC-Based - Container-safe host communication
- Full Documentation - Installation guide, usage examples, troubleshooting
Advisory Feed for NanoClaw
The feed now monitors NanoClaw-specific keywords:
NanoClaw- Direct product nameWhatsApp-bot- Core functionalitybaileys- WhatsApp client library dependency
Advisories can specify platforms: ["nanoclaw"] for platform-specific issues.
Quick Start for NanoClaw
See skills/clawsec-nanoclaw/INSTALL.md for detailed setup instructions.
Quick integration:
- Copy skill to NanoClaw deployment
- Integrate MCP tools in container
- Add IPC handlers and cache service on host
- Restart NanoClaw
📦 ClawSec Suite (OpenClaw)
The clawsec-suite is a skill-of-skills manager that installs, verifies, and maintains security skills from the ClawSec catalog.
Skills in the Suite
| Skill | Description | Installation | Compatibility |
|---|---|---|---|
| 📡 clawsec-feed | Security advisory feed monitoring with live CVE updates | ✅ Included by default | All agents |
| 🔭 openclaw-audit-watchdog | Automated daily audits with email reporting | ⚙️ Optional (install separately) | OpenClaw/MoltBot/ClawdBot |
| 👻 soul-guardian | Drift detection and file integrity guard with auto-restore | ⚙️ Optional | All agents |
| 🤝 clawtributor | Community incident reporting | ❌ Optional (Explicit request) | All agents |
⚠️ clawtributor is not installed by default as it may share anonymized incident data. Install only on explicit user request.
⚠️ openclaw-audit-watchdog is tailored for the OpenClaw/MoltBot/ClawdBot agent family. Other agents receive the universal skill set.
Suite Features
- Integrity Verification - Every skill package includes
checksums.jsonwith SHA256 hashes - Updates - Automatic checks for new skill versions
- Self-Healing - Failed integrity checks trigger automatic re-download from trusted releases
- Advisory Cross-Reference - Installed skills are checked against the security advisory feed
📡 Security Advisory Feed
ClawSec maintains a continuously updated security advisory feed, automatically populated from NIST's National Vulnerability Database (NVD).
Feed URL
# Fetch latest advisories
curl -s https://clawsec.prompt.security/advisories/feed.json | jq '.advisories[] | select(.severity == "critical" or .severity == "high")'
Monitored Keywords
The feed polls CVEs related to:
- OpenClaw Platform:
OpenClaw,clawdbot,Moltbot - NanoClaw Platform:
NanoClaw,WhatsApp-bot,baileys - Prompt injection patterns
- Agent security vulnerabilities
Advisory Schema
NVD CVE Advisory:
{
"id": "CVE-2026-XXXXX",
"severity": "critical|high|medium|low",
"type": "vulnerable_skill",
"platforms": ["openclaw", "nanoclaw"],
"title": "Short description",
"description": "Full CVE description from NVD",
"published": "2026-02-01T00:00:00Z",
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-XXXXX",
"references": ["..."],
"action": "Recommended remediation"
}
Community Advisory:
{
"id": "CLAW-2026-0042",
"severity": "high",
"type": "prompt_injection|vulnerable_skill|tampering_attempt",
"platforms": ["nanoclaw"],
"title": "Short description",
"description": "Detailed description from issue",
"published": "2026-02-01T00:00:00Z",
"affected": ["skill-name@1.0.0"],
"source": "Community Report",
"github_issue_url": "https://github.com/.../issues/42",
"action": "Recommended remediation"
}
Platform values:
"openclaw"- OpenClaw/ClawdBot/MoltBot only"nanoclaw"- NanoClaw only["openclaw", "nanoclaw"]- Both platforms- (empty/missing) - All platforms (backward compatible)
🔄 CI/CD Pipelines
ClawSec uses automated pipelines for continuous security updates and skill distribution.
Automated Workflows
| Workflow | Trigger | Description |
|---|---|---|
| poll-nvd-cves.yml | Daily cron (06:00 UTC) | Polls NVD for new CVEs, updates feed |
| community-advisory.yml | Issue labeled advisory-approved |
Processes community reports into advisories |
| skill-release.yml | <skill>-v*.*.* tags |
Packages individual skills with checksums to GitHub Releases |
| deploy-pages.yml | Push to main | Builds and deploys the web interface to GitHub Pages |
Skill Release Pipeline
When a skill is tagged (e.g., soul-guardian-v1.0.0), the pipeline:
- Validates - Checks
skill.jsonversion matches tag - Enforces key consistency - Verifies pinned release key references are consistent across repo PEMs and
skills/clawsec-suite/SKILL.md - Generates Checksums - Creates
checksums.jsonwith SHA256 hashes for all SBOM files - Signs + verifies - Signs
checksums.jsonand validates the generatedsigning-public.pemfingerprint against canonical repo key material - Releases - Publishes to GitHub Releases with all artifacts
- Supersedes Old Releases - Marks older versions (same major) as pre-releases
- Triggers Pages Update - Refreshes the skills catalog on the website
Signing Key Consistency Guardrails
To prevent supply-chain drift, CI now fails fast when signing key references diverge.
Guardrail script:
scripts/ci/verify_signing_key_consistency.sh
What it checks:
skills/clawsec-suite/SKILL.mdinline public key fingerprint matchesRELEASE_PUBKEY_SHA256- Canonical PEM files all match the same fingerprint:
clawsec-signing-public.pemadvisories/feed-signing-public.pemskills/clawsec-suite/advisories/feed-signing-public.pem
- Generated public key in workflows matches canonical key:
release-assets/signing-public.pem(release workflow)public/signing-public.pem(pages workflow)
Where enforced:
.github/workflows/skill-release.yml.github/workflows/deploy-pages.yml
Release Versioning & Superseding
ClawSec follows semantic versioning. When a new version is released:
| Scenario | Behavior |
|---|---|
| New patch/minor (e.g., 1.0.1, 1.1.0) | Previous releases with same major version are deleted |
| New major (e.g., 2.0.0) | Previous major version (1.x.x) remains for backwards compatibility |
Why do old releases disappear?
When you release skill-v0.0.2, the previous skill-v0.0.1 release is automatically deleted to keep the releases page clean. Only the latest version within each major version is retained.
- Git tags are preserved - You can always recreate a release from an existing tag if needed
- Major versions coexist - Both
skill-v1.x.xandskill-v2.x.xlatest releases remain available for backwards compatibility
Release Artifacts
Each skill release includes:
checksums.json- SHA256 hashes for integrity verificationskill.json- Skill metadataSKILL.md- Main skill documentation- Additional files from SBOM (scripts, configs, etc.)
Signing Operations Documentation
For feed/release signing rollout and operations guidance:
SECURITY-SIGNING.md- key generation, GitHub secrets, rotation/revocation, incident responseMIGRATION-SIGNED-FEED.md- phased migration from unsigned feed, enforcement gates, rollback plan
🛠️ Offline Tools
ClawSec includes Python utilities for local skill development and validation.
Skill Validator
Validates a skill folder against the required schema:
python utils/validate_skill.py skills/clawsec-feed
Checks:
skill.jsonexists and is valid JSON- Required fields present (name, version, description, author, license)
- SBOM files exist and are readable
- OpenClaw metadata is properly structured
Skill Checksums Generator
Generates checksums.json with SHA256 hashes for a skill:
python utils/package_skill.py skills/clawsec-feed ./dist
Outputs:
checksums.json- SHA256 hashes for verification
🛠️ Local Development
Prerequisites
- Node.js 20+
- Python 3.10+ (for offline tools)
- npm
Setup
# Install dependencies
npm install
# Start development server
npm run dev
Populate Local Data
# Populate skills catalog from local skills/ directory
./scripts/populate-local-skills.sh
# Populate advisory feed with real NVD CVE data
./scripts/populate-local-feed.sh --days 120
Build
npm run build
📁 Project Structure
├── advisories/
│ └── feed.json # Main advisory feed (auto-updated from NVD)
├── components/ # React components
├── pages/ # Page components
├── scripts/
│ ├── populate-local-feed.sh # Local CVE feed populator
│ ├── populate-local-skills.sh # Local skills catalog populator
│ └── release-skill.sh # Manual skill release helper
├── skills/
│ ├── clawsec-suite/ # 📦 Suite installer (skill-of-skills)
│ ├── clawsec-feed/ # 📡 Advisory feed skill
│ ├── clawtributor/ # 🤝 Community reporting skill
│ ├── openclaw-audit-watchdog/ # 🔭 Automated audit skill
│ └── soul-guardian/ # 👻 File integrity skill
├── utils/
│ ├── package_skill.py # Skill packager utility
│ └── validate_skill.py # Skill validator utility
├── .github/workflows/
│ ├── poll-nvd-cves.yml # CVE polling pipeline
│ ├── skill-release.yml # Skill release pipeline
│ └── deploy-pages.yml # Pages deployment
└── public/ # Static assets and published skills
🤝 Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
Submitting Security Advisories
Found a prompt injection vector, malicious skill, or security vulnerability? Report it via GitHub Issues:
- Open a new issue using the Security Incident Report template
- Fill out the required fields (severity, type, description, affected skills)
- A maintainer will review and add the
advisory-approvedlabel - The advisory is automatically published to the feed as
CLAW-{YEAR}-{ISSUE#}
See CONTRIBUTING.md for detailed guidelines.
Adding New Skills
- Create a skill folder under
skills/ - Add
skill.jsonwith required metadata and SBOM - Add
SKILL.mdwith agent-readable instructions - Validate with
python utils/validate_skill.py skills/your-skill - Submit a PR for review
📄 License
- Source code: GNU AGPL v3.0 or later - See LICENSE for details.
- Fonts in
font/: Licensed separately - Seefont/README.md.
ClawSec · Prompt Security, SentinelOne
🦞 Hardening agentic workflows, one skill at a time.