clawsec/skills/clawsec-suite/HEARTBEAT.md
David Abutbul d3c703aea6 ClawSec init
2026-02-05 21:58:23 +02:00

ClawSec Suite — Cron Check

Run this on a schedule (cron/systemd/CI/agent scheduler). It is written to be portable: it assumes only POSIX shell + curl + a SHA tool. The version lookups in Steps 1.5 and 2 additionally call jq.

Goals

  1. Check whether ClawSec Suite has an update available
  2. Verify integrity of the installed suite package

Design note: the check uses the checksums.json file from the latest release, which contains version info and SHA256 hashes. This avoids reliance on a separate catalog manifest.


Configuration

INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
SUITE_DIR="$INSTALL_ROOT/clawsec-suite"
CHECKSUMS_URL="${CHECKSUMS_URL:-https://clawsec.prompt.security/releases/latest/download/checksums.json}"

Step 0 — Basic sanity

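# -e: stop at the first failing command; -u: treat unset variables as errors.
# pipefail is left out because not every POSIX sh accepts it.
set -eu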

test -d "$SUITE_DIR"
test -f "$SUITE_DIR/skill.json"

echo "=== ClawSec update Check ==="
echo "When: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
echo "Where: $SUITE_DIR"

Step 1 — Verify the currently installed suite files (local integrity)

This step is only meaningful if you ship a checksums file inside the suite directory (recommended).

If present, verify it:

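if [ -f "$SUITE_DIR/checksums.txt" ]; then
  echo "Verifying local checksums.txt"
  # Run in a subshell so the directory change does not leak into later steps.
  # Any mismatch makes the subshell fail, which aborts the heartbeat under set -e.
  (
    cd "$SUITE_DIR"
    if command -v shasum >/dev/null 2>&1; then
      shasum -a 256 -c checksums.txt
    else
      sha256sum -c checksums.txt
    fi
  )
else
  echo "NOTE: No local checksums.txt shipped; skipping local integrity verification"
fi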

Step 1.5 — Verify Bundled Components

Check that bundled security skills are properly deployed:

INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
SUITE_DIR="$INSTALL_ROOT/clawsec-suite"

# Function to check bundled skill
check_bundled_skill() {
  local skill_name="$1"
  local skill_dir="$INSTALL_ROOT/$skill_name"
  local bundled_dir="$SUITE_DIR/bundled/$skill_name"

  if [ -d "$skill_dir" ] && [ -f "$skill_dir/skill.json" ]; then
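    # A missing jq or malformed skill.json must not abort the whole report under set -e.
    SKILL_VERSION="$(jq -r '.version // ""' "$skill_dir/skill.json" 2>/dev/null || true)"
    echo "✓ $skill_name v${SKILL_VERSION:-unknown} is installed"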
  elif [ -d "$bundled_dir" ] && [ -f "$bundled_dir/skill.json" ]; then
    echo "⚠ $skill_name bundled but not deployed"
    echo "  Deploy with: cp -r '$bundled_dir' '$skill_dir'"
  else
    echo "✗ $skill_name not found"
  fi
}

echo "=== Bundled Skills Status ==="
check_bundled_skill "clawsec-feed"
check_bundled_skill "openclaw-audit-watchdog"
check_bundled_skill "soul-guardian"

Step 2 — Check for updates (using checksums.json)

Fetch the latest checksums.json from the release mirror. This file contains version info and SHA256 hashes for all release assets.

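TMP="$(mktemp -d)"
# Remove the scratch directory when the script exits.
trap 'rm -rf "$TMP"' EXIT
cd "$TMP"

# Refuse non-HTTPS URLs and redirects, and require TLS 1.2 or newer.
curl --proto '=https' --tlsv1.2 -fsSLo checksums.json "$CHECKSUMS_URL"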


INSTALLED_VER="$(jq -r '.version // ""' "$SUITE_DIR/skill.json" 2>/dev/null || true)"
LATEST_VER="$(jq -r '.version // ""' checksums.json 2>/dev/null || true)"

echo "Installed suite: ${INSTALLED_VER:-unknown}"
echo "Latest suite:    ${LATEST_VER:-unknown}"

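if [ -z "$LATEST_VER" ]; then
  # An unreadable checksums.json must not be reported as "up to date".
  echo "WARNING: could not read a version from checksums.json; update status unknown"
elif [ "$LATEST_VER" != "$INSTALLED_VER" ]; then
  echo "UPDATE AVAILABLE: clawsec-suite ${INSTALLED_VER:-unknown} -> $LATEST_VER"
  echo "(Implement your runtime-specific update action here.)"
else
  echo "Suite appears up to date."
fi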

If your runtime does not have jq, you can parse the version line with grep/sed, or we can publish a simpler latest.txt endpoint.
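
A jq-free form of the Step 2 comparison, as an added example that is not part of the ClawSec repository: it extracts the version with POSIX `tr` and `awk`, allowlists the characters it accepts because the value comes from a remote file and ends up in alert text, and returns a distinct status when no version can be read. The function names, the exit codes and the rule that the first `"version"` key in a file is the release version are assumptions of this example; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not ClawSec code: read "version" from JSON without jq.
# Assumption: the first key spelled "version" in a file is the release version.

# Print the version string from JSON file $1; return 1 if missing or malformed.
json_version() {
  [ -f "$1" ] || return 1
  # Join lines so pretty-printed and minified JSON parse alike, then take the
  # leftmost "version": "<value>" pair (awk match() reports the leftmost match).
  ver="$(tr -d '\n\r' < "$1" | awk '
    match($0, /"version"[ \t]*:[ \t]*"[^"]*"/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/^"version"[ \t]*:[ \t]*"/, "", s); sub(/"$/, "", s)
      print s
    }')"
  # The value is remote input that is echoed into alerts: bound and allowlist it.
  [ "${#ver}" -le 64 ] || return 1
  case "$ver" in
    ''|*[!0-9A-Za-z.+-]*) return 1 ;;
  esac
  printf '%s\n' "$ver"
}

# Print one report line for installed skill.json $1 and fetched checksums.json $2.
# Exit status: 0 up to date, 10 update available, 2 latest version unreadable.
update_status() {
  installed="$(json_version "$1")" || installed=""
  latest="$(json_version "$2")" || { echo "ERROR: no usable version in $2"; return 2; }
  if [ "$latest" != "$installed" ]; then
    echo "UPDATE AVAILABLE: clawsec-suite ${installed:-unknown} -> $latest"
    return 10
  fi
  echo "Suite appears up to date."
}

# Constructed sample files (not real release data).
demo="$(mktemp -d)"
printf '{\n  "name": "clawsec-suite",\n  "version": "0.1.0"\n}\n' > "$demo/skill.json"
printf '{"generated":"constructed","version":"0.2.0"}' > "$demo/checksums.json"
printf '<html>502 Bad Gateway</html>' > "$demo/broken.json"
update_status "$demo/skill.json" "$demo/checksums.json" || true
update_status "$demo/skill.json" "$demo/broken.json" || true
rm -rf "$demo"
```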


Output

This heartbeat should print a short report suitable for being copied into an alert message:

  • suite version status
  • integrity status