clawsec/skills/clawsec-suite/HEARTBEAT.md
David Abutbul d3c703aea6 ClawSec init
2026-02-05 21:58:23 +02:00


# ClawSec Suite — Cron Check
Run this on a schedule (cron, systemd, CI, or an agent scheduler). It is written to be portable: it assumes only a POSIX shell, curl, and a SHA tool (`shasum` or `sha256sum`). Steps 1.5 and 2 also call `jq`.
## Goals
1) Check whether ClawSec Suite has an update available
2) Verify integrity of the installed suite package
> Design note: Uses the **checksums.json** file from the latest release, which contains version info and SHA256 hashes. Avoids reliance on a separate catalog manifest.
---
## Configuration
```bash
INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
SUITE_DIR="$INSTALL_ROOT/clawsec-suite"
CHECKSUMS_URL="${CHECKSUMS_URL:-https://clawsec.prompt.security/releases/latest/download/checksums.json}"
```
---
## Step 0 — Basic sanity
```bash
set -euo pipefail
test -d "$SUITE_DIR"
test -f "$SUITE_DIR/skill.json"
echo "=== ClawSec update Check ==="
echo "When: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
echo "Where: $SUITE_DIR"
```
---
## Step 1 — Verify the currently installed suite files (local integrity)
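This step is only meaningful if you ship a checksums file *inside* the suite directory (recommended). A checksums file stored next to the files it covers catches corruption and partial writes, but not tampering by anyone who can also rewrite `checksums.txt`.
If present, verify it: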
```bash
if [ -f "$SUITE_DIR/checksums.txt" ]; then
  echo "Verifying local checksums.txt"
  cd "$SUITE_DIR"
  if command -v shasum >/dev/null 2>&1; then
    shasum -a 256 -c checksums.txt
  else
    sha256sum -c checksums.txt
  fi
else
  echo "NOTE: No local checksums.txt shipped; skipping local integrity verification"
fi
```
---
## Step 1.5 — Verify Bundled Components
Check that bundled security skills are properly deployed:
```bash
INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
SUITE_DIR="$INSTALL_ROOT/clawsec-suite"

# Report whether a bundled skill is deployed, only bundled, or missing.
check_bundled_skill() {
  local skill_name="$1"
  local skill_dir="$INSTALL_ROOT/$skill_name"
  local bundled_dir="$SUITE_DIR/bundled/$skill_name"
  local skill_version

  if [ -d "$skill_dir" ] && [ -f "$skill_dir/skill.json" ]; then
    # A malformed skill.json must not abort the whole heartbeat under `set -e`.
    skill_version=$(jq -r '.version // "unknown"' "$skill_dir/skill.json" 2>/dev/null || echo unknown)
    echo "$skill_name v${skill_version} is installed"
  elif [ -d "$bundled_dir" ] && [ -f "$bundled_dir/skill.json" ]; then
    echo "$skill_name bundled but not deployed"
    echo " Deploy with: cp -r '$bundled_dir' '$skill_dir'"
  else
    echo "$skill_name not found"
  fi
}

echo "=== Bundled Skills Status ==="
check_bundled_skill "clawsec-feed"
check_bundled_skill "openclaw-audit-watchdog"
check_bundled_skill "soul-guardian"
```
---
## Step 2 — Check for updates (using checksums.json)
Fetch the latest checksums.json from the release mirror. This file contains version info and SHA256 hashes for all release assets.
```bash
TMP="$(mktemp -d)"
# Remove the scratch directory on exit, including when curl fails under `set -e`.
trap 'rm -rf "$TMP"' EXIT
cd "$TMP"
curl -fsSLo checksums.json "$CHECKSUMS_URL"

INSTALLED_VER="$(jq -r '.version // ""' "$SUITE_DIR/skill.json" 2>/dev/null || true)"
LATEST_VER="$(jq -r '.version // ""' checksums.json 2>/dev/null || true)"
echo "Installed suite: ${INSTALLED_VER:-unknown}"
echo "Latest suite: ${LATEST_VER:-unknown}"

if [ -n "$LATEST_VER" ] && [ "$LATEST_VER" != "$INSTALLED_VER" ]; then
  echo "UPDATE AVAILABLE: clawsec-suite ${INSTALLED_VER:-unknown} -> $LATEST_VER"
  echo "(Implement your runtime-specific update action here.)"
else
  echo "Suite appears up to date."
fi
```
If your runtime does not have `jq`, you can parse the version line with grep/sed, or we can publish a simpler `latest.txt` endpoint.
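
One way to do the `jq`-free parsing mentioned above, as an added example that is not part of the ClawSec project's own code. It goes slightly beyond Step 2 by validating the remote version string before it reaches an alert message and by distinguishing an update from a downgrade. The function names `json_version` and `version_status` are hypothetical, and it assumes the suite version is the first `"version"` key in each file and is strictly numeric `MAJOR.MINOR.PATCH`.

```bash
# Added example (not ClawSec project code): jq-free version check for Step 2.
# Assumptions: the suite version is the first "version" key in each file and
# is strictly numeric MAJOR.MINOR.PATCH. Function names are hypothetical.

# Print the version from a JSON file, or nothing if absent or malformed.
# checksums.json is remote input, so the value is validated before use.
json_version() {
  re='.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*'
  # Split on braces and commas so minified JSON yields one pair per line.
  v=$(tr '{},' '\n\n\n' 2>/dev/null < "$1" | sed -n "/$re/{s/$re/\1/p;q;}") || v=""
  case "$v" in
    ''|*[!0-9.]*|.*|*.|*..*) return 0 ;;  # empty, or not plain digits and dots
  esac
  case "$v" in
    *.*.*.*) ;;                           # more than three components: reject
    *.*.*)   printf '%s\n' "$v" ;;        # exactly MAJOR.MINOR.PATCH
  esac
}

# Compare two versions that json_version has already validated.
# Prints: update | current | downgrade | unknown.
# The body is a subshell so the IFS change cannot leak into the caller.
version_status() (
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo unknown
  else
    IFS=.; set -- $1 $2   # six fields: installed ($1-$3), then latest ($4-$6)
    if   [ "$1" -ne "$4" ]; then a=$1 b=$4
    elif [ "$2" -ne "$5" ]; then a=$2 b=$5
    else a=$3 b=$6; fi
    if   [ "$b" -gt "$a" ]; then echo update
    elif [ "$b" -lt "$a" ]; then echo downgrade
    else echo current; fi
  fi
)

# Usage inside Step 2, after curl has written checksums.json:
#   INSTALLED_VER=$(json_version "$SUITE_DIR/skill.json")
#   LATEST_VER=$(json_version checksums.json)
#   echo "Status: $(version_status "$INSTALLED_VER" "$LATEST_VER")"
```

A `downgrade` result means the published version is older than the installed one, which the plain string inequality in Step 2 would report as an available update.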
---
## Output
This heartbeat should print a short report suitable for being copied into an alert message:
- suite version status
- integrity status