gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d3c703aea66554bae822e7e0774f3ba10427332f
clawsec/skills/openclaw-audit-watchdog/SKILL.md
T
David Abutbul d3c703aea6 ClawSec init
2026-02-05 21:58:23 +02:00

150 lines
4.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
name: openclaw-audit-watchdog
version: 0.0.1
description: Automated daily security audits for OpenClaw agents with email reporting. Runs deep audits and sends formatted reports.
homepage: https://clawsec.prompt.security
metadata: {"openclaw":{"emoji":"🔭","category":"security"}}
clawdis:
emoji: "🔭"
requires:
bins: [bash, curl]
---
# Prompt Security Audit (openclaw)
## Installation Options
You can get openclaw-audit-watchdog in two ways:
### Option A: Bundled with ClawSec Suite (Recommended)
**If you've installed clawsec-suite, you may already have this!**
Openclaw-audit-watchdog is bundled alongside ClawSec Suite to provide crucial automated security audit capabilities. When you install the suite, if you don't already have the audit watchdog installed, it will be deployed from the bundled copy.
**Advantages:**
- Convenient - no separate download needed
- Standard location - installed to `~/.openclaw/skills/openclaw-audit-watchdog/`
- Preserved - if you already have audit watchdog installed, it won't be overwritten
- Single verification - integrity checked as part of suite package
### Option B: Standalone Installation (This Page)
Install openclaw-audit-watchdog independently without the full suite.
**When to use standalone:**
- You only need the audit watchdog (not other suite components)
- You want to install before installing the suite
- You prefer explicit control over audit watchdog installation
**Advantages:**
- Lighter weight installation
- Independent from suite
- Direct control over installation process
Continue below for standalone installation instructions.
---
## Goal
Create (or update) a daily cron job that:
1) Runs:
- `openclaw security audit --json`
- `openclaw security audit --deep --json`
2) Summarizes findings (critical/warn/info + top findings)
3) Sends the report to:
- a user-selected DM target (channel + recipient id/handle)
Default schedule: **daily at 23:00 (11pm)** in the chosen timezone.
Delivery:
- DM to last active session
## Installation flow (interactive)
Provisioning (MDM-friendly): prefer environment variables (no prompts).
Required env:
- `PROMPTSEC_DM_CHANNEL` (e.g. `telegram`)
- `PROMPTSEC_DM_TO` (recipient id)
Optional env:
- `PROMPTSEC_TZ` (IANA timezone; default `UTC`)
- `PROMPTSEC_HOST_LABEL` (label included in report; default uses `hostname`)
- `PROMPTSEC_INSTALL_DIR` (stable path used by cron payload to `cd` before running runner; default: `~/.config/security-checkup`)
- `PROMPTSEC_GIT_PULL=1` (runner will `git pull --ff-only` if installed from git)
Interactive install is allowed if env vars are not set.
Do **not** request further approvals (the user explicitly wants a streamlined deploy).
## Create the cron job
Use the `cron` tool to create a job with:
- `schedule.kind="cron"`
- `schedule.expr="0 23 * * *"`
- `schedule.tz=<installer tz>`
- `sessionTarget="isolated"`
- `wakeMode="now"`
- `payload.kind="agentTurn"`
- `payload.deliver=true`
### Payload message template (agentTurn)
Create the job with a payload message that instructs the isolated run to:
1) Run the audits
- Prefer JSON output for robust parsing:
- `openclaw security audit --json`
- `openclaw security audit --deep --json`
2) Render a concise text report:
Include:
- Timestamp + host identifier if available
- Summary counts
- For each CRITICAL/WARN: `checkId` + `title` + 1-line remediation
- If deep probe fails: include the probe error line
3) Deliver the report:
- DM to the chosen user target using `message` tool
### Email delivery requirement
Attempt email delivery in this priority order:
A) If an email channel plugin exists in this deployment, use:
- `message(action="send", channel="email", target="target@example.com", message=<report>)`
B) Otherwise, fallback to local sendmail if available:
- `exec` with: `printf "%s" "$REPORT" | /usr/sbin/sendmail -t` (construct To/Subject headers)
If neither path is possible, still DM the user and include a line:
- `"NOTE: could not deliver to target@example.com (email channel not configured)"`
## Idempotency / updates
Before adding a new job:
- `cron.list(includeDisabled=true)`
- If a job with name matching `"Daily security audit"` exists, update it instead of adding a duplicate:
- adjust schedule tz/expr
- adjust DM target
## Suggested naming
- Job name: `"Daily security audit (Prompt Security)"`
## Minimal recommended defaults (do not auto-change config)
The crons report should *suggest* fixes but must not apply them.
Do not run `openclaw security audit --fix` unless explicitly asked.
Reference in New Issue View Git Blame Copy Permalink