Skill: clawsec-suite

Owner: davida-ps

Summary: ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup...

Tags: latest:0.1.3

Version history:

v0.1.3 | 2026-02-25T11:27:15.775Z | user

Release 0.1.3 via CI

v0.1.2 | 2026-02-16T16:56:08.830Z | user

Release 0.1.2 via CI

v0.1.1 | 2026-02-16T12:49:13.431Z | user

Release 0.1.1 via CI

v0.1.0 | 2026-02-16T11:35:46.667Z | user

Release 0.1.0 via CI

v0.0.10 | 2026-02-12T17:46:53.795Z | user

Release 0.0.10 via CI

v0.0.9 | 2026-02-09T06:39:56.118Z | user

Release 0.0.9 via CI

v0.0.8 | 2026-02-08T21:39:30.789Z | user

Release 0.0.8 via CI

v0.0.6 | 2026-02-05T23:17:52.513Z | user

Release 0.0.6 via CI

v0.0.5 | 2026-02-05T22:55:03.375Z | user

Release 0.0.5 via CI

v0.0.4 | 2026-02-05T22:38:34.592Z | user

Release 0.0.4 via CI

v0.0.3 | 2026-02-05T22:35:12.245Z | user

Release 0.0.3 via CI

v0.0.2 | 2026-02-05T22:01:08.104Z | user

Release 0.0.2 via CI

v0.0.1 | 2026-02-05T21:17:12.957Z | user

Release 0.0.1 via CI

Archive index:

Archive v0.1.3: 29 files, 59315 bytes

Files: advisories/feed.json (6761b), CHANGELOG.md (8193b), HEARTBEAT.md (6803b), hooks/clawsec-advisory-guardian/handler.ts (8809b), hooks/clawsec-advisory-guardian/HOOK.md (2072b), hooks/clawsec-advisory-guardian/lib/advisory_scope.mjs (1197b), hooks/clawsec-advisory-guardian/lib/feed.mjs (17545b), hooks/clawsec-advisory-guardian/lib/matching.ts (6261b), hooks/clawsec-advisory-guardian/lib/state.ts (2475b), hooks/clawsec-advisory-guardian/lib/suppression.mjs (5483b), hooks/clawsec-advisory-guardian/lib/types.ts (871b), hooks/clawsec-advisory-guardian/lib/utils.mjs (3656b), hooks/clawsec-advisory-guardian/lib/version.mjs (2972b), scripts/discover_skill_catalog.mjs (8231b), scripts/generate_checksums_json.mjs (2176b), scripts/guarded_skill_install.mjs (9855b), scripts/setup_advisory_cron.mjs (2993b), scripts/setup_advisory_hook.mjs (2434b), scripts/sign_detached_ed25519.mjs (1689b), scripts/verify_detached_ed25519.mjs (1847b), skill.json (7572b), SKILL.md (14864b), test/advisory_application_scope.test.mjs (2959b), test/advisory_suppression.test.mjs (13437b), test/feed_verification.test.mjs (20208b), test/guarded_install.test.mjs (14573b), test/path_resolution.test.mjs (5321b), test/skill_catalog_discovery.test.mjs (7391b), _meta.json (132b)

File v0.1.3:SKILL.md

---

name: clawsec-suite version: 0.1.3 description: ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills. homepage: https://clawsec.prompt.security clawdis: emoji: "📦" requires: bins: [curl, jq, shasum, openssl]

ClawSec Suite

This means clawsec-suite can:

• monitor the ClawSec advisory feed,
• track which advisories are new since last check,
• cross-reference advisories against locally installed skills,
• recommend removal for malicious-skill advisories and require explicit user approval first,
• and still act as the setup/management entrypoint for other ClawSec protections.

Included vs Optional Protections

Built into clawsec-suite

• Embedded feed seed file: advisories/feed.json
• Portable heartbeat workflow in HEARTBEAT.md
• Advisory polling + state tracking + affected-skill checks
• OpenClaw advisory guardian hook package: hooks/clawsec-advisory-guardian/
• Setup scripts for hook and optional cron scheduling: scripts/
• Guarded installer: scripts/guarded_skill_install.mjs
• Dynamic catalog discovery for installable skills: scripts/discover_skill_catalog.mjs

Installed separately (dynamic catalog)

clawsec-suite does not hard-code add-on skill names in this document.

Discover the current catalog from the authoritative index (https://clawsec.prompt.security/skills/index.json) at runtime:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs"

Fallback behavior:

• If the remote catalog index is reachable and valid, the suite uses it.
• If the remote index is unavailable or malformed, the script falls back to suite-local catalog metadata in skill.json.

Installation

Cross-shell path note

• In bash/zsh, keep path variables expandable (for example, INSTALL_ROOT="$HOME/.openclaw/skills").
• Do not single-quote home-variable paths (avoid '$HOME/.openclaw/skills').
• In PowerShell, set an explicit path:
  • $env:INSTALL_ROOT = Join-Path $HOME ".openclaw\\skills"
• If a path is passed with unresolved tokens (like \$HOME/...), suite scripts now fail fast with a clear error.

Option A: Via clawhub (recommended)

npx clawhub@latest install clawsec-suite

Option B: Manual download with signature + checksum verification

set -euo pipefail

VERSION="${SKILL_VERSION:?Set SKILL_VERSION (e.g. 0.0.8)}"
INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
DEST="$INSTALL_ROOT/clawsec-suite"
BASE="https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v${VERSION}"

TEMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TEMP_DIR"' EXIT

# Pinned release-signing public key (verify fingerprint out-of-band on first use)
# Fingerprint (SHA-256 of SPKI DER): 711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8
RELEASE_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"
cat > "$TEMP_DIR/release-signing-public.pem" <<'PEM'
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAS7nijfMcUoOBCj4yOXJX+GYGv2pFl2Yaha1P4v5Cm6A=
-----END PUBLIC KEY-----
PEM

ACTUAL_KEY_SHA256="$(openssl pkey -pubin -in "$TEMP_DIR/release-signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_KEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
  echo "ERROR: Release public key fingerprint mismatch" >&2
  exit 1
fi

ZIP_NAME="clawsec-suite-v${VERSION}.zip"

# 1) Download release archive + signed checksums manifest + signing public key
curl -fsSL "$BASE/$ZIP_NAME" -o "$TEMP_DIR/$ZIP_NAME"
curl -fsSL "$BASE/checksums.json" -o "$TEMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TEMP_DIR/checksums.sig"

# 2) Verify checksums manifest signature before trusting any hashes
openssl base64 -d -A -in "$TEMP_DIR/checksums.sig" -out "$TEMP_DIR/checksums.sig.bin"
if ! openssl pkeyutl -verify \
  -pubin \
  -inkey "$TEMP_DIR/release-signing-public.pem" \
  -sigfile "$TEMP_DIR/checksums.sig.bin" \
  -rawin \
  -in "$TEMP_DIR/checksums.json" >/dev/null 2>&1; then
  echo "ERROR: checksums.json signature verification failed" >&2
  exit 1
fi

EXPECTED_ZIP_SHA="$(jq -r '.archive.sha256 // empty' "$TEMP_DIR/checksums.json")"
if [ -z "$EXPECTED_ZIP_SHA" ]; then
  echo "ERROR: checksums.json missing archive.sha256" >&2
  exit 1
fi

if command -v shasum >/dev/null 2>&1; then
  ACTUAL_ZIP_SHA="$(shasum -a 256 "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
else
  ACTUAL_ZIP_SHA="$(sha256sum "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
fi

if [ "$EXPECTED_ZIP_SHA" != "$ACTUAL_ZIP_SHA" ]; then
  echo "ERROR: Archive checksum mismatch for $ZIP_NAME" >&2
  exit 1
fi

echo "Checksums manifest signature and archive hash verified."

# 3) Install verified archive
mkdir -p "$INSTALL_ROOT"
rm -rf "$DEST"
unzip -q "$TEMP_DIR/$ZIP_NAME" -d "$INSTALL_ROOT"

chmod 600 "$DEST/skill.json"
find "$DEST" -type f ! -name "skill.json" -exec chmod 644 {} \;

echo "Installed clawsec-suite v${VERSION} to: $DEST"
echo "Next step (OpenClaw): node \"\$DEST/scripts/setup_advisory_hook.mjs\""

OpenClaw Automation (Hook + Optional Cron)

After installing the suite, enable the advisory guardian hook:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_hook.mjs"

Optional: create/update a periodic cron nudge (default every 6h) that triggers a main-session advisory scan:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_cron.mjs"

What this adds:

• scan on agent:bootstrap and /new (command:new),
• compare advisory affected entries against installed skills,
• consider advisories with application: "openclaw" (and legacy entries without application for backward compatibility),
• notify when new matches appear,
• and ask for explicit user approval before any removal flow.

Restart the OpenClaw gateway after enabling the hook. Then run /new once to force an immediate scan in the next session context.

Guarded Skill Install Flow (Double Confirmation)

When the user asks to install a skill, treat that as the first request and run a guarded install check:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1

Behavior:

• If no advisory match is found, install proceeds.
• If --version is omitted, matching is conservative: any advisory that references the skill name is treated as a match.
• If advisory match is found, the script prints advisory context and exits with code 42.
• Then require an explicit second confirmation from the user and rerun with --confirm-advisory:

node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1 --confirm-advisory

This enforces:

1. First confirmation: user asked to install.
2. Second confirmation: user explicitly approves install after seeing advisory details.

Embedded Advisory Feed Behavior

The embedded feed logic uses these defaults:

• Remote feed URL: https://clawsec.prompt.security/advisories/feed.json
• Remote feed signature URL: ${CLAWSEC_FEED_URL}.sig (override with CLAWSEC_FEED_SIG_URL)
• Remote checksums manifest URL: sibling checksums.json (override with CLAWSEC_FEED_CHECKSUMS_URL)
• Local seed fallback: ~/.openclaw/skills/clawsec-suite/advisories/feed.json
• Local feed signature: ${CLAWSEC_LOCAL_FEED}.sig (override with CLAWSEC_LOCAL_FEED_SIG)
• Local checksums manifest: ~/.openclaw/skills/clawsec-suite/advisories/checksums.json
• Pinned feed signing key: ~/.openclaw/skills/clawsec-suite/advisories/feed-signing-public.pem (override with CLAWSEC_FEED_PUBLIC_KEY)
• State file: ~/.openclaw/clawsec-suite-feed-state.json
• Hook rate-limit env (OpenClaw hook): CLAWSEC_HOOK_INTERVAL_SECONDS (default 300)

Fail-closed verification: Feed signatures are required by default. Checksum manifests are verified when companion checksum artifacts are available. Set CLAWSEC_ALLOW_UNSIGNED_FEED=1 only as a temporary migration bypass when adopting this version before signed feed artifacts are available upstream.

Quick feed check

FEED_URL="${CLAWSEC_FEED_URL:-https://clawsec.prompt.security/advisories/feed.json}"
STATE_FILE="${CLAWSEC_SUITE_STATE_FILE:-$HOME/.openclaw/clawsec-suite-feed-state.json}"

TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

if ! curl -fsSLo "$TMP/feed.json" "$FEED_URL"; then
  echo "ERROR: Failed to fetch advisory feed"
  exit 1
fi

if ! jq -e '.version and (.advisories | type == "array")' "$TMP/feed.json" >/dev/null; then
  echo "ERROR: Invalid advisory feed format"
  exit 1
fi

mkdir -p "$(dirname "$STATE_FILE")"
if [ ! -f "$STATE_FILE" ]; then
  echo '{"schema_version":"1.0","known_advisories":[],"last_feed_check":null,"last_feed_updated":null}' > "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

NEW_IDS_FILE="$TMP/new_ids.txt"
jq -r --argfile state "$STATE_FILE" '($state.known_advisories // []) as $known | [.advisories[]?.id | select(. != null and ($known | index(.) | not))] | .[]?' "$TMP/feed.json" > "$NEW_IDS_FILE"

if [ -s "$NEW_IDS_FILE" ]; then
  echo "New advisories detected:"
  while IFS= read -r id; do
    [ -z "$id" ] && continue
    jq -r --arg id "$id" '.advisories[] | select(.id == $id) | "- [\(.severity | ascii_upcase)] \(.id): \(.title)"' "$TMP/feed.json"
  done < "$NEW_IDS_FILE"
else
  echo "FEED_OK - no new advisories"
fi

Heartbeat Integration

Use the suite heartbeat script as the single periodic security check entrypoint:

• skills/clawsec-suite/HEARTBEAT.md

It handles:

• suite update checks,
• feed polling,
• new-advisory detection,
• affected-skill cross-referencing,
• approval-gated response guidance for malicious/removal advisories,
• and persistent state updates.

Approval-Gated Response Contract

If an advisory indicates a malicious or removal-recommended skill and that skill is installed:

1. Notify the user immediately with advisory details and severity.
2. Recommend removing or disabling the affected skill.
3. Treat the original install request as first intent only.
4. Ask for explicit second confirmation before deletion/disable action (or before proceeding with risky install).
5. Only proceed after that second confirmation.

The suite hook and heartbeat guidance are intentionally non-destructive by default.

Advisory Suppression / Allowlist

The advisory guardian pipeline supports opt-in suppression for advisories that have been reviewed and accepted by your security team. This is useful for first-party tooling or advisories that do not apply to your deployment.

Activation

Advisory suppression requires a single gate: the configuration file must contain "enabledFor" with "advisory" in the array. No CLI flag is needed -- the sentinel in the config file IS the opt-in gate.

If the enabledFor array is missing, empty, or does not include "advisory", all advisories are reported normally.

Config File Resolution (4-tier)

The advisory guardian resolves the suppression config using the same priority order as the audit pipeline:

1. Explicit --config <path> argument
2. OPENCLAW_AUDIT_CONFIG environment variable
3. ~/.openclaw/security-audit.json
4. .clawsec/allowlist.json

Config Format

{
  "enabledFor": ["advisory"],
  "suppressions": [
    {
      "checkId": "CVE-2026-25593",
      "skill": "clawsec-suite",
      "reason": "First-party security tooling — reviewed by security team",
      "suppressedAt": "2026-02-15"
    },
    {
      "checkId": "CLAW-2026-0001",
      "skill": "example-skill",
      "reason": "Advisory does not apply to our deployment configuration",
      "suppressedAt": "2026-02-16"
    }
  ]
}

Sentinel Semantics

• "enabledFor": ["advisory"] -- only advisory suppression active
• "enabledFor": ["audit"] -- only audit suppression active (no effect on advisory pipeline)
• "enabledFor": ["audit", "advisory"] -- both pipelines honor suppressions
• Missing or empty enabledFor -- no suppression active (safe default)

Matching Rules

• checkId: exact match against the advisory ID (e.g., CVE-2026-25593 or CLAW-2026-0001)
• skill: case-insensitive match against the affected skill name from the advisory
• Both fields must match for an advisory to be suppressed

Required Fields per Suppression Entry

| Field | Description | Example | |-------|-------------|---------| | checkId | Advisory ID to suppress | CVE-2026-25593 | | skill | Affected skill name | clawsec-suite | | reason | Justification for audit trail (required) | First-party tooling, reviewed by security team | | suppressedAt | ISO 8601 date (YYYY-MM-DD) | 2026-02-15 |

Shared Config with Audit Pipeline

The advisory and audit pipelines share the same config file. Use the enabledFor array to control which pipelines honor the suppression list:

{
  "enabledFor": ["audit", "advisory"],
  "suppressions": [
    {
      "checkId": "skills.code_safety",
      "skill": "clawsec-suite",
      "reason": "First-party tooling — audit finding accepted",
      "suppressedAt": "2026-02-15"
    },
    {
      "checkId": "CVE-2026-25593",
      "skill": "clawsec-suite",
      "reason": "First-party tooling — advisory reviewed",
      "suppressedAt": "2026-02-15"
    }
  ]
}

Audit entries (with check identifiers like skills.code_safety) are only matched by the audit pipeline. Advisory entries (with advisory IDs like CVE-2026-25593 or CLAW-2026-0001) are only matched by the advisory pipeline. Each pipeline filters for its own relevant entries.

Optional Skill Installation

Discover currently available installable skills dynamically, then install the ones you want:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs"

# then install any discovered skill by name
npx clawhub@latest install <skill-name>

Machine-readable output is also available for automation:

node "$SUITE_DIR/scripts/discover_skill_catalog.mjs" --json

Security Notes

• Always verify checksums.json signature before trusting its file URLs/hashes, then verify each file checksum.
• Verify advisory feed detached signatures; do not enable CLAWSEC_ALLOW_UNSIGNED_FEED outside temporary migration windows.
• Keep advisory polling rate-limited (at least 5 minutes between checks).
• Treat critical and high advisories affecting installed skills as immediate action items.
• If you migrate off standalone clawsec-feed, keep one canonical state file to avoid duplicate notifications.
• Pin and verify public key fingerprints out-of-band before first use.

File v0.1.3:_meta.json

{ "ownerId": "kn76m78f01hqrtpgm895s0jsax80jd8v", "slug": "clawsec-suite", "version": "0.1.3", "publishedAt": 1772018835775 }

File v0.1.3:CHANGELOG.md

Changelog

All notable changes to the ClawSec Suite will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.1.3]

Added

• Contributor credit: portability and path-hardening improvements in this release were contributed by @aldodelgado in PR #62.
• Cross-shell path resolution support for home-directory tokens in suite path configuration (~, $HOME, ${HOME}, %USERPROFILE%, $env:HOME).
• Dedicated path-resolution regression coverage (test/path_resolution.test.mjs) including fallback behavior for invalid explicit path values.
• Additional advisory/installer tests validating home-token expansion and escaped-token rejection.

Changed

• Advisory guardian hook now resolves configured path environment variables through a shared portability helper.
• Guarded install flow now resolves feed/signature/checksum/public-key path overrides through the same shared path helper for consistent behavior across shells/OSes.
• Advisory matching now explicitly scopes to application: "openclaw" when present; legacy advisories without application remain eligible for backward compatibility.

Fixed

• Prevented advisory-check bypass when a single explicit path env var is malformed: invalid explicit values now fall back to safe defaults instead of aborting the entire hook run.

Security

• Escaped/unexpanded home-token inputs in path config are explicitly rejected while preserving secure defaults.

[0.1.2]

Added

• Advisory suppression module (hooks/clawsec-advisory-guardian/lib/suppression.mjs).
• loadAdvisorySuppression() -- loads suppression config with enabledFor: ["advisory"] sentinel gate.
• isAdvisorySuppressed() -- matches advisory.id === rule.checkId + case-insensitive skill name.
• Advisory guardian handler integration: partitions matches into active/suppressed after findMatches().
• Suppressed matches tracked in state file (prevents re-evaluation) but not alerted.
• Soft notification message for suppressed matches count.
• Advisory suppression tests (13 tests in advisory_suppression.test.mjs).
• Documentation in SKILL.md for advisory suppression/allowlist mechanism.

Changed

• Advisory guardian handler (handler.ts) now loads suppression config and filters matches before alerting.

Security

• Advisory suppression gated by config file sentinel (enabledFor: ["advisory"]) -- no CLI flag needed but config must explicitly opt in.
• Suppressed matches are still tracked in state to maintain audit trail.

[0.1.1] - 2026-02-16

Added

• Added scripts/discover_skill_catalog.mjs to dynamically discover installable skills from https://clawsec.prompt.security/skills/index.json.
• Added test/skill_catalog_discovery.test.mjs to validate remote-catalog loading and fallback behavior.
• Added CI signing-key drift guard script: scripts/ci/verify_signing_key_consistency.sh.

Changed

• Updated SKILL.md to use dynamic catalog discovery commands instead of hard-coded optional-skill names.
• Updated advisory feed defaults to signed-host URL (https://clawsec.prompt.security/advisories/feed.json).
• Improved checksum manifest key compatibility in feed verification logic (supports basename and advisories/* key formats).
• Kept openclaw-audit-watchdog as a standalone skill (not embedded in clawsec-suite).

Security

• Signing key drift control: CI now enforces that all public key references (inline SKILL.md PEM, canonical .pem files, workflow-generated keys) resolve to the same fingerprint. Prevents stale, fabricated, or rotated-but-not-propagated key material from reaching releases.
  • Enforced in: .github/workflows/skill-release.yml, .github/workflows/deploy-pages.yml
  • Guard script: scripts/ci/verify_signing_key_consistency.sh

Fixed

• Fixed fabricated signing key in SKILL.md: The manual installation script contained a hallucinated Ed25519 public key and fingerprint (35866e1b...) that never corresponded to the actual release signing key. Replaced with the real public key derived from the GitHub-secret-held private key. The bogus key was introduced in v0.0.10 (Integration/signing work #20) and went undetected because no consistency check existed at the time.
• Corrected checksums.sig naming in release verification documentation.

[0.0.10] - 2026-02-11

Security

Transport Security Hardening

• TLS Version Enforcement: Eliminated support for TLS 1.0 and TLS 1.1, enforcing minimum TLS 1.2 for all HTTPS connections
• Certificate Validation: Enabled strict certificate validation (rejectUnauthorized: true) to prevent MITM attacks
• Domain Allowlist: Restricted advisory feed connections to approved domains only:
  • clawsec.prompt.security (official ClawSec feed host)
  • prompt.security (parent domain)
  • raw.githubusercontent.com (GitHub raw content)
  • github.com (GitHub releases)
• Strong Cipher Suites: Configured modern cipher suites (AES-GCM, ChaCha20-Poly1305) for secure connections

Signature Verification & Checksum Validation

• Fixed unverified file publication: Refactored deploy-pages.yml workflow to download release assets to temporary directory before signature verification, ensuring unverified files never reach public directory
• Fixed schema mismatch: Updated deploy-pages.yml to generate checksums.json with proper schema_version and algorithm fields that match parser expectations
• Fixed missing checksums abort: Updated loadRemoteFeed to gracefully skip checksum verification when checksums.json is missing (e.g., GitHub raw content), while still enforcing fail-closed signature verification
• Fixed parser strictness: Enhanced parseChecksumsManifest to accept legacy manifest formats through a fallback chain:
  1. schema_version (new standard)
  2. version (skill-release.yml format)
  3. generated_at (old deploy-pages.yml format)
  4. "1" (ultimate fallback)

Changed

• Advisory feed loader now uses secureFetch wrapper with TLS 1.2+ enforcement and domain validation
• Checksum verification is now graceful: feeds load successfully from sources without checksums (e.g., GitHub raw) while maintaining fail-closed signature verification
• Workflow release mirroring flow changed from download → verify → skip to download to temp → verify → mirror (fail = delete temp)

Fixed

• Unverified skill releases no longer published to public directory on signature verification failure
• Schema mismatch between generated and expected checksums manifest fields
• Feed loading failures when checksums.json missing from upstream sources
• Parser rejection of valid legacy manifest formats

Security Impact

• Fail-closed security maintained: All feed signatures still verified; invalid signatures reject feed loading
• No backward compatibility break: Legacy manifests continue working through fallback chain
• Enhanced transport security: Connections protected against downgrade attacks and MITM
• Defense in depth: Multiple layers of verification (domain, TLS, certificate, signature, checksum)

---

Release Notes Template

When creating a new release, copy this template to the GitHub release notes:

## Security Improvements

### Transport Security
✅ TLS 1.2+ enforcement (eliminated TLS 1.0, 1.1)
✅ Strict certificate validation
✅ Domain allowlist (prompt.security, github.com only)
✅ Modern cipher suites (AES-GCM, ChaCha20-Poly1305)

### Signature & Checksum Verification
✅ Unverified files never published (temp directory workflow)
✅ Proper schema fields in generated checksums.json
✅ Graceful fallback when checksums missing (GitHub raw)
✅ Legacy manifest format support (backward compatible)

### Testing
All verification tests passed:
- ✅ Unit tests: 14/14 passed
- ✅ Parser lenience: 3/3 legacy formats accepted
- ✅ Remote loading: Gracefully handles missing checksums
- ✅ Workflow security: Temp directory prevents unverified publication

File v0.1.3:HEARTBEAT.md

ClawSec Suite — Heartbeat Check

Run this periodically (cron/systemd/CI/agent scheduler). It assumes POSIX shell, curl, and jq.

Goals

1. Check whether clawsec-suite has an update available.
2. Poll the advisory feed.
3. Report new advisories, highlight affected installed skills, and require approval before removal actions.

---

Configuration

INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
SUITE_DIR="$INSTALL_ROOT/clawsec-suite"
CHECKSUMS_URL="${CHECKSUMS_URL:-https://clawsec.prompt.security/releases/latest/download/checksums.json}"
FEED_URL="${CLAWSEC_FEED_URL:-https://clawsec.prompt.security/advisories/feed.json}"
STATE_FILE="${CLAWSEC_SUITE_STATE_FILE:-$HOME/.openclaw/clawsec-suite-feed-state.json}"
MIN_FEED_INTERVAL_SECONDS="${MIN_FEED_INTERVAL_SECONDS:-300}"

---

Step 0 — Basic sanity

set -euo pipefail

test -d "$SUITE_DIR"
test -f "$SUITE_DIR/skill.json"

echo "=== ClawSec Suite Heartbeat ==="
echo "When:  $(date -u +%Y-%m-%dT%H:%M:%SZ)"
echo "Suite: $SUITE_DIR"

---

Step 1 — Check suite version updates

TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

curl -fsSLo "$TMP/checksums.json" "$CHECKSUMS_URL"

INSTALLED_VER="$(jq -r '.version // ""' "$SUITE_DIR/skill.json" 2>/dev/null || true)"
LATEST_VER="$(jq -r '.version // ""' "$TMP/checksums.json" 2>/dev/null || true)"

echo "Installed suite: ${INSTALLED_VER:-unknown}"
echo "Latest suite:    ${LATEST_VER:-unknown}"

if [ -n "$LATEST_VER" ] && [ "$LATEST_VER" != "$INSTALLED_VER" ]; then
  echo "UPDATE AVAILABLE: clawsec-suite ${INSTALLED_VER:-unknown} -> $LATEST_VER"
else
  echo "Suite appears up to date."
fi

---

Step 2 — Initialize advisory state

mkdir -p "$(dirname "$STATE_FILE")"

if [ ! -f "$STATE_FILE" ]; then
  echo '{"schema_version":"1.0","known_advisories":[],"last_feed_check":null,"last_feed_updated":null}' > "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

if ! jq -e '.schema_version and .known_advisories' "$STATE_FILE" >/dev/null 2>&1; then
  echo "WARNING: Invalid state file, resetting: $STATE_FILE"
  cp "$STATE_FILE" "${STATE_FILE}.bak.$(date -u +%Y%m%d%H%M%S)" 2>/dev/null || true
  echo '{"schema_version":"1.0","known_advisories":[],"last_feed_check":null,"last_feed_updated":null}' > "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

---

Step 3 — Advisory feed check (embedded clawsec-feed)

now_epoch="$(date -u +%s)"
last_check="$(jq -r '.last_feed_check // "1970-01-01T00:00:00Z"' "$STATE_FILE")"
last_epoch="$(date -u -d "$last_check" +%s 2>/dev/null || date -u -j -f "%Y-%m-%dT%H:%M:%SZ" "$last_check" +%s 2>/dev/null || echo 0)"

if [ $((now_epoch - last_epoch)) -lt "$MIN_FEED_INTERVAL_SECONDS" ]; then
  echo "Feed check skipped (rate limit: ${MIN_FEED_INTERVAL_SECONDS}s)."
else
  FEED_TMP="$TMP/feed.json"
  FEED_SOURCE="$FEED_URL"

  if ! curl -fsSLo "$FEED_TMP" "$FEED_URL"; then
    if [ -f "$SUITE_DIR/advisories/feed.json" ]; then
      cp "$SUITE_DIR/advisories/feed.json" "$FEED_TMP"
      FEED_SOURCE="$SUITE_DIR/advisories/feed.json (local fallback)"
      echo "WARNING: Remote feed unavailable, using local fallback."
    else
      echo "ERROR: Remote feed unavailable and no local fallback feed found."
      exit 1
    fi
  fi

  if ! jq -e '.version and (.advisories | type == "array")' "$FEED_TMP" >/dev/null 2>&1; then
    echo "ERROR: Advisory feed has invalid format."
    exit 1
  fi

  echo "Feed source: $FEED_SOURCE"
  echo "Feed updated: $(jq -r '.updated // "unknown"' "$FEED_TMP")"

  NEW_IDS_FILE="$TMP/new_ids.txt"
  jq -r --argfile state "$STATE_FILE" '($state.known_advisories // []) as $known | [.advisories[]?.id | select(. != null and ($known | index(.) | not))] | .[]?' "$FEED_TMP" > "$NEW_IDS_FILE"

  if [ -s "$NEW_IDS_FILE" ]; then
    echo "New advisories:"
    while IFS= read -r id; do
      [ -z "$id" ] && continue
      jq -r --arg id "$id" '.advisories[] | select(.id == $id) | "- [\(.severity | ascii_upcase)] \(.id): \(.title)"' "$FEED_TMP"
      jq -r --arg id "$id" '.advisories[] | select(.id == $id) | "  Action: \(.action // "Review advisory details")"' "$FEED_TMP"
    done < "$NEW_IDS_FILE"
  else
    echo "FEED_OK - no new advisories"
  fi

  echo "Affected installed skills (if any):"
  found_affected=0
  removal_recommended=0
  for skill_path in "$INSTALL_ROOT"/*; do
    [ -d "$skill_path" ] || continue
    skill_name="$(basename "$skill_path")"

    skill_hits="$(jq -r --arg skill_prefix "${skill_name}@" '
      [.advisories[]
      | select(any(.affected[]?; startswith($skill_prefix)))
      | "- [\(.severity | ascii_upcase)] \(.id): \(.title)\n  Action: \(.action // "Review advisory details")"
      ] | .[]?
    ' "$FEED_TMP")"

    if [ -n "$skill_hits" ]; then
      found_affected=1
      echo "- $skill_name is referenced by advisory feed entries"
      printf "%s\n" "$skill_hits"

      if jq -e --arg skill_prefix "${skill_name}@" '
        any(
          .advisories[];
          any(.affected[]?; startswith($skill_prefix))
          and (
            ((.type // "" | ascii_downcase) == "malicious_skill")
            or ((.title // "" | ascii_downcase | test("malicious|exfiltrat|backdoor|trojan|stealer")))
            or ((.description // "" | ascii_downcase | test("malicious|exfiltrat|backdoor|trojan|stealer")))
            or ((.action // "" | ascii_downcase | test("remove|uninstall|disable|do not use|quarantine")))
          )
        )
      ' "$FEED_TMP" >/dev/null 2>&1; then
        removal_recommended=1
      fi
    fi
  done

  if [ "$found_affected" -eq 0 ]; then
    echo "- none"
  fi

  if [ "$removal_recommended" -eq 1 ]; then
    echo "Approval required: ask the user for explicit approval before removing any skill."
    echo "Double-confirmation policy: install request is first intent; require a second explicit confirmation with advisory context."
  fi

  # Persist state
  current_utc="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  state_tmp="$TMP/state.json"

  jq --arg t "$current_utc" --arg updated "$(jq -r '.updated // ""' "$FEED_TMP")" --argfile feed "$FEED_TMP" '
    .last_feed_check = $t
    | .last_feed_updated = (if $updated == "" then .last_feed_updated else $updated end)
    | .known_advisories = ((.known_advisories // []) + [$feed.advisories[]?.id] | map(select(. != null)) | unique)
  ' "$STATE_FILE" > "$state_tmp"

  mv "$state_tmp" "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

---

Output Summary

Heartbeat output should include:

• suite version status,
• advisory feed status,
• new advisory list (if any),
• installed skills that appear in advisory affected lists,
• and a double-confirmation reminder before risky install/remove actions.

If your runtime sends alerts, treat critical and high advisories affecting installed skills as immediate notifications.

File v0.1.3:hooks/clawsec-advisory-guardian/HOOK.md

---

name: clawsec-advisory-guardian description: Detect advisory matches for installed skills and require explicit user approval before any removal action. metadata: { "openclaw": { "events": ["agent:bootstrap", "command:new"] } }

ClawSec Advisory Guardian Hook

This hook checks the ClawSec advisory feed against locally installed skills on:

• agent:bootstrap
• command:new

When it detects an advisory affecting an installed skill, it posts an alert message. If the advisory looks malicious or removal-oriented, it explicitly recommends removal and asks for user approval first.

Safety Contract

• The hook does not delete or modify skills.
• It only reports findings and requests explicit approval before removal.
• Alerts are deduplicated using ~/.openclaw/clawsec-suite-feed-state.json.

Optional Environment Variables

• CLAWSEC_FEED_URL: override remote feed URL.
• CLAWSEC_FEED_SIG_URL: override detached remote feed signature URL (default ${CLAWSEC_FEED_URL}.sig).
• CLAWSEC_FEED_CHECKSUMS_URL: override remote checksum manifest URL (default sibling checksums.json).
• CLAWSEC_FEED_CHECKSUMS_SIG_URL: override detached remote checksum manifest signature URL.
• CLAWSEC_FEED_PUBLIC_KEY: path to pinned feed-signing public key PEM.
• CLAWSEC_LOCAL_FEED: override local fallback feed file.
• CLAWSEC_LOCAL_FEED_SIG: override local detached feed signature path.
• CLAWSEC_LOCAL_FEED_CHECKSUMS: override local checksum manifest path.
• CLAWSEC_LOCAL_FEED_CHECKSUMS_SIG: override local checksum manifest signature path.
• CLAWSEC_VERIFY_CHECKSUM_MANIFEST: set to 0 only for emergency troubleshooting (default verifies checksums).
• CLAWSEC_ALLOW_UNSIGNED_FEED: set to 1 only for temporary migration compatibility; bypasses signature/checksum verification.
• CLAWSEC_SUITE_STATE_FILE: override state file path.
• CLAWSEC_INSTALL_ROOT: override installed skills root.
• CLAWSEC_SUITE_DIR: override clawsec-suite install path.
• CLAWSEC_HOOK_INTERVAL_SECONDS: minimum interval between hook scans (default 300).

File v0.1.3:advisories/feed.json

{ "version": "0.0.2", "updated": "2026-02-08T06:16:28Z", "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.", "advisories": [ { "id": "CVE-2026-25593", "severity": "high", "type": "vulnerable_skill", "title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...", "description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-06T21:16:17.790", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg" ], "cvss_score": 8.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593" }, { "id": "CVE-2026-25475", "severity": "medium", "type": "vulnerable_skill", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-04T20:16:07.287", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25475" }, { "id": "CVE-2026-25157", "severity": "high", "type": "vulnerable_skill", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vu...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-04T20:16:06.577", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25157" }, { "id": "CLAW-2026-0001", "severity": "high", "type": "prompt_injection", "title": "Data exfiltration attempt via helper-plus skill", "description": "The helper-plus skill was observed sending conversation data to an external server (suspicious-domain.com) on every invocation. The skill makes undocumented network calls that transmit full conversation context to a domain not mentioned in the skill description.", "affected": [ "helper-plus@1.0.0", "helper-plus@1.0.1" ], "action": "Remove helper-plus immediately. Do not use versions 1.0.0 or 1.0.1. Wait for a verified patched version.", "published": "2026-02-04T09:30:00Z", "references": [], "source": "Community Report", "github_issue_url": "https://github.com/prompt-security/clawsec/issues/1", "reporter": { "agent_name": "SecurityBot", "opener_type": "agent" } }, { "id": "CVE-2026-24763", "severity": "high", "type": "vulnerable_skill", "title": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026....", "description": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-02T23:16:08.593", "references": [ "https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75", "https://github.com/openclaw/openclaw/releases/tag/v2026.1.29", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24763" }, { "id": "CVE-2026-25253", "severity": "high", "type": "vulnerable_skill", "title": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string a...", "description": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-01T23:15:49.717", "references": [ "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys", "https://ethiack.com/news/blog/one-click-rce-moltbot", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253" } ] }

File v0.1.3:skill.json

{ "name": "clawsec-suite", "version": "0.1.3", "description": "ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.", "author": "prompt-security", "license": "AGPL-3.0-or-later", "homepage": "https://clawsec.prompt.security/", "keywords": [ "security", "skills", "catalog", "installer", "integrity", "advisory", "feed", "threat-intel", "hooks", "approval", "agents", "ai", "suite", "openclaw", "signature", "verification" ], "sbom": { "files": [ { "path": "SKILL.md", "required": true, "description": "Suite skill documentation and installation guide" }, { "path": "CHANGELOG.md", "required": true, "description": "Version history and security improvements changelog" }, { "path": "HEARTBEAT.md", "required": true, "description": "Portable heartbeat and update-check procedure" }, { "path": "advisories/feed.json", "required": true, "description": "Embedded advisory feed seed (merged from clawsec-feed)" }, { "path": "advisories/feed.json.sig", "required": true, "description": "Detached Ed25519 signature for advisory feed" }, { "path": "advisories/checksums.json", "required": true, "description": "SHA-256 checksum manifest for advisory artifacts" }, { "path": "advisories/checksums.json.sig", "required": true, "description": "Detached Ed25519 signature for checksum manifest" }, { "path": "advisories/feed-signing-public.pem", "required": true, "description": "Pinned Ed25519 public key for feed signature verification" }, { "path": "hooks/clawsec-advisory-guardian/HOOK.md", "required": true, "description": "OpenClaw hook metadata for advisory-driven malicious-skill checks" }, { "path": "hooks/clawsec-advisory-guardian/handler.ts", "required": true, "description": "OpenClaw hook handler for approval-gated advisory actions with signature verification" }, { "path": "hooks/clawsec-advisory-guardian/lib/utils.mjs", "required": true, "description": "Shared utility functions (isObject, normalizeSkillName, uniqueStrings)" }, { "path": "hooks/clawsec-advisory-guardian/lib/version.mjs", "required": true, "description": "Shared semver parsing and version matching logic" }, { "path": "hooks/clawsec-advisory-guardian/lib/feed.mjs", "required": true, "description": "Advisory feed loading with Ed25519 signature and checksum manifest verification" }, { "path": "hooks/clawsec-advisory-guardian/lib/types.ts", "required": true, "description": "TypeScript type definitions for hook and feed structures" }, { "path": "hooks/clawsec-advisory-guardian/lib/state.ts", "required": true, "description": "Advisory state persistence and loading" }, { "path": "hooks/clawsec-advisory-guardian/lib/matching.ts", "required": true, "description": "Advisory-to-skill matching and alert message generation" }, { "path": "scripts/setup_advisory_hook.mjs", "required": true, "description": "Installer script for enabling the advisory guardian hook" }, { "path": "scripts/setup_advisory_cron.mjs", "required": true, "description": "Installer script for optional periodic advisory scan cron" }, { "path": "scripts/guarded_skill_install.mjs", "required": true, "description": "Two-step confirmation installer with signature verification that blocks risky skill installs" }, { "path": "scripts/discover_skill_catalog.mjs", "required": true, "description": "Dynamic skill-catalog discovery with remote index fetch and suite-local fallback metadata" }, { "path": "scripts/sign_detached_ed25519.mjs", "required": false, "description": "Utility script for generating Ed25519 detached signatures" }, { "path": "scripts/verify_detached_ed25519.mjs", "required": false, "description": "Utility script for verifying Ed25519 detached signatures" }, { "path": "scripts/generate_checksums_json.mjs", "required": false, "description": "Utility script for generating SHA-256 checksum manifests" } ] }, "embedded_components": { "clawsec-feed": { "source_skill": "clawsec-feed", "source_version": "0.0.4", "paths": [ "advisories/feed.json", "advisories/feed.json.sig", "advisories/checksums.json", "advisories/checksums.json.sig", "advisories/feed-signing-public.pem" ], "capabilities": [ "advisory-feed monitoring", "new-advisory detection", "affected-skill cross-reference", "approval-gated malicious-skill removal recommendations", "double-confirmation gating for risky skill installs", "Ed25519 signature verification", "checksum manifest verification" ], "standalone_available": true, "deprecation_plan": "standalone skill may be retired after suite migration is verified" } }, "catalog": { "description": "Available protections in the ClawSec suite", "base_url": "https://clawsec.prompt.security/releases/download", "skills": { "clawsec-feed": { "description": "Advisory monitoring is now embedded in clawsec-suite", "integrated_in_suite": true, "standalone_available": true, "compatible": [ "openclaw", "moltbot", "clawdbot", "other" ] }, "openclaw-audit-watchdog": { "description": "Automated daily audits with email reporting", "default_install": true, "compatible": [ "openclaw", "moltbot", "clawdbot" ], "note": "Tailored for OpenClaw/MoltBot family" }, "soul-guardian": { "description": "Drift detection and file integrity guard", "default_install": false, "compatible": [ "openclaw", "moltbot", "clawdbot", "other" ] }, "clawtributor": { "description": "Community incident reporting (shares anonymized data)", "default_install": false, "requires_explicit_consent": true, "compatible": [ "openclaw", "moltbot", "clawdbot", "other" ] } } }, "openclaw": { "emoji": "📦", "category": "security", "requires": { "bins": [ "curl", "jq", "shasum", "openssl" ] }, "triggers": [ "clawsec suite", "security suite", "security advisories", "malicious skill alert", "remove malicious skills", "safe skill install", "confirm skill install", "check advisories", "advisory feed", "install security skills", "verify skills", "check skill integrity", "update skills" ] } }

Archive v0.1.2: 26 files, 53210 bytes

Files: advisories/feed.json (6761b), CHANGELOG.md (6836b), HEARTBEAT.md (6803b), hooks/clawsec-advisory-guardian/handler.ts (8337b), hooks/clawsec-advisory-guardian/HOOK.md (2072b), hooks/clawsec-advisory-guardian/lib/feed.mjs (17545b), hooks/clawsec-advisory-guardian/lib/matching.ts (6138b), hooks/clawsec-advisory-guardian/lib/state.ts (2475b), hooks/clawsec-advisory-guardian/lib/suppression.mjs (5289b), hooks/clawsec-advisory-guardian/lib/types.ts (836b), hooks/clawsec-advisory-guardian/lib/utils.mjs (473b), hooks/clawsec-advisory-guardian/lib/version.mjs (2972b), scripts/discover_skill_catalog.mjs (8231b), scripts/generate_checksums_json.mjs (2176b), scripts/guarded_skill_install.mjs (9393b), scripts/setup_advisory_cron.mjs (2993b), scripts/setup_advisory_hook.mjs (2434b), scripts/sign_detached_ed25519.mjs (1689b), scripts/verify_detached_ed25519.mjs (1847b), skill.json (7558b), SKILL.md (14313b), test/advisory_suppression.test.mjs (11352b), test/feed_verification.test.mjs (20208b), test/guarded_install.test.mjs (12484b), test/skill_catalog_discovery.test.mjs (7391b), _meta.json (132b)

File v0.1.2:SKILL.md

---

name: clawsec-suite version: 0.1.2 description: ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills. homepage: https://clawsec.prompt.security clawdis: emoji: "📦" requires: bins: [curl, jq, shasum, openssl]

ClawSec Suite

This means clawsec-suite can:

• monitor the ClawSec advisory feed,
• track which advisories are new since last check,
• cross-reference advisories against locally installed skills,
• recommend removal for malicious-skill advisories and require explicit user approval first,
• and still act as the setup/management entrypoint for other ClawSec protections.

Included vs Optional Protections

Built into clawsec-suite

• Embedded feed seed file: advisories/feed.json
• Portable heartbeat workflow in HEARTBEAT.md
• Advisory polling + state tracking + affected-skill checks
• OpenClaw advisory guardian hook package: hooks/clawsec-advisory-guardian/
• Setup scripts for hook and optional cron scheduling: scripts/
• Guarded installer: scripts/guarded_skill_install.mjs
• Dynamic catalog discovery for installable skills: scripts/discover_skill_catalog.mjs

Installed separately (dynamic catalog)

clawsec-suite does not hard-code add-on skill names in this document.

Discover the current catalog from the authoritative index (https://clawsec.prompt.security/skills/index.json) at runtime:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs"

Fallback behavior:

• If the remote catalog index is reachable and valid, the suite uses it.
• If the remote index is unavailable or malformed, the script falls back to suite-local catalog metadata in skill.json.

Installation

Option A: Via clawhub (recommended)

npx clawhub@latest install clawsec-suite

Option B: Manual download with signature + checksum verification

set -euo pipefail

VERSION="${SKILL_VERSION:?Set SKILL_VERSION (e.g. 0.0.8)}"
INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
DEST="$INSTALL_ROOT/clawsec-suite"
BASE="https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v${VERSION}"

TEMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TEMP_DIR"' EXIT

# Pinned release-signing public key (verify fingerprint out-of-band on first use)
# Fingerprint (SHA-256 of SPKI DER): 711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8
RELEASE_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"
cat > "$TEMP_DIR/release-signing-public.pem" <<'PEM'
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAS7nijfMcUoOBCj4yOXJX+GYGv2pFl2Yaha1P4v5Cm6A=
-----END PUBLIC KEY-----
PEM

ACTUAL_KEY_SHA256="$(openssl pkey -pubin -in "$TEMP_DIR/release-signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_KEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
  echo "ERROR: Release public key fingerprint mismatch" >&2
  exit 1
fi

ZIP_NAME="clawsec-suite-v${VERSION}.zip"

# 1) Download release archive + signed checksums manifest + signing public key
curl -fsSL "$BASE/$ZIP_NAME" -o "$TEMP_DIR/$ZIP_NAME"
curl -fsSL "$BASE/checksums.json" -o "$TEMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TEMP_DIR/checksums.sig"

# 2) Verify checksums manifest signature before trusting any hashes
openssl base64 -d -A -in "$TEMP_DIR/checksums.sig" -out "$TEMP_DIR/checksums.sig.bin"
if ! openssl pkeyutl -verify \
  -pubin \
  -inkey "$TEMP_DIR/release-signing-public.pem" \
  -sigfile "$TEMP_DIR/checksums.sig.bin" \
  -rawin \
  -in "$TEMP_DIR/checksums.json" >/dev/null 2>&1; then
  echo "ERROR: checksums.json signature verification failed" >&2
  exit 1
fi

EXPECTED_ZIP_SHA="$(jq -r '.archive.sha256 // empty' "$TEMP_DIR/checksums.json")"
if [ -z "$EXPECTED_ZIP_SHA" ]; then
  echo "ERROR: checksums.json missing archive.sha256" >&2
  exit 1
fi

if command -v shasum >/dev/null 2>&1; then
  ACTUAL_ZIP_SHA="$(shasum -a 256 "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
else
  ACTUAL_ZIP_SHA="$(sha256sum "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
fi

if [ "$EXPECTED_ZIP_SHA" != "$ACTUAL_ZIP_SHA" ]; then
  echo "ERROR: Archive checksum mismatch for $ZIP_NAME" >&2
  exit 1
fi

echo "Checksums manifest signature and archive hash verified."

# 3) Install verified archive
mkdir -p "$INSTALL_ROOT"
rm -rf "$DEST"
unzip -q "$TEMP_DIR/$ZIP_NAME" -d "$INSTALL_ROOT"

chmod 600 "$DEST/skill.json"
find "$DEST" -type f ! -name "skill.json" -exec chmod 644 {} \;

echo "Installed clawsec-suite v${VERSION} to: $DEST"
echo "Next step (OpenClaw): node \"\$DEST/scripts/setup_advisory_hook.mjs\""

OpenClaw Automation (Hook + Optional Cron)

After installing the suite, enable the advisory guardian hook:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_hook.mjs"

Optional: create/update a periodic cron nudge (default every 6h) that triggers a main-session advisory scan:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_cron.mjs"

What this adds:

• scan on agent:bootstrap and /new (command:new),
• compare advisory affected entries against installed skills,
• notify when new matches appear,
• and ask for explicit user approval before any removal flow.

Restart the OpenClaw gateway after enabling the hook. Then run /new once to force an immediate scan in the next session context.

Guarded Skill Install Flow (Double Confirmation)

When the user asks to install a skill, treat that as the first request and run a guarded install check:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1

Behavior:

• If no advisory match is found, install proceeds.
• If --version is omitted, matching is conservative: any advisory that references the skill name is treated as a match.
• If advisory match is found, the script prints advisory context and exits with code 42.
• Then require an explicit second confirmation from the user and rerun with --confirm-advisory:

node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1 --confirm-advisory

This enforces:

1. First confirmation: user asked to install.
2. Second confirmation: user explicitly approves install after seeing advisory details.

Embedded Advisory Feed Behavior

The embedded feed logic uses these defaults:

• Remote feed URL: https://clawsec.prompt.security/advisories/feed.json
• Remote feed signature URL: ${CLAWSEC_FEED_URL}.sig (override with CLAWSEC_FEED_SIG_URL)
• Remote checksums manifest URL: sibling checksums.json (override with CLAWSEC_FEED_CHECKSUMS_URL)
• Local seed fallback: ~/.openclaw/skills/clawsec-suite/advisories/feed.json
• Local feed signature: ${CLAWSEC_LOCAL_FEED}.sig (override with CLAWSEC_LOCAL_FEED_SIG)
• Local checksums manifest: ~/.openclaw/skills/clawsec-suite/advisories/checksums.json
• Pinned feed signing key: ~/.openclaw/skills/clawsec-suite/advisories/feed-signing-public.pem (override with CLAWSEC_FEED_PUBLIC_KEY)
• State file: ~/.openclaw/clawsec-suite-feed-state.json
• Hook rate-limit env (OpenClaw hook): CLAWSEC_HOOK_INTERVAL_SECONDS (default 300)

Fail-closed verification: Feed signatures are required by default. Checksum manifests are verified when companion checksum artifacts are available. Set CLAWSEC_ALLOW_UNSIGNED_FEED=1 only as a temporary migration bypass when adopting this version before signed feed artifacts are available upstream.

Quick feed check

FEED_URL="${CLAWSEC_FEED_URL:-https://clawsec.prompt.security/advisories/feed.json}"
STATE_FILE="${CLAWSEC_SUITE_STATE_FILE:-$HOME/.openclaw/clawsec-suite-feed-state.json}"

TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

if ! curl -fsSLo "$TMP/feed.json" "$FEED_URL"; then
  echo "ERROR: Failed to fetch advisory feed"
  exit 1
fi

if ! jq -e '.version and (.advisories | type == "array")' "$TMP/feed.json" >/dev/null; then
  echo "ERROR: Invalid advisory feed format"
  exit 1
fi

mkdir -p "$(dirname "$STATE_FILE")"
if [ ! -f "$STATE_FILE" ]; then
  echo '{"schema_version":"1.0","known_advisories":[],"last_feed_check":null,"last_feed_updated":null}' > "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

NEW_IDS_FILE="$TMP/new_ids.txt"
jq -r --argfile state "$STATE_FILE" '($state.known_advisories // []) as $known | [.advisories[]?.id | select(. != null and ($known | index(.) | not))] | .[]?' "$TMP/feed.json" > "$NEW_IDS_FILE"

if [ -s "$NEW_IDS_FILE" ]; then
  echo "New advisories detected:"
  while IFS= read -r id; do
    [ -z "$id" ] && continue
    jq -r --arg id "$id" '.advisories[] | select(.id == $id) | "- [\(.severity | ascii_upcase)] \(.id): \(.title)"' "$TMP/feed.json"
  done < "$NEW_IDS_FILE"
else
  echo "FEED_OK - no new advisories"
fi

Heartbeat Integration

Use the suite heartbeat script as the single periodic security check entrypoint:

• skills/clawsec-suite/HEARTBEAT.md

It handles:

• suite update checks,
• feed polling,
• new-advisory detection,
• affected-skill cross-referencing,
• approval-gated response guidance for malicious/removal advisories,
• and persistent state updates.

Approval-Gated Response Contract

If an advisory indicates a malicious or removal-recommended skill and that skill is installed:

1. Notify the user immediately with advisory details and severity.
2. Recommend removing or disabling the affected skill.
3. Treat the original install request as first intent only.
4. Ask for explicit second confirmation before deletion/disable action (or before proceeding with risky install).
5. Only proceed after that second confirmation.

The suite hook and heartbeat guidance are intentionally non-destructive by default.

Advisory Suppression / Allowlist

The advisory guardian pipeline supports opt-in suppression for advisories that have been reviewed and accepted by your security team. This is useful for first-party tooling or advisories that do not apply to your deployment.

Activation

Advisory suppression requires a single gate: the configuration file must contain "enabledFor" with "advisory" in the array. No CLI flag is needed -- the sentinel in the config file IS the opt-in gate.

If the enabledFor array is missing, empty, or does not include "advisory", all advisories are reported normally.

Config File Resolution (4-tier)

The advisory guardian resolves the suppression config using the same priority order as the audit pipeline:

1. Explicit --config <path> argument
2. OPENCLAW_AUDIT_CONFIG environment variable
3. ~/.openclaw/security-audit.json
4. .clawsec/allowlist.json

Config Format

{
  "enabledFor": ["advisory"],
  "suppressions": [
    {
      "checkId": "CVE-2026-25593",
      "skill": "clawsec-suite",
      "reason": "First-party security tooling — reviewed by security team",
      "suppressedAt": "2026-02-15"
    },
    {
      "checkId": "CLAW-2026-0001",
      "skill": "example-skill",
      "reason": "Advisory does not apply to our deployment configuration",
      "suppressedAt": "2026-02-16"
    }
  ]
}

Sentinel Semantics

• "enabledFor": ["advisory"] -- only advisory suppression active
• "enabledFor": ["audit"] -- only audit suppression active (no effect on advisory pipeline)
• "enabledFor": ["audit", "advisory"] -- both pipelines honor suppressions
• Missing or empty enabledFor -- no suppression active (safe default)

Matching Rules

• checkId: exact match against the advisory ID (e.g., CVE-2026-25593 or CLAW-2026-0001)
• skill: case-insensitive match against the affected skill name from the advisory
• Both fields must match for an advisory to be suppressed

Required Fields per Suppression Entry

| Field | Description | Example | |-------|-------------|---------| | checkId | Advisory ID to suppress | CVE-2026-25593 | | skill | Affected skill name | clawsec-suite | | reason | Justification for audit trail (required) | First-party tooling, reviewed by security team | | suppressedAt | ISO 8601 date (YYYY-MM-DD) | 2026-02-15 |

Shared Config with Audit Pipeline

The advisory and audit pipelines share the same config file. Use the enabledFor array to control which pipelines honor the suppression list:

{
  "enabledFor": ["audit", "advisory"],
  "suppressions": [
    {
      "checkId": "skills.code_safety",
      "skill": "clawsec-suite",
      "reason": "First-party tooling — audit finding accepted",
      "suppressedAt": "2026-02-15"
    },
    {
      "checkId": "CVE-2026-25593",
      "skill": "clawsec-suite",
      "reason": "First-party tooling — advisory reviewed",
      "suppressedAt": "2026-02-15"
    }
  ]
}

Audit entries (with check identifiers like skills.code_safety) are only matched by the audit pipeline. Advisory entries (with advisory IDs like CVE-2026-25593 or CLAW-2026-0001) are only matched by the advisory pipeline. Each pipeline filters for its own relevant entries.

Optional Skill Installation

Discover currently available installable skills dynamically, then install the ones you want:

SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs"

# then install any discovered skill by name
npx clawhub@latest install <skill-name>

Machine-readable output is also available for automation:

node "$SUITE_DIR/scripts/discover_skill_catalog.mjs" --json

Security Notes

• Always verify checksums.json signature before trusting its file URLs/hashes, then verify each file checksum.
• Verify advisory feed detached signatures; do not enable CLAWSEC_ALLOW_UNSIGNED_FEED outside temporary migration windows.
• Keep advisory polling rate-limited (at least 5 minutes between checks).
• Treat critical and high advisories affecting installed skills as immediate action items.
• If you migrate off standalone clawsec-feed, keep one canonical state file to avoid duplicate notifications.
• Pin and verify public key fingerprints out-of-band before first use.

File v0.1.2:_meta.json

{ "ownerId": "kn76m78f01hqrtpgm895s0jsax80jd8v", "slug": "clawsec-suite", "version": "0.1.2", "publishedAt": 1771260968830 }

File v0.1.2:CHANGELOG.md

Changelog

All notable changes to the ClawSec Suite will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.1.2]

Added

• Advisory suppression module (hooks/clawsec-advisory-guardian/lib/suppression.mjs).
• loadAdvisorySuppression() -- loads suppression config with enabledFor: ["advisory"] sentinel gate.
• isAdvisorySuppressed() -- matches advisory.id === rule.checkId + case-insensitive skill name.
• Advisory guardian handler integration: partitions matches into active/suppressed after findMatches().
• Suppressed matches tracked in state file (prevents re-evaluation) but not alerted.
• Soft notification message for suppressed matches count.
• Advisory suppression tests (13 tests in advisory_suppression.test.mjs).
• Documentation in SKILL.md for advisory suppression/allowlist mechanism.

Changed

• Advisory guardian handler (handler.ts) now loads suppression config and filters matches before alerting.

Security

• Advisory suppression gated by config file sentinel (enabledFor: ["advisory"]) -- no CLI flag needed but config must explicitly opt in.
• Suppressed matches are still tracked in state to maintain audit trail.

[0.1.1] - 2026-02-16

Added

• Added scripts/discover_skill_catalog.mjs to dynamically discover installable skills from https://clawsec.prompt.security/skills/index.json.
• Added test/skill_catalog_discovery.test.mjs to validate remote-catalog loading and fallback behavior.
• Added CI signing-key drift guard script: scripts/ci/verify_signing_key_consistency.sh.

Changed

• Updated SKILL.md to use dynamic catalog discovery commands instead of hard-coded optional-skill names.
• Updated advisory feed defaults to signed-host URL (https://clawsec.prompt.security/advisories/feed.json).
• Improved checksum manifest key compatibility in feed verification logic (supports basename and advisories/* key formats).
• Kept openclaw-audit-watchdog as a standalone skill (not embedded in clawsec-suite).

Security

• Signing key drift control: CI now enforces that all public key references (inline SKILL.md PEM, canonical .pem files, workflow-generated keys) resolve to the same fingerprint. Prevents stale, fabricated, or rotated-but-not-propagated key material from reaching releases.
  • Enforced in: .github/workflows/skill-release.yml, .github/workflows/deploy-pages.yml
  • Guard script: scripts/ci/verify_signing_key_consistency.sh

Fixed

• Fixed fabricated signing key in SKILL.md: The manual installation script contained a hallucinated Ed25519 public key and fingerprint (35866e1b...) that never corresponded to the actual release signing key. Replaced with the real public key derived from the GitHub-secret-held private key. The bogus key was introduced in v0.0.10 (Integration/signing work #20) and went undetected because no consistency check existed at the time.
• Corrected checksums.sig naming in release verification documentation.

[0.0.10] - 2026-02-11

Security

Transport Security Hardening

• TLS Version Enforcement: Eliminated support for TLS 1.0 and TLS 1.1, enforcing minimum TLS 1.2 for all HTTPS connections
• Certificate Validation: Enabled strict certificate validation (rejectUnauthorized: true) to prevent MITM attacks
• Domain Allowlist: Restricted advisory feed connections to approved domains only:
  • clawsec.prompt.security (official ClawSec feed host)
  • prompt.security (parent domain)
  • raw.githubusercontent.com (GitHub raw content)
  • github.com (GitHub releases)
• Strong Cipher Suites: Configured modern cipher suites (AES-GCM, ChaCha20-Poly1305) for secure connections

Signature Verification & Checksum Validation

• Fixed unverified file publication: Refactored deploy-pages.yml workflow to download release assets to temporary directory before signature verification, ensuring unverified files never reach public directory
• Fixed schema mismatch: Updated deploy-pages.yml to generate checksums.json with proper schema_version and algorithm fields that match parser expectations
• Fixed missing checksums abort: Updated loadRemoteFeed to gracefully skip checksum verification when checksums.json is missing (e.g., GitHub raw content), while still enforcing fail-closed signature verification
• Fixed parser strictness: Enhanced parseChecksumsManifest to accept legacy manifest formats through a fallback chain:
  1. schema_version (new standard)
  2. version (skill-release.yml format)
  3. generated_at (old deploy-pages.yml format)
  4. "1" (ultimate fallback)

Changed

• Advisory feed loader now uses secureFetch wrapper with TLS 1.2+ enforcement and domain validation
• Checksum verification is now graceful: feeds load successfully from sources without checksums (e.g., GitHub raw) while maintaining fail-closed signature verification
• Workflow release mirroring flow changed from download → verify → skip to download to temp → verify → mirror (fail = delete temp)

Fixed

• Unverified skill releases no longer published to public directory on signature verification failure
• Schema mismatch between generated and expected checksums manifest fields
• Feed loading failures when checksums.json missing from upstream sources
• Parser rejection of valid legacy manifest formats

Security Impact

• Fail-closed security maintained: All feed signatures still verified; invalid signatures reject feed loading
• No backward compatibility break: Legacy manifests continue working through fallback chain
• Enhanced transport security: Connections protected against downgrade attacks and MITM
• Defense in depth: Multiple layers of verification (domain, TLS, certificate, signature, checksum)

---

Release Notes Template

When creating a new release, copy this template to the GitHub release notes:

## Security Improvements

### Transport Security
✅ TLS 1.2+ enforcement (eliminated TLS 1.0, 1.1)
✅ Strict certificate validation
✅ Domain allowlist (prompt.security, github.com only)
✅ Modern cipher suites (AES-GCM, ChaCha20-Poly1305)

### Signature & Checksum Verification
✅ Unverified files never published (temp directory workflow)
✅ Proper schema fields in generated checksums.json
✅ Graceful fallback when checksums missing (GitHub raw)
✅ Legacy manifest format support (backward compatible)

### Testing
All verification tests passed:
- ✅ Unit tests: 14/14 passed
- ✅ Parser lenience: 3/3 legacy formats accepted
- ✅ Remote loading: Gracefully handles missing checksums
- ✅ Workflow security: Temp directory prevents unverified publication

File v0.1.2:HEARTBEAT.md

ClawSec Suite — Heartbeat Check

Run this periodically (cron/systemd/CI/agent scheduler). It assumes POSIX shell, curl, and jq.

Goals

1. Check whether clawsec-suite has an update available.
2. Poll the advisory feed.
3. Report new advisories, highlight affected installed skills, and require approval before removal actions.

---

Configuration

INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
SUITE_DIR="$INSTALL_ROOT/clawsec-suite"
CHECKSUMS_URL="${CHECKSUMS_URL:-https://clawsec.prompt.security/releases/latest/download/checksums.json}"
FEED_URL="${CLAWSEC_FEED_URL:-https://clawsec.prompt.security/advisories/feed.json}"
STATE_FILE="${CLAWSEC_SUITE_STATE_FILE:-$HOME/.openclaw/clawsec-suite-feed-state.json}"
MIN_FEED_INTERVAL_SECONDS="${MIN_FEED_INTERVAL_SECONDS:-300}"

---

Step 0 — Basic sanity

set -euo pipefail

test -d "$SUITE_DIR"
test -f "$SUITE_DIR/skill.json"

echo "=== ClawSec Suite Heartbeat ==="
echo "When:  $(date -u +%Y-%m-%dT%H:%M:%SZ)"
echo "Suite: $SUITE_DIR"

---

Step 1 — Check suite version updates

TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

curl -fsSLo "$TMP/checksums.json" "$CHECKSUMS_URL"

INSTALLED_VER="$(jq -r '.version // ""' "$SUITE_DIR/skill.json" 2>/dev/null || true)"
LATEST_VER="$(jq -r '.version // ""' "$TMP/checksums.json" 2>/dev/null || true)"

echo "Installed suite: ${INSTALLED_VER:-unknown}"
echo "Latest suite:    ${LATEST_VER:-unknown}"

if [ -n "$LATEST_VER" ] && [ "$LATEST_VER" != "$INSTALLED_VER" ]; then
  echo "UPDATE AVAILABLE: clawsec-suite ${INSTALLED_VER:-unknown} -> $LATEST_VER"
else
  echo "Suite appears up to date."
fi

---

Step 2 — Initialize advisory state

mkdir -p "$(dirname "$STATE_FILE")"

if [ ! -f "$STATE_FILE" ]; then
  echo '{"schema_version":"1.0","known_advisories":[],"last_feed_check":null,"last_feed_updated":null}' > "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

if ! jq -e '.schema_version and .known_advisories' "$STATE_FILE" >/dev/null 2>&1; then
  echo "WARNING: Invalid state file, resetting: $STATE_FILE"
  cp "$STATE_FILE" "${STATE_FILE}.bak.$(date -u +%Y%m%d%H%M%S)" 2>/dev/null || true
  echo '{"schema_version":"1.0","known_advisories":[],"last_feed_check":null,"last_feed_updated":null}' > "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

---

Step 3 — Advisory feed check (embedded clawsec-feed)

now_epoch="$(date -u +%s)"
last_check="$(jq -r '.last_feed_check // "1970-01-01T00:00:00Z"' "$STATE_FILE")"
last_epoch="$(date -u -d "$last_check" +%s 2>/dev/null || date -u -j -f "%Y-%m-%dT%H:%M:%SZ" "$last_check" +%s 2>/dev/null || echo 0)"

if [ $((now_epoch - last_epoch)) -lt "$MIN_FEED_INTERVAL_SECONDS" ]; then
  echo "Feed check skipped (rate limit: ${MIN_FEED_INTERVAL_SECONDS}s)."
else
  FEED_TMP="$TMP/feed.json"
  FEED_SOURCE="$FEED_URL"

  if ! curl -fsSLo "$FEED_TMP" "$FEED_URL"; then
    if [ -f "$SUITE_DIR/advisories/feed.json" ]; then
      cp "$SUITE_DIR/advisories/feed.json" "$FEED_TMP"
      FEED_SOURCE="$SUITE_DIR/advisories/feed.json (local fallback)"
      echo "WARNING: Remote feed unavailable, using local fallback."
    else
      echo "ERROR: Remote feed unavailable and no local fallback feed found."
      exit 1
    fi
  fi

  if ! jq -e '.version and (.advisories | type == "array")' "$FEED_TMP" >/dev/null 2>&1; then
    echo "ERROR: Advisory feed has invalid format."
    exit 1
  fi

  echo "Feed source: $FEED_SOURCE"
  echo "Feed updated: $(jq -r '.updated // "unknown"' "$FEED_TMP")"

  NEW_IDS_FILE="$TMP/new_ids.txt"
  jq -r --argfile state "$STATE_FILE" '($state.known_advisories // []) as $known | [.advisories[]?.id | select(. != null and ($known | index(.) | not))] | .[]?' "$FEED_TMP" > "$NEW_IDS_FILE"

  if [ -s "$NEW_IDS_FILE" ]; then
    echo "New advisories:"
    while IFS= read -r id; do
      [ -z "$id" ] && continue
      jq -r --arg id "$id" '.advisories[] | select(.id == $id) | "- [\(.severity | ascii_upcase)] \(.id): \(.title)"' "$FEED_TMP"
      jq -r --arg id "$id" '.advisories[] | select(.id == $id) | "  Action: \(.action // "Review advisory details")"' "$FEED_TMP"
    done < "$NEW_IDS_FILE"
  else
    echo "FEED_OK - no new advisories"
  fi

  echo "Affected installed skills (if any):"
  found_affected=0
  removal_recommended=0
  for skill_path in "$INSTALL_ROOT"/*; do
    [ -d "$skill_path" ] || continue
    skill_name="$(basename "$skill_path")"

    skill_hits="$(jq -r --arg skill_prefix "${skill_name}@" '
      [.advisories[]
      | select(any(.affected[]?; startswith($skill_prefix)))
      | "- [\(.severity | ascii_upcase)] \(.id): \(.title)\n  Action: \(.action // "Review advisory details")"
      ] | .[]?
    ' "$FEED_TMP")"

    if [ -n "$skill_hits" ]; then
      found_affected=1
      echo "- $skill_name is referenced by advisory feed entries"
      printf "%s\n" "$skill_hits"

      if jq -e --arg skill_prefix "${skill_name}@" '
        any(
          .advisories[];
          any(.affected[]?; startswith($skill_prefix))
          and (
            ((.type // "" | ascii_downcase) == "malicious_skill")
            or ((.title // "" | ascii_downcase | test("malicious|exfiltrat|backdoor|trojan|stealer")))
            or ((.description // "" | ascii_downcase | test("malicious|exfiltrat|backdoor|trojan|stealer")))
            or ((.action // "" | ascii_downcase | test("remove|uninstall|disable|do not use|quarantine")))
          )
        )
      ' "$FEED_TMP" >/dev/null 2>&1; then
        removal_recommended=1
      fi
    fi
  done

  if [ "$found_affected" -eq 0 ]; then
    echo "- none"
  fi

  if [ "$removal_recommended" -eq 1 ]; then
    echo "Approval required: ask the user for explicit approval before removing any skill."
    echo "Double-confirmation policy: install request is first intent; require a second explicit confirmation with advisory context."
  fi

  # Persist state
  current_utc="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  state_tmp="$TMP/state.json"

  jq --arg t "$current_utc" --arg updated "$(jq -r '.updated // ""' "$FEED_TMP")" --argfile feed "$FEED_TMP" '
    .last_feed_check = $t
    | .last_feed_updated = (if $updated == "" then .last_feed_updated else $updated end)
    | .known_advisories = ((.known_advisories // []) + [$feed.advisories[]?.id] | map(select(. != null)) | unique)
  ' "$STATE_FILE" > "$state_tmp"

  mv "$state_tmp" "$STATE_FILE"
  chmod 600 "$STATE_FILE"
fi

---

Output Summary

Heartbeat output should include:

• suite version status,
• advisory feed status,
• new advisory list (if any),
• installed skills that appear in advisory affected lists,
• and a double-confirmation reminder before risky install/remove actions.

If your runtime sends alerts, treat critical and high advisories affecting installed skills as immediate notifications.

File v0.1.2:hooks/clawsec-advisory-guardian/HOOK.md

---

name: clawsec-advisory-guardian description: Detect advisory matches for installed skills and require explicit user approval before any removal action. metadata: { "openclaw": { "events": ["agent:bootstrap", "command:new"] } }

ClawSec Advisory Guardian Hook

This hook checks the ClawSec advisory feed against locally installed skills on:

• agent:bootstrap
• command:new

When it detects an advisory affecting an installed skill, it posts an alert message. If the advisory looks malicious or removal-oriented, it explicitly recommends removal and asks for user approval first.

Safety Contract

• The hook does not delete or modify skills.
• It only reports findings and requests explicit approval before removal.
• Alerts are deduplicated using ~/.openclaw/clawsec-suite-feed-state.json.

Optional Environment Variables

• CLAWSEC_FEED_URL: override remote feed URL.
• CLAWSEC_FEED_SIG_URL: override detached remote feed signature URL (default ${CLAWSEC_FEED_URL}.sig).
• CLAWSEC_FEED_CHECKSUMS_URL: override remote checksum manifest URL (default sibling checksums.json).
• CLAWSEC_FEED_CHECKSUMS_SIG_URL: override detached remote checksum manifest signature URL.
• CLAWSEC_FEED_PUBLIC_KEY: path to pinned feed-signing public key PEM.
• CLAWSEC_LOCAL_FEED: override local fallback feed file.
• CLAWSEC_LOCAL_FEED_SIG: override local detached feed signature path.
• CLAWSEC_LOCAL_FEED_CHECKSUMS: override local checksum manifest path.
• CLAWSEC_LOCAL_FEED_CHECKSUMS_SIG: override local checksum manifest signature path.
• CLAWSEC_VERIFY_CHECKSUM_MANIFEST: set to 0 only for emergency troubleshooting (default verifies checksums).
• CLAWSEC_ALLOW_UNSIGNED_FEED: set to 1 only for temporary migration compatibility; bypasses signature/checksum verification.
• CLAWSEC_SUITE_STATE_FILE: override state file path.
• CLAWSEC_INSTALL_ROOT: override installed skills root.
• CLAWSEC_SUITE_DIR: override clawsec-suite install path.
• CLAWSEC_HOOK_INTERVAL_SECONDS: minimum interval between hook scans (default 300).

File v0.1.2:advisories/feed.json

{ "version": "0.0.2", "updated": "2026-02-08T06:16:28Z", "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.", "advisories": [ { "id": "CVE-2026-25593", "severity": "high", "type": "vulnerable_skill", "title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...", "description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-06T21:16:17.790", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg" ], "cvss_score": 8.4, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593" }, { "id": "CVE-2026-25475", "severity": "medium", "type": "vulnerable_skill", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-04T20:16:07.287", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq" ], "cvss_score": 6.5, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25475" }, { "id": "CVE-2026-25157", "severity": "high", "type": "vulnerable_skill", "title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vu...", "description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-04T20:16:06.577", "references": [ "https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585" ], "cvss_score": 7.7, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25157" }, { "id": "CLAW-2026-0001", "severity": "high", "type": "prompt_injection", "title": "Data exfiltration attempt via helper-plus skill", "description": "The helper-plus skill was observed sending conversation data to an external server (suspicious-domain.com) on every invocation. The skill makes undocumented network calls that transmit full conversation context to a domain not mentioned in the skill description.", "affected": [ "helper-plus@1.0.0", "helper-plus@1.0.1" ], "action": "Remove helper-plus immediately. Do not use versions 1.0.0 or 1.0.1. Wait for a verified patched version.", "published": "2026-02-04T09:30:00Z", "references": [], "source": "Community Report", "github_issue_url": "https://github.com/prompt-security/clawsec/issues/1", "reporter": { "agent_name": "SecurityBot", "opener_type": "agent" } }, { "id": "CVE-2026-24763", "severity": "high", "type": "vulnerable_skill", "title": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026....", "description": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-02T23:16:08.593", "references": [ "https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75", "https://github.com/openclaw/openclaw/releases/tag/v2026.1.29", "https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24763" }, { "id": "CVE-2026-25253", "severity": "high", "type": "vulnerable_skill", "title": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string a...", "description": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.", "affected": [], "action": "Review and update affected components. See NVD for remediation details.", "published": "2026-02-01T23:15:49.717", "references": [ "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys", "https://ethiack.com/news/blog/one-click-rce-moltbot", "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq" ], "cvss_score": 8.8, "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253" } ] }

File v0.1.2:skill.json

{ "name": "clawsec-suite", "version": "0.1.2", "description": "ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.", "author": "prompt-security", "license": "MIT", "homepage": "https://clawsec.prompt.security/", "keywords": [ "security", "skills", "catalog", "installer", "integrity", "advisory", "feed", "threat-intel", "hooks", "approval", "agents", "ai", "suite", "openclaw", "signature", "verification" ], "sbom": { "files": [ { "path": "SKILL.md", "required": true, "description": "Suite skill documentation and installation guide" }, { "path": "CHANGELOG.md", "required": true, "description": "Version history and security improvements changelog" }, { "path": "HEARTBEAT.md", "required": true, "description": "Portable heartbeat and update-check procedure" }, { "path": "advisories/feed.json", "required": true, "description": "Embedded advisory feed seed (merged from clawsec-feed)" }, { "path": "advisories/feed.json.sig", "required": true, "description": "Detached Ed25519 signature for advisory feed" }, { "path": "advisories/checksums.json", "required": true, "description": "SHA-256 checksum manifest for advisory artifacts" }, { "path": "advisories/checksums.json.sig", "required": true, "description": "Detached Ed25519 signature for checksum manifest" }, { "path": "advisories/feed-signing-public.pem", "required": true, "description": "Pinned Ed25519 public key for feed signature verification" }, { "path": "hooks/clawsec-advisory-guardian/HOOK.md", "required": true, "description": "OpenClaw hook metadata for advisory-driven malicious-skill checks" }, { "path": "hooks/clawsec-advisory-guardian/handler.ts", "required": true, "description": "OpenClaw hook handler for approval-gated advisory actions with signature verification" }, { "path": "hooks/clawsec-advisory-guardian/lib/utils.mjs", "required": true, "description": "Shared utility functions (isObject, normalizeSkillName, uniqueStrings)" }, { "path": "hooks/clawsec-advisory-guardian/lib/version.mjs", "required": true, "description": "Shared semver parsing and version matching logic" }, { "path": "hooks/clawsec-advisory-guardian/lib/feed.mjs", "required": true, "description": "Advisory feed loading with Ed25519 signature and checksum manifest verification" }, { "path": "hooks/clawsec-advisory-guardian/lib/types.ts", "required": true, "description": "TypeScript type definitions for hook and feed structures" }, { "path": "hooks/clawsec-advisory-guardian/lib/state.ts", "required": true, "description": "Advisory state persistence and loading" }, { "path": "hooks/clawsec-advisory-guardian/lib/matching.ts", "required": true, "description": "Advisory-to-skill matching and alert message generation" }, { "path": "scripts/setup_advisory_hook.mjs", "required": true, "description": "Installer script for enabling the advisory guardian hook" }, { "path": "scripts/setup_advisory_cron.mjs", "required": true, "description": "Installer script for optional periodic advisory scan cron" }, { "path": "scripts/guarded_skill_install.mjs", "required": true, "description": "Two-step confirmation installer with signature verification that blocks risky skill installs" }, { "path": "scripts/discover_skill_catalog.mjs", "required": true, "description": "Dynamic skill-catalog discovery with remote index fetch and suite-local fallback metadata" }, { "path": "scripts/sign_detached_ed25519.mjs", "required": false, "description": "Utility script for generating Ed25519 detached signatures" }, { "path": "scripts/verify_detached_ed25519.mjs", "required": false, "description": "Utility script for verifying Ed25519 detached signatures" }, { "path": "scripts/generate_checksums_json.mjs", "required": false, "description": "Utility script for generating SHA-256 checksum manifests" } ] }, "embedded_components": { "clawsec-feed": { "source_skill": "clawsec-feed", "source_version": "0.0.4", "paths": [ "advisories/feed.json", "advisories/feed.json.sig", "advisories/checksums.json", "advisories/checksums.json.sig", "advisories/feed-signing-public.pem" ], "capabilities": [ "advisory-feed monitoring", "new-advisory detection", "affected-skill cross-reference", "approval-gated malicious-skill removal recommendations", "double-confirmation gating for risky skill installs", "Ed25519 signature verification", "checksum manifest verification" ], "standalone_available": true, "deprecation_plan": "standalone skill may be retired after suite migration is verified" } }, "catalog": { "description": "Available protections in the ClawSec suite", "base_url": "https://clawsec.prompt.security/releases/download", "skills": { "clawsec-feed": { "description": "Advisory monitoring is now embedded in clawsec-suite", "integrated_in_suite": true, "standalone_available": true, "compatible": [ "openclaw", "moltbot", "clawdbot", "other" ] }, "openclaw-audit-watchdog": { "description": "Automated daily audits with email reporting", "default_install": true, "compatible": [ "openclaw", "moltbot", "clawdbot" ], "note": "Tailored for OpenClaw/MoltBot family" }, "soul-guardian": { "description": "Drift detection and file integrity guard", "default_install": false, "compatible": [ "openclaw", "moltbot", "clawdbot", "other" ] }, "clawtributor": { "description": "Community incident reporting (shares anonymized data)", "default_install": false, "requires_explicit_consent": true, "compatible": [ "openclaw", "moltbot", "clawdbot", "other" ] } } }, "openclaw": { "emoji": "📦", "category": "security", "requires": { "bins": [ "curl", "jq", "shasum", "openssl" ] }, "triggers": [ "clawsec suite", "security suite", "security advisories", "malicious skill alert", "remove malicious skills", "safe skill install", "confirm skill install", "check advisories", "advisory feed", "install security skills", "verify skills", "check skill integrity", "update skills" ] } }