clawsec-suiteClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup...
Install via ClawdBot CLI:
clawdbot install davida-ps/clawsec-suiteThis means clawsec-suite can:
advisories/feed.jsonHEARTBEAT.mdhooks/clawsec-advisory-guardian/scripts/scripts/guarded_skill_install.mjsscripts/discover_skill_catalog.mjsclawsec-suite does not hard-code add-on skill names in this document.
Discover the current catalog from the authoritative index (https://clawsec.prompt.security/skills/index.json) at runtime:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs"Fallback behavior:
skill.json.bash/zsh, keep path variables expandable (for example, INSTALL_ROOT="$HOME/.openclaw/skills").'$HOME/.openclaw/skills').$env:INSTALL_ROOT = Join-Path $HOME ".openclaw\\skills"\$HOME/...), suite scripts now fail fast with a clear error.npx clawhub@latest install clawsec-suiteset -euo pipefail
VERSION="${SKILL_VERSION:?Set SKILL_VERSION (e.g. 0.0.8)}"
INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
DEST="$INSTALL_ROOT/clawsec-suite"
BASE="https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v${VERSION}"
TEMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TEMP_DIR"' EXIT
# Pinned release-signing public key (verify fingerprint out-of-band on first use)
# Fingerprint (SHA-256 of SPKI DER): 711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8
RELEASE_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"
cat > "$TEMP_DIR/release-signing-public.pem" <<'PEM'
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAS7nijfMcUoOBCj4yOXJX+GYGv2pFl2Yaha1P4v5Cm6A=
-----END PUBLIC KEY-----
PEM
ACTUAL_KEY_SHA256="$(openssl pkey -pubin -in "$TEMP_DIR/release-signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_KEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
echo "ERROR: Release public key fingerprint mismatch" >&2
exit 1
fi
ZIP_NAME="clawsec-suite-v${VERSION}.zip"
# 1) Download release archive + signed checksums manifest + signing public key
curl -fsSL "$BASE/$ZIP_NAME" -o "$TEMP_DIR/$ZIP_NAME"
curl -fsSL "$BASE/checksums.json" -o "$TEMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TEMP_DIR/checksums.sig"
# 2) Verify checksums manifest signature before trusting any hashes
openssl base64 -d -A -in "$TEMP_DIR/checksums.sig" -out "$TEMP_DIR/checksums.sig.bin"
if ! openssl pkeyutl -verify \
-pubin \
-inkey "$TEMP_DIR/release-signing-public.pem" \
-sigfile "$TEMP_DIR/checksums.sig.bin" \
-rawin \
-in "$TEMP_DIR/checksums.json" >/dev/null 2>&1; then
echo "ERROR: checksums.json signature verification failed" >&2
exit 1
fi
EXPECTED_ZIP_SHA="$(jq -r '.archive.sha256 // empty' "$TEMP_DIR/checksums.json")"
if [ -z "$EXPECTED_ZIP_SHA" ]; then
echo "ERROR: checksums.json missing archive.sha256" >&2
exit 1
fi
if command -v shasum >/dev/null 2>&1; then
ACTUAL_ZIP_SHA="$(shasum -a 256 "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
else
ACTUAL_ZIP_SHA="$(sha256sum "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
fi
if [ "$EXPECTED_ZIP_SHA" != "$ACTUAL_ZIP_SHA" ]; then
echo "ERROR: Archive checksum mismatch for $ZIP_NAME" >&2
exit 1
fi
echo "Checksums manifest signature and archive hash verified."
# 3) Install verified archive
mkdir -p "$INSTALL_ROOT"
rm -rf "$DEST"
unzip -q "$TEMP_DIR/$ZIP_NAME" -d "$INSTALL_ROOT"
chmod 600 "$DEST/skill.json"
find "$DEST" -type f ! -name "skill.json" -exec chmod 644 {} \;
echo "Installed clawsec-suite v${VERSION} to: $DEST"
echo "Next step (OpenClaw): node \"\$DEST/scripts/setup_advisory_hook.mjs\""After installing the suite, enable the advisory guardian hook:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_hook.mjs"Optional: create/update a periodic cron nudge (default every 6h) that triggers a main-session advisory scan:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_cron.mjs"What this adds:
agent:bootstrap and /new (command:new),affected entries against installed skills,application: "openclaw" (and legacy entries without application for backward compatibility),Restart the OpenClaw gateway after enabling the hook. Then run /new once to force an immediate scan in the next session context.
When the user asks to install a skill, treat that as the first request and run a guarded install check:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1Behavior:
--version is omitted, matching is conservative: any advisory that references the skill name is treated as a match.42.--confirm-advisory:node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1 --confirm-advisoryThis enforces:
The embedded feed logic uses these defaults:
https://clawsec.prompt.security/advisories/feed.json${CLAWSEC_FEED_URL}.sig (override with CLAWSEC_FEED_SIG_URL)checksums.json (override with CLAWSEC_FEED_CHECKSUMS_URL)~/.openclaw/skills/clawsec-suite/advisories/feed.json${CLAWSEC_LOCAL_FEED}.sig (override with CLAWSEC_LOCAL_FEED_SIG)~/.openclaw/skills/clawsec-suite/advisories/checksums.json~/.openclaw/skills/clawsec-suite/advisories/feed-signing-public.pem (override with CLAWSEC_FEED_PUBLIC_KEY)~/.openclaw/clawsec-suite-feed-state.jsonCLAWSEC_HOOK_INTERVAL_SECONDS (default 300)Fail-closed verification: Feed signatures are required by default. Checksum manifests are verified when companion checksum artifacts are available. Set CLAWSEC_ALLOW_UNSIGNED_FEED=1 only as a temporary migration bypass when adopting this version before signed feed artifacts are available upstream.
FEED_URL="${CLAWSEC_FEED_URL:-https://clawsec.prompt.security/advisories/feed.json}"
STATE_FILE="${CLAWSEC_SUITE_STATE_FILE:-$HOME/.openclaw/clawsec-suite-feed-state.json}"
TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT
if ! curl -fsSLo "$TMP/feed.json" "$FEED_URL"; then
echo "ERROR: Failed to fetch advisory feed"
exit 1
fi
if ! jq -e '.version and (.advisories | type == "array")' "$TMP/feed.json" >/dev/null; then
echo "ERROR: Invalid advisory feed format"
exit 1
fi
mkdir -p "$(dirname "$STATE_FILE")"
if [ ! -f "$STATE_FILE" ]; then
echo '{"schema_version":"1.0","known_advisories":[],"last_feed_check":null,"last_feed_updated":null}' > "$STATE_FILE"
chmod 600 "$STATE_FILE"
fi
NEW_IDS_FILE="$TMP/new_ids.txt"
jq -r --argfile state "$STATE_FILE" '($state.known_advisories // []) as $known | [.advisories[]?.id | select(. != null and ($known | index(.) | not))] | .[]?' "$TMP/feed.json" > "$NEW_IDS_FILE"
if [ -s "$NEW_IDS_FILE" ]; then
echo "New advisories detected:"
while IFS= read -r id; do
[ -z "$id" ] && continue
jq -r --arg id "$id" '.advisories[] | select(.id == $id) | "- [\(.severity | ascii_upcase)] \(.id): \(.title)"' "$TMP/feed.json"
done < "$NEW_IDS_FILE"
else
echo "FEED_OK - no new advisories"
fiUse the suite heartbeat script as the single periodic security check entrypoint:
skills/clawsec-suite/HEARTBEAT.mdIt handles:
If an advisory indicates a malicious or removal-recommended skill and that skill is installed:
The suite hook and heartbeat guidance are intentionally non-destructive by default.
The advisory guardian pipeline supports opt-in suppression for advisories that have been reviewed and accepted by your security team. This is useful for first-party tooling or advisories that do not apply to your deployment.
Advisory suppression requires a single gate: the configuration file must contain "enabledFor" with "advisory" in the array. No CLI flag is needed -- the sentinel in the config file IS the opt-in gate.
If the enabledFor array is missing, empty, or does not include "advisory", all advisories are reported normally.
The advisory guardian resolves the suppression config using the same priority order as the audit pipeline:
--config argumentOPENCLAW_AUDIT_CONFIG environment variable~/.openclaw/security-audit.json.clawsec/allowlist.json{
"enabledFor": ["advisory"],
"suppressions": [
{
"checkId": "CVE-2026-25593",
"skill": "clawsec-suite",
"reason": "First-party security tooling — reviewed by security team",
"suppressedAt": "2026-02-15"
},
{
"checkId": "CLAW-2026-0001",
"skill": "example-skill",
"reason": "Advisory does not apply to our deployment configuration",
"suppressedAt": "2026-02-16"
}
]
}"enabledFor": ["advisory"] -- only advisory suppression active"enabledFor": ["audit"] -- only audit suppression active (no effect on advisory pipeline)"enabledFor": ["audit", "advisory"] -- both pipelines honor suppressionsenabledFor -- no suppression active (safe default)CVE-2026-25593 or CLAW-2026-0001)| Field | Description | Example |
|-------|-------------|---------|
| checkId | Advisory ID to suppress | CVE-2026-25593 |
| skill | Affected skill name | clawsec-suite |
| reason | Justification for audit trail (required) | First-party tooling, reviewed by security team |
| suppressedAt | ISO 8601 date (YYYY-MM-DD) | 2026-02-15 |
The advisory and audit pipelines share the same config file. Use the enabledFor array to control which pipelines honor the suppression list:
{
"enabledFor": ["audit", "advisory"],
"suppressions": [
{
"checkId": "skills.code_safety",
"skill": "clawsec-suite",
"reason": "First-party tooling — audit finding accepted",
"suppressedAt": "2026-02-15"
},
{
"checkId": "CVE-2026-25593",
"skill": "clawsec-suite",
"reason": "First-party tooling — advisory reviewed",
"suppressedAt": "2026-02-15"
}
]
}Audit entries (with check identifiers like skills.code_safety) are only matched by the audit pipeline. Advisory entries (with advisory IDs like CVE-2026-25593 or CLAW-2026-0001) are only matched by the advisory pipeline. Each pipeline filters for its own relevant entries.
Discover currently available installable skills dynamically, then install the ones you want:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs"
# then install any discovered skill by name
npx clawhub@latest install <skill-name>Machine-readable output is also available for automation:
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs" --jsonchecksums.json signature before trusting its file URLs/hashes, then verify each file checksum.CLAWSEC_ALLOW_UNSIGNED_FEED outside temporary migration windows.critical and high advisories affecting installed skills as immediate action items.clawsec-feed, keep one canonical state file to avoid duplicate notifications.Generated Mar 1, 2026
Maintainers of open-source AI agent ecosystems use clawsec-suite to monitor security advisories for installed skills, ensuring malicious packages are flagged and removed with user approval. It integrates with automated workflows via hooks and cron jobs, providing continuous protection against vulnerabilities in community-contributed extensions.
Large organizations deploying AI agents across teams rely on clawsec-suite to enforce security policies by verifying skill signatures and tracking advisories. The suite's approval-gated removal prevents unauthorized changes, while dynamic catalog discovery ensures access to vetted security skills without hard-coded dependencies.
DevSecOps teams integrate clawsec-suite into CI/CD pipelines to scan for malicious skills during agent updates, using cryptographic verification and advisory feeds. The portable heartbeat workflow and setup scripts automate security checks, reducing manual oversight and ensuring compliance in fast-paced development environments.
Universities and research labs use clawsec-suite to secure AI agent environments for students, monitoring advisories and requiring explicit approval for skill removals to prevent accidental data loss. The guided setup helps non-experts deploy additional protections, fostering safe experimentation with AI skills.
Offer clawsec-suite as a free core tool with basic advisory monitoring and verification, while charging for premium features like advanced threat intelligence feeds, custom catalog management, or enterprise support. Revenue is generated through subscription tiers targeting businesses needing enhanced security analytics.
License clawsec-suite to large organizations with tailored deployments, including on-premise advisory feeds, dedicated support, and integration services. Revenue comes from annual licenses and consulting fees for custom security skill development and compliance auditing.
Use clawsec-suite as a gateway to a curated marketplace of security skills, where developers pay to list or users purchase premium skills. Revenue is generated through transaction fees, featured listings, and partnerships with security vendors for integrated solutions.
💬 Integration Tip
Ensure all required binaries (curl, jq, shasum, openssl) are installed and path variables are correctly set across different shells to avoid installation errors.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.