openclaw-triage

Incident response and forensics for agent workspaces. Investigate compromises, build timelines, assess blast radius, and collect evidence. Cross-references data from warden, ledger, signet, and sentinel for unified analysis. Free alert layer; upgrade to openclaw-triage-pro for automated containment, remediation playbooks, and evidence export.
Install via ClawdBot CLI:
clawdbot install AtlasPA/openclaw-triage

Incident response and forensics for agent workspaces. When something goes wrong (a skill behaves unexpectedly, files change without explanation, or another security tool flags an anomaly), triage investigates what happened, assesses the damage, and guides recovery.
This is the "detective" that pulls together evidence from all OpenClaw security tools into a unified incident report.
Run a comprehensive incident investigation. Collects workspace state, checks for signs of compromise (recently modified critical files, new skills, unusual permissions, off-hours modifications, large files, hidden files), cross-references with warden/ledger/signet/sentinel data, builds an event timeline, and calculates an incident severity score (CRITICAL / HIGH / MEDIUM / LOW).
python3 {baseDir}/scripts/triage.py investigate --workspace /path/to/workspace
Build a chronological timeline of all file modifications in the workspace. Groups events by hour, highlights suspicious burst activity (many files modified in a short window), shows which directories and skills were affected, and cross-references with ledger entries if available.
python3 {baseDir}/scripts/triage.py timeline --workspace /path/to/workspace
Look back further than the default 24 hours:
python3 {baseDir}/scripts/triage.py timeline --hours 72 --workspace /path/to/workspace
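An added illustration of the hourly grouping and burst detection the timeline command performs (this is not the triage.py code; the burst threshold of five files per hour and the skills/<name>/ layout are assumptions):

```python
# Hourly timeline with burst flagging; added example, not triage.py.
import os
import time
from collections import defaultdict
from datetime import datetime, timezone

BURST_THRESHOLD = 5  # assumption: 5+ files touched within one hour is a burst


def collect_events(workspace, hours=24):
    """Return (relative_path, mtime) for files modified in the last `hours`."""
    cutoff = time.time() - hours * 3600
    events = []
    for root, _dirs, files in os.walk(workspace):
        for name in files:
            full = os.path.join(root, name)
            try:
                mtime = os.stat(full).st_mtime
            except OSError:
                continue  # file vanished mid-walk: skip it, do not abort
            if mtime >= cutoff:
                events.append((os.path.relpath(full, workspace), mtime))
    return sorted(events, key=lambda e: e[1])

def _parts(path):
    return path.replace(os.sep, "/").split("/")

def _skill_name(path):
    p = _parts(path)  # assumption: skills live under skills/<name>/...
    return p[1] if len(p) > 2 and p[0] == "skills" else None

def build_timeline(events, threshold=BURST_THRESHOLD):
    """Group events into hourly UTC buckets; each bucket lists the
    top-level directories and skills touched and whether it is a burst."""
    buckets = defaultdict(list)
    for path, mtime in events:
        hour = datetime.fromtimestamp(mtime, tz=timezone.utc)
        buckets[hour.strftime("%Y-%m-%d %H:00")].append(path)
    timeline = []
    for hour in sorted(buckets):
        files = buckets[hour]
        timeline.append({
            "hour": hour,
            "count": len(files),
            "dirs": sorted({(_parts(p)[:-1] or ["."])[0] for p in files}),
            "skills": sorted(filter(None, {_skill_name(p) for p in files})),
            "burst": len(files) >= threshold,
        })
    return timeline
```

Feed `collect_events(workspace, hours=72)` into `build_timeline` to reproduce the `--hours 72` look-back; a burst bucket spanning several skills is the "many files in a short window" signal the command highlights.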
Assess the blast radius of a potential compromise. Categorizes all files by risk level (critical, memory, skill, config), checks for credential exposure patterns in recently modified files, scans for outbound exfiltration URLs, and estimates scope as CONTAINED (single area), SPREADING (multiple skills), or SYSTEMIC (workspace-level).
python3 {baseDir}/scripts/triage.py scope --workspace /path/to/workspace
Collect and preserve forensic evidence before remediation. Snapshots the full workspace state (file list with SHA-256 hashes, sizes, timestamps), copies all available security tool data (.integrity/, .ledger/, .signet/, .sentinel/), and generates a summary report. Always run this before any remediation to preserve the forensic trail.
python3 {baseDir}/scripts/triage.py evidence --workspace /path/to/workspace
Save to a custom output directory:
python3 {baseDir}/scripts/triage.py evidence --output /path/to/evidence/dir --workspace /path/to/workspace
One-line summary of triage state: last investigation timestamp, current threat level, and whether evidence has been collected.
python3 {baseDir}/scripts/triage.py status --workspace /path/to/workspace
If --workspace is omitted, the script tries:
- OPENCLAW_WORKSPACE environment variable
- ~/.openclaw/workspace (default)

Triage automatically checks for data from these OpenClaw tools:
| Tool | Data Path | What Triage Checks |
|------|-----------|-------------------|
| Warden | .integrity/manifest.json | Baseline deviations: files modified since last known-good state |
| Ledger | .ledger/chain.jsonl | Chain breaks, unparseable entries, suspicious log entries |
| Signet | .signet/manifest.json | Tampered skill signatures: skills modified after signing |
| Sentinel | .sentinel/threats.json | Known threats and high-severity findings |
| Level | Meaning | Trigger |
|-------|---------|---------|
| CRITICAL | Immediate response required | Any critical finding, or 3+ high findings |
| HIGH | Investigation warranted | High-severity findings from any source |
| MEDIUM | Review recommended | Multiple medium findings or volume threshold |
| LOW | No immediate action | Informational findings only |
Exit codes:
- 0: Clean, no actionable findings
- 1: Findings detected (investigation recommended)
- 2: Critical findings (immediate action needed)

Python standard library only. No pip install. No network calls. Everything runs locally.
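As an added example (not the triage.py implementation) of how the severity table and the exit codes combine once findings from the four tools are cross-referenced; the findings dict shape, the volume threshold of 10 and the LOW-to-exit-0 mapping are assumptions:

```python
# Severity scoring and exit-code mapping per the level table; added
# illustration, not triage.py. VOLUME_THRESHOLD and LOW -> exit 0 are assumptions.
from collections import Counter

VOLUME_THRESHOLD = 10  # assumption: this many findings of any kind reaches MEDIUM
EXIT_CODES = {"LOW": 0, "MEDIUM": 1, "HIGH": 1, "CRITICAL": 2}


def score_incident(findings):
    """findings: dicts with 'source' (warden/ledger/signet/sentinel),
    'severity' (info/medium/high/critical) and 'detail'. Returns the level."""
    counts = Counter(f["severity"] for f in findings)
    if counts["critical"] >= 1 or counts["high"] >= 3:
        return "CRITICAL"          # any critical finding, or 3+ high
    if counts["high"] >= 1:
        return "HIGH"              # high-severity finding from any source
    if counts["medium"] >= 2 or len(findings) >= VOLUME_THRESHOLD:
        return "MEDIUM"            # multiple medium findings, or sheer volume
    return "LOW"                   # informational findings only


def summarize(findings):
    """Per-source breakdown plus the overall level and process exit code."""
    by_source = {}
    for f in findings:
        by_source.setdefault(f["source"], Counter())[f["severity"]] += 1
    level = score_incident(findings)
    return {"level": level, "exit_code": EXIT_CODES[level],
            "by_source": {s: dict(c) for s, c in by_source.items()}}


# Constructed sample: three tools each raise one high finding, none critical,
# which the "3+ high" rule escalates to CRITICAL.
SAMPLE_FINDINGS = [
    {"source": "warden", "severity": "high", "detail": "critical file differs from baseline"},
    {"source": "signet", "severity": "high", "detail": "skill modified after signing"},
    {"source": "sentinel", "severity": "high", "detail": "known-threat match in a skill"},
    {"source": "ledger", "severity": "medium", "detail": "unparseable chain entry"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_FINDINGS), indent=2))
```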
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
Generated Mar 1, 2026
A financial analyst's AI agent workspace shows unexpected file modifications and new skills installed after hours. Using OpenClaw Triage, the security team runs a full investigation to collect evidence, assess blast radius, and determine if sensitive financial data was compromised, guiding immediate containment actions.
A healthcare provider's AI agent used for patient data analysis triggers an anomaly alert. The compliance officer uses the event timeline command to review file modifications over 72 hours, identifying unauthorized access patterns and ensuring HIPAA compliance by documenting the incident for audit trails.
A software development team's AI workspace experiences unexplained configuration changes and potential credential exposure. Developers run the blast radius assessment to categorize risk levels and use evidence collection to preserve forensic data before remediation, minimizing downtime and securing the CI/CD pipeline.
A law firm's AI agent assisting with legal document review shows signs of tampering in skill signatures. The IT security team executes a quick status check and full investigation to cross-reference with Signet data, ensuring the integrity of confidential legal files and maintaining client trust.
A university research lab's AI workspace is flagged for unusual permissions and hidden files after a collaborative project. Researchers use the timeline and scope commands to assess the impact, leveraging cross-referenced data from security tools to contain the threat and protect intellectual property.
MSSPs integrate OpenClaw Triage into their incident response offerings for clients using AI agents. They provide automated triage services, generating unified reports and severity scores to upsell remediation packages, ensuring quick threat containment and compliance support.
Vendors bundle OpenClaw Triage with their AI agent platforms as a premium security add-on. They charge licensing fees for advanced features like cross-tool integration and custom evidence collection, targeting large organizations needing robust forensic capabilities.
Consulting firms offer specialized training and incident response services using OpenClaw Triage. They conduct workshops on triage commands and provide on-demand forensic analysis, generating revenue through project-based contracts and certification programs.
Integration Tip
Set the OPENCLAW_WORKSPACE environment variable for seamless auto-detection, and run evidence collection before any remediation to preserve forensic trails for compliance audits.