ClawSec Suite
This means clawsec-suite can:
- monitor the ClawSec advisory feed,
- track which advisories are new since last check,
- cross-reference advisories against locally installed skills,
- recommend removal for malicious-skill advisories and require explicit user approval first,
- and still act as the setup/management entrypoint for other ClawSec protections.
Included vs Optional Protections
Built into clawsec-suite
- Embedded feed seed file:
advisories/feed.json
- Portable heartbeat workflow in
HEARTBEAT.md
- Advisory polling + state tracking + affected-skill checks
- OpenClaw advisory guardian hook package:
hooks/clawsec-advisory-guardian/
- Setup scripts for hook and optional cron scheduling:
scripts/
- Guarded installer:
scripts/guarded_skill_install.mjs
- Dynamic catalog discovery for installable skills:
scripts/discover_skill_catalog.mjs
Installed separately (dynamic catalog)
clawsec-suite does not hard-code add-on skill names in this document.
Discover the current catalog from the authoritative index (https://clawsec.prompt.security/skills/index.json) at runtime:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs"
Fallback behavior:
- If the remote catalog index is reachable and valid, the suite uses it.
- If the remote index is unavailable or malformed, the script falls back to suite-local catalog metadata in
skill.json.
Installation
Cross-shell path note
- In
bash/zsh, keep path variables expandable (for example, INSTALL_ROOT="$HOME/.openclaw/skills").
- Do not single-quote home-variable paths (avoid
'$HOME/.openclaw/skills').
- In PowerShell, set an explicit path:
$env:INSTALL_ROOT = Join-Path $HOME ".openclaw\\skills"
- If a path is passed with unresolved tokens (like
\$HOME/...), suite scripts now fail fast with a clear error.
Option A: Via clawhub (recommended)
npx clawhub@latest install clawsec-suite
Option B: Manual download with signature + checksum verification
set -euo pipefail
VERSION="${SKILL_VERSION:?Set SKILL_VERSION (e.g. 0.0.8)}"
INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
DEST="$INSTALL_ROOT/clawsec-suite"
BASE="https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v${VERSION}"
TEMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TEMP_DIR"' EXIT
RELEASE_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"
cat > "$TEMP_DIR/release-signing-public.pem" <<'PEM'
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAS7nijfMcUoOBCj4yOXJX+GYGv2pFl2Yaha1P4v5Cm6A=
-----END PUBLIC KEY-----
PEM
ACTUAL_KEY_SHA256="$(openssl pkey -pubin -in "$TEMP_DIR/release-signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_KEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
echo "ERROR: Release public key fingerprint mismatch" >&2
exit 1
fi
ZIP_NAME="clawsec-suite-v${VERSION}.zip"
curl -fsSL "$BASE/$ZIP_NAME" -o "$TEMP_DIR/$ZIP_NAME"
curl -fsSL "$BASE/checksums.json" -o "$TEMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TEMP_DIR/checksums.sig"
openssl base64 -d -A -in "$TEMP_DIR/checksums.sig" -out "$TEMP_DIR/checksums.sig.bin"
if ! openssl pkeyutl -verify \
-pubin \
-inkey "$TEMP_DIR/release-signing-public.pem" \
-sigfile "$TEMP_DIR/checksums.sig.bin" \
-rawin \
-in "$TEMP_DIR/checksums.json" >/dev/null 2>&1; then
echo "ERROR: checksums.json signature verification failed" >&2
exit 1
fi
EXPECTED_ZIP_SHA="$(jq -r '.archive.sha256 // empty' "$TEMP_DIR/checksums.json")"
if [ -z "$EXPECTED_ZIP_SHA" ]; then
echo "ERROR: checksums.json missing archive.sha256" >&2
exit 1
fi
if command -v shasum >/dev/null 2>&1; then
ACTUAL_ZIP_SHA="$(shasum -a 256 "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
else
ACTUAL_ZIP_SHA="$(sha256sum "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
fi
if [ "$EXPECTED_ZIP_SHA" != "$ACTUAL_ZIP_SHA" ]; then
echo "ERROR: Archive checksum mismatch for $ZIP_NAME" >&2
exit 1
fi
echo "Checksums manifest signature and archive hash verified."
mkdir -p "$INSTALL_ROOT"
rm -rf "$DEST"
unzip -q "$TEMP_DIR/$ZIP_NAME" -d "$INSTALL_ROOT"
chmod 600 "$DEST/skill.json"
find "$DEST" -type f ! -name "skill.json" -exec chmod 644 {} \;
echo "Installed clawsec-suite v${VERSION} to: $DEST"
echo "Next step (OpenClaw): node \"\$DEST/scripts/setup_advisory_hook.mjs\""
OpenClaw Automation (Hook + Optional Cron)
After installing the suite, enable the advisory guardian hook:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_hook.mjs"
Optional: create/update a periodic cron nudge (default every 6h) that triggers a main-session advisory scan:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_cron.mjs"
What this adds:
- scan on
agent:bootstrap and /new (command:new),
- compare advisory
affected entries against installed skills,
- consider advisories with
application: "openclaw" (and legacy entries without application for backward compatibility),
- notify when new matches appear,
- and ask for explicit user approval before any removal flow.
Restart the OpenClaw gateway after enabling the hook. Then run /new once to force an immediate scan in the next session context.
Guarded Skill Install Flow (Double Confirmation)
When the user asks to install a skill, treat that as the first request and run a guarded install check:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1
Behavior:
- If no advisory match is found, install proceeds.
- If
--version is omitted, matching is conservative: any advisory that references the skill name is treated as a match.
- If advisory match is found, the script prints advisory context and exits with code
42.
- Then require an explicit second confirmation from the user and rerun with
--confirm-advisory:
node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1 --confirm-advisory
This enforces:
- First confirmation: user asked to install.
- Second confirmation: user explicitly approves install after seeing advisory details.
Embedded Advisory Feed Behavior
The embedded feed logic uses these defaults:
- Remote feed URL:
https://clawsec.prompt.security/advisories/feed.json
- Remote feed signature URL:
${CLAWSEC_FEED_URL}.sig (override with CLAWSEC_FEED_SIG_URL)
- Remote checksums manifest URL: sibling
checksums.json (override with CLAWSEC_FEED_CHECKSUMS_URL)
- Local seed fallback:
~/.openclaw/skills/clawsec-suite/advisories/feed.json
- Local feed signature:
${CLAWSEC_LOCAL_FEED}.sig (override with CLAWSEC_LOCAL_FEED_SIG)
- Local checksums manifest:
~/.openclaw/skills/clawsec-suite/advisories/checksums.json
- Pinned feed signing key:
~/.openclaw/skills/clawsec-suite/advisories/feed-signing-public.pem (override with CLAWSEC_FEED_PUBLIC_KEY)
- State file:
~/.openclaw/clawsec-suite-feed-state.json<
