Security suite manager with embedded advisory feed monitoring, cryptographic verification, and approval-gated malicious-skill response.
Works with
Monitors ClawSec advisory feed for new security advisories, cross-references them against installed skills, and requires explicit user approval before removing flagged skills
Includes cryptographic signature verification for release archives and advisory feeds using pinned public keys with out-of-band fingerprint validation
Provides guarded skill ins
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionclawsec-suiteExecute the skills CLI command in your project's root directory to begin installation:
Fetches clawsec-suite from prompt-security/clawsec and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate clawsec-suite. Access via /clawsec-suite in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
883
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
883
stars
This means clawsec-suite can:
advisories/feed.jsonHEARTBEAT.mdhooks/clawsec-advisory-guardian/scripts/scripts/guarded_skill_install.mjsscripts/discover_skill_catalog.mjsclawsec-suite does not hard-code add-on skill names in this document.
Discover the current catalog from the authoritative index (https://clawsec.prompt.security/skills/index.json) at runtime:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/discover_skill_catalog.mjs"
Fallback behavior:
skill.json.bash/zsh, keep path variables expandable (for example, INSTALL_ROOT="$HOME/.openclaw/skills").'$HOME/.openclaw/skills').$env:INSTALL_ROOT = Join-Path $HOME ".openclaw\\skills"\$HOME/...), suite scripts now fail fast with a clear error.npx clawhub@latest install clawsec-suite
set -euo pipefail
VERSION="${SKILL_VERSION:?Set SKILL_VERSION (e.g. 0.0.8)}"
INSTALL_ROOT="${INSTALL_ROOT:-$HOME/.openclaw/skills}"
DEST="$INSTALL_ROOT/clawsec-suite"
BASE="https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v${VERSION}"
TEMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TEMP_DIR"' EXIT
# Pinned release-signing public key (verify fingerprint out-of-band on first use)
# Fingerprint (SHA-256 of SPKI DER): 711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8
RELEASE_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"
cat > "$TEMP_DIR/release-signing-public.pem" <<'PEM'
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAS7nijfMcUoOBCj4yOXJX+GYGv2pFl2Yaha1P4v5Cm6A=
-----END PUBLIC KEY-----
PEM
ACTUAL_KEY_SHA256="$(openssl pkey -pubin -in "$TEMP_DIR/release-signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_KEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
echo "ERROR: Release public key fingerprint mismatch" >&2
exit 1
fi
ZIP_NAME="clawsec-suite-v${VERSION}.zip"
# 1) Download release archive + signed checksums manifest + signing public key
curl -fsSL "$BASE/$ZIP_NAME" -o "$TEMP_DIR/$ZIP_NAME"
curl -fsSL "$BASE/checksums.json" -o "$TEMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TEMP_DIR/checksums.sig"
# 2) Verify checksums manifest signature before trusting any hashes
openssl base64 -d -A -in "$TEMP_DIR/checksums.sig" -out "$TEMP_DIR/checksums.sig.bin"
if ! openssl pkeyutl -verify \
-pubin \
-inkey "$TEMP_DIR/release-signing-public.pem" \
-sigfile "$TEMP_DIR/checksums.sig.bin" \
-rawin \
-in "$TEMP_DIR/checksums.json" >/dev/null 2>&1; then
echo "ERROR: checksums.json signature verification failed" >&2
exit 1
fi
EXPECTED_ZIP_SHA="$(jq -r '.archive.sha256 // empty' "$TEMP_DIR/checksums.json")"
if [ -z "$EXPECTED_ZIP_SHA" ]; then
echo "ERROR: checksums.json missing archive.sha256" >&2
exit 1
fi
if command -v shasum >/dev/null 2>&1; then
ACTUAL_ZIP_SHA="$(shasum -a 256 "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
else
ACTUAL_ZIP_SHA="$(sha256sum "$TEMP_DIR/$ZIP_NAME" | awk '{print $1}')"
fi
if [ "$EXPECTED_ZIP_SHA" != "$ACTUAL_ZIP_SHA" ]; then
echo "ERROR: Archive checksum mismatch for $ZIP_NAME" >&2
exit 1
fi
echo "Checksums manifest signature and archive hash verified."
# 3) Install verified archive
mkdir -p "$INSTALL_ROOT"
rm -rf "$DEST"
unzip -q "$TEMP_DIR/$ZIP_NAME" -d "$INSTALL_ROOT"
chmod 600 "$DEST/skill.json"
find "$DEST" -type f ! -name "skill.json" -exec chmod 644 {} \;
echo "Installed clawsec-suite v${VERSION} to: $DEST"
echo "Next step (OpenClaw): node \"\$DEST/scripts/setup_advisory_hook.mjs\""
After installing the suite, enable the advisory guardian hook:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_hook.mjs"
Optional: create/update a periodic cron nudge (default every 6h) that triggers a main-session advisory scan:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/setup_advisory_cron.mjs"
What this adds:
agent:bootstrap and /new (command:new),affected entries against installed skills,application: "openclaw" (and legacy entries without application for backward compatibility),Restart the OpenClaw gateway after enabling the hook. Then run /new once to force an immediate scan in the next session context.
When the user asks to install a skill, treat that as the first request and run a guarded install check:
SUITE_DIR="${INSTALL_ROOT:-$HOME/.openclaw/skills}/clawsec-suite"
node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1
Behavior:
--version is omitted, matching is conservative: any advisory that references the skill name is treated as a match.42.--confirm-advisory:node "$SUITE_DIR/scripts/guarded_skill_install.mjs" --skill helper-plus --version 1.0.1 --confirm-advisory
This enforces:
The embedded feed logic uses these defaults:
https://clawsec.prompt.security/advisories/feed.json${CLAWSEC_FEED_URL}.sig (override with CLAWSEC_FEED_SIG_URL)checksums.json (override with CLAWSEC_FEED_CHECKSUMS_URL)~/.openclaw/skills/clawsec-suite/advisories/feed.json${CLAWSEC_LOCAL_FEED}.sig (override with CLAWSEC_LOCAL_FEED_SIG)~/.openclaw/skills/clawsec-suite/advisories/checksums.json~/.openclaw/skills/clawsec-suite/advisories/feed-signing-public.pem (override with CLAWSEC_FEED_PUBLIC_KEY)~/.openclaw/clawsec-suite-feed-state.json<Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
davila7/claude-code-templates
wshobson/agents
dpearson2699/swift-ios-skills
jeffallan/claude-skills
antonbabenko/terraform-skill
cinience/alicloud-skills
clawsec-suite has been reliable in day-to-day use. Documentation quality is above average for community skills.
Solid pick for teams standardizing on skills: clawsec-suite is focused, and the summary matches what you get after install.
clawsec-suite reduced setup friction for our internal harness; good balance of opinion and flexibility.
We added clawsec-suite from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
We added clawsec-suite from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
I recommend clawsec-suite for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: clawsec-suite is the kind of skill you can hand to a new teammate without a long onboarding doc.
Solid pick for teams standardizing on skills: clawsec-suite is focused, and the summary matches what you get after install.
clawsec-suite fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
clawsec-suite fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
showing 1-10 of 40