clawsec-nanoclaw

Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "clawsec-nanoclaw" with this command: npx skills add davida-ps/clawsec-nanoclaw

ClawSec for NanoClaw

Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.

Overview

ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.

Core principle: Check before you install. Monitor what's running.

When to Use

Use ClawSec tools when:

  • Installing a new skill (check safety first)
  • User asks "are my skills secure?"
  • Investigating suspicious behavior
  • Regular security audits
  • After receiving security notifications

Do NOT use for:

  • Code review (use other tools)
  • Performance issues (different concern)
  • General debugging

MCP Tools Available

Pre-Installation Check

// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  skillVersion: '1.0.0'  // optional
});

if (!safety.safe) {
  // Show user the risks before proceeding
  console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}

Security Audit

// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
  installRoot: '/home/node/.claude/skills'  // optional
});

if (result.matches.some((m) =>
  m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
  // Alert user immediately
  console.error('Urgent advisories found!');
}

Browse Advisories

// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
  severity: 'high',               // optional
  exploitabilityScore: 'high'     // optional
});

Quick Reference

| Task | Tool | Key Parameter |
| --- | --- | --- |
| Pre-install check | clawsec_check_skill_safety | skillName |
| Audit all skills | clawsec_check_advisories | installRoot (optional) |
| Browse feed | clawsec_list_advisories | severity, type, exploitabilityScore (optional) |
| Verify package signature | clawsec_verify_skill_package | packagePath |
| Refresh advisory cache | clawsec_refresh_cache | (none) |
| Check file integrity | clawsec_check_integrity | mode, autoRestore (optional) |
| Approve file change | clawsec_approve_change | path |
| View baseline status | clawsec_integrity_status | path (optional) |
| Verify audit log | clawsec_verify_audit | (none) |

Common Patterns

Pattern 1: Safe Skill Installation

// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
  skillName: userRequestedSkill
});

if (safety.safe) {
  // Proceed with installation
  await installSkill(userRequestedSkill);
} else {
  // Show user the risks and get confirmation
  await showSecurityWarning(safety.advisories);
  if (await getUserConfirmation()) {
    await installSkill(userRequestedSkill);
  }
}

Pattern 2: Periodic Security Check

// Add to scheduled tasks
schedule_task({
  prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
  schedule_type: "cron",
  schedule_value: "0 9 * * *"  // Daily at 9am
});

Pattern 3: User Security Query

User: "Are my skills secure?"

You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]

Response:
✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to date

Common Mistakes

❌ Installing without checking

// DON'T
await installSkill('untrusted-skill');
// DO
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');

❌ Ignoring exploitability context

// DON'T: Use severity only
if (advisory.severity === 'high') {
  notifyNow(advisory);
}
// DO: Use exploitability + severity
if (
  advisory.exploitability_score === 'high' ||
  advisory.severity === 'critical'
) {
  notifyNow(advisory);
}

❌ Alerting only on critical severity

// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();
// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
  // Alert immediately
}
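
The triage rule from the mistakes above, run over a constructed set of matches to show which urgent advisories each single-field filter lets through. This is an added example, not code from ClawSec; the `skill` field, the advisory IDs and the case-normalization step are assumptions.

```javascript
// Constructed sample shaped like result.matches from clawsec_check_advisories.
// Assumptions: the `skill` field and every value below are illustrative only.
const sampleMatches = [
  { skill: 'skill-a', advisory: { id: 'EXAMPLE-0001', severity: 'critical', exploitability_score: 'low' } },
  { skill: 'skill-b', advisory: { id: 'EXAMPLE-0002', severity: 'medium', exploitability_score: 'high' } },
  { skill: 'skill-c', advisory: { id: 'EXAMPLE-0003', severity: 'high', exploitability_score: 'low' } },
  { skill: 'skill-d', advisory: { id: 'EXAMPLE-0004', severity: 'low' } },            // score absent
  { skill: 'skill-e', advisory: { id: 'EXAMPLE-0005', severity: 'High', exploitability_score: 'HIGH' } },
  { skill: 'skill-f' },                                                                // no advisory object
];

// Defensive normalization (an assumption, not documented feed behaviour).
const norm = (v) => (typeof v === 'string' ? v.trim().toLowerCase() : 'unknown');

// Rule from the page: urgent when exploitability is high OR severity is critical.
function isUrgent(advisory) {
  return norm(advisory.exploitability_score) === 'high' ||
         norm(advisory.severity) === 'critical';
}

const hasAdvisory = (m) => Boolean(m && m.advisory && typeof m.advisory === 'object');

// Split matches into buckets; malformed entries are surfaced, not dropped.
function triage(matches) {
  const out = { urgent: [], routine: [], malformed: 0 };
  for (const m of matches) {
    if (!hasAdvisory(m)) out.malformed += 1;
    else (isUrgent(m.advisory) ? out.urgent : out.routine).push(m.advisory.id);
  }
  return out;
}

// IDs that the combined rule marks urgent but a single-field filter misses.
function missedBy(matches, naiveFilter) {
  return matches
    .filter((m) => hasAdvisory(m) && isUrgent(m.advisory) && !naiveFilter(m.advisory))
    .map((m) => m.advisory.id);
}

// The two "DON'T" filters from the page, with their exact comparisons.
const severityOnly = (a) => a.severity === 'high';
const criticalOnly = (a) => a.severity === 'critical';

console.log(triage(sampleMatches));
console.log('severity-only misses:', missedBy(sampleMatches, severityOnly));
console.log('critical-only misses:', missedBy(sampleMatches, criticalOnly));
```
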

Implementation Details

Feed Source: https://clawsec.prompt.security/advisories/feed.json

Update Frequency: Every 6 hours (automatic)

Signature Verification: Ed25519 signed feeds

Package Verification Policy: pinned key only, bounded package/signature paths

Cache Location: /workspace/project/data/clawsec-advisory-cache.json

See INSTALL.md for setup and docs/ for advanced usage.

Real-World Impact

  • Prevents installation of skills with known RCE vulnerabilities
  • Alerts to supply chain attacks in dependencies
  • Provides actionable remediation steps
  • Zero false positives (curated feed only)

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
