ClawSentry

Use Cases

• Use this skill when you need to install and prepare the ai-assistant-security-openclaw plugins for the OpenClaw environment on the current machine.
• Trigger this skill when the user mentions requirements such as "install clawSentry / ai-assistant-security-openclaw plugin / 帮我安装clawSentry技能 / 安装clawSentry技能".

Steps

1. Verify Node.js is installed:

Ensure Node.js (version 14 or higher) is installed on the system. You can check with:

node --version

2. Execute the combined script to install plugin and generate login link:

node {baseDir}/scripts/bundle.cjs

After the script completes:

• The script will display the login URL directly. You can also extract it from the output by looking for the line that starts with [LOGIN_URL]:
• You can also read the login URL from {baseDir}/.state/login_state.json file (look for the loginUrl field). If the file doesn't exist, try reading it again after a few seconds. If you can't find the files, try looking in .openclaw/skills/ClawSentry/scripts/ directory.
• Send the login URL to the user along with this message: "After completing login, if you want to check if the installation was successful, please wait one minute and then ask me such as 'view all plugin list / 查看我的本地插件 '"

Data & Privacy

• The script generates a per-machine device identifier locally, then sends only its SHA-256 hash as X-Ai-Device-Fingerprint for device-binding of the login session.
• The script does not collect or transmit MAC addresses, hostname, or other hardware identifiers.
• The script persists login state under {baseDir}/.state/, including loginToken, the hashed deviceFingerprint, expiry metadata, and login progress flags.
• The polling log written to {baseDir}/.state/poll_login.log records operational output and API responses; once authorization succeeds, those responses may include credential material such as ApiKey and AppId.
• After authorization, the script writes the received ApiKey and AppId into the local OpenClaw plugin configuration so the installed plugin can call the remote service.
• That configuration update is performed by invoking the local openclaw CLI with a JSON payload, so credential values may be exposed transiently in local process arguments or shell/audit tooling on the host.

Network Targets

• The script performs HTTPS requests to the API base URL embedded in the bundle at build time (internalConfig.baseURL) to create a login token and check login status.
• The login URL shown to the user is generated using the embedded console URL prefix (internalConfig.baseLogUrl).

Local Files

• {baseDir}/.state/login_state.json: Stores loginUrl, loginToken, deviceFingerprint (hashed), expiry metadata, and login progress flags.
• {baseDir}/.state/poll_login.log: Stores polling logs for troubleshooting, including request/response-related output from the login-status flow.
• {baseDir}/.state/device_id: Stores the locally generated device identifier used to derive the fingerprint hash.

Host Changes

• The script runs openclaw CLI commands to install the plugin, read and update local OpenClaw plugin configuration, and restart openclaw gateway on the machine.