{ "schemaVersion": "1.0", "item": { "slug": "clawd-zero-trust", "name": "Clawd Zero Trust", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/stanistolberg/clawd-zero-trust", "canonicalUrl": "https://clawhub.ai/stanistolberg/clawd-zero-trust", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/clawd-zero-trust", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawd-zero-trust", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "CHANGELOG.md", "README.md", "SKILL.md", "config/custom-providers.json", "config/providers.txt", "hardening.json" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/clawd-zero-trust" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/clawd-zero-trust", "agentPageUrl": "https://openagent3.xyz/skills/clawd-zero-trust/agent", "manifestUrl": "https://openagent3.xyz/skills/clawd-zero-trust/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawd-zero-trust/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "clawd-zero-trust (v1.3.1)", "body": "Zero Trust hardening framework for OpenClaw. Built by Blocksoft.\n\n⚠️ BREAKING (v1.3.0→v1.3.1): First apply after upgrade requires --force or run bash scripts/release-gate.sh --reset-hash to reset trusted baseline. Unattended/cron apply workflows must be updated." }, { "title": "Dependencies", "body": "The following binaries are required. Install with apt on Debian/Ubuntu:\n\nBinaryPackageRequired ForufwufwAll mutating operations (--apply, --canary, --reset, --refresh)curlcurlEndpoint verification (--verify, --verify-all)opensslopensslSMTP/IMAP verification in --verify-allncnetcat-openbsdTCP/UDP port checks in --verify-alldigdnsutilsDNS resolution for provider IPspython3python3JSON parsing, log aggregation, state management\n\nRead-only modes (--verify, --audit-log, --status) do not require root. Mutating modes (--apply, --canary, --reset, --refresh) require root privileges." }, { "title": "Core Principles", "body": "NHI (Non-Human Identity): Sub-agents run as isolated sessions with scoped credentials. Never share 'main' identity for high-risk ops.\nPLP (Principle of Least Privilege): Restrict default model toolset. Use tools.byProvider to limit small/untrusted models to coding profile.\nPlan-First: Declare intent (what + why + expected outcome) before any write, exec, or network call.\nEgress Control: Whitelist outbound traffic to authorized AI providers only. Preserve Tailscale + Telegram API.\nAssumption of Breach: Design as if the attacker is already in. Verify every plugin, model, and extension." }, { "title": "Canonical Egress Script Path", "body": "Single source of truth:\n\n/home/claw/.openclaw/workspace/skills/clawd-zero-trust/scripts/egress-filter.sh\n\nCompatibility symlink:\n\n/home/claw/.openclaw/workspace/scripts/egress_filter.sh -> .../skills/clawd-zero-trust/scripts/egress-filter.sh" }, { "title": "1) Audit", "body": "bash scripts/audit.sh" }, { "title": "2) Harden", "body": "# Preview (default)\nbash scripts/harden.sh\n\n# Apply\nbash scripts/harden.sh --apply" }, { "title": "3) Egress Policy (dry-run default)", "body": "# Dry-run preview (default)\nbash scripts/egress-filter.sh --dry-run\n\n# Transactional apply: auto-rollback if Telegram/GitHub/Anthropic/OpenAI checks fail\nbash scripts/egress-filter.sh --apply\n\n# Canary mode: temporary apply + 120s periodic verification, then commit/rollback\nbash scripts/egress-filter.sh --canary\n\n# Verify critical endpoints only (Telegram, GitHub, Anthropic, OpenAI)\nbash scripts/egress-filter.sh --verify\n\n# Emergency rollback\nbash scripts/egress-filter.sh --reset" }, { "title": "4) Egress Profile Status (v1.3.0)", "body": "# Print current egress profile status (read-only, no root required)\nbash scripts/egress-filter.sh --status\n\nDisplays: profile version, last applied timestamp, last result, provider count from providers.txt, and current UFW state. Read-only. No root required for core status output. UFW active state is best-effort — may show 'unknown' if sudo is unavailable on your system." }, { "title": "5) Egress Violation Audit Log (v1.3.0)", "body": "# View blocked outbound traffic from the last 24 hours\nbash scripts/egress-filter.sh --audit-log\n\nParses /var/log/ufw.log and journalctl -k for [UFW BLOCK] entries with outbound markers (OUT=, DPT=). Aggregates by destination IP + port and prints a summary table with counts, first-seen, and last-seen timestamps. During --apply, a UFW LOG rule (ZT:egress-violation) is automatically inserted to capture future violations." }, { "title": "6) IP Snapshot Auto-Refresh (v1.3.0)", "body": "# Re-resolve DNS and apply only changed IPs (delta) to UFW\nbash scripts/egress-filter.sh --refresh\n\nRe-resolves all domains in config/providers.txt, diffs against the last-applied IP snapshot (.state/applied-ips.json), and applies only the delta rules. Transactional: backs up UFW rules before applying, verifies critical endpoints after, and rolls back on failure. The IP snapshot is saved automatically after every --apply and --canary." }, { "title": "7) Per-Provider Verification (v1.3.0)", "body": "# Protocol-aware verification of ALL providers in providers.txt\nbash scripts/egress-filter.sh --verify-all\n\nDetects the appropriate protocol from port number and runs the matching check:\n\n443 → HTTPS curl (status code check)\n587/465/25 → SMTP openssl s_client (STARTTLS/TLS)\n993/143 → IMAP openssl s_client (TLS/STARTTLS)\n41641 → UDP nc -zu (Tailscale WireGuard)\n22 → TCP nc -z (SSH)\nother → TCP nc -z (generic fallback)\n\nEach check runs with a hard timeout 5s wrapper (enforced at OS level, not just socket timeout). Automatically called after --apply and --canary. Available standalone for on-demand verification. Requires: curl, openssl, nc (netcat-openbsd)." }, { "title": "8) Plugin Integrity Hashing (v1.3.0)", "body": "# Snapshot current plugin hashes\nbash scripts/plugin-integrity.sh --snapshot\n\n# Verify plugin integrity against stored hashes\nbash scripts/plugin-integrity.sh --verify\n\n# Check plugins against hardening.json allowlist\nbash scripts/plugin-integrity.sh --drift\n\n# Combine checks\nbash scripts/plugin-integrity.sh --verify --drift\n\nMonitors plugin file integrity via SHA-256 hashing of each plugin's JS entry point (dist/index.js → index.js → *.js fallback). Detects unauthorized modifications, new/removed plugins, and drift from the hardening.json allowlist." }, { "title": "9) Dynamic Whitelisting (MAX USER-FRIENDLY API)", "body": "To open a new port or add a service securely (e.g. for custom email, video extraction, new AI agents), DO NOT edit the bash script or hardcoded arrays. Always use the dynamic configuration helper command:\n\nbash scripts/whitelist.sh \n\n(Example: bash whitelist.sh youtu.be 443). This automatically injects the domain cleanly into the config/providers.txt engine, triggers a transactional configuration flush, and instantly applies the changes to UFW." }, { "title": "10) Release Gate (v1.3.0)", "body": "bash scripts/release-gate.sh\n\nGate checks (must all pass):\n\nquick_validate.py on skill structure\nshellcheck on all shell scripts (fails with install hint if missing)\npackage_skill.py packaging to skills/dist/clawd-zero-trust.skill\n--verify endpoint checks" }, { "title": "Versioned Firewall Profile State", "body": "State files (in .state/):\n\nFilePurposeegress-profile.jsonScript hash, version, last apply resultapplied-ips.jsonPer-domain IP snapshot for --refresh deltaplugin-hashes.jsonSHA-256 hashes for plugin integrity verification\n\nOn apply/canary, hash mismatch is refused unless --force is provided. The whitelist.sh helper intrinsically handles hash mismatches seamlessly." }, { "title": "References", "body": "references/zero-trust-principles.md — Detailed ZT framework for AI agents\nreferences/false-positives.md — Verified safe patterns that trigger audit warnings" }, { "title": "HARD REQUIREMENT: Self-Update Prevention", "body": "NEVER run openclaw update, openclaw upgrade, npm install -g openclaw, or npm update -g openclaw without explicit Founder approval.\n\nThese commands are blocked in denyCommands. On 2026-02-24, a self-update during an audit caused a 10,450+ crash-loop by deprecating a plugin. System stability > latest version. Always:\n\nPresent update details + changelog to Founder first\nBackup config: cp openclaw.json openclaw.json.pre-update\nOnly update after explicit approval\nRun openclaw doctor --fix + openclaw status after" }, { "title": "MANDATORY: Update Proposal Format", "body": "When you detect that an OpenClaw update is available (via update-scout-daily or any other means), you MUST ALWAYS propose it in exactly this format — no exceptions:\n\n📦 OpenClaw update available: vOLD → vNEW\n\nTo apply safely, SSH in and run:\n\nopenclaw update\n/home/claw/.openclaw/workspace/scripts/post-update-repair.sh\n\nThe repair script restores all symlinks, cleans config, restarts the gateway, and runs a 6-point smoke test automatically. No other steps needed.\n\nNEVER say \"I will run the update for you\" or attempt to run it yourself. The update MUST be executed by the Founder via SSH." } ], "body": "clawd-zero-trust (v1.3.1)\n\nZero Trust hardening framework for OpenClaw. Built by Blocksoft.\n\n⚠️ BREAKING (v1.3.0→v1.3.1): First apply after upgrade requires --force or run bash scripts/release-gate.sh --reset-hash to reset trusted baseline. Unattended/cron apply workflows must be updated.\n\nDependencies\n\nThe following binaries are required. Install with apt on Debian/Ubuntu:\n\nBinary\tPackage\tRequired For\nufw\tufw\tAll mutating operations (--apply, --canary, --reset, --refresh)\ncurl\tcurl\tEndpoint verification (--verify, --verify-all)\nopenssl\topenssl\tSMTP/IMAP verification in --verify-all\nnc\tnetcat-openbsd\tTCP/UDP port checks in --verify-all\ndig\tdnsutils\tDNS resolution for provider IPs\npython3\tpython3\tJSON parsing, log aggregation, state management\n\nRead-only modes (--verify, --audit-log, --status) do not require root. Mutating modes (--apply, --canary, --reset, --refresh) require root privileges.\n\nCore Principles\nNHI (Non-Human Identity): Sub-agents run as isolated sessions with scoped credentials. Never share 'main' identity for high-risk ops.\nPLP (Principle of Least Privilege): Restrict default model toolset. Use tools.byProvider to limit small/untrusted models to coding profile.\nPlan-First: Declare intent (what + why + expected outcome) before any write, exec, or network call.\nEgress Control: Whitelist outbound traffic to authorized AI providers only. Preserve Tailscale + Telegram API.\nAssumption of Breach: Design as if the attacker is already in. Verify every plugin, model, and extension.\nCanonical Egress Script Path\n\nSingle source of truth:\n\n/home/claw/.openclaw/workspace/skills/clawd-zero-trust/scripts/egress-filter.sh\n\nCompatibility symlink:\n\n/home/claw/.openclaw/workspace/scripts/egress_filter.sh -> .../skills/clawd-zero-trust/scripts/egress-filter.sh\n\nWorkflow: Audit → Harden → Egress → Verify\n1) Audit\nbash scripts/audit.sh\n\n2) Harden\n# Preview (default)\nbash scripts/harden.sh\n\n# Apply\nbash scripts/harden.sh --apply\n\n3) Egress Policy (dry-run default)\n# Dry-run preview (default)\nbash scripts/egress-filter.sh --dry-run\n\n# Transactional apply: auto-rollback if Telegram/GitHub/Anthropic/OpenAI checks fail\nbash scripts/egress-filter.sh --apply\n\n# Canary mode: temporary apply + 120s periodic verification, then commit/rollback\nbash scripts/egress-filter.sh --canary\n\n# Verify critical endpoints only (Telegram, GitHub, Anthropic, OpenAI)\nbash scripts/egress-filter.sh --verify\n\n# Emergency rollback\nbash scripts/egress-filter.sh --reset\n\n4) Egress Profile Status (v1.3.0)\n# Print current egress profile status (read-only, no root required)\nbash scripts/egress-filter.sh --status\n\n\nDisplays: profile version, last applied timestamp, last result, provider count from providers.txt, and current UFW state. Read-only. No root required for core status output. UFW active state is best-effort — may show 'unknown' if sudo is unavailable on your system.\n\n5) Egress Violation Audit Log (v1.3.0)\n# View blocked outbound traffic from the last 24 hours\nbash scripts/egress-filter.sh --audit-log\n\n\nParses /var/log/ufw.log and journalctl -k for [UFW BLOCK] entries with outbound markers (OUT=, DPT=). Aggregates by destination IP + port and prints a summary table with counts, first-seen, and last-seen timestamps. During --apply, a UFW LOG rule (ZT:egress-violation) is automatically inserted to capture future violations.\n\n6) IP Snapshot Auto-Refresh (v1.3.0)\n# Re-resolve DNS and apply only changed IPs (delta) to UFW\nbash scripts/egress-filter.sh --refresh\n\n\nRe-resolves all domains in config/providers.txt, diffs against the last-applied IP snapshot (.state/applied-ips.json), and applies only the delta rules. Transactional: backs up UFW rules before applying, verifies critical endpoints after, and rolls back on failure. The IP snapshot is saved automatically after every --apply and --canary.\n\n7) Per-Provider Verification (v1.3.0)\n# Protocol-aware verification of ALL providers in providers.txt\nbash scripts/egress-filter.sh --verify-all\n\n\nDetects the appropriate protocol from port number and runs the matching check:\n\n443 → HTTPS curl (status code check)\n587/465/25 → SMTP openssl s_client (STARTTLS/TLS)\n993/143 → IMAP openssl s_client (TLS/STARTTLS)\n41641 → UDP nc -zu (Tailscale WireGuard)\n22 → TCP nc -z (SSH)\nother → TCP nc -z (generic fallback)\n\nEach check runs with a hard timeout 5s wrapper (enforced at OS level, not just socket timeout). Automatically called after --apply and --canary. Available standalone for on-demand verification. Requires: curl, openssl, nc (netcat-openbsd).\n\n8) Plugin Integrity Hashing (v1.3.0)\n# Snapshot current plugin hashes\nbash scripts/plugin-integrity.sh --snapshot\n\n# Verify plugin integrity against stored hashes\nbash scripts/plugin-integrity.sh --verify\n\n# Check plugins against hardening.json allowlist\nbash scripts/plugin-integrity.sh --drift\n\n# Combine checks\nbash scripts/plugin-integrity.sh --verify --drift\n\n\nMonitors plugin file integrity via SHA-256 hashing of each plugin's JS entry point (dist/index.js → index.js → *.js fallback). Detects unauthorized modifications, new/removed plugins, and drift from the hardening.json allowlist.\n\n9) Dynamic Whitelisting (MAX USER-FRIENDLY API)\n\nTo open a new port or add a service securely (e.g. for custom email, video extraction, new AI agents), DO NOT edit the bash script or hardcoded arrays. Always use the dynamic configuration helper command:\n\nbash scripts/whitelist.sh \n\n\n(Example: bash whitelist.sh youtu.be 443). This automatically injects the domain cleanly into the config/providers.txt engine, triggers a transactional configuration flush, and instantly applies the changes to UFW.\n\n10) Release Gate (v1.3.0)\nbash scripts/release-gate.sh\n\n\nGate checks (must all pass):\n\nquick_validate.py on skill structure\nshellcheck on all shell scripts (fails with install hint if missing)\npackage_skill.py packaging to skills/dist/clawd-zero-trust.skill\n--verify endpoint checks\nVersioned Firewall Profile State\n\nState files (in .state/):\n\nFile\tPurpose\negress-profile.json\tScript hash, version, last apply result\napplied-ips.json\tPer-domain IP snapshot for --refresh delta\nplugin-hashes.json\tSHA-256 hashes for plugin integrity verification\n\nOn apply/canary, hash mismatch is refused unless --force is provided. The whitelist.sh helper intrinsically handles hash mismatches seamlessly.\n\nReferences\nreferences/zero-trust-principles.md — Detailed ZT framework for AI agents\nreferences/false-positives.md — Verified safe patterns that trigger audit warnings\nHARD REQUIREMENT: Self-Update Prevention\n\nNEVER run openclaw update, openclaw upgrade, npm install -g openclaw, or npm update -g openclaw without explicit Founder approval.\n\nThese commands are blocked in denyCommands. On 2026-02-24, a self-update during an audit caused a 10,450+ crash-loop by deprecating a plugin. System stability > latest version. Always:\n\nPresent update details + changelog to Founder first\nBackup config: cp openclaw.json openclaw.json.pre-update\nOnly update after explicit approval\nRun openclaw doctor --fix + openclaw status after\nMANDATORY: Update Proposal Format\n\nWhen you detect that an OpenClaw update is available (via update-scout-daily or any other means), you MUST ALWAYS propose it in exactly this format — no exceptions:\n\n📦 OpenClaw update available: vOLD → vNEW\n\nTo apply safely, SSH in and run:\n\nopenclaw update\n/home/claw/.openclaw/workspace/scripts/post-update-repair.sh\n\n\nThe repair script restores all symlinks, cleans config, restarts the gateway, and runs a 6-point smoke test automatically. No other steps needed.\n\nNEVER say \"I will run the update for you\" or attempt to run it yourself. The update MUST be executed by the Founder via SSH." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/stanistolberg/clawd-zero-trust", "publisherUrl": "https://clawhub.ai/stanistolberg/clawd-zero-trust", "owner": "stanistolberg", "version": "1.3.2", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/clawd-zero-trust", "downloadUrl": "https://openagent3.xyz/downloads/clawd-zero-trust", "agentUrl": "https://openagent3.xyz/skills/clawd-zero-trust/agent", "manifestUrl": "https://openagent3.xyz/skills/clawd-zero-trust/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawd-zero-trust/agent.md" } }