{ "schemaVersion": "1.0", "item": { "slug": "clawsec-nanoclaw", "name": "clawsec-nanoclaw", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/davida-ps/clawsec-nanoclaw", "canonicalUrl": "https://clawhub.ai/davida-ps/clawsec-nanoclaw", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/clawsec-nanoclaw", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawsec-nanoclaw", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "CHANGELOG.md", "INSTALL.md", "README.md", "SKILL.md", "docs/INTEGRITY.md", "docs/SKILL_SIGNING.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/clawsec-nanoclaw" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/clawsec-nanoclaw", "agentPageUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent", "manifestUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "ClawSec for NanoClaw", "body": "Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies." }, { "title": "Overview", "body": "ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.\n\nCore principle: Check before you install. Monitor what's running." }, { "title": "When to Use", "body": "Use ClawSec tools when:\n\nInstalling a new skill (check safety first)\nUser asks \"are my skills secure?\"\nInvestigating suspicious behavior\nRegular security audits\nAfter receiving security notifications\n\nDo NOT use for:\n\nCode review (use other tools)\nPerformance issues (different concern)\nGeneral debugging" }, { "title": "Pre-Installation Check", "body": "// Before installing any skill\nconst safety = await tools.clawsec_check_skill_safety({\n skillName: 'new-skill',\n skillVersion: '1.0.0' // optional\n});\n\nif (!safety.safe) {\n // Show user the risks before proceeding\n console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);\n}" }, { "title": "Security Audit", "body": "// Check all installed skills (defaults to ~/.claude/skills in the container)\nconst result = await tools.clawsec_check_advisories({\n installRoot: '/home/node/.claude/skills' // optional\n});\n\nif (result.matches.some((m) =>\n m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'\n)) {\n // Alert user immediately\n console.error('Urgent advisories found!');\n}" }, { "title": "Browse Advisories", "body": "// List advisories with filters\nconst advisories = await tools.clawsec_list_advisories({\n severity: 'high', // optional\n exploitabilityScore: 'high' // optional\n});" }, { "title": "Quick Reference", "body": "TaskToolKey ParameterPre-install checkclawsec_check_skill_safetyskillNameAudit all skillsclawsec_check_advisoriesinstallRoot (optional)Browse feedclawsec_list_advisoriesseverity, type, exploitabilityScore (optional)Verify package signatureclawsec_verify_skill_packagepackagePathRefresh advisory cacheclawsec_refresh_cache(none)Check file integrityclawsec_check_integritymode, autoRestore (optional)Approve file changeclawsec_approve_changepathView baseline statusclawsec_integrity_statuspath (optional)Verify audit logclawsec_verify_audit(none)" }, { "title": "Pattern 1: Safe Skill Installation", "body": "// ALWAYS check before installing\nconst safety = await tools.clawsec_check_skill_safety({\n skillName: userRequestedSkill\n});\n\nif (safety.safe) {\n // Proceed with installation\n await installSkill(userRequestedSkill);\n} else {\n // Show user the risks and get confirmation\n await showSecurityWarning(safety.advisories);\n if (await getUserConfirmation()) {\n await installSkill(userRequestedSkill);\n }\n}" }, { "title": "Pattern 2: Periodic Security Check", "body": "// Add to scheduled tasks\nschedule_task({\n prompt: \"Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear\",\n schedule_type: \"cron\",\n schedule_value: \"0 9 * * *\" // Daily at 9am\n});" }, { "title": "Pattern 3: User Security Query", "body": "User: \"Are my skills secure?\"\n\nYou: I'll check installed skills for known vulnerabilities.\n[Use clawsec_check_advisories]\n\nResponse:\n✅ No urgent issues found.\n- 2 low-severity/low-exploitability advisories\n- All skills up to date" }, { "title": "❌ Installing without checking", "body": "// DON'T\nawait installSkill('untrusted-skill');\n\n// DO\nconst safety = await tools.clawsec_check_skill_safety({\n skillName: 'untrusted-skill'\n});\nif (safety.safe) await installSkill('untrusted-skill');" }, { "title": "❌ Ignoring exploitability context", "body": "// DON'T: Use severity only\nif (advisory.severity === 'high') {\n notifyNow(advisory);\n}\n\n// DO: Use exploitability + severity\nif (\n advisory.exploitability_score === 'high' ||\n advisory.severity === 'critical'\n) {\n notifyNow(advisory);\n}" }, { "title": "❌ Skipping critical severity", "body": "// DON'T: Ignore high exploitability in medium severity advisories\nif (advisory.severity === 'critical') alert();\n\n// DO: Prioritize exploitability and severity together\nif (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {\n // Alert immediately\n}" }, { "title": "Implementation Details", "body": "Feed Source: https://clawsec.prompt.security/advisories/feed.json\n\nUpdate Frequency: Every 6 hours (automatic)\n\nSignature Verification: Ed25519 signed feeds\nPackage Verification Policy: pinned key only, bounded package/signature paths\n\nCache Location: /workspace/project/data/clawsec-advisory-cache.json\n\nSee INSTALL.md for setup and docs/ for advanced usage." }, { "title": "Real-World Impact", "body": "Prevents installation of skills with known RCE vulnerabilities\nAlerts to supply chain attacks in dependencies\nProvides actionable remediation steps\nZero false positives (curated feed only)" } ], "body": "ClawSec for NanoClaw\n\nSecurity advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.\n\nOverview\n\nClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.\n\nCore principle: Check before you install. Monitor what's running.\n\nWhen to Use\n\nUse ClawSec tools when:\n\nInstalling a new skill (check safety first)\nUser asks \"are my skills secure?\"\nInvestigating suspicious behavior\nRegular security audits\nAfter receiving security notifications\n\nDo NOT use for:\n\nCode review (use other tools)\nPerformance issues (different concern)\nGeneral debugging\nMCP Tools Available\nPre-Installation Check\n// Before installing any skill\nconst safety = await tools.clawsec_check_skill_safety({\n skillName: 'new-skill',\n skillVersion: '1.0.0' // optional\n});\n\nif (!safety.safe) {\n // Show user the risks before proceeding\n console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);\n}\n\nSecurity Audit\n// Check all installed skills (defaults to ~/.claude/skills in the container)\nconst result = await tools.clawsec_check_advisories({\n installRoot: '/home/node/.claude/skills' // optional\n});\n\nif (result.matches.some((m) =>\n m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'\n)) {\n // Alert user immediately\n console.error('Urgent advisories found!');\n}\n\nBrowse Advisories\n// List advisories with filters\nconst advisories = await tools.clawsec_list_advisories({\n severity: 'high', // optional\n exploitabilityScore: 'high' // optional\n});\n\nQuick Reference\nTask\tTool\tKey Parameter\nPre-install check\tclawsec_check_skill_safety\tskillName\nAudit all skills\tclawsec_check_advisories\tinstallRoot (optional)\nBrowse feed\tclawsec_list_advisories\tseverity, type, exploitabilityScore (optional)\nVerify package signature\tclawsec_verify_skill_package\tpackagePath\nRefresh advisory cache\tclawsec_refresh_cache\t(none)\nCheck file integrity\tclawsec_check_integrity\tmode, autoRestore (optional)\nApprove file change\tclawsec_approve_change\tpath\nView baseline status\tclawsec_integrity_status\tpath (optional)\nVerify audit log\tclawsec_verify_audit\t(none)\nCommon Patterns\nPattern 1: Safe Skill Installation\n// ALWAYS check before installing\nconst safety = await tools.clawsec_check_skill_safety({\n skillName: userRequestedSkill\n});\n\nif (safety.safe) {\n // Proceed with installation\n await installSkill(userRequestedSkill);\n} else {\n // Show user the risks and get confirmation\n await showSecurityWarning(safety.advisories);\n if (await getUserConfirmation()) {\n await installSkill(userRequestedSkill);\n }\n}\n\nPattern 2: Periodic Security Check\n// Add to scheduled tasks\nschedule_task({\n prompt: \"Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear\",\n schedule_type: \"cron\",\n schedule_value: \"0 9 * * *\" // Daily at 9am\n});\n\nPattern 3: User Security Query\nUser: \"Are my skills secure?\"\n\nYou: I'll check installed skills for known vulnerabilities.\n[Use clawsec_check_advisories]\n\nResponse:\n✅ No urgent issues found.\n- 2 low-severity/low-exploitability advisories\n- All skills up to date\n\nCommon Mistakes\n❌ Installing without checking\n// DON'T\nawait installSkill('untrusted-skill');\n\n// DO\nconst safety = await tools.clawsec_check_skill_safety({\n skillName: 'untrusted-skill'\n});\nif (safety.safe) await installSkill('untrusted-skill');\n\n❌ Ignoring exploitability context\n// DON'T: Use severity only\nif (advisory.severity === 'high') {\n notifyNow(advisory);\n}\n\n// DO: Use exploitability + severity\nif (\n advisory.exploitability_score === 'high' ||\n advisory.severity === 'critical'\n) {\n notifyNow(advisory);\n}\n\n❌ Skipping critical severity\n// DON'T: Ignore high exploitability in medium severity advisories\nif (advisory.severity === 'critical') alert();\n\n// DO: Prioritize exploitability and severity together\nif (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {\n // Alert immediately\n}\n\nImplementation Details\n\nFeed Source: https://clawsec.prompt.security/advisories/feed.json\n\nUpdate Frequency: Every 6 hours (automatic)\n\nSignature Verification: Ed25519 signed feeds Package Verification Policy: pinned key only, bounded package/signature paths\n\nCache Location: /workspace/project/data/clawsec-advisory-cache.json\n\nSee INSTALL.md for setup and docs/ for advanced usage.\n\nReal-World Impact\nPrevents installation of skills with known RCE vulnerabilities\nAlerts to supply chain attacks in dependencies\nProvides actionable remediation steps\nZero false positives (curated feed only)" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/davida-ps/clawsec-nanoclaw", "publisherUrl": "https://clawhub.ai/davida-ps/clawsec-nanoclaw", "owner": "davida-ps", "version": "0.0.3", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw", "downloadUrl": "https://openagent3.xyz/downloads/clawsec-nanoclaw", "agentUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent", "manifestUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawsec-nanoclaw/agent.md" } }