{
  "schemaVersion": "1.0",
  "item": {
    "slug": "crusty-security",
    "name": "Crusty Security",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/silentcool/crusty-security",
    "canonicalUrl": "https://clawhub.ai/silentcool/crusty-security",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/crusty-security",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=crusty-security",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "CHANGELOG.md",
      "LICENSE.txt",
      "README.md",
      "SKILL.md",
      "_meta.json",
      "references/remediation.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/crusty-security"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/crusty-security",
    "agentPageUrl": "https://openagent3.xyz/skills/crusty-security/agent",
    "manifestUrl": "https://openagent3.xyz/skills/crusty-security/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/crusty-security/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Overview",
        "body": "Crusty Security protects OpenClaw agents against real threats: malware in downloaded files, compromised skills from ClawHub, data exfiltration, prompt injection payloads, and host-level compromise. It uses ClamAV for file scanning and AI-agent-specific static analysis.\n\nThreat model: The agent itself is the attack surface. Prompt injection can lead to code execution. Malicious skills run with agent privileges. Crusty Security protects both the host AND the agent's integrity."
      },
      {
        "title": "Quick Reference",
        "body": "Task\tCommand\nInstall ClamAV\tbash scripts/install_clamav.sh\nScan a file\tbash scripts/scan_file.sh /path/to/file\nScan a directory\tbash scripts/scan_file.sh -r /path/to/dir\nAudit a skill\tbash scripts/audit_skill.sh /path/to/skill/\nHost security audit\tbash scripts/host_audit.sh\nMonitor agent integrity\tbash scripts/monitor_agent.sh\nGenerate security report\tbash scripts/generate_report.sh\n\nAll scripts output JSON. All scripts support --help. All paths are relative to this skill directory."
      },
      {
        "title": "Setup (First Run)",
        "body": "Run bash setup.sh — that's it. This will:\n\nInstall ClamAV if missing\nConfigure freshclam (macOS Homebrew fix)\nSend initial heartbeat to dashboard (if CRUSTY_API_KEY set)\nRun initial host audit + workspace scan (populates dashboard immediately)\nCheck which scheduled scans need to be created\n\n⚠️ IMPORTANT — After setup.sh, you MUST create the cron jobs below using the OpenClaw cron tool. Setup.sh handles the bash-level installation, but cron jobs require agent-level tools. Do this immediately after first install — don't wait for the user to ask."
      },
      {
        "title": "Required Cron Jobs (create on first install)",
        "body": "Check what's missing: bash scripts/check_crons.sh\n\nUse the OpenClaw cron tool (cron add) to create these. Replace {SKILL_DIR} with the actual path to this skill directory and {WORKSPACE} with the workspace path (usually /data/workspace).\n\nName\tSchedule\tsessionTarget\tPayload\ncrusty-daily-scan\tcron 0 3 * * *\tmain / systemEvent\tRun Crusty Security daily scan: bash {SKILL_DIR}/scripts/scan_file.sh --incremental -r {WORKSPACE} && bash {SKILL_DIR}/scripts/monitor_agent.sh\ncrusty-weekly-full\tcron 0 3 * * 0\tmain / systemEvent\tRun Crusty Security weekly scan: bash {SKILL_DIR}/scripts/scan_file.sh -r {WORKSPACE} && bash {SKILL_DIR}/scripts/host_audit.sh && bash {SKILL_DIR}/scripts/generate_report.sh --output /tmp/crusty_logs/weekly_report.md\ncrusty-monthly-deep\tcron 0 4 1 * *\tmain / systemEvent\tRun Crusty Security monthly deep audit: bash {SKILL_DIR}/scripts/host_audit.sh --deep"
      },
      {
        "title": "Dashboard Cron Jobs (only if CRUSTY_API_KEY is set)",
        "body": "Name\tSchedule\tsessionTarget\tPayload\ncrusty-heartbeat\tevery 300000ms (5 min)\tmain / systemEvent\tCrusty Security heartbeat: Run bash {SKILL_DIR}/scripts/dashboard.sh heartbeat\ncrusty-clawhub-sync\tevery 43200000ms (12h)\tisolated / agentTurn\tRun ClawHub security sync: python3 {SKILL_DIR}/scripts/clawhub_sync.py --push. Report any critical or high severity findings.\n\nCheck cron list first — skip any that already exist (match by name prefix crusty-).\n\nSee references/setup.md for detailed configuration."
      },
      {
        "title": "Dashboard Connection",
        "body": "If your human has configured CRUSTY_API_KEY, the skill sends scan results to the Crusty Security dashboard (crustysecurity.com):\n\nHeartbeats are sent every 5 minutes automatically — keeps the dashboard showing agent status\nScan results are pushed when you add --push to scan commands\nClawHub sync sends skill inventory with python3 scripts/clawhub_sync.py --push\nIf CRUSTY_API_KEY is NOT set, everything works locally — no data is sent anywhere\nThe dashboard never connects TO the agent — data flows one way (agent → dashboard)"
      },
      {
        "title": "File Scanning",
        "body": "Triggers: \"scan this file\", \"is this safe\", \"check this download\", \"virus scan\"\n\nRun bash scripts/scan_file.sh <path> for ClamAV local scan\nReport results:\n\n✅ Clean — \"No threats detected. Scanned with ClamAV, signatures from [date].\"\n⚠️ Suspicious — \"Low-confidence detection by ClamAV. Recommend quarantine for review.\"\n🚨 Malicious — \"Threat detected: [name]. Recommend quarantine. Options: quarantine, delete, or ignore.\"\n\nFor directories:\n\nbash scripts/scan_file.sh -r /data/workspace      # Full recursive scan\nbash scripts/scan_file.sh -r --incremental /data/workspace  # Skip unchanged files\n\nQuarantine workflow:\n\nbash scripts/scan_file.sh --quarantine /path/to/file   # Move to quarantine\n# Quarantine location: $CRUSTY_QUARANTINE (default: /tmp/crusty_quarantine)\n# Manifest: /tmp/crusty_quarantine/manifest.json\n\nImportant notes:\n\nClamAV prefers clamdscan (daemon) when available, falls back to clamscan\nMax file size default: 200M (configurable via CRUSTY_MAX_FILE_SIZE)\nEncrypted archives: flagged as \"unscanned\" — cannot inspect contents\nLarge archives: ClamAV handles zip, rar, 7z, tar, gz natively"
      },
      {
        "title": "Skill Auditing (Supply Chain Security)",
        "body": "Triggers: \"audit this skill\", \"is this skill safe\", \"check skill security\", \"scan skill\"\n\nbash scripts/audit_skill.sh /path/to/skill/directory/\n\nWhat it checks:\n\n🔴 Critical: curl/wget piped to shell, reverse shell patterns, crypto mining indicators\n🟠 High: eval/exec with dynamic input, base64 decode patterns, data exfiltration endpoints (webhook.site, ngrok, etc.), credential harvesting, binary executables, agent config modification\n🟡 Medium: hidden files, system file access, hardcoded IPs, obfuscated code, persistence mechanisms (cron, systemd)\n🔵 Low/Info: large skill size, credential references in docs\n\nOutput: Risk score (low/medium/high/critical) + detailed findings with evidence.\n\nWhen to use:\n\nBefore installing any skill from ClawHub\nWhen reviewing third-party skill contributions\nPeriodically on all installed skills: for d in /data/workspace/skills/*/; do bash scripts/audit_skill.sh \"$d\"; done"
      },
      {
        "title": "Host Security Audit",
        "body": "Triggers: \"audit host\", \"security audit\", \"check host security\"\n\nbash scripts/host_audit.sh or bash scripts/host_audit.sh --deep\n\nChecks:\n\nSuspicious cron jobs (curl piping, base64, reverse shells)\nUnexpected listening ports\nRecently modified system files (deep mode)\nSSH key audit (excessive keys, no-comment keys, root login)\nSensitive file permissions (world-writable /etc/passwd, etc.)\nClamAV signature freshness\nopenclaw security audit (if available)\n\nOutput: Posture score (0-100) + findings. Score deductions: critical (-25), high (-15), medium (-10), low (-5)."
      },
      {
        "title": "Agent Behavior Monitoring",
        "body": "Triggers: \"check agent integrity\", \"monitor agent\", \"is the agent compromised\"\n\nbash scripts/monitor_agent.sh\n\nWhat it checks:\n\nRecent modifications to AGENTS.md, SOUL.md, MEMORY.md, TOOLS.md, USER.md\nMemory file churn (>10 files modified = suspicious)\nUnexpected cron jobs (anything not clawguard/freshclam/standard maintenance)\nSuspicious outbound connections (IRC ports, backdoor ports, Tor)\nFiles created outside workspace (/tmp executables, home directory changes)\nSuspicious processes (xmrig, nc -l, ncat, socat, chisel)\nHigh CPU processes (>80% — potential miners)\nSensitive file exposure (.env files, world-readable SSH keys)\n\nOutput: Status (healthy / warnings_present / compromised_indicators) + findings."
      },
      {
        "title": "Security Report Generation",
        "body": "Triggers: \"security report\", \"threat report\", \"posture report\"\n\nbash scripts/generate_report.sh or bash scripts/generate_report.sh --days 30 --output report.md\n\nCompiles all recent scan results into a markdown security posture report with:\n\nScan summary (total, clean, threats, errors)\nThreat details with file paths and actions taken\nSecurity posture score with emoji indicators\nRecommendations (missing tools, scan schedules)"
      },
      {
        "title": "Automatic Scheduled Scanning",
        "body": "Cron jobs are defined in the Setup (First Run) section above. Create them immediately on first install using the OpenClaw cron tool.\n\nTo verify all crons are configured: bash scripts/check_crons.sh"
      },
      {
        "title": "False Positive Handling",
        "body": "ClamAV has moderate false positive rates. Strategy:\n\nSingle ClamAV detection, known safe source → Likely false positive. Log and skip.\nClamAV detection, unknown source → Quarantine and investigate.\nClamAV detection + skill audit findings → Real threat. Quarantine immediately.\n\nTo handle a false positive:\n\nSubmit to ClamAV: https://www.clamav.net/reports/fp\nDocument in scan logs for future reference"
      },
      {
        "title": "Quarantine Procedures",
        "body": "Location: $CRUSTY_QUARANTINE (default: /tmp/crusty_quarantine)\nManifest: manifest.json in quarantine directory tracks original paths and timestamps.\n\n# View quarantined files\ncat /tmp/crusty_quarantine/manifest.json | python3 -m json.tool\n\n# Restore a false positive\nmv /tmp/crusty_quarantine/<file> /original/path/\n\n# Permanently delete\nrm -rf /tmp/crusty_quarantine/*\n\nNever use clamscan --remove. Always quarantine first, verify, then delete."
      },
      {
        "title": "Offline Mode",
        "body": "Crusty Security works fully offline with reduced capability:\n\n✅ ClamAV scanning (local signatures)\n✅ Skill auditing (static analysis, no network needed)\n✅ Host auditing (local checks)\n✅ Agent monitoring (local checks)\n⚠️ ClamAV signatures may be stale (check freshness in host audit)"
      },
      {
        "title": "Resource-Constrained Environments (Raspberry Pi)",
        "body": "For hosts with <2GB RAM:\n\ninstall_clamav.sh auto-detects low RAM and skips daemon mode\nUse clamscan (on-demand) instead of clamd (daemon)\nUse incremental scanning (--incremental) to reduce scan time\nSkill auditing and agent monitoring have minimal resource requirements\n\nFor hosts with <1GB RAM:\n\nConsider skipping ClamAV entirely\nUse skill auditing + agent monitoring only\nThese tools are shell/Python with negligible memory usage"
      },
      {
        "title": "Environment Variables",
        "body": "Variable\tDefault\tDescription\nCRUSTY_API_KEY\t(none)\tDashboard API key (cg_live_...)\nCRUSTY_DASHBOARD_URL\thttps://crustysecurity.com\tDashboard URL\nCRUSTY_QUARANTINE\t/tmp/crusty_quarantine\tQuarantine directory\nCRUSTY_LOG_DIR\t/tmp/crusty_logs\tScan log directory\nCRUSTY_MAX_FILE_SIZE\t200M\tMax file size to scan\nCRUSTY_WORKSPACE\tauto-detected\tAgent workspace path\n\nBackwards compat: CLAWGUARD_* env vars are still supported but deprecated. Use CRUSTY_* going forward."
      },
      {
        "title": "Incident Response",
        "body": "When a real threat is confirmed, see references/remediation.md for the full checklist. Quick summary:\n\nQuarantine the file immediately\nAssess scope — was it executed? Did it modify other files?\nCheck persistence — cron jobs, SSH keys, shell profiles, systemd services\nCheck exfiltration — outbound connections, DNS queries, API key usage\nRotate credentials if any were potentially exposed\nFull scan — bash scripts/scan_file.sh -r /\nDocument the incident"
      }
    ],
    "body": "Crusty Security — Security & Threat Scanning\nOverview\n\nCrusty Security protects OpenClaw agents against real threats: malware in downloaded files, compromised skills from ClawHub, data exfiltration, prompt injection payloads, and host-level compromise. It uses ClamAV for file scanning and AI-agent-specific static analysis.\n\nThreat model: The agent itself is the attack surface. Prompt injection can lead to code execution. Malicious skills run with agent privileges. Crusty Security protects both the host AND the agent's integrity.\n\nQuick Reference\nTask\tCommand\nInstall ClamAV\tbash scripts/install_clamav.sh\nScan a file\tbash scripts/scan_file.sh /path/to/file\nScan a directory\tbash scripts/scan_file.sh -r /path/to/dir\nAudit a skill\tbash scripts/audit_skill.sh /path/to/skill/\nHost security audit\tbash scripts/host_audit.sh\nMonitor agent integrity\tbash scripts/monitor_agent.sh\nGenerate security report\tbash scripts/generate_report.sh\n\nAll scripts output JSON. All scripts support --help. All paths are relative to this skill directory.\n\nSetup (First Run)\n\nRun bash setup.sh — that's it. This will:\n\nInstall ClamAV if missing\nConfigure freshclam (macOS Homebrew fix)\nSend initial heartbeat to dashboard (if CRUSTY_API_KEY set)\nRun initial host audit + workspace scan (populates dashboard immediately)\nCheck which scheduled scans need to be created\n\n⚠️ IMPORTANT — After setup.sh, you MUST create the cron jobs below using the OpenClaw cron tool. Setup.sh handles the bash-level installation, but cron jobs require agent-level tools. Do this immediately after first install — don't wait for the user to ask.\n\nRequired Cron Jobs (create on first install)\n\nCheck what's missing: bash scripts/check_crons.sh\n\nUse the OpenClaw cron tool (cron add) to create these. Replace {SKILL_DIR} with the actual path to this skill directory and {WORKSPACE} with the workspace path (usually /data/workspace).\n\nName\tSchedule\tsessionTarget\tPayload\ncrusty-daily-scan\tcron 0 3 * * *\tmain / systemEvent\tRun Crusty Security daily scan: bash {SKILL_DIR}/scripts/scan_file.sh --incremental -r {WORKSPACE} && bash {SKILL_DIR}/scripts/monitor_agent.sh\ncrusty-weekly-full\tcron 0 3 * * 0\tmain / systemEvent\tRun Crusty Security weekly scan: bash {SKILL_DIR}/scripts/scan_file.sh -r {WORKSPACE} && bash {SKILL_DIR}/scripts/host_audit.sh && bash {SKILL_DIR}/scripts/generate_report.sh --output /tmp/crusty_logs/weekly_report.md\ncrusty-monthly-deep\tcron 0 4 1 * *\tmain / systemEvent\tRun Crusty Security monthly deep audit: bash {SKILL_DIR}/scripts/host_audit.sh --deep\nDashboard Cron Jobs (only if CRUSTY_API_KEY is set)\nName\tSchedule\tsessionTarget\tPayload\ncrusty-heartbeat\tevery 300000ms (5 min)\tmain / systemEvent\tCrusty Security heartbeat: Run bash {SKILL_DIR}/scripts/dashboard.sh heartbeat\ncrusty-clawhub-sync\tevery 43200000ms (12h)\tisolated / agentTurn\tRun ClawHub security sync: python3 {SKILL_DIR}/scripts/clawhub_sync.py --push. Report any critical or high severity findings.\n\nCheck cron list first — skip any that already exist (match by name prefix crusty-).\n\nSee references/setup.md for detailed configuration.\n\nDashboard Connection\n\nIf your human has configured CRUSTY_API_KEY, the skill sends scan results to the Crusty Security dashboard (crustysecurity.com):\n\nHeartbeats are sent every 5 minutes automatically — keeps the dashboard showing agent status\nScan results are pushed when you add --push to scan commands\nClawHub sync sends skill inventory with python3 scripts/clawhub_sync.py --push\nIf CRUSTY_API_KEY is NOT set, everything works locally — no data is sent anywhere\nThe dashboard never connects TO the agent — data flows one way (agent → dashboard)\nScanning Workflows\nFile Scanning\n\nTriggers: \"scan this file\", \"is this safe\", \"check this download\", \"virus scan\"\n\nRun bash scripts/scan_file.sh <path> for ClamAV local scan\nReport results:\n✅ Clean — \"No threats detected. Scanned with ClamAV, signatures from [date].\"\n⚠️ Suspicious — \"Low-confidence detection by ClamAV. Recommend quarantine for review.\"\n🚨 Malicious — \"Threat detected: [name]. Recommend quarantine. Options: quarantine, delete, or ignore.\"\n\nFor directories:\n\nbash scripts/scan_file.sh -r /data/workspace      # Full recursive scan\nbash scripts/scan_file.sh -r --incremental /data/workspace  # Skip unchanged files\n\n\nQuarantine workflow:\n\nbash scripts/scan_file.sh --quarantine /path/to/file   # Move to quarantine\n# Quarantine location: $CRUSTY_QUARANTINE (default: /tmp/crusty_quarantine)\n# Manifest: /tmp/crusty_quarantine/manifest.json\n\n\nImportant notes:\n\nClamAV prefers clamdscan (daemon) when available, falls back to clamscan\nMax file size default: 200M (configurable via CRUSTY_MAX_FILE_SIZE)\nEncrypted archives: flagged as \"unscanned\" — cannot inspect contents\nLarge archives: ClamAV handles zip, rar, 7z, tar, gz natively\nSkill Auditing (Supply Chain Security)\n\nTriggers: \"audit this skill\", \"is this skill safe\", \"check skill security\", \"scan skill\"\n\nbash scripts/audit_skill.sh /path/to/skill/directory/\n\nWhat it checks:\n\n🔴 Critical: curl/wget piped to shell, reverse shell patterns, crypto mining indicators\n🟠 High: eval/exec with dynamic input, base64 decode patterns, data exfiltration endpoints (webhook.site, ngrok, etc.), credential harvesting, binary executables, agent config modification\n🟡 Medium: hidden files, system file access, hardcoded IPs, obfuscated code, persistence mechanisms (cron, systemd)\n🔵 Low/Info: large skill size, credential references in docs\n\nOutput: Risk score (low/medium/high/critical) + detailed findings with evidence.\n\nWhen to use:\n\nBefore installing any skill from ClawHub\nWhen reviewing third-party skill contributions\nPeriodically on all installed skills: for d in /data/workspace/skills/*/; do bash scripts/audit_skill.sh \"$d\"; done\nHost Security Audit\n\nTriggers: \"audit host\", \"security audit\", \"check host security\"\n\nbash scripts/host_audit.sh or bash scripts/host_audit.sh --deep\n\nChecks:\n\nSuspicious cron jobs (curl piping, base64, reverse shells)\nUnexpected listening ports\nRecently modified system files (deep mode)\nSSH key audit (excessive keys, no-comment keys, root login)\nSensitive file permissions (world-writable /etc/passwd, etc.)\nClamAV signature freshness\nopenclaw security audit (if available)\n\nOutput: Posture score (0-100) + findings. Score deductions: critical (-25), high (-15), medium (-10), low (-5).\n\nAgent Behavior Monitoring\n\nTriggers: \"check agent integrity\", \"monitor agent\", \"is the agent compromised\"\n\nbash scripts/monitor_agent.sh\n\nWhat it checks:\n\nRecent modifications to AGENTS.md, SOUL.md, MEMORY.md, TOOLS.md, USER.md\nMemory file churn (>10 files modified = suspicious)\nUnexpected cron jobs (anything not clawguard/freshclam/standard maintenance)\nSuspicious outbound connections (IRC ports, backdoor ports, Tor)\nFiles created outside workspace (/tmp executables, home directory changes)\nSuspicious processes (xmrig, nc -l, ncat, socat, chisel)\nHigh CPU processes (>80% — potential miners)\nSensitive file exposure (.env files, world-readable SSH keys)\n\nOutput: Status (healthy / warnings_present / compromised_indicators) + findings.\n\nSecurity Report Generation\n\nTriggers: \"security report\", \"threat report\", \"posture report\"\n\nbash scripts/generate_report.sh or bash scripts/generate_report.sh --days 30 --output report.md\n\nCompiles all recent scan results into a markdown security posture report with:\n\nScan summary (total, clean, threats, errors)\nThreat details with file paths and actions taken\nSecurity posture score with emoji indicators\nRecommendations (missing tools, scan schedules)\nAutomatic Scheduled Scanning\n\nCron jobs are defined in the Setup (First Run) section above. Create them immediately on first install using the OpenClaw cron tool.\n\nTo verify all crons are configured: bash scripts/check_crons.sh\n\nFalse Positive Handling\n\nClamAV has moderate false positive rates. Strategy:\n\nSingle ClamAV detection, known safe source → Likely false positive. Log and skip.\nClamAV detection, unknown source → Quarantine and investigate.\nClamAV detection + skill audit findings → Real threat. Quarantine immediately.\n\nTo handle a false positive:\n\nSubmit to ClamAV: https://www.clamav.net/reports/fp\nDocument in scan logs for future reference\nQuarantine Procedures\n\nLocation: $CRUSTY_QUARANTINE (default: /tmp/crusty_quarantine) Manifest: manifest.json in quarantine directory tracks original paths and timestamps.\n\n# View quarantined files\ncat /tmp/crusty_quarantine/manifest.json | python3 -m json.tool\n\n# Restore a false positive\nmv /tmp/crusty_quarantine/<file> /original/path/\n\n# Permanently delete\nrm -rf /tmp/crusty_quarantine/*\n\n\nNever use clamscan --remove. Always quarantine first, verify, then delete.\n\nOffline Mode\n\nCrusty Security works fully offline with reduced capability:\n\n✅ ClamAV scanning (local signatures)\n✅ Skill auditing (static analysis, no network needed)\n✅ Host auditing (local checks)\n✅ Agent monitoring (local checks)\n⚠️ ClamAV signatures may be stale (check freshness in host audit)\nResource-Constrained Environments (Raspberry Pi)\n\nFor hosts with <2GB RAM:\n\ninstall_clamav.sh auto-detects low RAM and skips daemon mode\nUse clamscan (on-demand) instead of clamd (daemon)\nUse incremental scanning (--incremental) to reduce scan time\nSkill auditing and agent monitoring have minimal resource requirements\n\nFor hosts with <1GB RAM:\n\nConsider skipping ClamAV entirely\nUse skill auditing + agent monitoring only\nThese tools are shell/Python with negligible memory usage\nEnvironment Variables\nVariable\tDefault\tDescription\nCRUSTY_API_KEY\t(none)\tDashboard API key (cg_live_...)\nCRUSTY_DASHBOARD_URL\thttps://crustysecurity.com\tDashboard URL\nCRUSTY_QUARANTINE\t/tmp/crusty_quarantine\tQuarantine directory\nCRUSTY_LOG_DIR\t/tmp/crusty_logs\tScan log directory\nCRUSTY_MAX_FILE_SIZE\t200M\tMax file size to scan\nCRUSTY_WORKSPACE\tauto-detected\tAgent workspace path\n\nBackwards compat: CLAWGUARD_* env vars are still supported but deprecated. Use CRUSTY_* going forward.\n\nIncident Response\n\nWhen a real threat is confirmed, see references/remediation.md for the full checklist. Quick summary:\n\nQuarantine the file immediately\nAssess scope — was it executed? Did it modify other files?\nCheck persistence — cron jobs, SSH keys, shell profiles, systemd services\nCheck exfiltration — outbound connections, DNS queries, API key usage\nRotate credentials if any were potentially exposed\nFull scan — bash scripts/scan_file.sh -r /\nDocument the incident"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/silentcool/crusty-security",
    "publisherUrl": "https://clawhub.ai/silentcool/crusty-security",
    "owner": "silentcool",
    "version": "0.1.4",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/crusty-security",
    "downloadUrl": "https://openagent3.xyz/downloads/crusty-security",
    "agentUrl": "https://openagent3.xyz/skills/crusty-security/agent",
    "manifestUrl": "https://openagent3.xyz/skills/crusty-security/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/crusty-security/agent.md"
  }
}