{
  "schemaVersion": "1.0",
  "item": {
    "slug": "openclaw-security-monitor",
    "name": "Openclaw Security Monitor",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/adibirzu/openclaw-security-monitor",
    "canonicalUrl": "https://clawhub.ai/adibirzu/openclaw-security-monitor",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "manual_only",
    "downloadUrl": "/downloads/openclaw-security-monitor",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-security-monitor",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md",
      "dashboard/index.html",
      "dashboard/server.js",
      "docs/threat-model.md",
      "install.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Wait for the source to recover or retry later.",
      "Review SKILL.md only after the source returns a real package.",
      "Do not rely on this source for automated install yet."
    ],
    "agentAssist": {
      "summary": "Use the source page and any available docs to guide the install because the item is currently unstable or timing out.",
      "steps": [
        "Open the source page via Review source status.",
        "If you can obtain the package, extract it into a folder your agent can access, and read install.sh and SKILL.md yourself before the agent runs anything from the archive.",
        "Paste one of the prompts below and point your agent at the source page and extracted files."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I tried to install a skill package from Yavira, but the item is currently unstable or timing out. Inspect the source page and any extracted docs, then tell me what you can confirm and any manual steps still required. Then review README.md for any prerequisites, environment setup, or post-install checks."
        },
        {
          "label": "Upgrade existing",
          "body": "I tried to upgrade a skill package from Yavira, but the item is currently unstable or timing out. Compare the source page and any extracted docs with my current installation, then summarize what changed and what manual follow-up I still need. Then review README.md for any prerequisites, environment setup, or post-install checks."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "openclaw-security-monitor",
      "status": "unstable",
      "reason": "timeout",
      "recommendedAction": "retry_later",
      "checkedAt": "2026-04-29T10:55:09.150Z",
      "expiresAt": "2026-04-29T22:55:09.150Z",
      "httpStatus": null,
      "finalUrl": null,
      "contentType": null,
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-security-monitor",
        "error": "Timed out after 5000ms",
        "slug": "openclaw-security-monitor"
      },
      "scope": "item",
      "summary": "Item is unstable.",
      "detail": "This item is timing out or returning errors right now. Review the source page and try again later.",
      "primaryActionLabel": "Review source status",
      "primaryActionHref": "https://clawhub.ai/adibirzu/openclaw-security-monitor"
    },
    "validation": {
      "installChecklist": [
        "Wait for the source to recover or retry later.",
        "Review SKILL.md only after the download returns a real package.",
        "Treat this source as transient until the upstream errors clear."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/openclaw-security-monitor",
    "agentPageUrl": "https://openagent3.xyz/skills/openclaw-security-monitor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-security-monitor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-security-monitor/agent.md"
  },
  "agentAssist": {
    "summary": "Use the source page and any available docs to guide the install because the item is currently unstable or timing out.",
    "steps": [
      "Open the source page via Review source status.",
      "If you can obtain the package, extract it into a folder your agent can access, and read install.sh and SKILL.md yourself before the agent runs anything from the archive.",
      "Paste one of the prompts below and point your agent at the source page and extracted files."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I tried to install a skill package from Yavira, but the item is currently unstable or timing out. Inspect the source page and any extracted docs, then tell me what you can confirm and any manual steps still required. Then review README.md for any prerequisites, environment setup, or post-install checks."
      },
      {
        "label": "Upgrade existing",
        "body": "I tried to upgrade a skill package from Yavira, but the item is currently unstable or timing out. Compare the source page and any extracted docs with my current installation, then summarize what changed and what manual follow-up I still need. Then review README.md for any prerequisites, environment setup, or post-install checks."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Security Monitor",
        "body": "Real-time security monitoring with threat intelligence from ClawHavoc research, daily automated scans, web dashboard, and Telegram alerting for OpenClaw."
      },
      {
        "title": "Commands",
        "body": "Note: Replace <skill-dir> with the actual folder name where this skill is installed (commonly openclaw-security-monitor or security-monitor)."
      },
      {
        "title": "/security-scan",
        "body": "Run a comprehensive 59-point security scan:\n\nKnown C2 IPs (ClawHavoc: 91.92.242.x, 95.92.242.x, 54.91.154.110)\nAMOS stealer / AuthTool markers\nReverse shells & backdoors (bash, python, perl, ruby, php, lua)\nCredential exfiltration endpoints (webhook.site, pipedream, ngrok, etc.)\nCrypto wallet targeting (seed phrases, private keys, exchange APIs)\nCurl-pipe / download attacks\nSensitive file permission audit\nSkill integrity hash verification\nSKILL.md shell injection patterns (Prerequisites-based attacks)\nMemory poisoning detection (SOUL.md, MEMORY.md, IDENTITY.md)\nBase64 obfuscation detection (glot.io-style payloads)\nExternal binary downloads (.exe, .dmg, .pkg, password-protected ZIPs)\nGateway security configuration audit\nWebSocket origin validation (CVE-2026-25253)\nKnown malicious publisher detection (hightower6eu, etc.)\nSensitive environment/credential file leakage\nDM policy audit (open/wildcard channel access)\nTool policy / elevated tools audit\nSandbox configuration check\nmDNS/Bonjour exposure detection\nSession & credential file permissions\nPersistence mechanism scan (LaunchAgents, crontabs, systemd)\nPlugin/extension security audit\nLog redaction settings audit\nReverse proxy localhost trust bypass detection\nExec-approvals configuration audit (CVE-2026-25253 exploit chain)\nDocker container security (root, socket mount, privileged mode)\nNode.js version / CVE-2026-21636 permission model bypass\nPlaintext credential detection in config files\nVS Code extension trojan detection (fake ClawdBot extensions)\nInternet exposure detection (non-loopback gateway binding)\nMCP server security audit (tool poisoning, prompt injection)\nClawJacked WebSocket brute-force protection (v2026.2.25+)\nSSRF protection audit (CVE-2026-26322, CVE-2026-27488)\nExec safeBins validation bypass (CVE-2026-28363, CVSS 9.9)\nACP permission auto-approval audit (GHSA-7jx5)\nPATH hijacking / command hijacking (GHSA-jqpq-mgvm-f9r6)\nSkill env override host 
injection (GHSA-82g8-464f-2mv7)\nmacOS deep link truncation (CVE-2026-26320)\nLog poisoning / WebSocket header injection\nBrowser Relay CDP unauthenticated access (CVE-2026-28458, CVSS 7.5)\nBrowser control API path traversal (CVE-2026-28462, CVSS 7.5)\nExec-approvals shell expansion bypass (CVE-2026-28463)\nApproval field injection / exec gating bypass (CVE-2026-28466)\nSandbox browser bridge auth bypass (CVE-2026-28468)\nWebhook DoS — oversized payloads (CVE-2026-28478)\nTAR archive path traversal (CVE-2026-28453)\nfetchWithGuard memory exhaustion DoS (CVE-2026-29609, CVSS 7.5)\n/agent/act HTTP route unauthenticated access (CVE-2026-28485)\nCommand hijacking via PATH — unsafe resolution (CVE-2026-29610)\nSHA-1 sandbox cache key poisoning (CVE-2026-28479, CVSS 8.7)\nGoogle Chat webhook cross-account bypass (CVE-2026-28469, CVSS 9.8)\nGateway WebSocket device identity skip (CVE-2026-28472)\nCross-Site WebSocket Hijacking in trusted-proxy (CVE-2026-32302)\nDevice pairing credential exposure (GHSA-7h7g-x2px-94hj)\nOperator privilege escalation (GHSA-vmhq-cqm9-6p7q)\nMCP server tool poisoning via schema injection (OWASP MCP03/MCP06)\nSANDWORM_MODE MCP worm detection (Socket, Feb 2026)\nRules file backdoor / hidden Unicode injection (Pillar Security)\n\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/scan.sh\n\nExit codes: 0=SECURE, 1=WARNINGS, 2=COMPROMISED"
      },
      {
        "title": "/security-dashboard",
        "body": "Display a security overview with process trees via witr.\n\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/dashboard.sh"
      },
      {
        "title": "/security-network",
        "body": "Monitor network connections and check against IOC database.\n\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/network-check.sh"
      },
      {
        "title": "/security-remediate",
        "body": "Scan-driven remediation: runs scan.sh, skips CLEAN checks, and executes per-check remediation scripts for each WARNING/CRITICAL finding. Includes 59 individual scripts covering file permissions, exfiltration domain blocking, tool deny lists, gateway hardening, sandbox configuration, credential auditing, ClawJacked protection, SSRF hardening, PATH hijacking cleanup, log poisoning remediation, /agent/act hardening, SHA-1 cache key migration, Google Chat webhook hardening, WebSocket identity enforcement, MCP tool poisoning quarantine, SANDWORM_MODE worm cleanup, and rules file Unicode sanitization.\n\n# Full scan + remediate (interactive)\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh\n\n# Auto-approve all fixes (explicit opt-in)\nOPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1 \\\n  bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --yes\n\n# Dry run (preview)\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --dry-run\n\n# Remediate a single check\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --check 7 --dry-run\n\n# Run all 59 remediation scripts (skip scan)\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --all\n\nFlags:\n\n--yes / -y — Skip confirmation prompts only when OPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1\n--dry-run — Show what would be fixed without making changes\n--check N — Run remediation for check N only (skip scan)\n--all — Run all 59 remediation scripts without scanning first\n\nExit codes: 0=fixes applied, 1=some fixes failed, 2=nothing to fix"
      },
      {
        "title": "/clawhub-scan",
        "body": "Scan all locally installed ClawHub skills for security issues. Checks each skill against:\n\nKnown malicious publishers (ioc/malicious-publishers.txt)\nMalicious skill name patterns (ioc/malicious-skill-patterns.txt)\nSuspicious script patterns: curl/wget pipe-to-shell, base64 decode/eval, reverse shells, credential file access, environment variable exfiltration\nKnown C2 IP references (ioc/c2-ips.txt)\nMalicious domain references (ioc/malicious-domains.txt)\nSKILL.md integrity (shell injection in Prerequisites)\nKnown malicious file hashes (ioc/file-hashes.txt)\n\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/clawhub-scan.sh\n\nExit codes: 0=all clean, 1=warnings found, 2=critical findings"
      },
      {
        "title": "/security-setup-telegram",
        "body": "Register a Telegram chat for daily security alerts.\n\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/telegram-setup.sh [chat_id]"
      },
      {
        "title": "Web Dashboard",
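        "body": "URL: http://<vm-ip>:18800\n\nRead-only dark-themed browser dashboard that displays scan results from log files, IOC stats, the installed skills list, and scan history. It does not execute any shell commands or child processes — all scans and remediation are triggered via CLI scripts. By default the dashboard listens on 127.0.0.1:18800 (localhost only), so the <vm-ip> form of the URL applies only when it has been configured to listen on another interface."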
      },
      {
        "title": "Service Management",
        "body": "launchctl list | grep security-dashboard\nlaunchctl unload ~/Library/LaunchAgents/com.openclaw.security-dashboard.plist\nlaunchctl load ~/Library/LaunchAgents/com.openclaw.security-dashboard.plist"
      },
      {
        "title": "IOC Database",
        "body": "Threat intelligence files in ioc/:\n\nc2-ips.txt - Known command & control IP addresses\nmalicious-domains.txt - Payload hosting and exfiltration domains\nfile-hashes.txt - Known malicious file SHA-256 hashes\nmalicious-publishers.txt - Known malicious ClawHub publishers\nmalicious-skill-patterns.txt - Malicious skill naming patterns"
      },
      {
        "title": "Daily Automated Scan (Optional)",
        "body": "Optional cron job at 06:00 UTC with Telegram alerts. Not auto-installed — requires explicit user action:\n\ncrontab -l | { cat; echo \"0 6 * * * $HOME/.openclaw/workspace/skills/<skill-dir>/scripts/daily-scan-cron.sh\"; } | crontab -"
      },
      {
        "title": "Threat Coverage",
        "body": "Based on research from 40+ security sources including:\n\nClawHavoc: 341 Malicious Skills (Koi Security)\nCVE-2026-25253: 1-Click RCE\nFrom SKILL.md to Shell Access (Snyk)\nVirusTotal: From Automation to Infection\nOpenClaw Official Security Docs\nDefectDojo Hardening Checklist\nVectra: Automation as Backdoor\nCisco: AI Agents Security Nightmare\nBloom Security/JFrog: 37 Malicious Skills\nOpenSourceMalware: Skills Ganked Your Crypto\nSnyk: clawdhub Campaign Deep-Dive\nOWASP Top 10 for Agentic Applications 2026\nCrowdStrike: OpenClaw AI Super Agent\nArgus Security Audit (512 findings)\nToxSec: OpenClaw Security Checklist\nAikido.dev: Fake ClawdBot VS Code Extension\nPrompt Security: Top 10 MCP Risks\nOasis Security: ClawJacked (Feb 26)\nCVE-2026-28363: safeBins Bypass (CVSS 9.9)\nCVE-2026-28479: SHA-1 Cache Poisoning (CVSS 8.7)\nCVE-2026-28485: /agent/act No Auth\nCVE-2026-29610: Command Hijacking via PATH\nFlare: Widespread Exploitation (Feb 25)\nCVE-2026-28469: Google Chat Webhook Cross-Account Bypass (CVSS 9.8)\nCVE-2026-28472: Gateway WebSocket Device Identity Skip\nCVE-2026-32302: Cross-Site WebSocket Hijacking\nGHSA-7h7g: Device Pairing Credential Exposure\nGHSA-vmhq: Operator Privilege Escalation\nSocket: SANDWORM_MODE npm Worm (Feb 20)\nPillar Security: Rules File Backdoor\nOWASP MCP Top 10\nCyberArk: MCP Output Poisoning\nSemgrep: First Malicious MCP Server on npm"
      },
      {
        "title": "Security & Transparency",
        "body": "Source repository: github.com/adibirzu/openclaw-security-monitor — all source code is publicly auditable.\n\nDetection signatures in repository: This project contains threat-signature patterns (IP addresses, domain names, hash values) because it scans skills for risky content. These strings are used for grep/regex matching only and are not executable instructions.\n\nRequired binaries: bash, curl, node (for dashboard), lsof (for network checks). Optional: witr (process trees), docker (container audits), openclaw CLI (config checks).\n\nEnvironment variables: OPENCLAW_TELEGRAM_TOKEN (optional, for daily scan alerts), OPENCLAW_HOME (optional, overrides default ~/.openclaw directory). Both are declared in the frontmatter metadata above.\n\nWhat the scanner reads: scan.sh reads files within ~/.openclaw/ (configs, skills, credentials, logs) to detect threats. It pattern-matches against .env, .ssh, and keychain paths for detection only — it never exfiltrates, transmits, or modifies data. The scanner is read-only.\n\nWhat remediation does: remediate.sh can modify file permissions, block domains in /etc/hosts, adjust OpenClaw gateway config, quarantine MCP configs, and remove malicious skills. Always run --dry-run first to preview changes. Unattended mode (--yes) requires explicit OPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1 — without this env var, --yes is silently ignored.\n\nIOC updates: update-ioc.sh fetches threat intelligence from this project's GitHub repository. In interactive mode it shows pending changes and asks for confirmation before writing. --auto mode (for cron) writes without prompting. Validates incoming IOC file format (field counts). Untrusted upstream repos require explicit OPENCLAW_ALLOW_UNTRUSTED_IOC_SOURCE=1.\n\nNo auto-installed persistence: The installer does NOT create cron jobs, LaunchAgents, symlinks, or background services. 
Cron and LaunchAgent setup are documented as optional manual steps that the user must explicitly run themselves.\n\nDashboard binding: The web dashboard is read-only (no shell commands, no child processes) and defaults to 127.0.0.1:18800 (localhost only). It reads log files and IOC stats only."
      },
      {
        "title": "Installation",
        "body": "# From GitHub\ngit clone https://github.com/adibirzu/openclaw-security-monitor.git \\\n  ~/.openclaw/workspace/skills/<skill-dir>\nchmod +x ~/.openclaw/workspace/skills/<skill-dir>/scripts/*.sh\n\nThe OpenClaw agent auto-discovers skills from ~/.openclaw/workspace/skills/ via SKILL.md frontmatter. After cloning, the /security-scan, /security-remediate, /security-dashboard, /security-network, and /security-setup-telegram commands will be available in the agent."
      }
    ],
    "body": "<!-- {\"requires\":{\"bins\":[\"bash\",\"curl\",\"node\",\"lsof\"],\"optionalBins\":[\"witr\",\"docker\",\"openclaw\"],\"env\":{\"OPENCLAW_TELEGRAM_TOKEN\":\"Optional: Telegram bot token for daily security alerts\",\"OPENCLAW_HOME\":\"Optional: Override default ~/.openclaw directory\"}}} -->\nSecurity Monitor\n\nReal-time security monitoring with threat intelligence from ClawHavoc research, daily automated scans, web dashboard, and Telegram alerting for OpenClaw.\n\nCommands\n\nNote: Replace <skill-dir> with the actual folder name where this skill is installed (commonly openclaw-security-monitor or security-monitor).\n\n/security-scan\n\nRun a comprehensive 59-point security scan:\n\nKnown C2 IPs (ClawHavoc: 91.92.242.x, 95.92.242.x, 54.91.154.110)\nAMOS stealer / AuthTool markers\nReverse shells & backdoors (bash, python, perl, ruby, php, lua)\nCredential exfiltration endpoints (webhook.site, pipedream, ngrok, etc.)\nCrypto wallet targeting (seed phrases, private keys, exchange APIs)\nCurl-pipe / download attacks\nSensitive file permission audit\nSkill integrity hash verification\nSKILL.md shell injection patterns (Prerequisites-based attacks)\nMemory poisoning detection (SOUL.md, MEMORY.md, IDENTITY.md)\nBase64 obfuscation detection (glot.io-style payloads)\nExternal binary downloads (.exe, .dmg, .pkg, password-protected ZIPs)\nGateway security configuration audit\nWebSocket origin validation (CVE-2026-25253)\nKnown malicious publisher detection (hightower6eu, etc.)\nSensitive environment/credential file leakage\nDM policy audit (open/wildcard channel access)\nTool policy / elevated tools audit\nSandbox configuration check\nmDNS/Bonjour exposure detection\nSession & credential file permissions\nPersistence mechanism scan (LaunchAgents, crontabs, systemd)\nPlugin/extension security audit\nLog redaction settings audit\nReverse proxy localhost trust bypass detection\nExec-approvals configuration audit (CVE-2026-25253 exploit chain)\nDocker container 
security (root, socket mount, privileged mode)\nNode.js version / CVE-2026-21636 permission model bypass\nPlaintext credential detection in config files\nVS Code extension trojan detection (fake ClawdBot extensions)\nInternet exposure detection (non-loopback gateway binding)\nMCP server security audit (tool poisoning, prompt injection)\nClawJacked WebSocket brute-force protection (v2026.2.25+)\nSSRF protection audit (CVE-2026-26322, CVE-2026-27488)\nExec safeBins validation bypass (CVE-2026-28363, CVSS 9.9)\nACP permission auto-approval audit (GHSA-7jx5)\nPATH hijacking / command hijacking (GHSA-jqpq-mgvm-f9r6)\nSkill env override host injection (GHSA-82g8-464f-2mv7)\nmacOS deep link truncation (CVE-2026-26320)\nLog poisoning / WebSocket header injection\nBrowser Relay CDP unauthenticated access (CVE-2026-28458, CVSS 7.5)\nBrowser control API path traversal (CVE-2026-28462, CVSS 7.5)\nExec-approvals shell expansion bypass (CVE-2026-28463)\nApproval field injection / exec gating bypass (CVE-2026-28466)\nSandbox browser bridge auth bypass (CVE-2026-28468)\nWebhook DoS — oversized payloads (CVE-2026-28478)\nTAR archive path traversal (CVE-2026-28453)\nfetchWithGuard memory exhaustion DoS (CVE-2026-29609, CVSS 7.5)\n/agent/act HTTP route unauthenticated access (CVE-2026-28485)\nCommand hijacking via PATH — unsafe resolution (CVE-2026-29610)\nSHA-1 sandbox cache key poisoning (CVE-2026-28479, CVSS 8.7)\nGoogle Chat webhook cross-account bypass (CVE-2026-28469, CVSS 9.8)\nGateway WebSocket device identity skip (CVE-2026-28472)\nCross-Site WebSocket Hijacking in trusted-proxy (CVE-2026-32302)\nDevice pairing credential exposure (GHSA-7h7g-x2px-94hj)\nOperator privilege escalation (GHSA-vmhq-cqm9-6p7q)\nMCP server tool poisoning via schema injection (OWASP MCP03/MCP06)\nSANDWORM_MODE MCP worm detection (Socket, Feb 2026)\nRules file backdoor / hidden Unicode injection (Pillar Security)\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/scan.sh\n\n\nExit codes: 
0=SECURE, 1=WARNINGS, 2=COMPROMISED\n\n/security-dashboard\n\nDisplay a security overview with process trees via witr.\n\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/dashboard.sh\n\n/security-network\n\nMonitor network connections and check against IOC database.\n\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/network-check.sh\n\n/security-remediate\n\nScan-driven remediation: runs scan.sh, skips CLEAN checks, and executes per-check remediation scripts for each WARNING/CRITICAL finding. Includes 59 individual scripts covering file permissions, exfiltration domain blocking, tool deny lists, gateway hardening, sandbox configuration, credential auditing, ClawJacked protection, SSRF hardening, PATH hijacking cleanup, log poisoning remediation, /agent/act hardening, SHA-1 cache key migration, Google Chat webhook hardening, WebSocket identity enforcement, MCP tool poisoning quarantine, SANDWORM_MODE worm cleanup, and rules file Unicode sanitization.\n\n# Full scan + remediate (interactive)\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh\n\n# Auto-approve all fixes (explicit opt-in)\nOPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1 \\\n  bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --yes\n\n# Dry run (preview)\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --dry-run\n\n# Remediate a single check\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --check 7 --dry-run\n\n# Run all 59 remediation scripts (skip scan)\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --all\n\n\nFlags:\n\n--yes / -y — Skip confirmation prompts only when OPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1\n--dry-run — Show what would be fixed without making changes\n--check N — Run remediation for check N only (skip scan)\n--all — Run all 59 remediation scripts without scanning first\n\nExit codes: 0=fixes applied, 1=some fixes failed, 2=nothing to fix\n\n/clawhub-scan\n\nScan all locally installed ClawHub 
skills for security issues. Checks each skill against:\n\nKnown malicious publishers (ioc/malicious-publishers.txt)\nMalicious skill name patterns (ioc/malicious-skill-patterns.txt)\nSuspicious script patterns: curl/wget pipe-to-shell, base64 decode/eval, reverse shells, credential file access, environment variable exfiltration\nKnown C2 IP references (ioc/c2-ips.txt)\nMalicious domain references (ioc/malicious-domains.txt)\nSKILL.md integrity (shell injection in Prerequisites)\nKnown malicious file hashes (ioc/file-hashes.txt)\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/clawhub-scan.sh\n\n\nExit codes: 0=all clean, 1=warnings found, 2=critical findings\n\n/security-setup-telegram\n\nRegister a Telegram chat for daily security alerts.\n\nbash ~/.openclaw/workspace/skills/<skill-dir>/scripts/telegram-setup.sh [chat_id]\n\nWeb Dashboard\n\nURL: http://<vm-ip>:18800\n\nRead-only dark-themed browser dashboard that displays scan results from log files, IOC stats, installed skills list, and scan history. Does not execute any shell commands or child processes — all scans and remediation are triggered via CLI scripts.\n\nService Management\nlaunchctl list | grep security-dashboard\nlaunchctl unload ~/Library/LaunchAgents/com.openclaw.security-dashboard.plist\nlaunchctl load ~/Library/LaunchAgents/com.openclaw.security-dashboard.plist\n\nIOC Database\n\nThreat intelligence files in ioc/:\n\nc2-ips.txt - Known command & control IP addresses\nmalicious-domains.txt - Payload hosting and exfiltration domains\nfile-hashes.txt - Known malicious file SHA-256 hashes\nmalicious-publishers.txt - Known malicious ClawHub publishers\nmalicious-skill-patterns.txt - Malicious skill naming patterns\nDaily Automated Scan (Optional)\n\nOptional cron job at 06:00 UTC with Telegram alerts. 
Not auto-installed — requires explicit user action:\n\ncrontab -l | { cat; echo \"0 6 * * * $HOME/.openclaw/workspace/skills/<skill-dir>/scripts/daily-scan-cron.sh\"; } | crontab -\n\nThreat Coverage\n\nBased on research from 40+ security sources including:\n\nClawHavoc: 341 Malicious Skills (Koi Security)\nCVE-2026-25253: 1-Click RCE\nFrom SKILL.md to Shell Access (Snyk)\nVirusTotal: From Automation to Infection\nOpenClaw Official Security Docs\nDefectDojo Hardening Checklist\nVectra: Automation as Backdoor\nCisco: AI Agents Security Nightmare\nBloom Security/JFrog: 37 Malicious Skills\nOpenSourceMalware: Skills Ganked Your Crypto\nSnyk: clawdhub Campaign Deep-Dive\nOWASP Top 10 for Agentic Applications 2026\nCrowdStrike: OpenClaw AI Super Agent\nArgus Security Audit (512 findings)\nToxSec: OpenClaw Security Checklist\nAikido.dev: Fake ClawdBot VS Code Extension\nPrompt Security: Top 10 MCP Risks\nOasis Security: ClawJacked (Feb 26)\nCVE-2026-28363: safeBins Bypass (CVSS 9.9)\nCVE-2026-28479: SHA-1 Cache Poisoning (CVSS 8.7)\nCVE-2026-28485: /agent/act No Auth\nCVE-2026-29610: Command Hijacking via PATH\nFlare: Widespread Exploitation (Feb 25)\nCVE-2026-28469: Google Chat Webhook Cross-Account Bypass (CVSS 9.8)\nCVE-2026-28472: Gateway WebSocket Device Identity Skip\nCVE-2026-32302: Cross-Site WebSocket Hijacking\nGHSA-7h7g: Device Pairing Credential Exposure\nGHSA-vmhq: Operator Privilege Escalation\nSocket: SANDWORM_MODE npm Worm (Feb 20)\nPillar Security: Rules File Backdoor\nOWASP MCP Top 10\nCyberArk: MCP Output Poisoning\nSemgrep: First Malicious MCP Server on npm\nSecurity & Transparency\n\nSource repository: github.com/adibirzu/openclaw-security-monitor — all source code is publicly auditable.\n\nDetection signatures in repository: This project contains threat-signature patterns (IP addresses, domain names, hash values) because it scans skills for risky content. 
These strings are used for grep/regex matching only and are not executable instructions.\n\nRequired binaries: bash, curl, node (for dashboard), lsof (for network checks). Optional: witr (process trees), docker (container audits), openclaw CLI (config checks).\n\nEnvironment variables: OPENCLAW_TELEGRAM_TOKEN (optional, for daily scan alerts), OPENCLAW_HOME (optional, overrides default ~/.openclaw directory). Both are declared in the frontmatter metadata above.\n\nWhat the scanner reads: scan.sh reads files within ~/.openclaw/ (configs, skills, credentials, logs) to detect threats. It pattern-matches against .env, .ssh, and keychain paths for detection only — it never exfiltrates, transmits, or modifies data. The scanner is read-only.\n\nWhat remediation does: remediate.sh can modify file permissions, block domains in /etc/hosts, adjust OpenClaw gateway config, quarantine MCP configs, and remove malicious skills. Always run --dry-run first to preview changes. Unattended mode (--yes) requires explicit OPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1 — without this env var, --yes is silently ignored.\n\nIOC updates: update-ioc.sh fetches threat intelligence from this project's GitHub repository. In interactive mode it shows pending changes and asks for confirmation before writing. --auto mode (for cron) writes without prompting. Validates incoming IOC file format (field counts). Untrusted upstream repos require explicit OPENCLAW_ALLOW_UNTRUSTED_IOC_SOURCE=1.\n\nNo auto-installed persistence: The installer does NOT create cron jobs, LaunchAgents, symlinks, or background services. Cron and LaunchAgent setup are documented as optional manual steps that the user must explicitly run themselves.\n\nDashboard binding: The web dashboard is read-only (no shell commands, no child processes) and defaults to 127.0.0.1:18800 (localhost only). 
It reads log files and IOC stats only.\n\nInstallation\n# From GitHub\ngit clone https://github.com/adibirzu/openclaw-security-monitor.git \\\n  ~/.openclaw/workspace/skills/<skill-dir>\nchmod +x ~/.openclaw/workspace/skills/<skill-dir>/scripts/*.sh\n\n\nThe OpenClaw agent auto-discovers skills from ~/.openclaw/workspace/skills/ via SKILL.md frontmatter. After cloning, the /security-scan, /security-remediate, /security-dashboard, /security-network, and /security-setup-telegram commands will be available in the agent."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/adibirzu/openclaw-security-monitor",
    "publisherUrl": "https://clawhub.ai/adibirzu/openclaw-security-monitor",
    "owner": "adibirzu",
    "version": "4.2.1",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/openclaw-security-monitor",
    "downloadUrl": "https://openagent3.xyz/downloads/openclaw-security-monitor",
    "agentUrl": "https://openagent3.xyz/skills/openclaw-security-monitor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-security-monitor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-security-monitor/agent.md"
  }
}