{
  "schemaVersion": "1.0",
  "item": {
    "slug": "openclaw-triage",
    "name": "Openclaw Triage",
    "source": "tencent",
    "type": "skill",
    "category": "效率提升",
    "sourceUrl": "https://clawhub.ai/AtlasPA/openclaw-triage",
    "canonicalUrl": "https://clawhub.ai/AtlasPA/openclaw-triage",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/openclaw-triage",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-triage",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "scripts/triage.py",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
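      "detail": "Yavira can redirect you to the upstream package for this source. Note that the recorded probe URL and Content-Disposition refer to slug=network (network-1.0.0.zip), not openclaw-triage, so confirm the archive you receive is the openclaw-triage package.",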
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/openclaw-triage"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets: README.md, scripts/triage.py, and SKILL.md."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/openclaw-triage",
    "agentPageUrl": "https://openagent3.xyz/skills/openclaw-triage/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-triage/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-triage/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "OpenClaw Triage",
        "body": "Incident response and forensics for agent workspaces. When something goes wrong — a skill behaves unexpectedly, files change without explanation, or another security tool flags an anomaly — triage investigates what happened, assesses the damage, and guides recovery.\n\nThis is the \"detective\" that pulls together evidence from all OpenClaw security tools into a unified incident report."
      },
      {
        "title": "Full Investigation",
        "body": "Run a comprehensive incident investigation. Collects workspace state, checks for signs of compromise (recently modified critical files, new skills, unusual permissions, off-hours modifications, large files, hidden files), cross-references with warden/ledger/signet/sentinel data, builds an event timeline, and calculates an incident severity score (CRITICAL / HIGH / MEDIUM / LOW).\n\npython3 {baseDir}/scripts/triage.py investigate --workspace /path/to/workspace"
      },
      {
        "title": "Event Timeline",
        "body": "Build a chronological timeline of all file modifications in the workspace. Groups events by hour, highlights suspicious burst activity (many files modified in a short window), shows which directories and skills were affected, and cross-references with ledger entries if available.\n\npython3 {baseDir}/scripts/triage.py timeline --workspace /path/to/workspace\n\nLook back further than the default 24 hours:\n\npython3 {baseDir}/scripts/triage.py timeline --hours 72 --workspace /path/to/workspace"
      },
      {
        "title": "Blast Radius (Scope)",
        "body": "Assess the blast radius of a potential compromise. Categorizes all files by risk level (critical, memory, skill, config), checks for credential exposure patterns in recently modified files, scans for outbound exfiltration URLs, and estimates scope as CONTAINED (single area), SPREADING (multiple skills), or SYSTEMIC (workspace-level).\n\npython3 {baseDir}/scripts/triage.py scope --workspace /path/to/workspace"
      },
      {
        "title": "Evidence Collection",
        "body": "Collect and preserve forensic evidence before remediation. Snapshots the full workspace state (file list with SHA-256 hashes, sizes, timestamps), copies all available security tool data (.integrity/, .ledger/, .signet/, .sentinel/), and generates a summary report. Always run this before any remediation to preserve the forensic trail.\n\npython3 {baseDir}/scripts/triage.py evidence --workspace /path/to/workspace\n\nSave to a custom output directory:\n\npython3 {baseDir}/scripts/triage.py evidence --output /path/to/evidence/dir --workspace /path/to/workspace"
      },
      {
        "title": "Quick Status",
        "body": "One-line summary of triage state: last investigation timestamp, current threat level, and whether evidence has been collected.\n\npython3 {baseDir}/scripts/triage.py status --workspace /path/to/workspace"
      },
      {
        "title": "Workspace Auto-Detection",
        "body": "If --workspace is omitted, the script tries:\n\nOPENCLAW_WORKSPACE environment variable\nCurrent directory (if AGENTS.md exists)\n~/.openclaw/workspace (default)"
      },
      {
        "title": "Cross-Reference Sources",
        "body": "Triage automatically checks for data from these OpenClaw tools:\n\nTool\tData Path\tWhat Triage Checks\nWarden\t.integrity/manifest.json\tBaseline deviations — files modified since last known-good state\nLedger\t.ledger/chain.jsonl\tChain breaks, unparseable entries, suspicious log entries\nSignet\t.signet/manifest.json\tTampered skill signatures — skills modified after signing\nSentinel\t.sentinel/threats.json\tKnown threats and high-severity findings"
      },
      {
        "title": "Incident Severity Levels",
        "body": "Level\tMeaning\tTrigger\nCRITICAL\tImmediate response required\tAny critical finding, or 3+ high findings\nHIGH\tInvestigation warranted\tHigh-severity findings from any source\nMEDIUM\tReview recommended\tMultiple medium findings or volume threshold\nLOW\tNo immediate action\tInformational findings only"
      },
      {
        "title": "Exit Codes",
        "body": "0 — Clean, no actionable findings\n1 — Findings detected (investigation recommended)\n2 — Critical findings (immediate action needed)"
      },
      {
        "title": "No External Dependencies",
        "body": "Python standard library only. No pip install. No network calls. Everything runs locally."
      },
      {
        "title": "Cross-Platform",
        "body": "Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification."
      }
    ],
    "body": "OpenClaw Triage\n\nIncident response and forensics for agent workspaces. When something goes wrong — a skill behaves unexpectedly, files change without explanation, or another security tool flags an anomaly — triage investigates what happened, assesses the damage, and guides recovery.\n\nThis is the \"detective\" that pulls together evidence from all OpenClaw security tools into a unified incident report.\n\nCommands\nFull Investigation\n\nRun a comprehensive incident investigation. Collects workspace state, checks for signs of compromise (recently modified critical files, new skills, unusual permissions, off-hours modifications, large files, hidden files), cross-references with warden/ledger/signet/sentinel data, builds an event timeline, and calculates an incident severity score (CRITICAL / HIGH / MEDIUM / LOW).\n\npython3 {baseDir}/scripts/triage.py investigate --workspace /path/to/workspace\n\nEvent Timeline\n\nBuild a chronological timeline of all file modifications in the workspace. Groups events by hour, highlights suspicious burst activity (many files modified in a short window), shows which directories and skills were affected, and cross-references with ledger entries if available.\n\npython3 {baseDir}/scripts/triage.py timeline --workspace /path/to/workspace\n\n\nLook back further than the default 24 hours:\n\npython3 {baseDir}/scripts/triage.py timeline --hours 72 --workspace /path/to/workspace\n\nBlast Radius (Scope)\n\nAssess the blast radius of a potential compromise. Categorizes all files by risk level (critical, memory, skill, config), checks for credential exposure patterns in recently modified files, scans for outbound exfiltration URLs, and estimates scope as CONTAINED (single area), SPREADING (multiple skills), or SYSTEMIC (workspace-level).\n\npython3 {baseDir}/scripts/triage.py scope --workspace /path/to/workspace\n\nEvidence Collection\n\nCollect and preserve forensic evidence before remediation. 
Snapshots the full workspace state (file list with SHA-256 hashes, sizes, timestamps), copies all available security tool data (.integrity/, .ledger/, .signet/, .sentinel/), and generates a summary report. Always run this before any remediation to preserve the forensic trail.\n\npython3 {baseDir}/scripts/triage.py evidence --workspace /path/to/workspace\n\n\nSave to a custom output directory:\n\npython3 {baseDir}/scripts/triage.py evidence --output /path/to/evidence/dir --workspace /path/to/workspace\n\nQuick Status\n\nOne-line summary of triage state: last investigation timestamp, current threat level, and whether evidence has been collected.\n\npython3 {baseDir}/scripts/triage.py status --workspace /path/to/workspace\n\nWorkspace Auto-Detection\n\nIf --workspace is omitted, the script tries:\n\nOPENCLAW_WORKSPACE environment variable\nCurrent directory (if AGENTS.md exists)\n~/.openclaw/workspace (default)\nCross-Reference Sources\n\nTriage automatically checks for data from these OpenClaw tools:\n\nTool\tData Path\tWhat Triage Checks\nWarden\t.integrity/manifest.json\tBaseline deviations — files modified since last known-good state\nLedger\t.ledger/chain.jsonl\tChain breaks, unparseable entries, suspicious log entries\nSignet\t.signet/manifest.json\tTampered skill signatures — skills modified after signing\nSentinel\t.sentinel/threats.json\tKnown threats and high-severity findings\nIncident Severity Levels\nLevel\tMeaning\tTrigger\nCRITICAL\tImmediate response required\tAny critical finding, or 3+ high findings\nHIGH\tInvestigation warranted\tHigh-severity findings from any source\nMEDIUM\tReview recommended\tMultiple medium findings or volume threshold\nLOW\tNo immediate action\tInformational findings only\nExit Codes\n0 — Clean, no actionable findings\n1 — Findings detected (investigation recommended)\n2 — Critical findings (immediate action needed)\nNo External Dependencies\n\nPython standard library only. No pip install. No network calls. 
Everything runs locally.\n\nCross-Platform\n\nWorks with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/AtlasPA/openclaw-triage",
    "publisherUrl": "https://clawhub.ai/AtlasPA/openclaw-triage",
    "owner": "AtlasPA",
    "version": "1.0.2",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/openclaw-triage",
    "downloadUrl": "https://openagent3.xyz/downloads/openclaw-triage",
    "agentUrl": "https://openagent3.xyz/skills/openclaw-triage/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-triage/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-triage/agent.md"
  }
}