> clawsec-nanoclaw
Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot
curl "https://skillshub.wtf/prompt-security/clawsec/clawsec-nanoclaw?format=md"ClawSec for NanoClaw
Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.
Overview
ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.
Core principle: Check before you install. Monitor what's running.
When to Use
Use ClawSec tools when:
- Installing a new skill (check safety first)
- User asks "are my skills secure?"
- Investigating suspicious behavior
- Regular security audits
- After receiving security notifications
Do NOT use for:
- Code review (use other tools)
- Performance issues (different concern)
- General debugging
MCP Tools Available
Pre-Installation Check
// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
skillName: 'new-skill',
skillVersion: '1.0.0' // optional
});
if (!safety.safe) {
// Show user the risks before proceeding
console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}
Security Audit
// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
installRoot: '/home/node/.claude/skills' // optional
});
if (result.matches.some((m) =>
m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
// Alert user immediately
console.error('Urgent advisories found!');
}
Browse Advisories
// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
severity: 'high', // optional
exploitabilityScore: 'high' // optional
});
Quick Reference
| Task | Tool | Key Parameter |
|---|---|---|
| Pre-install check | clawsec_check_skill_safety | skillName |
| Audit all skills | clawsec_check_advisories | installRoot (optional) |
| Browse feed | clawsec_list_advisories | severity, type, exploitabilityScore (optional) |
| Verify package signature | clawsec_verify_skill_package | packagePath |
| Refresh advisory cache | clawsec_refresh_cache | (none) |
| Check file integrity | clawsec_check_integrity | mode, autoRestore (optional) |
| Approve file change | clawsec_approve_change | path |
| View baseline status | clawsec_integrity_status | path (optional) |
| Verify audit log | clawsec_verify_audit | (none) |
Common Patterns
Pattern 1: Safe Skill Installation
// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
skillName: userRequestedSkill
});
if (safety.safe) {
// Proceed with installation
await installSkill(userRequestedSkill);
} else {
// Show user the risks and get confirmation
await showSecurityWarning(safety.advisories);
if (await getUserConfirmation()) {
await installSkill(userRequestedSkill);
}
}
Pattern 2: Periodic Security Check
// Add to scheduled tasks
schedule_task({
prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
schedule_type: "cron",
schedule_value: "0 9 * * *" // Daily at 9am
});
Pattern 3: User Security Query
User: "Are my skills secure?"
You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]
Response:
✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to date
Common Mistakes
❌ Installing without checking
// DON'T
await installSkill('untrusted-skill');
// DO
const safety = await tools.clawsec_check_skill_safety({
skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');
❌ Ignoring exploitability context
// DON'T: Use severity only
if (advisory.severity === 'high') {
notifyNow(advisory);
}
// DO: Use exploitability + severity
if (
advisory.exploitability_score === 'high' ||
advisory.severity === 'critical'
) {
notifyNow(advisory);
}
❌ Skipping critical severity
// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();
// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
// Alert immediately
}
Implementation Details
Feed Source: https://clawsec.prompt.security/advisories/feed.json
Update Frequency: Every 6 hours (automatic)
Signature Verification: Ed25519 signed feeds Package Verification Policy: pinned key only, bounded package/signature paths
Cache Location: /workspace/project/data/clawsec-advisory-cache.json
See INSTALL.md for setup and docs/ for advanced usage.
Real-World Impact
- Prevents installation of skills with known RCE vulnerabilities
- Alerts to supply chain attacks in dependencies
- Provides actionable remediation steps
- Zero false positives (curated feed only)
> related_skills --same-repo
> soul-guardian
Drift detection + baseline integrity guard for agent workspace files with automatic alerting support
> prompt-agent
Security audit enforcement for AI agents. Automated security scans and health verification.
> openclaw-audit-watchdog
Automated daily security audits for OpenClaw agents with email reporting. Runs deep audits and sends formatted reports.
> clawtributor
Community incident reporting for AI agents. Contribute to collective security by reporting threats.