Sentinel — Agent Security Layer

Runtime security layer for OpenClaw agents. Intercepts and scans all external input (emails, API responses, web content, chat messages, calendar events) for...

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 56 · 0 current installs · 0 all-time installs

byOleg@Oleglegegg

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name/description (runtime input/output sentinel) matches the provided artifacts: multiple bash scripts that scan stdin, log threats to ~/.sentinel/threats.jsonl, generate/check canaries, and optionally use a premium patterns file. No unexplained environment variables, binaries, or cloud credentials are required.

ℹ

Instruction Scope

SKILL.md and scripts stay within the stated purpose (intercept/scan inputs and monitor outputs). Noteworthy: the guide explicitly instructs adding invisible canary markers into SOUL.md or system prompts and recommends piping all external content through the filters — these are expected for a runtime sentinel but do instruct modifying local agent files (SOUL.md/system prompt), so users should review and back up any files before injecting markers.

✓

Install Mechanism

No install spec; this is instruction-plus-scripts (pure bash). No downloads or remote installers are invoked by the package. The scripts rely on common utilities (grep, sed, base64, optionally jq).

✓

Credentials

The skill asks for no credentials or env vars. The scripts scan for many secret/token formats (OpenAI, AWS, GitHub, crypto keys, etc.), which is coherent with its stated goal. The premium pack path (~/.sentinel/premium_patterns.json) and optional use of jq are documented and proportional.

ℹ

Persistence & Privilege

The scripts create and write logs under ~/.sentinel and can inject canary markers into user-specified files. always:false and autonomous invocation defaults are unchanged. Writing to user files and creating ~/.sentinel is expected for the tool's purpose but is a permanent local change the user should consent to.

Scan Findings in Context

[system-prompt-override] expected: The SKILL.md and patterns intentionally include prompt-injection phrases (system prompt override patterns) because the tool's function is to detect such injections. The pre-scan detector flagged this content but it's appropriate for a sentinel.

Assessment

This skill is a set of local bash filters that scan stdin and stdout for injections and secrets and stores logs under ~/.sentinel. Before installing/using: (1) review and test the scripts on non-sensitive sample data; (2) be aware the canary tool can modify files you point it at (e.g., SOUL.md or other prompts) — back up those files first; (3) the premium rules require jq and an optional premium_patterns.json file (if absent the premium check is a no-op); (4) expect false positives (hex strings or common words may trigger crypto/secret heuristics) — tune thresholds/patterns in ~/.sentinel/config.sh or by editing the patterns; (5) there are no hidden network calls in the provided scripts, but always inspect any third-party premium patterns before placing them in ~/.sentinel. If you need the sentinel to be enforced platform-wide, note that this package does not automatically force inclusion — you must integrate the scripts into your agent pipeline yourself.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.5

Download zip

latestvk9789k13dkqa4558vtka1fcrsd831nz6

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

🛡️ Claw Sentinel — Runtime Security Layer for OpenClaw

Why This Exists

ClawDefender, ClawSec, Skill Defender — all check skills before you install them.

Nobody checks what happens AFTER installation, at runtime.

Your agent reads emails, parses API responses, fetches web pages — any of these can carry hidden prompt injection. Claw Sentinel sits between external data and your agent, scanning everything in real-time.

What makes it different from ClawDefender?

Feature	ClawDefender	Claw Sentinel
Pre-install skill scanning	✅	❌ (use ClawDefender for that)
Automatic input interception	❌	✅
Output monitoring (secret leak)	❌	✅
Multi-language injection detection	❌	✅ (EN/RU/ZH/ES/AR/KO/JA)
Unicode/encoding normalization	❌	✅
Canary token leak detection	❌	✅
Crypto wallet/key specific patterns	❌	✅
Severity scoring	✅	✅

Quick Start

cp skills/claw-sentinel/scripts/*.sh scripts/
cp skills/claw-sentinel/patterns/*.json patterns/
chmod +x scripts/sentinel-*.sh

# Test
echo "sample_input.txt" | scripts/sentinel-input.sh
# 🔴 CRITICAL [prompt_injection + data_exfil]: 2 threats detected

Architecture

External Data ──▶ sentinel-input.sh ──▶ Clean data ──▶ Agent
                        │
                        ▼ (threat found)
                  sentinel-log.sh ──▶ ~/.sentinel/threats.jsonl

Agent output ──▶ sentinel-output.sh ──▶ Safe response ──▶ User

Usage

Input Guard

curl -s "https://api.example.com/data" | scripts/sentinel-input.sh
cat email_body.txt | scripts/sentinel-input.sh --clean    # strip threats, pass safe content
echo "text" | scripts/sentinel-input.sh --json            # JSON output for automation
echo "text" | scripts/sentinel-input.sh --strict          # block on WARNING and above

Output Sentinel

echo "$AGENT_RESPONSE" | scripts/sentinel-output.sh
# Detects: API keys, private keys, seed phrases, JWT tokens, DB connection strings

Canary Token — Detect agent identity leaks

scripts/sentinel-canary.sh --generate
# Add to SOUL.md: <!-- SENTINEL-CANARY:a7f3b2c1 -->

echo "$AGENT_RESPONSE" | scripts/sentinel-canary.sh --check a7f3b2c1
# 🔴 CRITICAL [canary_leak]: Agent identity leak detected!

Full Pipeline Integration

# In AGENTS.md — add these rules:
# All external content MUST be piped through: sentinel-input.sh --clean
# All outgoing responses MUST be checked with: sentinel-output.sh

What Gets Detected

Prompt Injection — 7 languages (EN/RU/ZH/ES/AR/KO/JA)

Replacement attempt patterns (multi-language)
Persona-switch and bypass patterns
Indirect routing attack patterns
Obfuscated: leet speak, spaced letters, unicode confusables

Data Exfiltration

Suspicious endpoints: webhook.site, requestbin, ngrok
Cloud metadata: 169.254.169.254
Encoded URLs, hidden curl/fetch commands

Secret Leakage (output)

API keys: OpenAI, Anthropic, AWS, GCP, Azure, Stripe, Bybit, Binance, OKX
Crypto: private keys, BIP-39 seed phrases (12/24 words)
SSH keys, JWT tokens, database URIs

Encoding-Aware

Base64 decode → scan
URL decode, HTML entity decode
Zero-width chars stripped
Leet speak normalized

Configuration

# ~/.sentinel/config.sh
SENTINEL_THRESHOLD="HIGH"        # CRITICAL | HIGH | WARNING
SENTINEL_LANGUAGES="en,ru,zh,es,ar,ko,ja"
SENTINEL_CRYPTO_PATTERNS=true
SENTINEL_LOG="$HOME/.sentinel/threats.jsonl"

Audit Log

scripts/sentinel-log.sh --last 20
scripts/sentinel-log.sh --severity CRITICAL
scripts/sentinel-log.sh --today

Integration

Works alongside, not instead of:

ClawDefender → pre-install scanning
ClawSec → supply chain integrity
Claw Sentinel → runtime protection

FAQ

Q: Performance impact? A: <50ms per scan. Pure bash + grep, zero dependencies, works offline.

Q: Catches everything? A: No — defense in depth. Catches ~95% of common runtime attacks.

Author & Support

🐙 github.com/Oleglegegg
💬 Telegram: @oleglegegg
🪙 Tip (USDT TRC-20): TMkk6SHacogyEtSepLPzh8qU12iPTsG8Y3

⭐ If Claw Sentinel saved your agent — a star on ClawHub means a lot.

Files

7 total

Select a file

Select a file to preview.

Comments

Loading comments…