ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clauditor

v0.1.2

Tamper-resistant audit watchdog for Clawdbot agents. Detects and logs suspicious filesystem activity with HMAC-chained evidence.

1· 2.3k·0 current·0 all-time
by@apollostreetcompany
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (tamper-resistant audit watchdog) aligns with the code and runtime requirements: building with cargo, installing a systemd service, using fanotify/eBPF for privileged collection, HMAC-chained logs, and a wizard-driven install that requires root. However the project explicitly aims for 'stealth deployment' (service named systemd-journaldd) and includes features that go beyond pure monitoring (optional webhook/Clawdbot gateway alerts, command-execution alert channel), which are coherent with the design but raise operational concerns because they increase the attack surface.
!
Instruction Scope
SKILL.md and AGENTS.md instruct agents/operators to perform privileged installation (create system user, write keys to /etc, install a service, enable/daemon-reload) — expected for a system daemon — but also include a development orchestration workflow (read/update CONTINUITY.md every turn, spawn sub-agents, run cargo test, commit and push after each bead). Those orchestration steps encourage automated commits/pushes and reading/writing project state, which go beyond runtime monitoring and could cause an agent to access or transmit repository data or use Git credentials not declared in requires.env.
Install Mechanism
There is no registry 'install' spec (instruction-only), which is lower risk for hidden downloads. The repo includes wizard scripts (wizard/wizard.sh, wizard/install.sh) that perform privileged operations (useradd, copy to /usr/local/sbin, systemctl enable/start). Review of those scripts is required before running with sudo; they perform system-wide changes and install a binary named to masquerade as a system service.
Credentials
The skill declares no required environment variables or external credentials. It does, however, require root or CAP_SYS_ADMIN for installation and for privileged fanotify collection — this is proportionate to kernel-level monitoring. Note: AGENTS.md describes pushing to GitHub and committing, which would rely on external git credentials not declared by the skill; that is a scope creep risk.
!
Persistence & Privilege
The skill installs a persistent systemd daemon and uses privileged kernel APIs (fanotify with FAN_MARK_FILESYSTEM; mentions eBPF). While expected for a tamper-resistant monitor, the code and docs explicitly aim for stealth (service name mimicking journal) and sentinel behavior to detect tampering. Those choices increase privilege and persistence and could be abused or surprising to operators. The skill does not set always:true, and autonomous invocation remains the platform default.
What to consider before installing
This repo contains a reasonable implementation of a privileged filesystem watchdog, but several things deserve extra scrutiny before you install it or let an agent run it unattended: - Review the install scripts (wizard/wizard.sh, wizard/install.sh) line-by-line before running with sudo. They create a system user, write keys to /etc, install a binary under /usr/local/sbin, and register a systemd service named to resemble systemd internals — this stealth naming is intentional but can be surprising or deceptive. - Understand the privilege requirements: production collection uses fanotify/eBPF and requires CAP_SYS_ADMIN or root. That gives kernel-level visibility and broad ability to observe filesystem activity (and, if misused, to surveil many paths). - The alerter subsystem supports external channels (ClawdbotWake/gateway_url, webhooks, and a 'Command' channel which executes configured commands). Before enabling alerts, confirm no external gateway URL or untrusted command is configured; otherwise sensitive event data could be transmitted or commands executed. - AGENTS.md contains an orchestration/development workflow that tells agents to read/write CONTINUITY.md, run tests, commit, and push to GitHub. That is beyond what the runtime watchdog needs — if you plan to use the skill with an autonomous agent, ensure it cannot push repository content or your runtime artifacts to remote remotes without explicit, audited credentials. - If you decide to use it: build from source locally, inspect/modify config defaults (watch_paths, exec_watchlist, alert channels), run the install in an isolated VM/container first, and restrict file permissions on the key and logs as documented. If you want a higher-confidence assessment change: provide the full wizard scripts and any shortened/truncated code for the alerter send_to_channel implementation (to confirm whether it posts to external endpoints by default), or show the exact contents of wizard/wizard.sh -- these influence whether the skill attempts network exfiltration or other unexpected actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk970mgqhj65ftmtvj005ajynf1803e95

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
Binscargo, systemctl

Comments