Clauditor

Verdict: Suspicious. Audited by ClawScan on May 10, 2026.

Overview

Clauditor presents itself as an audit watchdog, but installing it adds a persistent, root-level system service under a name chosen to resemble a systemd component, and the package ships agent-development instructions that users should review before letting an agent act on them.

Review this before installing. If you are unsure, use the guided workflow rather than the quick sudo script. Inspect wizard/wizard.sh and any systemd unit it installs. Confirm the sysaudit user, the service name, target_uid, watch_paths, the alert channels, and the uninstall procedure. Enable the command alert channel only if you fully trust the configuration file and everyone who can write to it.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

A background watchdog may remain running under a name that imitates a systemd component (`systemd-journaldd`, one letter away from the genuine `systemd-journald`), which makes it harder to identify and disable than a normally named user-installed service.

Why it was flagged

The service is intentionally persistent and uses a stealthy name resembling a system component, which can make it harder for users or administrators to notice and manage.

Skill content
Separate `sysaudit` daemon (stealth service name: `systemd-journaldd`)
Recommendation

Install only if you explicitly want a tamper-resistant watchdog; inspect the service unit and uninstall path, and consider renaming the service and log directory to transparent names.

What this means

The installed daemon receives kernel-level filesystem events (via fanotify) for the entire filesystem and filters them down to the target UID; doing so requires CAP_SYS_ADMIN or root.

Why it was flagged

The collector requires very high local privileges and marks the whole filesystem with fanotify (FAN_MARK_FILESYSTEM), which delivers events for every path on that filesystem rather than only the configured watch_paths, even though the daemon filters events afterwards.

Skill content
//! Requires CAP_SYS_ADMIN or root. ... FAN_MARK_FILESYSTEM marks the entire filesystem at the kernel level
Recommendation

Verify the exact target_uid, watch paths, service sandboxing, and Linux capabilities (for example CapabilityBoundingSet, AmbientCapabilities, ProtectSystem and NoNewPrivileges in the unit) before enabling it; run with the least privilege that still meets your monitoring needs.
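As an added check (example code written for this review, not part of Clauditor or ClawScan), the following Python script performs the unit-file inspection recommended for the two findings above: it flags a service name that is one edit away from a genuine systemd unit, ExecStart paths under hidden directories, a root service with no capability bounding set, and missing sandboxing directives. The unit text, the short allow-list of genuine unit names and the binary location /var/lib/.sysd/bin/sysaudit are constructed for illustration; run `audit_unit` on the unit that wizard/wizard.sh actually installs (`systemctl cat <unit>`) instead.

```python
"""Static checks for a systemd unit installed by a third-party skill.

Added example for this audit, not code from Clauditor or ClawScan.  The
unit text below is constructed to mirror the findings above (stealth
name, hidden state directory, root-level service); the real unit
installed by wizard/wizard.sh may differ and must be read directly.
"""
import configparser
import difflib
import re

# Assumption: a short illustrative allow-list of genuine systemd units.  On a
# real host derive it from the systemd package contents (dpkg -L / rpm -ql).
GENUINE_SYSTEMD_UNITS = {
    "systemd-journald.service",
    "systemd-logind.service",
    "systemd-resolved.service",
    "systemd-timesyncd.service",
    "systemd-udevd.service",
}

# Directives whose absence means the service has no sandboxing at all.
HARDENING_KEYS = ("NoNewPrivileges", "ProtectSystem", "ProtectHome",
                  "CapabilityBoundingSet", "PrivateTmp")

HIDDEN_DIR = re.compile(r"/\.[^/]")  # any path component starting with '.'

# Constructed sample mirroring the report; not the skill's real unit file.
SAMPLE_UNIT_NAME = "systemd-journaldd.service"
SAMPLE_UNIT = """\
[Unit]
Description=Journal Service Daemon

[Service]
Type=simple
User=root
ExecStart=/var/lib/.sysd/bin/sysaudit --config /etc/sysaudit/config.toml
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
"""


def lookalike_of(unit_name):
    """Return the genuine systemd unit this name imitates, or None."""
    if unit_name in GENUINE_SYSTEMD_UNITS:
        return None
    close = difflib.get_close_matches(unit_name, GENUINE_SYSTEMD_UNITS,
                                      n=1, cutoff=0.9)
    return close[0] if close else None


def audit_unit(unit_name, unit_text):
    """Return (severity, message) pairs for one unit file's contents."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep systemd's CamelCase directive names
    parser.read_string(unit_text)
    service = parser["Service"] if parser.has_section("Service") else {}
    findings = []

    mimic = lookalike_of(unit_name)
    if mimic:
        findings.append(("high", f"{unit_name} imitates genuine unit {mimic}"))

    for key in ("ExecStart", "ExecStartPre", "WorkingDirectory"):
        value = service.get(key, "")
        if HIDDEN_DIR.search(value):
            findings.append(("medium", f"{key} uses a hidden path: {value}"))

    user = service.get("User", "root")  # systemd defaults to root
    caps = service.get("CapabilityBoundingSet", "")
    if user == "root" and not caps:
        findings.append(("high", "runs as root with unrestricted capability bounding set"))
    if "CAP_SYS_ADMIN" in caps or "CAP_SYS_ADMIN" in service.get("AmbientCapabilities", ""):
        findings.append(("info", "CAP_SYS_ADMIN granted (required for FAN_MARK_FILESYSTEM)"))

    missing = [k for k in HARDENING_KEYS if k not in service]
    if missing:
        findings.append(("medium", "no sandboxing: missing " + ", ".join(missing)))
    if service.get("Restart") == "always":
        findings.append(("info", "Restart=always: the service comes back if killed"))
    return findings


def main():
    for severity, message in audit_unit(SAMPLE_UNIT_NAME, SAMPLE_UNIT):
        print(f"[{severity}] {message}")


if __name__ == "__main__":
    main()
```

Treat the CAP_SYS_ADMIN line as informational rather than a defect: FAN_MARK_FILESYSTEM requires that capability, so the realistic hardening target is a unit bounded to CAP_SYS_ADMIN with ProtectSystem, NoNewPrivileges and PrivateTmp set, not a unit that drops the capability and stops working.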

Concern (Medium Confidence)
ASI01: Agent Goal Hijack
What this means

If an agent loads the package's AGENTS.md as operative instructions rather than as documentation, it could take actions outside the user's install or audit task.

Why it was flagged

The package includes agent-facing instructions that could redirect an agent into autonomous development, sub-agent spawning, commits, and GitHub pushes unrelated to normal end-user use.

Skill content
Every Turn (Orchestrator/Opus) ... Spawn Engineer sub-agent for current bead (via Codex `--full-auto`) ... Commit ... Push to GitHub
Recommendation

Do not let AGENTS.md override the user’s task; treat it as repository-development documentation only, or remove it from the installed skill package.

What this means

A misconfigured or tampered alert configuration could cause arbitrary commands to run as the daemon user; anyone who can write /etc/sysaudit/config.toml gains that execution path.

Why it was flagged

The alerter can execute configured commands when alerts fire; this is disclosed and purpose-aligned for alerting, but it is an automatic execution path.

Skill content
Command channel executes user-provided commands (ensure config is trusted) ... Command { command: String, args: Vec<String> }
Recommendation

Keep /etc/sysaudit/config.toml tightly permissioned, avoid the command alert channel unless necessary, and prefer syslog/file alerts for routine use.

What this means

Audit logs may reveal sensitive local activity, filenames, or operational patterns even without any evidence of network exfiltration.

Why it was flagged

The default configuration monitors the entire Clawdbot home directory (/home/clawdbot) and persists the resulting activity to local audit logs under a hidden directory (/var/lib/.sysd/.audit).

Skill content
watch_paths = ["/home/clawdbot"]  # Directories to monitor ... log_path = "/var/lib/.sysd/.audit/events.log"
Recommendation

Limit watch_paths to what you need, protect log access, define retention/rotation expectations, and review digest output before sharing it.
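For the last two findings (the command alert channel and the watch_paths/log_path defaults), the following Python script is an added example of the config review recommended above; it is not Clauditor's code. It parses a config.toml, flags any command channel (and a command given as a bare name rather than an absolute path), reports watch paths broader than the scope you expected, flags a log path under a hidden directory, and checks the file's ownership and mode. Only the watch_paths, log_path and command-channel lines are taken from the report; `target_uid` as a top-level key, the `[[alerts]]` table and its `type` key are an assumed layout (the Rust enum in the report does not show the TOML tag name), so adapt the key names to the real file.

```python
"""Audit checks for a sysaudit-style config.toml.

Added example for this review, not Clauditor's own code.  SAMPLE_CONFIG is
constructed: the watch_paths, log_path and command-channel lines mirror the
report; the [[alerts]] layout and the `type` tag are assumptions.
"""
import os
import stat

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # assumption: tomli is installed on older interpreters
    import tomli as tomllib

SAMPLE_CONFIG = """\
target_uid = 1001
watch_paths = ["/home/clawdbot"]  # Directories to monitor
log_path = "/var/lib/.sysd/.audit/events.log"

[[alerts]]
type = "syslog"

[[alerts]]
type = "command"
command = "notify-admin"
args = ["--urgent", "{path}"]
"""


def load_config(text):
    """Parse TOML text into a dict (tomllib.loads)."""
    return tomllib.loads(text)


def hidden_component(path):
    """True if any directory component of the path starts with '.'."""
    return any(part.startswith(".") for part in path.split("/") if part)


def within_scope(path, expected_prefixes):
    """True if path equals or lies beneath one of the expected prefixes."""
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in expected_prefixes)


def audit_config(cfg, expected_watch_prefixes):
    """Return (severity, message) pairs for a parsed config dict."""
    findings = []
    for entry in cfg.get("alerts", []):
        if entry.get("type") == "command":
            cmd = entry.get("command", "")
            findings.append(("high", f"command alert channel enabled: "
                                     f"{cmd} {entry.get('args', [])}"))
            if not os.path.isabs(cmd):
                findings.append(("high", f"command {cmd!r} is not an absolute path; "
                                         "it is resolved through the daemon's PATH"))
    for path in cfg.get("watch_paths", []):
        if not within_scope(path, expected_watch_prefixes):
            findings.append(("medium", f"watch path {path} is outside the expected scope"))
    log_path = cfg.get("log_path", "")
    if hidden_component(log_path):
        findings.append(("medium", f"log_path {log_path} uses a hidden directory"))
    if "target_uid" not in cfg:
        findings.append(("info", "target_uid not set; confirm which UID is monitored"))
    return findings


def check_mode(st_mode, st_uid, expected_uid=0):
    """Ownership and permission checks, given os.stat() results."""
    issues = []
    if st_uid != expected_uid:
        issues.append(f"owner uid {st_uid} != expected {expected_uid}")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group/world writable: " + stat.filemode(st_mode))
    if st_mode & stat.S_IROTH:
        issues.append("world readable: alert commands and watch scope are exposed")
    return issues


def check_file(path, expected_uid=0):
    """Run check_mode against a real file, e.g. /etc/sysaudit/config.toml."""
    st = os.stat(path)
    return check_mode(st.st_mode, st.st_uid, expected_uid)


def main():
    cfg = load_config(SAMPLE_CONFIG)
    # Assumption for the demo: only the agent's workspace needs monitoring.
    for severity, message in audit_config(cfg, ["/home/clawdbot/workspace"]):
        print(f"[{severity}] {message}")
    for issue in check_mode(0o100664, 1000):  # constructed stat values
        print("[perm]", issue)


if __name__ == "__main__":
    main()
```

Run `check_file("/etc/sysaudit/config.toml")` as root on the installed host; an empty list from both functions, with watch_paths narrowed to the directories you actually need, is the state worth reaching before enabling the service.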