ClawHub

Anomaly Watcher

Continuous behavioral monitoring for OpenClaw agents. Detect anomalies in command patterns, resource usage, and skill invocations against established baselines.

Audits

Pending
ClawScanPass

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPending

Multi-engine malware detections and file reputation.

Install

openclaw skills install anomaly-watcher

Anomaly Watcher — Behavioral Baseline Monitor

Purpose

Establish a behavioral baseline for the agent and continuously monitor for deviations that may indicate compromise, misconfiguration, or abuse.

Integration

Always-on monitoring via hooks:

  • PostToolUse — log every tool invocation
  • UserPromptSubmit — log input patterns
  • PostSkillExecution — log skill results

Monitored Metrics

MetricBaseline UnitAlert Threshold
Command exec frequencyper hour>2σ from 7-day avg
File access patternsunique paths/hour>2σ
Network request volumerequests/hour>2σ
Skill invocation frequencyper skill per hour>2σ
Token consumption ratetokens/hour>2σ
Error rateerrors/hour>2σ
Memory write patternswrites/hour>2σ
Cross-session messagesmessages/hour>2σ
New file creation ratefiles/hour>2σ
Unique external domainsdomains/hour>2σ

Anomaly Detection Algorithm

  1. Collect — append each action to .security/baseline/metrics.jsonl
  2. Baseline — rolling 7-day average and standard deviation per metric
  3. Compare — current window (1 hour) vs baseline
  4. Classify:
    • NORMAL — within 1σ
    • ELEVATED — between 1σ and 2σ
    • ANOMALOUS — between 2σ and 3σ
    • CRITICAL — above 3σ or matches known attack signature
  5. Alert — based on classification

Alert Actions

ClassificationAction
NORMALNo action
ELEVATEDLog to anomaly.jsonl
ANOMALOUSLog + notify human via preferred channel
CRITICALLog + notify + recommend pause (human decides)

Known Attack Signatures

  • Sudden spike in file reads across many directories → possible reconnaissance
  • Outbound to new external domain + high data volume → possible exfiltration
  • Rapid skill installs from ClawHub → possible supply chain attack
  • Memory writes with encoded content → possible persistence attempt

Guardrails

  • Monitoring is strictly read-only — never modifies agent behavior
  • Baseline calibration requires minimum 48 hours of data
  • False positives are tracked in .security/false-positives.jsonl
  • Baseline resets require human approval
  • The watcher itself has no network access (local analysis only)