OpenClaw Warden Pro

Full workspace security suite: detect unauthorized modifications, scan for prompt injection patterns, and automatically respond with countermeasures — snapshot restore, skill quarantine, git rollback, and automated protection sweeps. The complete post-installation security layer for agent workspaces.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (workspace integrity + automated countermeasures) align with the provided script and commands (baseline, verify, protect, restore, quarantine, rollback). The declared runtime requirement is only python3, which fits the shipped Python script. Minor discrepancy: the SKILL.md and README advertise a 'git rollback' feature but the registry metadata does not declare 'git' as a required binary; the script likely invokes git or expects a git repo, so git should be present but is not listed.
Instruction Scope
SKILL.md explicitly instructs the agent to run local commands that scan the workspace and perform automated countermeasures (restore snapshots, rename skill directories to quarantine, run git rollbacks). These actions are within the declared purpose but are destructive/potentially disruptive if run without review. The SKILL.md also recommends adding an automatic SessionStart hook to run 'protect' at startup — this elevates the chance of automatic file modification. The pre-scan injection pattern ('ignore previous instructions') appears in the doc because the tool enumerates prompt-injection patterns to detect; this is expected for a security scanner.
Install Mechanism
No install spec — instruction-only + included Python script. Nothing is downloaded or executed from external URLs during installation. This is the lower-risk install model. The script writes snapshots into a .integrity directory within the workspace when baseline is taken (expected behavior).
Credentials
The skill requests no credentials or environment variables in the registry metadata. It uses OPENCLAW_WORKSPACE (documented) and the current working directory as workspace discovery mechanisms — both are reasonable for its function. No external API keys or unrelated secrets are requested.
Persistence & Privilege
always:false (good). The skill is user-invocable and allows autonomous invocation (default platform behavior). The SKILL.md recommends adding a SessionStart hook to run 'protect' automatically; enabling this gives the skill the ability to autonomously modify workspace files each session (restore, quarantine, rollback). This is coherent with the advertised 'Pro' behavior but is a high-privilege, potentially destructive operational mode that a user should opt into deliberately.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md and README deliberately enumerate prompt-injection patterns (including 'ignore previous instructions'). The pre-scan detector flagged this string, but its presence is consistent with the skill's purpose of detecting such patterns.
Assessment
This skill appears to do what it says: it scans the workspace and can automatically restore files, rename skill directories to quarantine them, and run git rollbacks. Before installing or enabling automatic hooks, do the following:

1) Review the full integrity.py script locally to confirm there are no unexpected network calls or hidden behavior (the provided code appears local only).
2) Ensure you have backups of your workspace (and your git history) — 'protect' may restore or roll back files automatically.
3) Install and verify git is available if you plan to use rollback; the registry entry doesn't list git as a required binary but the feature expects a git repo.
4) Test the tool in a disposable test workspace to observe how snapshots are stored (it uses .integrity/snapshots) and how quarantine renames skill directories (prefix .quarantined-).
5) Be cautious about adding the SessionStart hook or heartbeat automation until you trust the baseline/snapshot state — automatic runs can be disruptive.

If you want minimal risk, run the detection commands manually rather than wiring 'protect' to automatic startup.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1
latest: vk973psw59hp4g1nks4y2hanz7180kvr7

Runtime requirements

🛡️ Clawdis
OS: macOS · Linux · Windows
Bins: python3

SKILL.md

OpenClaw Warden Pro

Everything in openclaw-warden (free) plus automated countermeasures.

Free version detects threats. Pro version responds to them.

Detection Commands (also in free)

python3 {baseDir}/scripts/integrity.py baseline --workspace /path/to/workspace
python3 {baseDir}/scripts/integrity.py verify --workspace /path/to/workspace
python3 {baseDir}/scripts/integrity.py scan --workspace /path/to/workspace
python3 {baseDir}/scripts/integrity.py full --workspace /path/to/workspace
python3 {baseDir}/scripts/integrity.py status --workspace /path/to/workspace
python3 {baseDir}/scripts/integrity.py accept SOUL.md --workspace /path/to/workspace

Pro Countermeasures

Restore from Snapshot

Restore a tampered file to its baseline snapshot. Critical, config, and skill files are automatically snapshotted when the baseline is established.

python3 {baseDir}/scripts/integrity.py restore SOUL.md --workspace /path/to/workspace

Git Rollback

Restore a file to its last git-committed state.

python3 {baseDir}/scripts/integrity.py rollback SOUL.md --workspace /path/to/workspace

Quarantine a Skill

Disable a suspicious skill by renaming its directory. The agent will not load quarantined skills.

python3 {baseDir}/scripts/integrity.py quarantine bad-skill --workspace /path/to/workspace

Unquarantine a Skill

Restore a quarantined skill after investigation.

python3 {baseDir}/scripts/integrity.py unquarantine bad-skill --workspace /path/to/workspace

Protect (Automated Response)

Full scan + automatic countermeasures in one pass: restore tampered critical files, quarantine malicious skills, flag remaining issues. This is the recommended command for session startup.

python3 {baseDir}/scripts/integrity.py protect --workspace /path/to/workspace

Recommended Integration

Session Startup Hook (Claude Code)

{
  "hooks": {
    "SessionStart": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "python3 scripts/integrity.py protect",
            "timeout": 30
          }
        ]
      }
    ]
  }
}

Heartbeat (OpenClaw)

Add to HEARTBEAT.md for periodic protection:

- Run workspace integrity protection (python3 {skill:openclaw-warden-pro}/scripts/integrity.py protect)

After Installing New Skills

Run protect to auto-quarantine skills that modified workspace files.

What Gets Monitored

| Category | Files | Alert Level |
| --- | --- | --- |
| Critical | SOUL.md, AGENTS.md, IDENTITY.md, USER.md, TOOLS.md, HEARTBEAT.md | WARNING |
| Memory | memory/*.md, MEMORY.md | INFO |
| Config | *.json in workspace root | WARNING |
| Skills | skills/*/SKILL.md | WARNING |
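
The monitoring categories above, worked through as a baseline/verify pass. This is an added sketch, not the project's integrity.py: the SHA-256 manifest, the function names and the finding tuple layout are assumptions made for illustration.

```python
import fnmatch
import hashlib
from pathlib import Path

# (category, alert level, patterns) copied from the "What Gets Monitored" table.
RULES = [
    ("critical", "WARNING", ["SOUL.md", "AGENTS.md", "IDENTITY.md",
                             "USER.md", "TOOLS.md", "HEARTBEAT.md"]),
    ("memory", "INFO", ["memory/*.md", "MEMORY.md"]),
    ("config", "WARNING", ["*.json"]),            # workspace root only
    ("skills", "WARNING", ["skills/*/SKILL.md"]),
]

def classify(rel):
    """Return (category, level) for a workspace-relative POSIX path, or None."""
    for category, level, patterns in RULES:
        for pat in patterns:
            # fnmatch lets '*' cross '/', so also require the same path depth.
            if rel.count("/") == pat.count("/") and fnmatch.fnmatchcase(rel, pat):
                return category, level
    return None

def baseline(workspace):
    """Hash every monitored file; returns {relative path: sha256 hex digest}."""
    root = Path(workspace)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        # Symlinks are skipped so a link cannot stand in for a monitored file.
        if path.is_file() and not path.is_symlink() and classify(rel):
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def verify(workspace, manifest):
    """Diff the workspace against a baseline manifest.

    Returns (level, category, status, path) tuples in path order, where
    status is 'added', 'removed' or 'modified'.
    """
    current = baseline(workspace)
    findings = []
    for rel in sorted(set(manifest) | set(current)):
        if manifest.get(rel) == current.get(rel):
            continue
        status = ("added" if rel not in manifest
                  else "removed" if rel not in current else "modified")
        category, level = classify(rel) or ("unknown", "WARNING")
        findings.append((level, category, status, rel))
    return findings
```

A manifest produced this way only has value if it is stored where the processes being monitored cannot rewrite it; otherwise a tampering skill can update the baseline along with the file.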

Countermeasure Summary

| Command | Action |
| --- | --- |
| protect | Full scan + auto-restore + auto-quarantine + flag |
| restore <file> | Restore from baseline snapshot |
| rollback <file> | Restore from git history |
| quarantine <skill> | Disable skill by renaming directory |
| unquarantine <skill> | Re-enable a quarantined skill |

No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
