clawsec-nanoclaw

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly coherent as a security monitor, but it can automatically change critical NanoClaw files and let agents approve persistent baselines, so it needs careful review before installation.

Review this skill before installing. It appears purpose-aligned for NanoClaw security monitoring, but install it only if you are comfortable giving it host-level access to protected configuration and instruction files. Consider running integrity checks in non-restoring mode first, restrict baseline approval to a human administrator, and fix or validate the snapshot naming behavior before enabling auto-restore.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised or misled agent could make hostile changes to agent instructions or group configuration look approved and persistent.

Why it was flagged

The skill lets an agent approve changes to persistent instruction/configuration files as a new trusted baseline, and the documentation acknowledges that a malicious scheduled task could approve its own changes.

Skill content
`clawsec_approve_change` ... `path`: `/workspace/group/CLAUDE.md` ... `approved_by`: `agent` ... `Does NOT Protect Against: ... Malicious scheduled tasks that approve their own changes`

Recommendation

Require explicit human/admin approval for baseline changes, restrict `clawsec_approve_change` to trusted operators, and monitor audit logs for unexpected approvals.

What this means

If the baseline is stale, wrong, or poisoned, the skill can automatically overwrite legitimate changes to important bot files.

Why it was flagged

Integrity checks default to automatically restoring protected files, meaning an agent-triggered tool can mutate critical NanoClaw files by default.

Skill content
`autoRestore` (optional): `true` (default) or `false` ... `If false, drift is detected but not auto-fixed`

Recommendation

Start with `autoRestore: false`, review drift reports manually, and enable automatic restore only after verifying baseline correctness and rollback procedures.

What this means

A later restore could apply the wrong approved content across group/global instruction files, potentially corrupting agent behavior.

Why it was flagged

Approved snapshots are stored using only the file basename. The policy monitors multiple `CLAUDE.md` files, so snapshots can collide and one approved file can overwrite another's saved copy.

Skill content
```javascript
// Snapshot path is derived from the basename only, so two monitored
// files with the same name (e.g. several CLAUDE.md) map to one snapshot.
const snapshot = path.join(this.approvedDir, path.basename(target.path));
fs.copyFileSync(target.path, snapshot);
```

Recommendation

Store snapshots using a collision-resistant name derived from the full normalized path, and test policies with duplicate filenames before enabling auto-restore.

What this means

Only someone who administers the NanoClaw deployment should install it, because it can influence host-managed files and services.

Why it was flagged

Installation requires host-level integration and write access. This is expected for a NanoClaw security monitor, but it expands the agent-facing tool surface into privileged host operations.

Skill content
Prerequisites ... `Write access to NanoClaw installation directory` ... `Add the host-side IPC handlers for ClawSec operations.`

Recommendation

Install only in environments you control, review the source before adding host imports, and limit which agents/users can invoke the privileged tools.

What this means

After installation, it will continue refreshing advisory data and may run recurring checks until you remove the integration.

Why it was flagged

The skill is intended to keep running periodically as a host service. This is disclosed and purpose-aligned, but it is persistent behavior.

Skill content
`Start the service when your host process starts` ... `setInterval(() => { advisoryCacheManager.refresh().catch(...) }, 6 * 60 * 60 * 1000);`

Recommendation

Confirm you want continuous monitoring, document the refresh/check schedule, and remove the host imports and scheduled tasks during uninstall.

What this means

Users may over-trust advisory results and skip code review or operational safeguards.

Why it was flagged

The skill makes an absolute accuracy claim about advisory results. Even curated feeds can be incomplete or mistaken, so users should not treat this as a guarantee.

Skill content
`Zero false positives (curated feed only)`

Recommendation

Treat ClawSec results as one security signal, and combine them with source review, signature verification, sandboxing, and runtime monitoring.