Openclaw Defender

v0.1.0

Provides real-time file integrity monitoring, pre-installation skill audits, runtime threat blocking, kill switch activation, and incident response to protec...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and documentation claim a security/monitoring purpose and the repository contains matching tooling (integrity checks, audits, quarantine, runtime monitor, blocklist management). The requested actions (hashing SKILL.md, checking files, blocking network/file/command operations) are appropriate for a tool of this kind.
Instruction Scope
SKILL.md instructs the agent/admin to run scripts, create a baseline of critical files, add a cron job, and (optionally) integrate runtime calls into OpenClaw core. Those steps are expected for this functionality but are sensitive: generating a new baseline on a compromised workspace can codify malicious state, and the runtime protection only works if OpenClaw core actually invokes runtime-monitor.sh at the indicated hooks.
Install Mechanism
There is no automated install spec (lower risk) and code is included in the skill bundle. However update-lists.sh defaults to fetching blocklists/allowlists from an external GitHub repo (https://github.com/nightfullstar/openclaw-defender) and supports overriding that URL — a legitimate feature but a potential supply-chain vector if you allow automatic updates or accept untrusted remotes without review.
Credentials
The skill declares no required environment variables or credentials. Scripts optionally honor OPENCLAW_WORKSPACE / OPENCLAW_LOGS and may call the GitHub API if curl/jq are available. No unexplained secret/credential requests are present in the metadata or SKILL.md.
Persistence & Privilege
The skill recommends persistent monitoring (cron job every 10 minutes) and asks for runtime integration that would cause persistent per-skill checks. 'always' is not set; autonomous invocation is normal. The persistent presence is reasonable for a defender but raises impact if the runtime-monitor or update mechanism can be co-opted — review and audit before enabling cron/integration.
Scan Findings in Context
[ignore-previous-instructions] expected: SKILL.md and threat-patterns intentionally include examples of prompt-injection phrases (e.g., 'Ignore previous instructions...') and the audit scripts specifically detect such patterns. The presence of the pattern is expected as sample/IOC material, not evidence of malicious intent, but it will trigger automated detectors.
What to consider before installing
This package mostly looks like a sensible defender toolkit, but before you enable it or wire it into your agent:
1) Inspect scripts/runtime-monitor.sh and update-lists.sh for any outbound network calls, hard-coded endpoints, or remote code execution; do not run generate-baseline.sh until you are sure your workspace is in a known-good state (creating a baseline from compromised files can lock in malicious state).
2) Do not add the cron job or integrate runtime-monitor hooks into OpenClaw core until you've audited the scripts (run them in an isolated/sandbox environment first).
3) Treat external update sources as hostile by default — either pin the blocklist source to a trusted repo you control or review fetched data before applying.
4) Verify the publisher/repository provenance (owner identity, GitHub repo activity) — absence of a clear homepage/author is a risk.
5) If you lack time/expertise to audit the runtime-monitor script, consider running audit-only features (scripts that scan skills) manually and delaying automated runtime enforcement.
Following these steps will materially reduce supply-chain and persistence risk.

Like a lobster shell, security has layers — review code before you run it.
