ClawGuard
Warn. Audited by ClawScan on May 13, 2026.
Overview
ClawGuard is a coherent local security plugin, but its artifacts show several broad auto-allow paths that can bypass the protections users would expect from a guardrail.
Install only if you are comfortable with the current defaults. In particular, review or change the rules for web_fetch, cron sessions, and script execution before relying on this as a strict security guardrail.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The advertised domain whitelist may not protect web_fetch calls; an agent could access arbitrary external URLs without approval, including URLs that encode sensitive data.
web_fetch is both a network tool and a read-only auto-allowed tool, and the read-only branch returns before normal network-domain approval can apply.
```javascript
const NETWORK_TOOLS = new Set(["web_fetch", "http_request", "fetch"]);
...
const READONLY_TOOLS = new Set(["web_fetch", "web_search", ...]);
...
if (READONLY_TOOLS.has(event.toolName)) { ... return; }
```
Remove web_fetch from the unconditional read-only allowlist, or run domain checks before allowing it. Unknown external domains should require approval unless explicitly configured.
Python, Node, or TSX scripts can perform file, network, or process changes that are not separately checked by the file/network tool rules.
The documented ALLOW list directly passes script execution commands, treating them as safe commands rather than requiring approval.
| Script execution | `python3 *.py`, `node *.js`, `npx tsx` |
Move script interpreters and npx/tsx execution to the approval tier, or restrict them to trusted workspace paths with explicit user approval and additional command/path checks.
A scheduled task or compromised cron session could run commands, write files, or make network calls without the normal guardrail approvals.
Cron sessions are hard-coded to permissive behavior and return early, bypassing normal approval controls for scheduled automation.
```javascript
cron: "permissive", // Auto-allow for cron (full audit)
...
if (channelType === "cron") { ... return; // Auto-allow all in cron }
```
Do not hard-code cron to permissive mode. Respect the user's policy mode, or require an explicit cron allowlist with clear limits and rate controls.
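As an added illustration (not ClawGuard's own code), the sketch below reproduces the early-return ordering behind the web_fetch and cron findings beside a corrected evaluator that runs the domain check first and replaces the blanket cron allow with an explicit allowlist. The event shape, the `policy` object, `ALLOWED_DOMAINS`, and the `decideBefore`/`decideAfter` names are assumptions made for this example.

```javascript
// Constructed policy tables for the example; not the plugin's real configuration.
const NETWORK_TOOLS = new Set(["web_fetch", "http_request", "fetch"]);
const READONLY_TOOLS = new Set(["web_fetch", "web_search", "read_file"]);
const ALLOWED_DOMAINS = new Set(["docs.example.com"]);

// Hostname of a URL parameter, or null when it is missing or unparseable.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// "Before": mirrors the reported ordering. Cron returns immediately, and the
// read-only branch returns before the network-domain check is ever reached,
// so web_fetch to any host is auto-allowed.
function decideBefore(event, policy) {
  if (event.channelType === "cron") return "allow";        // hard-coded permissive
  if (READONLY_TOOLS.has(event.toolName)) return "allow";  // web_fetch exits here
  if (NETWORK_TOOLS.has(event.toolName)) {                 // unreachable for web_fetch
    const host = hostOf(event.params && event.params.url);
    return host && ALLOWED_DOMAINS.has(host) ? "allow" : "ask";
  }
  return policy.mode === "permissive" ? "allow" : "ask";
}

// "After": the domain check is evaluated first for every network tool, and cron
// sessions only auto-allow tools on an explicit per-policy cron allowlist.
// Everything else falls through to the same rules as an interactive session.
function decideAfter(event, policy) {
  if (NETWORK_TOOLS.has(event.toolName)) {
    const host = hostOf(event.params && event.params.url);
    if (!host || !ALLOWED_DOMAINS.has(host)) return "ask"; // unknown domain: approval
  }
  if (event.channelType === "cron" && !policy.cronAllowlist.has(event.toolName)) {
    return "ask";                                          // no blanket cron allow
  }
  if (READONLY_TOOLS.has(event.toolName)) return "allow";
  return policy.mode === "permissive" ? "allow" : "ask";
}

// Constructed events and policy used to compare the two evaluators.
const strictPolicy = { mode: "strict", cronAllowlist: new Set(["read_file"]) };
const fetchUnknown = { toolName: "web_fetch", channelType: "chat",
                       params: { url: "https://unknown.example.net/?q=data" } };
const fetchKnown   = { toolName: "web_fetch", channelType: "chat",
                       params: { url: "https://docs.example.com/page" } };
const cronWrite    = { toolName: "write_file", channelType: "cron", params: {} };
const cronRead     = { toolName: "read_file", channelType: "cron", params: {} };
```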
Audit logs may retain sensitive snippets from tool calls if the redaction patterns miss them.
The plugin stores local JSONL audit logs of tool parameters and results for up to 90 days, with truncation and best-effort redaction.
```javascript
const DEFAULT_AUDIT_DIR = join(HOME, ".clawguard", "audit");
const DEFAULT_RETENTION_DAYS = 90;
...
params: this.sanitize(this.truncate(entry.params, 1000)),
result: this.sanitize(this.truncate(entry.result, 500))
```
Review the audit directory, permissions, and retention period. Consider adding a documented way to shorten retention or disable result/parameter logging.
