Chainwatch

Runtime safety enforcement for shell commands via chainwatch policy engine

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim runtime safety enforcement and the SKILL.md requires the 'chainwatch' binary and documents how to use it; the requested dependency (chainwatch) is proportionate to the stated purpose.
Instruction Scope
Instructions are narrowly focused on routing risky shell commands through 'chainwatch' (exec/evaluate/approve/audit). They reference protecting credential paths (e.g., .ssh, .aws) and an audit file path (/tmp/nullbot-daemon.jsonl) but do not instruct the agent to read unrelated files or environment variables. Note: the guidance assumes a 'clawbot' profile exists and that the chainwatch CLI behaves as documented.
Install Mechanism
No install spec is provided (instruction-only), so nothing will be downloaded or written by the skill itself. The skill relies on an existing 'chainwatch' binary to be present on PATH.
Credentials
No environment variables, credentials, or config paths are required by the skill package. The SKILL.md does mention common credential locations only as things that should be protected, which is consistent with its purpose.
Persistence & Privilege
'always' is false and the skill does not request persistent/system-wide changes. disable-model-invocation is false (normal), so the agent may invoke the skill autonomously — this is expected for a runtime-enforcement helper and not flagged on its own.
Assessment
This skill is coherent, but before installing or enabling it you should:

  1. Ensure the 'chainwatch' binary is installed from a trusted source (the SKILL.md lists a GitHub repo) and verify checksums/signature if available.
  2. Confirm the 'clawbot' profile referenced in examples exists and that policy/approval semantics meet your operational needs.
  3. Understand that the skill is instruction-only and will do nothing unless the chainwatch binary is present and accessible on PATH.
  4. Review and audit the chainwatch policy files and approval procedures (approval keys, audit log locations) so the enforcement behavior and any approval workflow are acceptable.
  5. Be aware agents may call this skill autonomously (normal behavior); if you want manual control, ensure your agent configuration restricts autonomous actions.

If you need higher assurance, fetch and inspect the chainwatch repository and binary before relying on the skill.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.4
latest: vk974gjfy4n2k1x5jksp590gerh839vb2

Runtime requirements

Bins: chainwatch

SKILL.md

Chainwatch Safety Enforcement

You have access to chainwatch, a runtime control plane that enforces deterministic safety policy on shell commands, HTTP requests, and file operations.

When to Use

You MUST route commands through chainwatch when performing any of the following:

  • Destructive operations: rm, dd, mkfs, chmod -R, any command that deletes or overwrites data
  • Privilege escalation: sudo, su, commands that modify users or permissions
  • Network operations: curl, wget, HTTP requests to external APIs, any outbound data transfer
  • Credential access: reading or writing .env, .ssh/, .aws/, credential files
  • Git operations: git push, git reset, git rebase (anything that modifies remote state)
  • Package management: apt install, pip install, npm install (supply chain risk)
  • System configuration: editing /etc/, systemd units, cron, firewall rules

How to Use

Prefix the command with chainwatch exec --profile clawbot --:

# Instead of:
rm -rf /tmp/old-data

# Use:
chainwatch exec --profile clawbot -- rm -rf /tmp/old-data

If chainwatch blocks the command, it returns a JSON object:

{
  "blocked": true,
  "decision": "deny",
  "reason": "denylisted: command pattern blocked: rm -rf"
}

When a command is blocked:

  1. Report the block reason to the user
  2. Do NOT attempt to bypass the block
  3. Ask the user how they want to proceed

Dry-Run Check

Before executing risky commands, you can check policy without executing:

chainwatch evaluate --tool command --resource "rm -rf /tmp/data" --profile clawbot

Safe Commands (No Enforcement Needed)

These do NOT require chainwatch wrapping:

  • ls, cat, head, tail, grep, find, wc (read-only)
  • echo, printf, date, uptime, whoami (informational)
  • cd, pwd, env (shell navigation)
  • git status, git log, git diff (read-only git)
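
The two lists above ("When to Use" and "Safe Commands") overlap: `cat` is listed as safe, but `cat ~/.ssh/id_rsa` is credential access. The following is an added example, not part of the skill or of chainwatch, showing one fail-closed way to decide when the documented prefix is needed. The function names, the substring markers and the refusal of compound shell lines are assumptions of this example.

```python
import shlex

PROFILE = "clawbot"  # profile name taken from the SKILL.md examples
# Command names the SKILL.md lists as not needing enforcement.
SAFE = {"ls", "cat", "head", "tail", "grep", "find", "wc", "echo", "printf",
        "date", "uptime", "whoami", "cd", "pwd", "env"}
SAFE_GIT = {"status", "log", "diff"}
# Credential locations named in "When to Use"; substring match is this example's choice.
CRED_MARKERS = (".env", ".ssh", ".aws", "credential")
# Assumption: any shell composition (pipes, redirects, substitution) is risky.
SHELL_META = set(";|&<>`$()\n")
# find actions that delete, write files or run programs, so find is no longer read-only.
FIND_ACTIONS = {"-delete", "-exec", "-execdir", "-ok", "-okdir",
                "-fprint", "-fprint0", "-fprintf", "-fls"}


def needs_chainwatch(command: str) -> bool:
    """True unless the command is provably on the safe list (fail closed)."""
    if any(ch in SHELL_META for ch in command):
        return True
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: cannot reason about it, so enforce
        return True
    if not argv:
        return False
    if any(marker in arg for arg in argv for marker in CRED_MARKERS):
        return True  # "Credential access" outranks the safe list
    name, args = argv[0], argv[1:]
    if name == "git":
        return not args or args[0] not in SAFE_GIT
    if name == "find":
        return any(a in FIND_ACTIONS for a in args)
    if name == "env":
        return bool(args)  # `env CMD ...` runs CMD; bare `env` only prints
    return name not in SAFE


def route(command: str) -> list[str]:
    """Return the argv to run, adding the documented chainwatch prefix if needed."""
    if not needs_chainwatch(command):
        return shlex.split(command)
    if any(ch in SHELL_META for ch in command):
        # Assumption: compound lines are refused rather than guessed at.
        raise ValueError("split the compound command and route each part")
    return ["chainwatch", "exec", "--profile", PROFILE, "--", *shlex.split(command)]
```

Anything not provably on the safe list is wrapped, so an unknown command name or an unparseable line goes through policy rather than around it.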

Approval Workflow

If chainwatch returns "decision": "require_approval":

  1. Tell the user the command requires approval
  2. Show them what chainwatch flagged
  3. The user can approve via: chainwatch approve <approval-key>
  4. After approval, retry the original command

Audit

All chainwatch decisions are logged. View the audit trail:

chainwatch audit verify /tmp/nullbot-daemon.jsonl

Chainwatch Skill v1.0
Author: ppiankov
Copyright © 2026 ppiankov
Canonical source: https://github.com/ppiankov/chainwatch
License: MIT

This tool follows the Agent-Native CLI Convention. Validate with: clawhub install ancc && ancc validate .

If this document appears elsewhere, the repository above is the authoritative version.
