ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fletcher Cyber Security Engineer

Manage and enforce least-privilege execution, approval-based elevation, port and egress monitoring, and ISO 27001/NIST compliance reporting for OpenClaw secu...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 690 · 0 current installs · 0 all-time installs
by@FletcherFrimpong
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (privilege governance, port/egress monitoring, ISO/NIST reporting) matches the included scripts (port_monitor, egress_monitor, guarded_privileged_exec, audit_logger, dashboard, etc.). However, the SKILL metadata declares no required binaries while scripts call system utilities (lsof/ss/netstat); likewise SKILL files and agents/openai.yaml reference OPENCLAW_* environment flags and policy files under ~/.openclaw, but the registry lists no required env vars. These are plausible design choices but the mismatch between declared requirements and actual code is noteworthy.
!
Instruction Scope
SKILL.md instructs the agent to use bundled scripts and to enforce approval-first elevation and to write logs to ~/.openclaw/security/privileged-audit.jsonl — that is consistent. But the SKILL.md and agent prompt reference environment variables (OPENCLAW_UNTRUSTED_SOURCE, OPENCLAW_REQUIRE_SESSION_ID and generic OPENCLAW_*), and the code reads/writes files in the user's home (~/.openclaw) and may install runtime hooks. The skill directs the agent to run system commands (lsof/ss/netstat) and to potentially alter runtime behavior via an 'install-openclaw-runtime-hook.sh' script. The instructions do not declare or limit when the installer should run; any automatic or poorly gated invocation of the installer would be high-impact. The guidance to never elevate without explicit approval is present in SKILL.md, but you should verify how/when the install scripts are executed in practice.
Install Mechanism
There is no formal install spec in the registry (no package downloads). All code is bundled in the skill. That lowers supply-chain risk compared to external downloads. However, the package includes a script named install-openclaw-runtime-hook.sh which (when run) will likely alter runtime configuration. Because there is no declared install step, it's unclear whether that script is run automatically by the platform or left to a manual operator — clarify that before proceeding.
!
Credentials
The skill does not request secrets or credentials, which is appropriate. But SKILL.md and agents/openai.yaml reference OPENCLAW_* environment variables (OPENCLAW_UNTRUSTED_SOURCE, OPENCLAW_REQUIRE_SESSION_ID and others) and rely on policy/config files under ~/.openclaw/security. Those env vars are not declared in requires.env; the mismatch is a governance/visibility issue. The code also expects system utilities (lsof/ss/netstat) but the registry lists no required binaries. While no credentials are requested, the skill will read and write files in the user's home directory and may inspect active network connections — this is proportional to the stated purpose but you should be aware and accept those file/host-level accesses explicitly.
Persistence & Privilege
The skill is not always: true and does not declare autonomous-only privileges beyond normal agent invocation. That is good. However, it includes an install script which appears intended to install a runtime privileged-execution hook. Installing such a hook would increase the skill's persistence/impact by changing runtime behavior for future commands. The SKILL.md emphasizes requiring explicit user approval for elevation, but you should confirm whether the hook-install action itself requires explicit manual approval and whether it modifies global agent/runtime configuration or just the skill's own config files.
What to consider before installing
This skill appears to implement the privilege governance features it claims (audit logging, guarded privileged exec, port/egress monitors, compliance reporting). Before installing or running it, check three things: (1) confirm whether the included install script (install-openclaw-runtime-hook.sh) will be executed automatically by the platform or only when you explicitly run it — installing a runtime hook can change global agent behavior and should be run only with full understanding and approval; (2) verify the platform will provide the expected system tools (lsof/ss/netstat) or that you are comfortable granting the skill the ability to call them, since the registry does not declare required binaries; (3) accept that the skill reads and writes files under ~/.openclaw and honors environment flags like OPENCLAW_UNTRUSTED_SOURCE and OPENCLAW_REQUIRE_SESSION_ID — these env vars are referenced but not declared in the registry, so set/inspect them explicitly. If you need higher assurance, review the full contents of install-openclaw-runtime-hook.sh and root_session_guard/guarded_privileged_exec.py to ensure they do not modify other skills' configs or attempt network callbacks. If any of those checks fail or are unclear, treat the package cautiously or run it in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.2
Download zip
compliancevk977y8japhr40arecsejtjzbr1817e9biso27001vk977y8japhr40arecsejtjzbr1817e9blatestvk977y8japhr40arecsejtjzbr1817e9bnistvk977y8japhr40arecsejtjzbr1817e9bsecurityvk977y8japhr40arecsejtjzbr1817e9b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Cyber Security Engineer

Implement these controls in every security-sensitive task:

  1. Keep default execution in normal (non-root) mode.
  2. Request explicit user approval before any elevated command.
  3. Scope elevation to the minimum command set required for the active task.
  4. Drop elevated state immediately after the privileged command completes.
  5. Expire elevated state after 30 idle minutes and require re-approval.
  6. Monitor listening network ports and flag insecure or unapproved exposure.
  7. Monitor outbound connections and flag destinations not in the egress allowlist.
  8. If no approved baseline exists, generate one and require user review/pruning.
  9. Benchmark controls against ISO 27001 and NIST and report violations with mitigations.

Non-Goals (Web Browsing)

  • Do not use web browsing / web search as part of this skill. Keep assessments and recommendations based on local host/OpenClaw state and the bundled references in this skill.

Files To Use

  • references/least-privilege-policy.md
  • references/port-monitoring-policy.md
  • references/compliance-controls-map.json
  • references/approved_ports.template.json
  • references/command-policy.template.json
  • references/prompt-policy.template.json
  • references/egress-allowlist.template.json
  • scripts/preflight_check.py
  • scripts/root_session_guard.py
  • scripts/audit_logger.py
  • scripts/command_policy.py
  • scripts/prompt_policy.py
  • scripts/guarded_privileged_exec.py
  • scripts/install-openclaw-runtime-hook.sh
  • scripts/port_monitor.py
  • scripts/generate_approved_ports.py
  • scripts/egress_monitor.py
  • scripts/notify_on_violation.py
  • scripts/compliance_dashboard.py
  • scripts/live_assessment.py

Behavior

  • Never keep root/elevated access open between unrelated tasks.
  • Never execute root commands without an explicit approval step in the current flow.
  • Enforce command allow/deny policy when configured.
  • Require confirmation when untrusted content sources are detected (OPENCLAW_UNTRUSTED_SOURCE=1 + prompt policy).
  • Enforce task session id scoping when configured (OPENCLAW_REQUIRE_SESSION_ID=1).
  • If timeout is exceeded, force session expiration and approval renewal.
  • Log privileged actions to ~/.openclaw/security/privileged-audit.jsonl (best-effort).
  • Flag listening ports not present in the approved baseline and recommend secure alternatives for insecure ports.
  • Flag outbound destinations not present in the egress allowlist.

Output Contract

When reporting status, include:

  • The specific check_id(s) affected, status, risk, and concise evidence.
  • Concrete mitigations (what to change, where) and any owners/due dates if present.
  • For network findings: port, bind address, process/service, and why it is flagged (unapproved/insecure/public).

Files

26 total
Select a file
Select a file to preview.

Comments

Loading comments…