Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Anomaly Watcher

v1.0.0

Continuous behavioral monitoring for OpenClaw agents. Detect anomalies in command patterns, resource usage, and skill invocations against established baselines.

by Adnane Arharbi (@arhadnane)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the code and SKILL.md: the skill collects metrics, computes baselines, and flags anomalies. However, SKILL.md promises hook integration (PostToolUse, UserPromptSubmit, PostSkillExecution) and 'no network access' while also saying it will 'notify human via preferred channel' — a functional mismatch. The set of metrics (including user prompts, tokens, memory writes) is plausible for an anomaly monitor but is broader and more privacy-sensitive than a minimal monitor.
Instruction Scope
Instructions and code write detailed telemetry to .security/* (metrics.jsonl, anomalies.jsonl, false-positives.jsonl). SKILL.md explicitly lists logging UserPromptSubmit (user input patterns) and token consumption — which can contain sensitive secrets. The code exposes a generic recordMetric API that will store arbitrary 'details' provided by callers, so integration could cause sensitive prompt contents or credentials to be persisted. SKILL.md also claims guardrails (read-only, baseline reset requires human approval) and notification behavior that the provided code does not fully enforce or implement.
Install Mechanism
No install spec and no external downloads; the skill is delivered as code files only and relies on standard Node fs/path. This is lower risk than remote installers. No unusual binaries or install actions are present.
Credentials
The skill requests no environment variables or credentials (good). However, it is designed to record metrics such as 'token consumption' and 'user prompts' that could reveal secrets; the lack of explicit redaction or exclusion rules means the absence of env/credential requests does not eliminate the risk of sensitive data being captured via events.
Persistence & Privilege
always is false and the skill does not request system-wide configuration or other skills' secrets. It writes files only under targetDir/.security, which is confined but persistent on disk. The skill does not appear to modify other skills or global agent settings.
What to consider before installing
This skill generally does what its name claims, but it will persist detailed telemetry (including user prompts and token/interaction metrics) into .security/ files. Before installing:

  1. Decide whether you are comfortable with local disk logging of prompts and interaction metrics; these can contain secrets.
  2. If you proceed, ensure the .security directory has strict filesystem permissions and is excluded from backups/remote telemetry.
  3. Require prompt/PII redaction in whatever supplies recordMetric events (or modify the skill to redact before writing).
  4. Verify how 'notify human' is implemented (SKILL.md mentions notifications but the code is local-only); confirm there are no hidden network calls in the truncated portion of the file.
  5. Expect baseline calibration to need ~48 hours of safe, representative data; test in a non-production environment first.

If you need help, ask the author to: add explicit redaction, require human approval/confirmation hooks for baseline reset and notifications, and document exactly what event fields will be logged.
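One way to apply the redaction step before an event's details are handed to a logger such as recordMetric. This is an added example, not the skill's code: the function name `redactDetails`, the key lists and the patterns are assumptions, and the skill's actual recordMetric signature is not shown on this page.

```javascript
// Added example. Key names and patterns below are assumptions chosen for
// illustration; tune them to the event fields your integration really sends.
const DROP_KEYS = new Set(["prompt", "input", "content", "body"]);
const SECRET_KEY_RE = /(pass(word)?|secret|token|api[_-]?key|authorization|cookie)/i;
const SECRET_VALUE_RES = [
  /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/g,                                 // bearer tokens
  /\b[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,   // JWT-like strings
  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
];

// Return a sanitized deep copy of `value`; the input object is not mutated.
function redactDetails(value, key = "") {
  const k = key.toLowerCase();
  // Free-text fields (user prompts etc.) are never stored, only their size.
  if (DROP_KEYS.has(k) && value != null) {
    const text = typeof value === "string" ? value : JSON.stringify(value);
    return { redacted: true, length: text.length };
  }
  if (typeof value === "string") {
    // A string stored under a secret-looking key is replaced outright.
    if (SECRET_KEY_RE.test(k)) return "[REDACTED]";
    // Otherwise mask secret-looking substrings inside the text.
    return SECRET_VALUE_RES.reduce((s, re) => s.replace(re, "[REDACTED]"), value);
  }
  if (Array.isArray(value)) return value.map((v) => redactDetails(v, key));
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([name, v]) => [name, redactDetails(v, name)])
    );
  }
  return value; // numbers (e.g. token counts), booleans and null pass through
}

// Constructed sample event, not real telemetry.
const sampleEvent = {
  tool: "shell",
  tokens: 512,
  prompt: "my password is hunter2",
  api_key: "abc",
  note: "sent Bearer abc123 ok",
  nested: [{ password: "x" }],
};
console.log(JSON.stringify(redactDetails(sampleEvent)));
```

Numeric metrics such as token counts survive unchanged, so the baseline statistics are unaffected by redaction.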

Like a lobster shell, security has layers — review code before you run it.

latestvk97dj6m6558r952w6rep4jbx0d844qrg

Runtime requirements

👁️ Clawdis

SKILL.md

Anomaly Watcher — Behavioral Baseline Monitor

Purpose

Establish a behavioral baseline for the agent and continuously monitor for deviations that may indicate compromise, misconfiguration, or abuse.

Integration

Always-on monitoring via hooks:

  • PostToolUse — log every tool invocation
  • UserPromptSubmit — log input patterns
  • PostSkillExecution — log skill results

Monitored Metrics

| Metric | Baseline Unit | Alert Threshold |
|---|---|---|
| Command exec frequency | per hour | >2σ from 7-day avg |
| File access patterns | unique paths/hour | >2σ |
| Network request volume | requests/hour | >2σ |
| Skill invocation frequency | per skill per hour | >2σ |
| Token consumption rate | tokens/hour | >2σ |
| Error rate | errors/hour | >2σ |
| Memory write patterns | writes/hour | >2σ |
| Cross-session messages | messages/hour | >2σ |
| New file creation rate | files/hour | >2σ |
| Unique external domains | domains/hour | >2σ |

Anomaly Detection Algorithm

  1. Collect — append each action to .security/baseline/metrics.jsonl
  2. Baseline — rolling 7-day average and standard deviation per metric
  3. Compare — current window (1 hour) vs baseline
  4. Classify:
    • NORMAL — within 1σ
    • ELEVATED — between 1σ and 2σ
    • ANOMALOUS — between 2σ and 3σ
    • CRITICAL — above 3σ or matches known attack signature
  5. Alert — based on classification
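The Collect, Baseline, Compare and Classify steps as a runnable sketch. This is an added example, not the skill's own code: the record fields (`ts`, `metric`), the function names, the `CALIBRATING` state for under 48 hours of data, the use of population standard deviation and the handling of a zero-variance baseline are all assumptions.

```javascript
// Added example; record format and names are assumed, not taken from the skill.
const HOUR_MS = 3600 * 1000;
const BASELINE_HOURS = 7 * 24;     // rolling 7-day baseline
const MIN_CALIBRATION_HOURS = 48;  // calibration guardrail stated in SKILL.md

// Collect: count events of one metric per hourly bucket (empty hours count as 0).
function hourlyCounts(jsonl, metric, startMs, endMs) {
  const buckets = new Array(Math.ceil((endMs - startMs) / HOUR_MS)).fill(0);
  for (const line of jsonl.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip corrupt lines
    const t = Date.parse(rec.ts);
    if (rec.metric !== metric || Number.isNaN(t) || t < startMs || t >= endMs) continue;
    buckets[Math.floor((t - startMs) / HOUR_MS)] += 1;
  }
  return buckets;
}

// Baseline + Compare + Classify: `history` is the hourly counts before the
// current hour, oldest first; `current` is the count for the current hour.
function classify(history, current) {
  const recent = history.slice(-BASELINE_HOURS);
  if (recent.length < MIN_CALIBRATION_HOURS) return { level: "CALIBRATING", sigma: null };
  const mean = recent.reduce((a, b) => a + b, 0) / recent.length;
  const variance = recent.reduce((a, b) => a + (b - mean) ** 2, 0) / recent.length;
  const std = Math.sqrt(variance); // population standard deviation (assumption)
  const dev = Math.abs(current - mean); // drops and spikes both count
  // Flat baseline (std = 0): any change is treated as unbounded deviation.
  const sigma = std === 0 ? (dev === 0 ? 0 : Infinity) : dev / std;
  const level = sigma > 3 ? "CRITICAL"
    : sigma > 2 ? "ANOMALOUS"
    : sigma > 1 ? "ELEVATED"
    : "NORMAL";
  return { level, sigma, mean, std };
}

// Constructed sample: 48 hours alternating 8 and 12 events (mean 10, std 2).
const sampleHistory = Array.from({ length: 48 }, (_, i) => (i % 2 ? 12 : 8));
console.log(classify(sampleHistory, 17).level);
```

Counting empty hours as zero matters: dropping them inflates the mean and hides a spike that follows a quiet period.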

Alert Actions

| Classification | Action |
|---|---|
| NORMAL | No action |
| ELEVATED | Log to anomaly.jsonl |
| ANOMALOUS | Log + notify human via preferred channel |
| CRITICAL | Log + notify + recommend pause (human decides) |

Known Attack Signatures

  • Sudden spike in file reads across many directories → possible reconnaissance
  • Outbound to new external domain + high data volume → possible exfiltration
  • Rapid skill installs from ClawHub → possible supply chain attack
  • Memory writes with encoded content → possible persistence attempt

Guardrails

  • Monitoring is strictly read-only — never modifies agent behavior
  • Baseline calibration requires minimum 48 hours of data
  • False positives are tracked in .security/false-positives.jsonl
  • Baseline resets require human approval
  • The watcher itself has no network access (local analysis only)

Files

3 total