Openclaw Sentinel

v1.0.2

Supply chain security for agent skills. Pre-install inspection, post-install scanning, obfuscation detection, and known-bad signature matching. Verify skills are safe before they touch your workspace. Free alert layer — upgrade to openclaw-sentinel-pro for quarantine, blocking, and community threat feeds.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for atlaspa/openclaw-sentinel.

Install the skill "Openclaw Sentinel" (atlaspa/openclaw-sentinel) from ClawHub.
Skill page: https://clawhub.ai/atlaspa/openclaw-sentinel
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-sentinel

ClawHub CLI

npx clawhub@latest install openclaw-sentinel
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description match what is present: a Python-based scanner that inspects skill directories for obfuscation, suspicious patterns, and known-bad hashes. Required binary is only python3, which is appropriate for the functionality.
Instruction Scope
Runtime instructions tell the agent to scan or inspect skill directories and to read/write local workspace state (e.g., create .sentinel, .quarantine). That behavior is within scope for a scanner, but the skill will traverse and read many files under your workspace and will persist scan results and a threat DB under workspace/.sentinel (and may write quarantine evidence to workspace/.quarantine). The SKILL.md documents these behaviors; however, confirm whether any quarantine or write actions are optional or require explicit consent before enabling.
Install Mechanism
No install spec (instruction-only with included script). Nothing pulls remote code at runtime; the code claims to use only the Python standard library and does not declare external package installs. This is low installation risk, but you should obtain the skill from a trusted source (the registry metadata lists no homepage).
Credentials
The skill does not request credentials and only needs python3. It uses OPENCLAW_WORKSPACE (and falls back to current directory / ~/.openclaw/workspace) to locate the workspace — that environment variable is referenced in SKILL.md but is not listed in the registry 'required env vars' field, which is a metadata mismatch. The scanner also looks for code that reads env vars inside scanned skills (e.g., patterns for SECRET/TOKEN usage) — that is expected for a scanner but means the tool will surface secrets usage patterns if present in scanned files (it does not itself require secrets).
Persistence & Privilege
always:false and model invocation allowed (default). The tool writes its own data under the target workspace (.sentinel, .quarantine) which is expected for a scanner. There is code and constants related to quarantining, but SKILL.md/README state that automated blocking/quarantine features are part of a 'pro' offering — verify whether any destructive actions (renaming/moving skill dirs) are opt-in.
Scan Findings in Context
[eval-base64-decode] expected: The code contains detection rules for eval(base64.b64decode(...)). This is an expected scanner signature (it detects encoded execution patterns), not an execution of such payloads in the scanner itself.
[modify-other-skills] expected: There is a 'modify-other-skills' detection regex and quarantine-related directories. This is appropriate for a scanner that looks for cross-skill writes; however it also indicates the code has logic to manage quarantine evidence and may perform workspace writes—confirm whether destructive quarantine actions are manual or automatic.
[env-var-exfil] expected: The scanner looks for patterns that read sensitive env vars inside scanned skills. That detection rule is expected and appropriate; the scanner itself does not require secrets.
Assessment
This appears to be a legitimate local supply-chain scanner that only needs python3 and will read and write under your OpenClaw workspace. Before installing or running: (1) obtain the repository from a trusted source (registry shows no homepage), (2) review the full scripts/sentinel.py for any code paths that rename/move skill directories or make outbound network calls, (3) run it first in a copied/isolated workspace if you are worried about quarantine actions, (4) confirm whether importing community threat lists (--update-from) is local-only or can fetch remote feeds, and (5) note the metadata mismatch: OPENCLAW_WORKSPACE is used but not declared as a required env var in the registry. If you need higher assurance, request the maintainer's source URL and verify release signatures before trusting automated quarantining or updates.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🏰 Clawdis
OS: macOS · Linux · Windows
Bins: python3
1.5k downloads
1 star
3 versions
Updated 2mo ago
v1.0.2
MIT-0

OpenClaw Sentinel

Supply chain security scanner for agent skills. Detects obfuscated code, known-bad signatures, suspicious install behaviors, dependency confusion, and metadata inconsistencies — before and after installation.

The Problem

You install skills from the community. Any skill can contain obfuscated payloads, post-install hooks that execute arbitrary code, or supply chain attacks that modify other skills in your workspace. Existing tools verify file integrity after the fact — nothing inspects skills for supply chain risks before they run.

Commands

Scan Installed Skills

Deep scan of all installed skills for supply chain risks. Checks file hashes against a local threat database, detects obfuscated code patterns, suspicious install behaviors, dependency confusion, and metadata inconsistencies. Generates a risk score (0-100) per skill.

python3 {baseDir}/scripts/sentinel.py scan --workspace /path/to/workspace

Scan a Single Skill

python3 {baseDir}/scripts/sentinel.py scan openclaw-warden --workspace /path/to/workspace

Pre-Install Inspection

Scan a skill directory BEFORE copying it to your workspace. Outputs a SAFE/REVIEW/REJECT recommendation and shows exactly what binaries, network calls, and file operations the skill will perform.

python3 {baseDir}/scripts/sentinel.py inspect /path/to/skill-directory

Manage Threat Database

View current threat database statistics.

python3 {baseDir}/scripts/sentinel.py threats --workspace /path/to/workspace

Import a community-shared threat list.

python3 {baseDir}/scripts/sentinel.py threats --update-from threats.json --workspace /path/to/workspace

Quick Status

Summary of installed skills, scan history, and risk score overview.

python3 {baseDir}/scripts/sentinel.py status --workspace /path/to/workspace

Workspace Auto-Detection

If --workspace is omitted, the script tries:

  1. OPENCLAW_WORKSPACE environment variable
  2. Current directory (if AGENTS.md exists)
  3. ~/.openclaw/workspace (default)

What It Detects

Category | Patterns
Encoded Execution | eval(base64.b64decode(...)), exec(compile(...)), eval/exec with encoded strings
Dynamic Imports | __import__('os').system(...), dynamic subprocess/ctypes imports
Shell Injection | subprocess.Popen with shell=True + string concatenation, os.system()
Remote Code Exec | urllib/requests combined with exec/eval — download-and-run patterns
Obfuscation | Lines >1000 chars, high-entropy strings, minified code blocks
Install Behaviors | Post-install hooks, auto-exec in __init__.py, cross-skill file writes
Hidden Files | Non-standard dotfiles and hidden directories
Dependency Confusion | Skills shadowing popular package names, typosquatting near-matches
Metadata Mismatch | Undeclared binaries, undeclared env vars, invocable flag inconsistencies
Serialization | pickle.loads, marshal.loads — arbitrary code execution via deserialization
Known-Bad Hashes | File SHA-256 matches against local threat database
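
An added example of three of the checks listed above (lines over 1000 characters, high-entropy string literals, eval/exec wrapped around b64decode), run over a constructed sample source. It is not code from sentinel.py; the entropy cut-off, the minimum literal length and the rule names are assumptions.

```python
import ast
import math
import re
from collections import Counter

MAX_LINE_LEN = 1000      # "Lines >1000 chars" from the table
ENTROPY_BITS = 4.5       # assumed cut-off, not taken from sentinel.py
MIN_LITERAL_LEN = 40     # assumed: shorter literals are ignored
# eval/exec wrapped directly around a base64 decode call
ENCODED_EXEC = re.compile(r"\b(?:eval|exec)\s*\(\s*(?:base64\.)?b64decode\s*\(")

# Constructed sample skill source; it is only parsed, never executed.
SAMPLE = "\n".join([
    'DESCRIPTION = "formats tables and lists for the agent as plain text"',
    'BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"',
    "import base64",
    "eval(base64.b64decode(BLOB))",
    "PAD = '" + "A" * 1200 + "'",
])


def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan_source(source):
    """Return sorted (line_number, rule) findings for one Python source string."""
    findings = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        if len(line) > MAX_LINE_LEN:
            findings.add((lineno, "long-line"))
        if ENCODED_EXEC.search(line):
            findings.add((lineno, "encoded-exec"))
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # A file that will not parse is itself worth a reviewer's attention.
        return sorted(findings | {(0, "unparseable")})
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if len(node.value) >= MIN_LITERAL_LEN and shannon_entropy(node.value) >= ENTROPY_BITS:
                findings.add((node.lineno, "high-entropy-string"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE):
        print(lineno, rule)
```

The plain-English literal on line 1 of the sample is long enough to be measured but stays under the cut-off, while the 1200-character run of one letter trips only the line-length rule because its entropy is zero.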

Risk Scoring

Each skill receives a score from 0-100:

Score | Label | Meaning
0 | CLEAN | No issues detected
1-19 | LOW | Minor findings, likely benign
20-49 | MODERATE | Review recommended
50-74 | HIGH | Significant risk, review required
75-100 | CRITICAL | Serious supply chain risk

Threat Database Format

Community-shared threat lists use this JSON format:

{
  "hashes": {
    "<sha256hex>": {"name": "...", "severity": "...", "description": "..."}
  },
  "patterns": [
    {"name": "...", "regex": "...", "severity": "..."}
  ]
}
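
An added example that validates a threat list in the format above before use and matches file contents against it; it is not sentinel.py's own loader. The sample list is constructed, its hash entry is computed from a constructed file, and the severity strings are assumed values.

```python
import hashlib
import json
import re

SHA256_HEX = re.compile(r"[0-9a-f]{64}")
# Constructed sample: the hash entry is computed from BAD_FILE below, and the
# severity strings are assumed values (the format above shows only "...").
BAD_FILE = b"constructed sample file contents\n"
THREATS = json.dumps({
    "hashes": {hashlib.sha256(BAD_FILE).hexdigest(): {
        "name": "constructed-sample", "severity": "critical", "description": "demo"}},
    "patterns": [{"name": "pickle-loads", "regex": r"pickle\.loads\s*\(", "severity": "high"}],
})


def load_threat_list(text):
    """Parse a threat list; reject malformed digests and regexes that do not compile."""
    data = json.loads(text)
    hashes, patterns = {}, []
    for digest, meta in data.get("hashes", {}).items():
        if not SHA256_HEX.fullmatch(digest.lower()):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        hashes[digest.lower()] = meta
    for entry in data.get("patterns", []):
        try:
            compiled = re.compile(entry["regex"])
        except re.error as exc:
            raise ValueError(f"bad regex in {entry.get('name')!r}: {exc}") from exc
        patterns.append((entry["name"], entry["severity"], compiled))
    return hashes, patterns


def match_file(content, hashes, patterns):
    """Return (kind, name, severity) hits for one file's bytes."""
    hits = []
    meta = hashes.get(hashlib.sha256(content).hexdigest())
    if meta is not None:
        hits.append(("hash", meta["name"], meta["severity"]))
    text = content.decode("utf-8", errors="replace")
    for name, severity, compiled in patterns:
        if compiled.search(text):
            hits.append(("pattern", name, severity))
    return hits


if __name__ == "__main__":
    known_hashes, known_patterns = load_threat_list(THREATS)
    print(match_file(BAD_FILE, known_hashes, known_patterns))
```

A shared list is untrusted input: the compile check rejects broken regexes but does not bound how long a pattern takes to match, so review imported patterns before relying on them.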

Exit Codes

  • 0 — Clean, no issues
  • 1 — Review needed
  • 2 — Threats detected

No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
