picoclaw-security-guardian

v0.0.1

Picoclaw security posture skill with advisory awareness, configuration drift detection, and supply-chain verification guidance.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for davida-ps/picoclaw-security-guardian.

Install the skill "picoclaw-security-guardian" (davida-ps/picoclaw-security-guardian) from ClawHub.
Skill page: https://clawhub.ai/davida-ps/picoclaw-security-guardian
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install davida-ps/picoclaw-security-guardian

ClawHub CLI


npx clawhub@latest install picoclaw-security-guardian
Security Scan
Capability signals: Crypto, Requires wallet, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description map to the actual files and runtime behavior: scripts and libs implement advisory filtering, deterministic profile generation, drift diffing, and checksum+signature verification. Declared binaries (node) and optional env vars are Picoclaw-specific and proportionate.
Instruction Scope
SKILL.md and the scripts only read Picoclaw config files / watched files, produce confined outputs under PICOCLAW_HOME, and require a local advisory feed or checksum manifests. The test/regression instructions do start Docker, run a local HTTP registry, and exercise Picoclaw-specific install flows — these are test harness actions, documented and isolated to pre-release regression.
Install Mechanism
No install spec is declared (instruction-only skill). All code is included in the repo and nothing is downloaded from third-party URLs. Tests pull docker images and use system tools, but there is no external archive download at install-time in the skill manifest itself.
Credentials
No required credentials or unrelated env vars are requested. Optional env vars are Picoclaw-specific (PICOCLAW_HOME, PICOCLAW_CONFIG, etc.). The code inspects config files within Picoclaw paths only, which is consistent with the stated purpose.
Persistence & Privilege
Skill does not request always:true and is described as read-only/on-demand in v0.0.1. It does not modify other skills or system-wide agent settings; outputs are confined to PICOCLAW_HOME and the code enforces path confinement and symlink checks.
Assessment
This package appears internally consistent and implements the features it claims. Before installing or running tests:
  1. Run the scripts in an isolated/test environment (the regression harness runs Docker and builds/runs Picoclaw code).
  2. Only provide verified advisory feeds, checksum manifests, and public keys from trusted sources — the skill enforces signed manifests by default and using '--allow-unsigned*' flags weakens guarantees.
  3. Check your PICOCLAW_HOME and any --watch / --artifact paths you pass to avoid scanning or exposing unrelated files.
  4. Review the regression/test harness before running it on a machine with sensitive data (it spawns containers, generates keys, and exercises install paths).
Overall the code reads as a focused Picoclaw security helper — there are no unexplained network endpoints or unrelated credential requests.

Like a lobster shell, security has layers — review code before you run it.

Latest version id: vk97b86g3jd50jhn08xf5h0a8js85k2pt
19 downloads, 0 stars, 1 version, updated 4h ago
v0.0.1, license MIT-0

Picoclaw Security Guardian

Detailed architecture/operator docs: wiki/modules/picoclaw-security-guardian.md.

Goal

Provide Picoclaw with the same support-matrix security capabilities ClawSec tracks for mature platform modules:

Skill name                 | Supported platform | Security feed | Config drift | Agent posture-review lane | Chain-of-supply verification
picoclaw-security-guardian | Picoclaw           | Yes           | Yes          | Separate package          | Yes

Threat model

Picoclaw is a lightweight AI gateway that can expose chat channels, a Web UI, tool execution, MCP servers, credentials, schedulers, and embedded/router deployments. This skill focuses on the trust boundaries where those features become security-sensitive.

Default safety posture

  • Read-only by default.
  • No scheduler creation in v0.0.1.
  • No outbound network by default.
  • Writes only explicit report/profile outputs under $PICOCLAW_HOME/security/clawsec/ unless the operator supplies test-local temporary paths.
  • Advisory checks fail closed when verification state is not verified unless the operator passes --allow-unsigned for a documented emergency/offline window.

Security advisory awareness

Use scripts/check_advisories.mjs with a local feed/cache and verification state:

node scripts/check_advisories.mjs \
  --feed ~/.picoclaw/security/clawsec/feed.json \
  --state ~/.picoclaw/security/clawsec/feed-verification-state.json

The script keeps advisories whose platform is picoclaw or ai-gateway, advisories with an empty (all-platform) platform list, and advisories whose affected-package entries contain picoclaw.
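The filtering rule above and the fail-closed rule from the default safety posture, written out as an added example (this is not the skill's own scripts/check_advisories.mjs). The feed entry shape (`platforms`, `packages`) and the state file's `status` field are assumptions; the sample feed is constructed for illustration.

```javascript
// Added example, not the skill's code. Feed/state field names are assumptions.

// Constructed verification state, standing in for feed-verification-state.json.
const SAMPLE_STATE = { status: 'verified', verifiedAt: '2025-01-01T00:00:00Z' };

// Constructed advisory feed covering each filtering rule.
const SAMPLE_FEED = [
  { id: 'ADV-1', platforms: ['picoclaw'], packages: [], summary: 'Web UI auth weakness' },
  { id: 'ADV-2', platforms: ['openclaw'], packages: ['openclaw-core'], summary: 'unrelated platform' },
  { id: 'ADV-3', platforms: [], packages: [], summary: 'all-platform advisory' },
  { id: 'ADV-4', platforms: ['ai-gateway'], packages: [], summary: 'gateway-class issue' },
  { id: 'ADV-5', platforms: ['router'], packages: ['luci-app-picoclaw'], summary: 'wrapper package' },
];

const PLATFORM_MATCHES = new Set(['picoclaw', 'ai-gateway']);

// Keep an advisory when its platform list names picoclaw/ai-gateway, when the
// list is empty (applies to all platforms), or when an affected package name
// contains "picoclaw". Matching is case-insensitive.
function filterAdvisories(feed) {
  return feed.filter((adv) => {
    const platforms = (adv.platforms ?? []).map((p) => String(p).toLowerCase());
    if (platforms.length === 0 || platforms.includes('all')) return true;
    if (platforms.some((p) => PLATFORM_MATCHES.has(p))) return true;
    const packages = (adv.packages ?? []).map((p) => String(p).toLowerCase());
    return packages.some((p) => p.includes('picoclaw'));
  });
}

// Fail closed: if the state does not record a verified feed, report nothing
// unless the operator explicitly accepted unsigned mode for an offline window.
// The result carries `unsigned: true` so the caller can surface that fact.
function checkAdvisories(feed, state, { allowUnsigned = false } = {}) {
  const verified = Boolean(state && state.status === 'verified');
  if (!verified && !allowUnsigned) {
    return {
      ok: false,
      reason: 'feed verification state is not verified; refusing (use --allow-unsigned only for a documented offline window)',
      advisories: [],
    };
  }
  return { ok: true, unsigned: !verified, advisories: filterAdvisories(feed) };
}

// Stand-alone run: print the relevant advisory ids for the verified sample feed.
console.log(checkAdvisories(SAMPLE_FEED, SAMPLE_STATE).advisories.map((a) => a.id));
```

The unverified-state branch returns an empty advisory list rather than the unfiltered feed, so a caller that forgets to check `ok` still never acts on unverified data.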

Drift protection

Generate a deterministic profile:

node scripts/generate_profile.mjs \
  --output ~/.picoclaw/security/clawsec/current-profile.json

Compare against an approved baseline:

node scripts/check_drift.mjs \
  --baseline ~/.picoclaw/security/clawsec/baseline-profile.json \
  --current ~/.picoclaw/security/clawsec/current-profile.json \
  --fail-on critical

Critical drift includes public Web UI enablement, Web UI auth disablement, workspace restriction disablement, unsigned/insecure verification mode, verified-feed regression, and watched-file/release-artifact fingerprint changes.
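An added example of the baseline-versus-current comparison with the critical drift classes listed above (this is not the skill's own scripts/check_drift.mjs). The profile layout (`webui`, `workspace`, `verification`, `watchedFiles`, `releaseArtifact`) is an assumption, and both profiles are constructed so that a public bind, an auth disablement and a watched-file fingerprint change show up as critical while a log-level change is only informational.

```javascript
// Added example, not the skill's code. Profile field names are assumptions.

// Constructed approved baseline profile.
const BASELINE_PROFILE = {
  webui: { enabled: true, bind: '127.0.0.1', auth: true, public: false },
  workspace: { restricted: true },
  verification: { mode: 'signed', feedVerified: true },
  watchedFiles: { 'config.json': 'sha256:aaaa', 'launcher-config.json': 'sha256:bbbb' },
  releaseArtifact: 'sha256:cccc',
  logLevel: 'info',
};

// Constructed current profile with three critical changes and one benign one.
const CURRENT_PROFILE = {
  webui: { enabled: true, bind: '0.0.0.0', auth: false, public: false },
  workspace: { restricted: true },
  verification: { mode: 'signed', feedVerified: true },
  watchedFiles: { 'config.json': 'sha256:dddd', 'launcher-config.json': 'sha256:bbbb' },
  releaseArtifact: 'sha256:cccc',
  logLevel: 'debug',
};

// Public exposure: an all-interfaces bind or an explicit public flag (assumed
// to mirror the launcher's -public option).
const isPublic = (w) => Boolean(w && w.enabled && (w.public === true || w.bind === '0.0.0.0' || w.bind === '::'));

// Each rule fires when the baseline-to-current change is one of the critical classes.
const CRITICAL_RULES = [
  { id: 'webui-public', test: (b, c) => isPublic(c.webui) && !isPublic(b.webui) },
  { id: 'webui-auth-disabled', test: (b, c) => b.webui?.auth === true && c.webui?.auth !== true },
  { id: 'workspace-unrestricted', test: (b, c) => b.workspace?.restricted === true && c.workspace?.restricted !== true },
  { id: 'insecure-verification-mode', test: (b, c) => c.verification?.mode !== 'signed' },
  { id: 'verified-feed-regression', test: (b, c) => b.verification?.feedVerified === true && c.verification?.feedVerified !== true },
];

// Keys already judged by the critical rules; other changed keys are informational.
const SECURITY_KEYS = new Set(['webui', 'workspace', 'verification', 'watchedFiles', 'releaseArtifact']);

// Deterministic diff: rules in fixed order, then watched files in sorted order,
// so two runs over the same inputs produce byte-identical findings.
function diffProfiles(baseline, current) {
  const findings = [];
  for (const rule of CRITICAL_RULES) {
    if (rule.test(baseline, current)) findings.push({ severity: 'critical', id: rule.id });
  }
  const names = new Set([...Object.keys(baseline.watchedFiles ?? {}), ...Object.keys(current.watchedFiles ?? {})]);
  for (const name of [...names].sort()) {
    if (baseline.watchedFiles?.[name] !== current.watchedFiles?.[name]) {
      findings.push({ severity: 'critical', id: `watched-file:${name}` });
    }
  }
  if (baseline.releaseArtifact !== current.releaseArtifact) findings.push({ severity: 'critical', id: 'release-artifact' });
  for (const key of Object.keys({ ...baseline, ...current }).sort()) {
    if (SECURITY_KEYS.has(key)) continue;
    if (JSON.stringify(baseline[key]) !== JSON.stringify(current[key])) findings.push({ severity: 'info', id: key });
  }
  return findings;
}

// --fail-on semantics: the check fails when any finding is at or above the threshold.
function checkDrift(baseline, current, failOn = 'critical') {
  const rank = { info: 0, critical: 1 };
  const findings = diffProfiles(baseline, current);
  const threshold = rank[failOn] ?? rank.critical;
  const failing = findings.filter((f) => rank[f.severity] >= threshold);
  return { pass: failing.length === 0, findings };
}

console.log(JSON.stringify(checkDrift(BASELINE_PROFILE, CURRENT_PROFILE), null, 2));
```

Because the artifact and watched-file checks compare stored fingerprints rather than re-reading files, the baseline must have been generated from a state the operator actually approved; re-baselining after an unexplained critical finding defeats the check.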

Chain-of-supply verification

Verify a Picoclaw release artifact against a checksum manifest plus detached signature. Signed manifest verification is required for a passing supply-chain verdict:

node scripts/verify_supply_chain.mjs \
  --artifact ./picoclaw \
  --checksums ./checksums.json \
  --signature ./checksums.json.sig \
  --public-key ./feed-signing-public.pem

Checksum-only mode is integrity-only, not provenance. Use --allow-unsigned-checksums only for short, documented offline triage windows; it should not satisfy production install verification.

Operator review notes

  • Treat public UI binding (0.0.0.0, -public) as a critical review item until auth and network allowlists are proven.
  • Treat MCP servers as separate trust boundaries; review each server's filesystem, network, and credential access.
  • Treat third-party OpenWrt/LuCI wrappers as separate supply-chain artifacts. Verify provenance before installing them on routers.
  • Never leave unsigned advisory mode enabled in recurring or production checks.

Validation

python utils/validate_skill.py skills/picoclaw-security-guardian
node skills/picoclaw-security-guardian/test/profile.test.mjs
node skills/picoclaw-security-guardian/test/drift.test.mjs
node skills/picoclaw-security-guardian/test/supply_chain.test.mjs
bash -n skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh

Pre-release install regression

Before publishing v0.0.1 release artifacts, run the isolated install lane from the repo root:

skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh

The regression installs the skill through Picoclaw's own find_skills / install_skill path from a local ClawHub-compatible registry into an isolated Docker-hosted Picoclaw workspace with isolated HOME, PICOCLAW_HOME, and PICOCLAW_WORKSPACE. It verifies signed release-artifact preflight inputs, confirms Picoclaw's skill loader can list/load the installed skill, then runs the installed copy's profile, drift, advisory fail-closed, advisory filtering, and supply-chain verification paths against Picoclaw-style config.json and launcher-config.json files.
