Canary
PassAudited by ClawScan on May 1, 2026.
Overview
Canary appears to be a disclosed local safety-monitoring tool; it writes local logs and tripwire files and must be integrated carefully, but the artifacts do not show hidden exfiltration or destructive behavior.
Before installing, decide where logs and tripwire files should live, protect or rotate those logs, and do not let autonomous agents run reset, delete, or broad command-execution paths without approval. Treat Canary as a helpful local monitoring layer, not a replacement for OS permissions or sandboxing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent is allowed to use this wrapper too freely, commands that do not match the configured forbidden patterns may still run.
The integration example can run commands after a regex-based Canary check. This is aligned with the monitoring purpose, but it is still broad command authority if users wire it into an agent.
def safe_command(cmd): ... is_safe, reason = canary.check_command(cmd) ... return subprocess.run(cmd_list, capture_output=True)
Use explicit user approval, command allowlists, and OS/container restrictions for high-impact commands; do not rely on regex checks alone.
Choosing the wrong path could create unwanted decoy files or directories, and optional tripwire removal can delete the decoy file.
Tripwire creation writes new files and parent directories at a user-supplied path. The code refuses to overwrite existing files, so this appears purpose-aligned but still mutates the local filesystem.
tripwire_path.parent.mkdir(parents=True, exist_ok=True)
with open(tripwire_path, 'x') as f:
f.write(content)Create tripwires only in dedicated decoy locations and treat removal or delete-file actions as administrative operations.
Local audit logs and exported reports may reveal sensitive filenames, paths, or command arguments if they are shared or left unprotected.
The monitor persists action targets, which may include file paths or command strings, to a local log file.
'target': target,
...
with open(self.log_file, 'a') as f:
f.write(json.dumps(entry) + '\n')Protect, rotate, and review Canary logs; avoid putting secrets in command arguments or paths that will be logged.
Installing the skill alone will not prevent an agent or process from bypassing Canary and accessing files or running commands directly.
The limitations clearly disclose that Canary is not an OS-level enforcement mechanism and only works when the agent routes actions through it.
Canary checks actions but doesn't enforce sandboxing. ... Agent code must respect Canary checks
Use Canary as defense-in-depth with OS permissions, containers, or VM isolation, and make sure the agent actually routes sensitive actions through Canary.