⚡

// Skill profile

ClawSec for NanoClaw

Name: ClawSec for NanoClaw
Author: davida-ps

name: clawsec-nanoclaw

by davida-ps · published 2026-03-22

日历管理开发工具

Total installs

Stars

★ 0

Last updated

2026-03

// Install command

$ claw add gh:davida-ps/davida-ps-clawsec-nanoclaw

View on GitHub

// Full documentation

---

name: clawsec-nanoclaw

version: 0.0.3

description: Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot

---

# ClawSec for NanoClaw

Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.

Overview

ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.

**Core principle:** Check before you install. Monitor what's running.

When to Use

Use ClawSec tools when:

Installing a new skill (check safety first)

User asks "are my skills secure?"

Investigating suspicious behavior

Regular security audits

After receiving security notifications

Do NOT use for:

Code review (use other tools)

Performance issues (different concern)

General debugging

MCP Tools Available

Pre-Installation Check

// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  skillVersion: '1.0.0'  // optional
});

if (!safety.safe) {
  // Show user the risks before proceeding
  console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}

Security Audit

// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
  installRoot: '/home/node/.claude/skills'  // optional
});

if (result.matches.some((m) =>
  m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
  // Alert user immediately
  console.error('Urgent advisories found!');
}

Browse Advisories

// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
  severity: 'high',               // optional
  exploitabilityScore: 'high'     // optional
});

Quick Reference

| Task | Tool | Key Parameter |

|------|------|---------------|

| Pre-install check | `clawsec_check_skill_safety` | `skillName` |

| Audit all skills | `clawsec_check_advisories` | `installRoot` (optional) |

| Browse feed | `clawsec_list_advisories` | `severity`, `type`, `exploitabilityScore` (optional) |

| Verify package signature | `clawsec_verify_skill_package` | `packagePath` |

| Refresh advisory cache | `clawsec_refresh_cache` | (none) |

| Check file integrity | `clawsec_check_integrity` | `mode`, `autoRestore` (optional) |

| Approve file change | `clawsec_approve_change` | `path` |

| View baseline status | `clawsec_integrity_status` | `path` (optional) |

| Verify audit log | `clawsec_verify_audit` | (none) |

Common Patterns

Pattern 1: Safe Skill Installation

// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
  skillName: userRequestedSkill
});

if (safety.safe) {
  // Proceed with installation
  await installSkill(userRequestedSkill);
} else {
  // Show user the risks and get confirmation
  await showSecurityWarning(safety.advisories);
  if (await getUserConfirmation()) {
    await installSkill(userRequestedSkill);
  }
}

Pattern 2: Periodic Security Check

// Add to scheduled tasks
schedule_task({
  prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
  schedule_type: "cron",
  schedule_value: "0 9 * * *"  // Daily at 9am
});

Pattern 3: User Security Query

User: "Are my skills secure?"

You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]

Response:
✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to date

Common Mistakes

❌ Installing without checking

// DON'T
await installSkill('untrusted-skill');

// DO
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');

❌ Ignoring exploitability context

// DON'T: Use severity only
if (advisory.severity === 'high') {
  notifyNow(advisory);
}

// DO: Use exploitability + severity
if (
  advisory.exploitability_score === 'high' ||
  advisory.severity === 'critical'
) {
  notifyNow(advisory);
}

❌ Skipping critical severity

// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();

// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
  // Alert immediately
}

Implementation Details

**Feed Source**: https://clawsec.prompt.security/advisories/feed.json

**Update Frequency**: Every 6 hours (automatic)

**Signature Verification**: Ed25519 signed feeds

**Package Verification Policy**: pinned key only, bounded package/signature paths

**Cache Location**: `/workspace/project/data/clawsec-advisory-cache.json`

See [INSTALL.md](./INSTALL.md) for setup and [docs/](./docs/) for advanced usage.

Real-World Impact

Prevents installation of skills with known RCE vulnerabilities

Alerts to supply chain attacks in dependencies

Provides actionable remediation steps

Zero false positives (curated feed only)

// Comments

// Related skills

More tools from the same signal band

Order food/drinks (点餐) on an Android device paired as an OpenClaw node. Uses in-app menu and cart; add goods, view cart, submit order (demo, no real payment).

Sign plugins, rotate agent credentials without losing identity, and publicly attest to plugin behavior with verifiable claims and authenticated transfers.

The philosophical layer for AI agents. Maps behavior to Spinoza's 48 affects, calculates persistence scores, and generates geometric self-reports. Give your...

日历管理数据处理

1 installs★ 0