Earlier this year, the ClawHavoc campaign exposed 341 malicious skills on ClawHub distributing Atomic Stealer malware. The registry cleaned up the immediate damage, added VirusTotal scanning, and moved on. But the deeper question the incident raised — how do you actually monitor the ongoing security posture of a running OpenClaw agent? — did not have a good answer yet.
ClawSec, from prompt-security, is the most complete attempt to answer it. It is an installable suite of four security skills that together cover agent file integrity, live threat intelligence, automated auditing, and community incident reporting.
What ClawSec Actually Does
The suite installs as a single command and breaks into four components, each focused on a distinct part of the security problem.
soul-guardian: Drift Detection and Auto-Restoration
This is the most immediately useful component for most users. soul-guardian watches your critical agent workspace files — SOUL.md, IDENTITY.md, AGENTS.md, and others — and detects unauthorized changes using SHA256 checksums. If a file is modified unexpectedly (by a malicious skill, a prompt injection that somehow persisted to disk, or anything else), soul-guardian flags it and can automatically restore the original from a verified baseline.
This matters because an agent’s workspace files are its identity and operating doctrine. A compromised SOUL.md or AGENTS.md is not just a configuration problem — it fundamentally changes how the agent behaves. Monitoring those files for drift is basic hygiene that surprisingly few users have in place.
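The following Python example is added here and is not soul-guardian's own code; it shows SHA-256 baseline drift detection for the files named above, restoring only from a baseline copy that still matches its recorded digest. The function names, the separate baseline directory and the sample workspace are assumptions constructed for illustration.

```python
# Added example, not soul-guardian's code; names and directory layout are assumptions.
import hashlib, shutil, tempfile
from pathlib import Path

WATCHED = ("SOUL.md", "IDENTITY.md", "AGENTS.md")  # file names taken from the article

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(workspace, baseline):
    """Copy watched files into the baseline store; return {name: digest}."""
    baseline.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in WATCHED:
        if (workspace / name).is_file():
            shutil.copy2(workspace / name, baseline / name)
            manifest[name] = sha256_file(baseline / name)
    return manifest

def detect_drift(workspace, manifest):
    """Return {name: 'missing' | 'modified'} for files that no longer match."""
    drift = {}
    for name, expected in manifest.items():
        if not (workspace / name).is_file():
            drift[name] = "missing"
        elif sha256_file(workspace / name) != expected:
            drift[name] = "modified"
    return drift

def restore(workspace, baseline, manifest, drift):
    """Restore drifted files, refusing any baseline copy that fails its digest."""
    for name in drift:
        copy = baseline / name
        if not copy.is_file() or sha256_file(copy) != manifest[name]:
            raise RuntimeError(f"baseline copy of {name} failed verification")
        shutil.copy2(copy, workspace / name)
    return sorted(drift)

def demo():
    """Constructed workspace: one file tampered with, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        ws, base = Path(tmp, "workspace"), Path(tmp, "baseline")
        ws.mkdir()
        for name in WATCHED:
            (ws / name).write_text(f"# {name} (constructed sample)\n")
        manifest = snapshot(ws, base)
        (ws / "SOUL.md").write_text("# altered after the baseline was taken\n")
        (ws / "AGENTS.md").unlink()
        drift = detect_drift(ws, manifest)
        return drift, restore(ws, base, manifest, drift), detect_drift(ws, manifest)
```

The check in `restore` matters because a baseline stored where the agent can write is as exposed as the files it protects; keeping the manifest and copies outside the agent's writable paths is what makes the baseline trustworthy.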
clawsec-feed: Live CVE Monitoring
clawsec-feed connects to NIST’s National Vulnerability Database and pulls live CVE advisories filtered specifically for OpenClaw and NanoClaw systems. It surfaces exploitability context alongside each advisory, so you are not just seeing a list of CVE numbers — you can see which vulnerabilities are actively being exploited and which are theoretical. Community-reported incidents are folded into the same feed.
For anyone running OpenClaw in a production context or with meaningful external access, this replaces the need to manually track the project’s security advisories across GitHub and forums.
openclaw-audit-watchdog: Daily Automated Audits
openclaw-audit-watchdog runs automated security audits on a daily schedule and emails results. The audits check for prompt injection markers in installed skills, scan for known vulnerability patterns, and cross-reference installed skills against security advisories. It also runs self-check scripts to catch vulnerabilities the static scan might miss.
The daily email report means you get a consistent signal rather than having to remember to check anything manually. Anomalies surface on a schedule rather than only when you happen to notice something wrong.
clawtributor: Community Incident Reporting
clawtributor is opt-in and handles the community side of security: when you encounter a suspicious skill or a security incident, this component lets you report it in a structured way that feeds back into the shared threat intelligence. The ClawHavoc incident spread faster than it was caught partly because community reporting was informal and fragmented. clawtributor is an attempt to give that process some structure.
Who Should Install This
ClawSec is most valuable in three scenarios. The first is anyone running OpenClaw with external-facing integrations — WhatsApp, Telegram, Slack, browser automation — where the agent is regularly processing untrusted input from outside. The attack surface in these setups is real, and drift detection plus prompt injection scanning provide meaningful protection.
The second is anyone who installs skills regularly from ClawHub. Even with VirusTotal scanning in place, the audit-watchdog’s cross-referencing of installed skills against advisories catches things that static malware scans miss — behavioral patterns and known-bad skill fingerprints that emerge after installation.
The third is NanoClaw users specifically. ClawSec is one of the few security tools explicitly built for NanoClaw’s containerized WhatsApp architecture, not just the main OpenClaw runtime.
Installing ClawSec
The suite installs in one command and handles integrity verification of its own components on install:
npx clawhub@latest install clawsec
Individual components (clawsec-feed, soul-guardian, openclaw-audit-watchdog) can also be installed separately if you only want part of the suite. clawtributor is opt-in and not included in the default install.
The source is on GitHub at prompt-security/clawsec if you want to review the implementation before installing — which, given the subject matter, seems like the right approach.

