clawsec-nanoclaw

prompt-security/clawsec (updated 3 days ago)

Total installs: 11
Weekly installs: 11
Site rank: #27526

Install command:
npx skills add https://github.com/prompt-security/clawsec --skill clawsec-nanoclaw

Install distribution by agent:

opencode 11
gemini-cli 11
github-copilot 11
codex 11
kimi-cli 11
amp 11

Skill documentation

ClawSec for NanoClaw

Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.

Overview

ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills and alerts you to issues in existing ones.

Core principle: Check before you install. Monitor what’s running.

When to Use

Use ClawSec tools when:

  • Installing a new skill (check safety first)
  • User asks “are my skills secure?”
  • Investigating suspicious behavior
  • Regular security audits
  • After receiving security notifications

Do NOT use for:

  • Code review (use other tools)
  • Performance issues (different concern)
  • General debugging

MCP Tools Available

Pre-Installation Check

// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  version: '1.0.0'  // optional
});

if (!safety.safe) {
  // Show user the risks before proceeding
  console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}

Security Audit

// Check all installed skills
const result = await tools.clawsec_check_advisories({
  skillsRoot: '/workspace/project/skills'  // optional
});

if (result.criticalCount > 0) {
  // Alert user immediately
  console.error('CRITICAL vulnerabilities found!');
}

Browse Advisories

// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
  platform: 'nanoclaw',    // optional: nanoclaw, openclaw, or both
  severity: 'critical'     // optional: critical, high, medium, low
});
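What the three calls above return (`safe`, `advisories`, `criticalCount` and so on) is what the patterns later on this page branch on. The following is an added example, written for this page and not ClawSec's own code, that models the matching an advisory check performs so the result shapes are concrete: the feed layout, the `EXAMPLE-*` identifiers, the skill names and the version-range fields are all constructed assumptions, not the real feed schema.

```javascript
// Added example: a minimal model of how an advisory feed can gate skill
// installation and audit installed skills. Illustrative code for this page,
// not ClawSec's implementation; the feed layout below is an assumption.

// Constructed sample feed (field names and ids are placeholders, not the real schema).
const SAMPLE_FEED = {
  advisories: [
    { id: 'EXAMPLE-0001', skill: 'weather-lookup', platforms: ['nanoclaw', 'openclaw'],
      severity: 'critical', affected: { minInclusive: '1.0.0', maxExclusive: '1.2.0' },
      fixedIn: '1.2.0', summary: 'Placeholder critical advisory' },
    { id: 'EXAMPLE-0002', skill: 'weather-lookup', platforms: ['openclaw'],
      severity: 'high', affected: { minInclusive: '0.0.0', maxExclusive: '2.0.0' },
      fixedIn: '2.0.0', summary: 'Placeholder OpenClaw-only advisory' },
    { id: 'EXAMPLE-0003', skill: 'calendar-sync', platforms: ['nanoclaw'],
      severity: 'low', affected: { minInclusive: '0.0.0', maxExclusive: '3.1.0' },
      fixedIn: '3.1.0', summary: 'Placeholder low-severity advisory' },
  ],
};

// Parse "MAJOR.MINOR.PATCH" into numbers; anything else is rejected so a
// malformed version string fails closed instead of silently matching nothing.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside the advisory's affected range [min, max)?
function isAffected(advisory, version) {
  const { minInclusive, maxExclusive } = advisory.affected;
  return compareVersions(version, minInclusive) >= 0 &&
         compareVersions(version, maxExclusive) < 0;
}

// Model of the pre-install check. With no version given, every advisory for the
// skill on this platform is reported: the installer cannot know what it will get.
function checkSkillSafety(feed, { skillName, version, platform = 'nanoclaw' }) {
  const advisories = feed.advisories.filter(a =>
    a.skill === skillName &&
    a.platforms.includes(platform) &&
    (version === undefined || isAffected(a, version)));
  return { safe: advisories.length === 0, advisories };
}

// Model of the audit over installed skills: aggregate hits by severity.
function checkAdvisories(feed, installed, platform = 'nanoclaw') {
  const counts = { criticalCount: 0, highCount: 0, mediumCount: 0, lowCount: 0 };
  const findings = [];
  for (const s of installed) {
    const { advisories } = checkSkillSafety(feed, { skillName: s.name, version: s.version, platform });
    for (const a of advisories) {
      const key = `${a.severity}Count`;
      if (key in counts) counts[key] += 1;
      findings.push({ skill: s.name, version: s.version, id: a.id, severity: a.severity, fixedIn: a.fixedIn });
    }
  }
  return { ...counts, findings };
}

// Model of the feed browser with optional platform/severity filters.
function listAdvisories(feed, { platform, severity } = {}) {
  return feed.advisories.filter(a =>
    (platform === undefined || a.platforms.includes(platform)) &&
    (severity === undefined || a.severity === severity));
}

// Constructed set of installed skills for the stand-alone run.
const INSTALLED = [
  { name: 'weather-lookup', version: '1.1.3' },
  { name: 'calendar-sync', version: '3.0.0' },
];
const audit = checkAdvisories(SAMPLE_FEED, INSTALLED);
if (audit.criticalCount > 0 || audit.highCount > 0) {
  console.error(`CRITICAL/HIGH findings: ${JSON.stringify(audit.findings)}`);
}
```

The fail-closed choices are the point: an unparseable version throws rather than passing, and a missing version widens the match instead of narrowing it. Filtering on platform is what stops an OpenClaw-only advisory from being reported against a NanoClaw install, which is the platform mistake the page calls out further down.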

Quick Reference

Task                      Tool                          Key Parameter
------------------------  ----------------------------  ----------------------------
Pre-install check         clawsec_check_skill_safety    skillName
Audit all skills          clawsec_check_advisories      installRoot (optional)
Browse feed               clawsec_list_advisories       severity, type (optional)
Verify package signature  clawsec_verify_skill_package  packagePath
Refresh advisory cache    clawsec_refresh_cache         (none)
Check file integrity      clawsec_check_integrity       mode, autoRestore (optional)
Approve file change       clawsec_approve_change        path
View baseline status      clawsec_integrity_status      path (optional)
Verify audit log          clawsec_verify_audit          (none)

Common Patterns

Pattern 1: Safe Skill Installation

// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
  skillName: userRequestedSkill
});

if (safety.safe) {
  // Proceed with installation
  await installSkill(userRequestedSkill);
} else {
  // Show user the risks and get confirmation
  await showSecurityWarning(safety.advisories);
  if (await getUserConfirmation()) {
    await installSkill(userRequestedSkill);
  }
}

Pattern 2: Periodic Security Check

// Add to scheduled tasks
schedule_task({
  prompt: "Check for security advisories using clawsec_check_advisories and alert if any critical issues found",
  schedule_type: "cron",
  schedule_value: "0 9 * * *"  // Daily at 9am
});

Pattern 3: User Security Query

User: "Are my skills secure?"

You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]

Response:
✅ No critical issues found.
- 2 low-severity advisories (not urgent)
- All skills up to date

Common Mistakes

❌ Installing without checking

// DON'T
await installSkill('untrusted-skill');
// DO
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');

❌ Ignoring platform filters

// DON'T: Check OpenClaw advisories on NanoClaw
const advisories = await tools.clawsec_list_advisories({
  platform: 'openclaw'  // Wrong platform!
});
// DO: Use correct platform or let it auto-filter
const advisories = await tools.clawsec_list_advisories({
  platform: 'nanoclaw'  // Correct
});

❌ Skipping critical severity

// DON'T: Only check low severity
if (result.lowCount > 0) alert();
// DO: Prioritize critical and high
if (result.criticalCount > 0 || result.highCount > 0) {
  // Alert immediately
}

Implementation Details

Feed Source: https://clawsec.prompt.security/advisories/feed.json

Update Frequency: Every 6 hours (automatic)

Signature Verification: Ed25519 signed feeds

Cache Location: /workspace/project/data/clawsec-cache.json

See INSTALL.md for setup and docs/ for advanced usage.

Real-World Impact

  • Prevents installation of skills with known RCE vulnerabilities
  • Alerts to supply chain attacks in dependencies
  • Provides actionable remediation steps
  • Zero false positives (curated feed only)