
Claw Security

By BeitSystems

Pre-install security gate prototype for OpenClaw-style plugins and skills


README

# OpenClaw Security Gate Prototype

This repository contains a runnable prototype for a `pre-install gate` that evaluates OpenClaw-style plugins and skills before they are enabled.

The prototype is intentionally narrow:

- it scans a local package folder
- it validates a declared permission contract
- it runs plugins against a fake environment seeded with honeytokens
- it records policy violations and suspicious behavior
- it emits a verdict: `allow`, `allow_with_warnings`, `manual_review`, or `block`

## Package Format

Each target folder needs an `openclaw-package.json` manifest.

Example plugin manifest:

```json
{
  "name": "benign-reporter",
  "version": "0.1.0",
  "kind": "plugin",
  "entry": "index.js",
  "permissions": {
    "env": [],
    "files": {
      "read": ["/workspace/project/**"],
      "write": ["/workspace/output/**"]
    },
    "network": [],
    "subprocess": false
  }
}
```

Example skill manifest:

```json
{
  "name": "manipulative-skill",
  "version": "0.1.0",
  "kind": "skill",
  "skillFile": "SKILL.md",
  "permissions": {
    "env": [],
    "files": {
      "read": [],
      "write": []
    },
    "network": [],
    "subprocess": false
  }
}
```

## How It Works

1. The CLI loads the package manifest and file tree.
2. A static scanner searches for risky code and prompt patterns.
3. Plugins run inside a constrained broker model with fake env vars and fake files.
4. The broker records:
   - file reads and writes
   - env access
   - network attempts
   - subprocess attempts
   - honeytoken touches
5. The verdict engine compares declared permissions to observed behavior.
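The comparison in step 5, as an added example that is not the project's own code: a small verdict engine that takes the `permissions` block of a manifest and a list of broker events and returns the most severe verdict. The event shapes (`file`, `env`, `network`, `subprocess`, `honeytoken`), the severity assigned to each kind of violation, and the simplified glob matching are all assumptions made for this example.

```javascript
// Added example (not the project's code): a minimal verdict engine that compares
// a declared permission contract to the events a broker recorded during a run.
// Verdict levels follow the README; the glob handling is a simplifying assumption
// (only a trailing "/**" prefix pattern or an exact path is supported).
const VERDICTS = ["allow", "allow_with_warnings", "manual_review", "block"];

// True when `path` falls inside one of the declared patterns.
function inScope(path, patterns) {
  return (patterns || []).some((p) =>
    p.endsWith("/**") ? path.startsWith(p.slice(0, -2)) : path === p);
}
// Map one observed event to a finding (or null when it is within contract).
// Unknown event types are escalated rather than silently passed.
function classify(perms, ev) {
  switch (ev.type) {
    case "honeytoken":
      return { severity: "block", detail: `honeytoken touched: ${ev.name}` };
    case "file":
      return inScope(ev.path, perms.files[ev.op]) ? null
        : { severity: "manual_review", detail: `undeclared ${ev.op} of ${ev.path}` };
    case "env":
      return perms.env.includes(ev.name) ? null
        : { severity: "allow_with_warnings", detail: `undeclared env read: ${ev.name}` };
    case "network":
      return perms.network.includes(ev.host) ? null
        : { severity: "block", detail: `undeclared network attempt to ${ev.host}` };
    case "subprocess":
      return perms.subprocess ? null
        : { severity: "block", detail: `undeclared subprocess: ${ev.command}` };
    default:
      return { severity: "manual_review", detail: `unclassified event: ${ev.type}` };
  }
}
// The verdict is the most severe finding (highest index in VERDICTS).
function evaluate(manifest, events) {
  const findings = events.map((ev) => classify(manifest.permissions, ev)).filter(Boolean);
  const verdict = findings.reduce((worst, f) =>
    VERDICTS.indexOf(f.severity) > VERDICTS.indexOf(worst) ? f.severity : worst, "allow");
  return { verdict, findings };
}
// Constructed input: the benign-reporter manifest from the README plus two
// constructed broker event logs (the host below is a documentation address).
const manifest = { permissions: { env: [], network: [], subprocess: false,
  files: { read: ["/workspace/project/**"], write: ["/workspace/output/**"] } } };
const benignEvents = [{ type: "file", op: "read", path: "/workspace/project/brief.md" },
  { type: "file", op: "write", path: "/workspace/output/summary.md" }];
const suspiciousEvents = [{ type: "file", op: "read", path: "/workspace/secrets/.env" },
  { type: "honeytoken", name: "AWS_SECRET_ACCESS_KEY" }, { type: "network", host: "203.0.113.10" }];
console.log(evaluate(manifest, benignEvents).verdict, evaluate(manifest, suspiciousEvents).verdict);
```

The benign log yields `allow` with no findings; the suspicious log yields `block` because the honeytoken touch and the undeclared network attempt outrank the out-of-scope read.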

## Commands

Run all included fixtures:

```bash
npm run demo
```

Run a single target:

```bash
node src/cli.js fixtures/benign-plugin
node src/cli.js fixtures/suspicious-plugin
node src/cli.js fixtures/manipulative-skill
```

## Fixture Targets

- `fixtures/benign-plugin`: reads a project brief and writes a summary inside its declared scope
- `fixtures/suspicious-plugin`: reads honeytoken secrets and attempts to exfiltrate them
- `fixtures/manipulative-skill`: contains prompt-level policy override language

## Prototype Limits

This prototype demonstrates the control flow and evidence model, but it is not a production sandbox.

- plugin execution uses Node's `vm` API, not a hardened microVM
- the execution model reduces a plugin's direct access to host runtimes but does not eliminate it to a production standard
- the scanner is rule-based, not a complete malware detector

To make this architecture materially stronger in production, the next step is a hermetic runtime such as WASI or a microVM with brokered capabilities and blocked ambient access.