Releases: prompt-security/clawsec

clawsec-scanner 0.0.2

10 Mar 17:28
f0f0f1d

Changed

  • Replaced simulated DAST checks with real OpenClaw hook execution harness testing
  • Updated DAST semantics so high-severity findings are emitted for actual hook execution failures/timeouts, not static payload pattern matches
  • Reclassified DAST harness capability limitations (for example missing TypeScript compiler for .ts hooks) to info coverage findings instead of high severity
  • Added DAST harness mode guard to prevent recursive scanner execution when hook handlers are tested in isolation

Added

  • New DAST helper executor script for isolated per-hook execution and timeout enforcement
  • DAST harness regression tests covering no-false-positive baseline and malicious-input crash detection

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-scanner

If you already have clawsec-suite installed:
Ask your agent to pull clawsec-scanner from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-scanner-v0.0.2/clawsec-scanner-v0.0.2.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-scanner-v0.0.2/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-scanner-v0.0.2/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-scanner-v0.0.2/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-scanner-v0.0.2.zip" | sha256sum -c

# 4. Extract (creates clawsec-scanner/ directory)
unzip clawsec-scanner-v0.0.2.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-scanner-v0.0.2/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-scanner-v0.0.2/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-scanner-v0.0.2/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawsec-nanoclaw 0.0.3

09 Mar 17:32
81c2e60

Security

  • Removed runtime public-key override from host-side package signature verification; verification now always uses the pinned ClawSec key.
  • Removed unsigned-package override path in host-side verification flow.
  • Added strict package/signature path policy for signature verification (/tmp, /var/tmp, /workspace/ipc, /workspace/project/data, /workspace/project/tmp, /workspace/project/downloads) with absolute-path, extension, symlink, and realpath boundary checks.
  • Added policy-bound path enforcement for integrity approvals: approvals now require normalized paths that are explicitly present in non-ignored integrity policy targets.

Changed

  • Updated MCP signature verification tool docs and behavior to align with bounded path policy and pinned-key-only verification.
  • Added regression tests for signature-verification and integrity-approval hardening invariants.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-nanoclaw

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.3/clawsec-nanoclaw-v0.0.3.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.3/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.3/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.3/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-nanoclaw-v0.0.3.zip" | sha256sum -c

# 4. Extract (creates clawsec-nanoclaw/ directory)
unzip clawsec-nanoclaw-v0.0.3.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.3/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.3/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.3/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawsec-suite 0.1.4

02 Mar 08:32
79c303f

Added

  • Advisory output snippets now include exploitability context in suite quick-check and heartbeat examples.

Changed

  • Clarified exploitability guidance to match runtime score values (high|medium|low|unknown).
  • Prioritization guidance now emphasizes high-exploitability advisories for immediate handling.

Fixed

  • Kept exploitability enrichment in advisory workflows non-fatal per item so a single analysis failure does not abort feed updates.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-suite

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.4/clawsec-suite-v0.1.4.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.4/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.4/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.4/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-suite-v0.1.4.zip" | sha256sum -c

# 4. Extract (creates clawsec-suite/ directory)
unzip clawsec-suite-v0.1.4.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.4/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.4/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.4/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawsec-feed 0.0.5

02 Mar 08:32
79c303f

Added

  • Exploitability-focused advisory guidance, including filtering and prioritization examples.
  • Notification examples that include exploitability context and rationale.

Changed

  • Clarified exploitability scoring guidance to match runtime values (high|medium|low|unknown).
  • Updated response-priority guidance to align with exploitability-first triage.
  • De-duplicated exploitability filtering guidance in SKILL.md by pointing to canonical docs in wiki/exploitability-scoring.md and clawsec-suite.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-feed

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.5/clawsec-feed-v0.0.5.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.5/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.5/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.5/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-feed-v0.0.5.zip" | sha256sum -c

# 4. Extract (creates clawsec-feed/ directory)
unzip clawsec-feed-v0.0.5.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.5/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.5/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.5/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

openclaw-audit-watchdog 0.1.1

25 Feb 11:26
7cdb4ab

Added

  • Contributor credit: portability and path-hardening improvements in this release were contributed by @aldodelgado in PR #62.
  • Cross-shell home-path expansion support in watchdog path inputs (~, $HOME, ${HOME}, %USERPROFILE%, $env:HOME).
  • Regression coverage for suppression-config home-token expansion and escaped-token rejection (test/suppression_config.test.mjs).

Changed

  • scripts/codex_review.sh now resolves the Codex CLI from CODEX_BIN, then PATH, then Homebrew fallback for improved portability.
  • scripts/setup_cron.mjs now normalizes and validates install-dir/home-derived paths before job creation.
  • scripts/load_suppression_config.mjs now resolves/normalizes configured file paths consistently across shell styles.

Security

  • Escaped or unresolved home tokens in suppression config paths now fail fast to avoid silently using unintended literal paths.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install openclaw-audit-watchdog

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.1/openclaw-audit-watchdog-v0.1.1.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.1/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.1/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.1/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  openclaw-audit-watchdog-v0.1.1.zip" | sha256sum -c

# 4. Extract (creates openclaw-audit-watchdog/ directory)
unzip openclaw-audit-watchdog-v0.1.1.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.1/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.1/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.1/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawsec-clawhub-checker 0.0.1

16 Feb 19:28

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-clawhub-checker

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.1/clawsec-clawhub-checker-v0.0.1.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.1/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.1/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.1/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-clawhub-checker-v0.0.1.zip" | sha256sum -c

# 4. Extract (creates clawsec-clawhub-checker/ directory)
unzip clawsec-clawhub-checker-v0.0.1.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.1/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.1/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.1/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json
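The signature-then-hash procedure that each "Manual download with verification" and "Verification" section above repeats, as an added example that is not the project's own code: it refuses to read any hash from checksums.json until the Ed25519 signature over it has verified, and it also pins the public key by fingerprint, since signing-public.pem is fetched from the same release as the artifacts it vouches for. It assumes the `cryptography` package, a manifest carrying the `.archive.sha256` field the release notes use, and a pinned fingerprint obtained out of band; the release it builds for itself is a constructed fixture, not a real one.

```python
"""Fail-closed check of a signed release: verify checksums.json first, then hashes."""
import base64
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)


def key_fingerprint(pub_pem: bytes) -> str:
    """SHA-256 hex of the raw 32-byte Ed25519 key: the value to pin out of band."""
    key = serialization.load_pem_public_key(pub_pem)
    raw = key.public_bytes(serialization.Encoding.Raw,
                           serialization.PublicFormat.Raw)
    return hashlib.sha256(raw).hexdigest()


def verify_manifest(pub_pem: bytes, manifest: bytes, sig_b64: bytes,
                    pinned_fp: str) -> bool:
    """True only if pub_pem is the pinned Ed25519 key and it signed `manifest`."""
    key = serialization.load_pem_public_key(pub_pem)
    if not isinstance(key, Ed25519PublicKey) or key_fingerprint(pub_pem) != pinned_fp:
        return False  # wrong key type or a key we never pinned: trust nothing
    try:
        # checksums.sig is the base64 of the 64-byte signature over the file bytes
        key.verify(base64.b64decode(sig_b64.strip(), validate=True), manifest)
    except (InvalidSignature, ValueError):  # bad signature or malformed base64
        return False
    return True


def verify_release(pub_pem: bytes, manifest: bytes, sig_b64: bytes,
                   archive: bytes, pinned_fp: str) -> str:
    """Return 'ok', 'bad-signature' or 'hash-mismatch'; the hash is read from the
    manifest only after its signature has verified."""
    if not verify_manifest(pub_pem, manifest, sig_b64, pinned_fp):
        return "bad-signature"
    expected = json.loads(manifest)["archive"]["sha256"]  # same field jq reads above
    if hashlib.sha256(archive).hexdigest() != expected:
        return "hash-mismatch"
    return "ok"


def make_demo_release():
    """Constructed fixture, not a real release: fresh key, fake archive, manifest
    over it and a signature, so the checks above can run offline."""
    priv = Ed25519PrivateKey.generate()
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    archive = b"PK\x03\x04 constructed archive bytes"
    digest = hashlib.sha256(archive).hexdigest()
    manifest = json.dumps({"archive": {"sha256": digest}}).encode()
    sig_b64 = base64.b64encode(priv.sign(manifest)) + b"\n"
    return pub_pem, manifest, sig_b64, archive
```

A tampered manifest, a tampered archive, an unpinned key and a malformed signature file each fail closed, and the archive hash is never compared when the signature step fails.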

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

soul-guardian 0.0.2

06 Feb 17:33

Quick Install

Download the complete skill package:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.2/soul-guardian.skill

Or fetch the main skill file directly:

curl -sL https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.2/SKILL.md

Verification

All files include SHA256 checksums. Download checksums.json and verify:

curl -sL https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.2/checksums.json | jq .

Verify a file:

sha256sum SKILL.md
# Compare with value in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.


Released by ClawSec skill distribution pipeline

clawtributor 0.0.3

05 Feb 22:37

Quick Install

Download the complete skill package:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.3/clawtributor.skill

Or fetch the main skill file directly:

curl -sL https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.3/SKILL.md

Verification

All files include SHA256 checksums. Download checksums.json and verify:

curl -sL https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.3/checksums.json | jq .

Verify a file:

sha256sum SKILL.md
# Compare with value in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.


Released by ClawSec skill distribution pipeline