ClawSec for NanoClaw

Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.

Overview

ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.

Core principle: Check before you install. Monitor what's running.

When to Use

Use ClawSec tools when:

Installing a new skill (check safety first)
User asks "are my skills secure?"
Investigating suspicious behavior
Regular security audits
After receiving security notifications

Do NOT use for:

Code review (use other tools)
Performance issues (different concern)
General debugging

MCP Tools Available

Pre-Installation Check

typescript

// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  skillVersion: '1.0.0'  // optional
});

if (!safety.safe) {
  // Show user the risks before proceeding
  console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}

Security Audit

typescript

// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
  installRoot: '/home/node/.claude/skills'  // optional
});

if (result.matches.some((m) =>
  m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
  // Alert user immediately
  console.error('Urgent advisories found!');
}

Browse Advisories

typescript

// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
  severity: 'high',               // optional
  exploitabilityScore: 'high'     // optional
});

Quick Reference

Task	Tool	Key Parameter
Pre-install check	`clawsec_check_skill_safety`	`skillName`
Audit all skills	`clawsec_check_advisories`	`installRoot` (optional)
Browse feed	`clawsec_list_advisories`	`severity` , `type` , `exploitabilityScore` (optional)
Verify package signature	`clawsec_verify_skill_package`	`packagePath`
Refresh advisory cache	`clawsec_refresh_cache`	(none)
Check file integrity	`clawsec_check_integrity`	`mode` , `autoRestore` (optional)
Approve file change	`clawsec_approve_change`	`path`
View baseline status	`clawsec_integrity_status`	`path` (optional)
Verify audit log	`clawsec_verify_audit`	(none)

Common Patterns

Pattern 1: Safe Skill Installation

typescript

// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
  skillName: userRequestedSkill
});

if (safety.safe) {
  // Proceed with installation
  await installSkill(userRequestedSkill);
} else {
  // Show user the risks and get confirmation
  await showSecurityWarning(safety.advisories);
  if (await getUserConfirmation()) {
    await installSkill(userRequestedSkill);
  }
}

Pattern 2: Periodic Security Check

typescript

// Add to scheduled tasks
schedule_task({
  prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
  schedule_type: "cron",
  schedule_value: "0 9 * * *"  // Daily at 9am
});

Pattern 3: User Security Query

User: "Are my skills secure?"

You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]

Response:
✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to date

Common Mistakes

❌ Installing without checking

typescript

// DON'T
await installSkill('untrusted-skill');

typescript

// DO
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');

❌ Ignoring exploitability context

typescript

// DON'T: Use severity only
if (advisory.severity === 'high') {
  notifyNow(advisory);
}

typescript

// DO: Use exploitability + severity
if (
  advisory.exploitability_score === 'high' ||
  advisory.severity === 'critical'
) {
  notifyNow(advisory);
}

❌ Skipping critical severity

typescript

// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();

typescript

// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
  // Alert immediately
}

Implementation Details

Feed Source: https://clawsec.prompt.security/advisories/feed.json

Update Frequency: Every 6 hours (automatic)

Signature Verification: Ed25519 signed feeds

Cache Location:

/workspace/project/data/clawsec-advisory-cache.json

See INSTALL.md for setup and docs/ for advanced usage.

Real-World Impact

Prevents installation of skills with known RCE vulnerabilities
Alerts to supply chain attacks in dependencies
Provides actionable remediation steps
Zero false positives (curated feed only)

clawsec-nanoclaw

NPX Install

Tags

SKILL.md Content

ClawSec for NanoClaw

Overview

When to Use

MCP Tools Available

Pre-Installation Check

Security Audit

Browse Advisories

Quick Reference

Common Patterns

Pattern 1: Safe Skill Installation

Pattern 2: Periodic Security Check

Pattern 3: User Security Query

Common Mistakes

❌ Installing without checking

❌ Ignoring exploitability context

❌ Skipping critical severity

Implementation Details

Real-World Impact