picoclaw-security-guardian

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Picoclaw Security Guardian

Picoclaw安全守护者

Detailed architecture/operator docs:

wiki/modules/picoclaw-security-guardian.md

详细的架构/运维文档：

wiki/modules/picoclaw-security-guardian.md

。

Goal

目标

Provide Picoclaw with the same support-matrix security capabilities ClawSec tracks for mature platform modules:

Skill name	supported platform	security feed	config drift	agent posture-review lane	chain of supply verification
picoclaw-security-guardian	Picoclaw	Yes	Yes	Separate package	Yes

为Picoclaw提供与ClawSec针对成熟平台模块追踪的相同级别的支持矩阵安全能力：

Skill名称	支持的平台	安全源	配置漂移检测	Agent态势审查通道	供应链验证
picoclaw-security-guardian	Picoclaw	是	是	独立包	是

Threat model

威胁模型

Picoclaw is a lightweight AI gateway that can expose chat channels, a Web UI, tool execution, MCP servers, credentials, schedulers, and embedded/router deployments. This skill focuses on the trust boundaries where those features become security-sensitive.

Picoclaw是一款轻量级AI网关，可开放聊天通道、Web UI、工具执行、MCP服务器、凭证、调度器以及嵌入式/路由器部署。本Skill聚焦于这些功能涉及安全敏感场景的信任边界。

Default safety posture

默认安全态势

Read-only by default.
No scheduler creation in v0.0.1.
No outbound network by default.
Writes only explicit report/profile outputs under
```
$PICOCLAW_HOME/security/clawsec/
```
unless the operator supplies test-local temporary paths.
Advisory checks fail closed when verification state is not verified unless the operator passes
```
--allow-unsigned
```
for a documented emergency/offline window.

默认只读模式。
v0.0.1版本不支持创建调度器。
默认禁止出站网络。
仅在
```
$PICOCLAW_HOME/security/clawsec/
```
目录下生成明确的报告/配置文件输出，除非运维人员指定本地测试临时路径。
若验证状态未通过，安全预警检查默认失败阻断，除非运维人员针对有文档记录的紧急/离线时段传入
```
--allow-unsigned
```
参数。

Security advisory awareness

安全预警感知

Use

scripts/check_advisories.mjs

with a local feed/cache and verification state:

bash

node scripts/check_advisories.mjs   --feed ~/.picoclaw/security/clawsec/feed.json   --state ~/.picoclaw/security/clawsec/feed-verification-state.json

The script filters advisories for

picoclaw

ai-gateway

, empty/all-platform advisories, or affected package entries containing

picoclaw

结合本地源/缓存及验证状态使用

scripts/check_advisories.mjs

：

bash

node scripts/check_advisories.mjs   --feed ~/.picoclaw/security/clawsec/feed.json   --state ~/.picoclaw/security/clawsec/feed-verification-state.json

该脚本会筛选针对

picoclaw

、

ai-gateway

、全平台通用预警，或包含

picoclaw

的受影响包条目。

Drift protection

漂移防护

Generate a deterministic profile:

bash

node scripts/generate_profile.mjs   --output ~/.picoclaw/security/clawsec/current-profile.json

Compare against an approved baseline:

bash

node scripts/check_drift.mjs   --baseline ~/.picoclaw/security/clawsec/baseline-profile.json   --current ~/.picoclaw/security/clawsec/current-profile.json   --fail-on critical

Critical drift includes public Web UI enablement, Web UI auth disablement, workspace restriction disablement, unsigned/insecure verification mode, verified-feed regression, and watched-file/release-artifact fingerprint changes.

生成确定性配置文件：

bash

node scripts/generate_profile.mjs   --output ~/.picoclaw/security/clawsec/current-profile.json

与已批准的基线进行对比：

bash

node scripts/check_drift.mjs   --baseline ~/.picoclaw/security/clawsec/baseline-profile.json   --current ~/.picoclaw/security/clawsec/current-profile.json   --fail-on critical

严重漂移场景包括：公共Web UI启用、Web UI认证禁用、工作区限制禁用、未签名/不安全验证模式、已验证安全源退化、受监控文件/发布制品指纹变更。

Chain-of-supply verification

供应链验证

Verify a Picoclaw release artifact against a checksum manifest plus detached signature. Signed manifest verification is required for a passing supply-chain verdict:

bash

node scripts/verify_supply_chain.mjs \
  --artifact ./picoclaw \
  --checksums ./checksums.json \
  --signature ./checksums.json.sig \
  --public-key ./feed-signing-public.pem

Checksum-only mode is integrity-only, not provenance. Use

--allow-unsigned-checksums

only for short, documented offline triage windows; it should not satisfy production install verification.

针对Picoclaw发布制品，结合校验和清单及分离签名进行验证：签名清单验证是供应链验证通过的必要条件：

bash

node scripts/verify_supply_chain.mjs \
  --artifact ./picoclaw \
  --checksums ./checksums.json \
  --signature ./checksums.json.sig \
  --public-key ./feed-signing-public.pem

仅校验和模式仅保障完整性，不验证来源。仅在有文档记录的短期离线排查时段使用

--allow-unsigned-checksums

，该模式无法满足生产环境安装验证要求。

Operator review notes

运维审查注意事项

Treat public UI binding (
```
0.0.0.0
```
,
```
-public
```
) as a critical review item until auth and network allowlists are proven.
Treat MCP servers as separate trust boundaries; review each server's filesystem, network, and credential access.
Treat third-party OpenWrt/LuCI wrappers as separate supply-chain artifacts. Verify provenance before installing them on routers.
Never leave unsigned advisory mode enabled in recurring or production checks.

在认证和网络白名单机制验证通过前，将公共UI绑定（
```
0.0.0.0
```
、
```
-public
```
）视为关键审查项。
将MCP服务器视为独立信任边界；审查每台服务器的文件系统、网络及凭证访问权限。
将第三方OpenWrt/LuCI包装器视为独立供应链制品。在路由器上安装前需验证其来源。
切勿在周期性或生产环境检查中启用未签名预警模式。

Validation

验证

bash

python utils/validate_skill.py skills/picoclaw-security-guardian
node skills/picoclaw-security-guardian/test/profile.test.mjs
node skills/picoclaw-security-guardian/test/drift.test.mjs
node skills/picoclaw-security-guardian/test/supply_chain.test.mjs
bash -n skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh

bash

python utils/validate_skill.py skills/picoclaw-security-guardian
node skills/picoclaw-security-guardian/test/profile.test.mjs
node skills/picoclaw-security-guardian/test/drift.test.mjs
node skills/picoclaw-security-guardian/test/supply_chain.test.mjs
bash -n skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh

Pre-release install regression

预发布安装回归测试

Before publishing v0.0.1 release artifacts, run the isolated install lane from the repo root:

bash

skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh

The regression installs the skill through Picoclaw's own

find_skills

install_skill

path from a local ClawHub-compatible registry into an isolated Docker-hosted Picoclaw workspace with isolated

HOME

PICOCLAW_HOME

, and

PICOCLAW_WORKSPACE

. It verifies signed release-artifact preflight inputs, confirms Picoclaw's skill loader can list/load the installed skill, then runs the installed copy's profile, drift, advisory fail-closed, advisory filtering, and supply-chain verification paths against Picoclaw-style

config.json

and

launcher-config.json

files.

在发布v0.0.1版本制品前，从仓库根目录运行隔离安装流程：

bash

skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh

该回归测试会通过Picoclaw自身的

find_skills

install_skill

路径，从本地兼容ClawHub的注册表将Skill安装到隔离的Docker托管Picoclaw工作区中，该工作区拥有独立的

HOME

、

PICOCLAW_HOME

和

PICOCLAW_WORKSPACE

。测试会验证签名发布制品的预检输入，确认Picoclaw的Skill加载器可列出/加载已安装的Skill，随后针对Picoclaw格式的

config.json

和

launcher-config.json

文件，运行已安装副本的配置文件、漂移检测、预警失败阻断、预警筛选及供应链验证流程。