🛡️ ClawGuard Auditor (CG-A) v3

Enterprise-grade Security Kernel for OpenClaw Skills. ClawGuard Auditor provides comprehensive pre-flight static and semantic analysis, supply chain security verification, and AI-powered anomaly detection.

When to Use

Activate ClawGuard Auditor when:

• - A user asks to install or load a new Skill
• A user asks to audit an existing Skill or repository
• A new external code source is being added to the environment

How to Execute

Follow these steps when auditing a Skill:

Step 1: Read the Target Skill

• - Find and read the SKILL.md file in the target directory
• Read all code files (.js, .py, .sh, etc.)
• Also scan code blocks inside SKILL.md (v3 新增)

Step 2: Check Metadata

• - Verify the SKILL.md has valid frontmatter (name, version, description)
• Check if the metadata.risk field is "safe"
• Check for suspicious binaries in INLINECODE2

Step 3: Scan for Dangerous Patterns

Critical Patterns (Immediate Reject)

Pattern	Description	Example
INLINECODE3	Dynamic code execution	INLINECODE4
INLINECODE5

Command execution | exec(cmd) | | __import__() | Dynamic imports | __import__('os') | | compile() | Dynamic compilation | compile(src, '', 'exec') | | child_process.execSync | Sync command execution | execSync(cmd, {shell: true}) | | subprocess.Popen | Process spawning | Popen(shell=True) | | os.system() | Shell execution | os.system(cmd) |

High Risk Patterns (Block + Review)

Pattern	Description	Example
INLINECODE17 to dynamic URL	Dynamic network requests	INLINECODE18
INLINECODE19

Browser network | new XMLHttpRequest() | | WebSocket | Real-time comms | new WebSocket(url) | | process.env | Env access | process.env[KEY] | | os.environ | Env access | os.environ.get(KEY) |

Step 4: Check Intent Match (v3 核心功能)

Compare what the Skill claims to do (description) vs what the code actually does

If a "Weather Tool" reads SSH keys, that's an INTENT MISMATCH!

Intent Mismatch Detection Process

1. 1. Extract stated purpose from SKILL.md description
2. Analyze actual behavior from code
3. Compute intent score using semantic similarity
4. Flag mismatches if score < threshold

Example Mismatches

Skill Description	Actual Behavior	Intent Score	Action
"Weather Formatter"	Reads INLINECODE27	0.2	REJECT
"File Organizer"

Spawns background process | 0.4 | REJECT | | "Markdown Helper" | Makes HTTP POST to unknown domain | 0.3 | REJECT | | "Calculator" | Writes to /etc/cron | 0.1 | REJECT |

Step 5: Check Dependencies

• - Look at package.json, requirements.txt, go.mod
• Flag known malicious packages
• Check for typosquatting patterns

Step 6: Output Result

Based on findings, output one of:

• - APPROVED: No critical issues found
• CONDITIONAL: Some concerns, needs human review
• REJECTED: Critical security issues detected

Purpose

ClawGuard Auditor is the first line of defense for OpenClaw environments. Before any Skill is installed or executed, it performs rigorous security analysis covering:

• - Advanced SAST: Static Application Security Testing with comprehensive rule coverage
• Semantic Intent Analysis (v3): AI-powered behavioral profiling to detect intent mismatches
• Supply Chain Security: Dependency verification, typo-squatting detection, CVE scanning
• ML-based Anomaly Detection: Machine learning models to identify novel attack patterns
• Obfuscation Detection: Multi-layer obfuscation and encoding attack detection
• SKILL.md Code Scanning (v3): Scan code blocks inside documentation files

Core Workflow

CODEBLOCK0

Phase 1: Metadata Validation

Frontmatter Schema

Field	Required	Validation Rules
name	YES	Must match directory name, lowercase with hyphens
version

YES | Must be valid semver (e.g., 1.0.0) | | description | YES | Min 10 chars, max 500 chars | | author | NO | If present, validate format | | homepage | NO | If present, must be valid HTTPS URL | | metadata.category | YES | Must be one of: security, utility, data, integration | | metadata.risk | YES | Must be "safe" for new Skills | | metadata.requires | NO | If present, validate each binary exists |

Validation Rules

Check	Severity	Action
Missing YAML frontmatter	CRITICAL	REJECT
Invalid name format

HIGH | REJECT | | Version not semver | MEDIUM | WARN | | Missing description | MEDIUM | REJECT | | risk != "safe" | HIGH | WARN | | Suspicious binary in requires | CRITICAL | REJECT |

Enhanced Binary Detection

Reject Skills requiring:

• - Network tools: nc, ncat, socat, netcat, INLINECODE33
• Remote access: ssh, scp, rsync (unless explicitly justified)
• Package managers: pip install, npm install -g (unless in sandbox)
• System modification: chmod, chown, sudo (unless documented)

Phase 2: Provenance Analysis

Trust Scoring Algorithm

CODEBLOCK1

Source Classification

Classification	Score Range	Action
Trusted	80-100	Auto-approve with standard logging
Verified

60-79 | Approve with enhanced logging | | Unknown | 40-59 | Manual review required | | Suspicious | 20-39 | Deep audit required | | Untrusted | 0-19 | Auto-reject |

Phase 3: Advanced SAST Analysis (v3 Enhanced)

Execution Risk Detection

Critical Patterns (Immediate Reject)

Pattern	Description	Example
INLINECODE42	Dynamic code execution	INLINECODE43
INLINECODE44

String evaluation | eval(code) | | __import__() | Dynamic imports | __import__('os') | | compile() | Dynamic compilation | compile(src, '', 'exec') | | child_process.execSync | Sync command execution | execSync(cmd, {shell: true}) | | subprocess.Popen | Process spawning | Popen(shell=True) | | os.system() | Shell execution | os.system(cmd) |

Network Anomaly Detection

Critical Patterns

Pattern	Severity	MITRE ATT&CK
INLINECODE56 with credentials	CRITICAL	T1041
INLINECODE57 with credentials

CRITICAL | T1041 | | Base64 encoded data to network | CRITICAL | T1132 | | DNS exfiltration patterns | CRITICAL | T1048.003 | | Hardcoded IP addresses | HIGH | T1059 | | Reverse shell signatures | CRITICAL | T1059.004 | | IPtables modification | HIGH | T1562 |

Reverse Shell Signatures (Enhanced Detection)

CODEBLOCK2

File System Threat Detection (v3 Enhanced)

Critical Paths (Read/Write Attempt = High Risk)

Also scan these paths inside SKILL.md code blocks!

CODEBLOCK3

Detection Rules

Pattern	Severity	Example
Read critical path	HIGH	INLINECODE58
Write to critical path

CRITICAL | writeFile('/.ssh/authorized_keys') | | Modify cron | CRITICAL | echo '* * * * *' >> /etc/crontab | | SSH key access | CRITICAL | readFile('~/.ssh/id_rsa') |

Obfuscation Detection (v3 Enhanced)

Layer 1: Common Encodings

Encoding	Detection Pattern	Risk
Base64	INLINECODE62 with len > 20	MEDIUM
Hex

/^[0-9a-fA-F]+$/ with len > 16 | MEDIUM | | URL Encoding | %[0-9A-F]{2} repeated | LOW | | Unicode Escape | \u[0-9A-F]{4} | MEDIUM |

Layer 2: Advanced Obfuscation

Technique	Detection	Risk
String concatenation to hide keywords	INLINECODE66	HIGH
Array join

['co','ncat'].join('') | HIGH | | Character codes | String.fromCharCode(99, 111, 110, 99, 97, 116) | HIGH | | Dynamic code evaluation | new Function('code')() | CRITICAL | | JSFuck | /\[!\+\[\]/.test(code) | CRITICAL | | Zero-width characters | \u200B\u200C\u200D | CRITICAL | | Right-to-Left Override | \u202E | CRITICAL |

Layer 3: Multi-stage Obfuscation

Detect chains of encoding:

• - Base64 → URL → Hex
• Character codes → eval
• Compression → Base64 → eval

Phase 4: Semantic Intent Analysis (v3 核心功能)

Intent Mismatch Detection

Unlike basic vetters, ClawGuard analyzes if the Skill's actual behavior matches its stated purpose.

Capability-Behavior Mapping

Map required capabilities to actual usage:

CODEBLOCK4

Phase 5: Supply Chain Security

Dependency Analysis

Package.json Analysis

CODEBLOCK5

Requirements.txt Analysis

CODEBLOCK6

CVE Scanning (Enhanced)

Source	Coverage	Update Frequency
NVD API	CVEs 2002-2024	Daily
GitHub Advisory

npm packages | Hourly | | OSV | All ecosystems | Hourly |

Vulnerability Severity Mapping

Severity	CVSS Score	Action
CRITICAL	9.0-10.0	Auto-reject
HIGH

7.0-8.9 | Block + Warn | | MEDIUM | 4.0-6.9 | Log + Warn | | LOW | 0.1-3.9 | Log only |

Registry Reputation Scoring

Registry	Score	Trust Level
npm (official)	80	High
PyPI (official)

80 | High | | GitHub Packages | 70 | Medium-High | | Unverified mirrors | 10 | Low |

Phase 6: ML-based Anomaly Detection

Feature Extraction

Extract features from code for ML model:

CODEBLOCK7

Novel Attack Detection

ClawGuard uses ensemble detection to identify novel attacks:

CODEBLOCK8

Output Format

Terminal Output (v3 Enhanced)

CODEBLOCK9

Risk Scoring Formula (v3)

CODEBLOCK10

Risk Tier Classification

Tier	Score Range	Color	Action
TIER0	0-10	🟢 GREEN	Auto-approve
TIER1

11-30 | 🟢 GREEN | Approve with logging | | TIER_2 | 31-50 | 🟡 YELLOW | Manual review | | TIER_3 | 51-70 | 🟠 ORANGE | Deep audit required | | TIER_4 | 71-100 | 🔴 RED | Auto-reject |

Integration with OpenClaw

Installation Flow

CODEBLOCK11

Quick Detection Commands

CODEBLOCK12javascript' /SKILL.md | grep -E "exec|eval|readFile|http\."

Check for malicious domains

grep -r "evil\|attacker\|malicious\|hacker" ```

v3 vs v2 Features

Feature	v2	v3
SAST Analysis	✅	✅
Intent Analysis

Basic | Advanced (v3) | | SKILL.md Code Scanning | ❌ | ✅ (v3) | | Supply Chain Security | ✅ | ✅ | | ML Anomaly Detection | ✅ | ✅ | | Obfuscation Detection | ✅ | Enhanced (v3) | | Intent Mismatch Scoring | ❌ | ✅ (v3) | | Five-Tier Risk System | 3 tiers | 5 tiers (v3) |

---

ClawGuard Auditor: Security takes precedence over execution. 🦅