Tracebit Canaries Skill

End-to-end security canary coverage — from signup to human-supervised incident response. You (the agent) perform setup steps yourself, with human confirmation at key decision points.

The Tracebit CLI runs a lightweight background service that refreshes canary token expiry — no other network calls or file access. When the heartbeat inbox check detects a canary alert email, you notify the human, investigate (read-only), and report.

Tracebit Community Edition is free at https://community.tracebit.com

Security & Transparency

This skill is user-initiated, user-supervised, and fully reversible. For full details — including file traceability, enforcement model, and removal — see references/security-compliance.md.

Skill file writes (created by agent instructions in SKILL.md, not by shell scripts):

- /tmp/tracebit-setup-creds — temporary signup password (Step 1, chmod 600, deleted after use)
INLINECODE2 — canary alert check block (Step 6, append)
INLINECODE3 — incident log (playbook Phase 2.2, append-only, only on alert)

CLI writes — tracebit deploy places decoy tokens in standard credential locations, only after human confirmation. The CLI is open-source. No real credentials are read or modified.

CLI installation — SHA256-verified from official GitHub Releases only. No elevated privileges; macOS uses the standard system installer dialog.

Email — read-only search for Tracebit alerts via plugins.email.accounts. No emails sent, deleted, or modified.

Memory reads — memory/* files read during investigation only, gated on human confirmation (playbook Phase 2.4).

Background service — refreshes canary token expiry only. Runs as current user. Fully removable.

Execution Principles

You are the operator. The human is the owner.

- Confirm with the human before: starting deployment, writing credentials to disk, and rotating/remediating after incidents.
Browser steps: use the OpenClaw managed browser tool — verify availability first:

  openclaw browser --browser-profile openclaw status

- Ask the human for: 2FA codes, unreadable CAPTCHAs, or missing tool configuration

Definition of Done

Not done until every item is checked:

CODEBLOCK1

Canaries without alert detection (Step 6) provide no protection. Do not skip it.

Setup Steps

Step 1: Sign Up

Use the browser tool — not any system-installed browser.

CODEBLOCK2bash
python3 -c "import secrets, string; chars = string.asciiletters + string.digits + '!@#\$%^&*'; print(''.join(secrets.choice(chars) for in range(24)))" > /tmp/tracebit-setup-creds && chmod 600 /tmp/tracebit-setup-creds
CODEBLOCK3

Error cases:

- Email already registered: skip to Step 3
CAPTCHA: browser screenshot, read it yourself, type it in. Ask human only if unreadable.
Code not arriving: check spam folder, wait 20s, click "Resend code"

Step 2: Install the CLI

CODEBLOCK4

Verify: INLINECODE10

If the script fails, see references/troubleshooting.md. For manual installation, download the appropriate package from the CLI releases page:

- Linux: download install-tracebit-linux and run INLINECODE13
macOS arm64: download install-tracebit-osx-arm.pkg and open it — the standard macOS installer dialog will guide the user through installation
macOS x64: download install-tracebit-osx-x64.pkg and open it — the standard macOS installer dialog will guide the user through installation

Step 3: Authenticate the CLI

INLINECODE16 starts a listener on localhost:5442 and waits for an OAuth callback.

CODEBLOCK5

Then:

1. INLINECODE18
INLINECODE19 — find the "Authorise" button
Click Authorise using the ref from the snapshot
Callback completes automatically — log shows INLINECODE20

Verify: INLINECODE21

Fallback (if OAuth callback fails): browser navigate https://community.tracebit.com → Settings → API Keys → Create token → INLINECODE23

Step 4: Deploy All Canaries

CODEBLOCK6

The username-password credential is issued before the prompt fires. The error exit is a known CLI quirk. Just continue — tracebit show will confirm it's there.

Deploys 5 types: aws, ssh, cookie, username-password, email. See references/canary-types.md for details on each.

Step 5: Verify Deployment

CODEBLOCK7

All 5 types must appear active.

Step 6: Configure Heartbeat Alert Detection

Not optional. Without this, canaries fire silently.

Append to HEARTBEAT.md (create if needed):

CODEBLOCK8

Also add this weekly check:

CODEBLOCK9

Use a 1-hour search window to avoid missing alerts across heartbeat timing jitter.

Completion Report

Include verbatim when reporting to the human:

CODEBLOCK10

Password handling: After generating the password, write it to a temp file — never include it in conversation output:

echo "<generated-password>" > /tmp/tracebit-setup-creds && chmod 600 /tmp/tracebit-setup-creds

Tell the human the file path and instruct them to save the password to their password manager, then delete the file.

When a Canary Fires

Read and follow references/incident-response-playbook.md immediately. The playbook covers:

1. Notify the human via their configured messaging channel within seconds
Investigate — check canary status and log the incident (one append-only write to memory/security-incidents.md); reading memory files requires human confirmation
Report findings to the human within 5 minutes
Rotate canaries only after human acknowledgement: INLINECODE29

Removal

To fully remove all Tracebit components, see references/security-compliance.md — includes a cleanup script and manual removal steps.

Gotchas

- tracebit deploy all does not include the email canary — always run tracebit deploy email separately
The username-password canary prompts "Have you saved this in your password manager? [y/n]" which fails non-interactively. The credential is issued before the prompt — check tracebit show. If missing: INLINECODE34
Email canary tracking pixel: opening/previewing the canary email fires the alert. This is by design — the email is the bait.
Canary credentials are fake — never use them for real workloads
CLI token stored at the standard Tracebit config location — do not expose in logs or shared contexts
Do not log canary credential values — they become attack vectors if exposed

Reference Files

File	When to Read
INLINECODE35	When a canary fires — full IR procedure
INLINECODE36

Tracebit 金丝雀技能

端到端安全金丝雀覆盖——从注册到人工监督的事件响应。你（代理）自行执行设置步骤，在关键决策点需要人工确认。

Tracebit CLI 运行一个轻量级后台服务，用于刷新金丝雀令牌的过期时间——不进行其他网络调用或文件访问。当心跳收件箱检查检测到金丝雀警报邮件时，你通知人工、调查（只读）并报告。

Tracebit 社区版免费获取地址：https://community.tracebit.com

安全与透明度

本技能由用户发起、用户监督，且完全可逆。完整详情——包括文件可追溯性、执行模型和移除——请参见 references/security-compliance.md。

技能文件写入（由 SKILL.md 中的代理指令创建，而非 shell 脚本）：

- /tmp/tracebit-setup-creds — 临时注册密码（步骤 1，chmod 600，使用后删除）
HEARTBEAT.md — 金丝雀警报检查块（步骤 6，追加）
memory/security-incidents.md — 事件日志（剧本阶段 2.2，仅追加，仅在警报时写入）

CLI 写入 — tracebit deploy 仅在人工确认后，将诱饵令牌放置在标准凭据位置。CLI 是开源的。不会读取或修改真实凭据。

CLI 安装 — 仅通过官方 GitHub Releases 进行 SHA256 验证。无需提升权限；macOS 使用标准系统安装程序对话框。

电子邮件 — 通过 plugins.email.accounts 对 Tracebit 警报进行只读搜索。不发送、删除或修改任何邮件。

内存读取 — 仅在调查期间读取 memory/* 文件，且需人工确认（剧本阶段 2.4）。

后台服务 — 仅刷新金丝雀令牌过期时间。以当前用户身份运行。可完全移除。

执行原则

你是操作者。人类是所有者。

- 在以下情况前需向人工确认：开始部署、将凭据写入磁盘、以及在事件后进行轮换/修复。
浏览器步骤：使用 OpenClaw 托管的 browser 工具——首先验证可用性：

bash openclaw browser --browser-profile openclaw status

- 向人工请求：2FA 验证码、无法识别的验证码、或缺失的工具配置

完成标准

直到每个项目都勾选才算完成：

[ ] 步骤 1：Tracebit 账户已创建——通过浏览器快照确认仪表板
[ ] 步骤 2：CLI 已安装——tracebit --version 返回版本号
[ ] 步骤 3：CLI 已验证——tracebit auth status 显示有效凭据
[ ] 步骤 4：所有 5 种金丝雀类型已部署
[ ] 步骤 5：tracebit show 确认所有 5 种均处于活动状态
[ ] 步骤 6：心跳警报检查块已添加到 HEARTBEAT.md

没有警报检测（步骤 6）的金丝雀不提供任何保护。请勿跳过。

设置步骤

步骤 1：注册

使用 browser 工具——而不是任何系统安装的浏览器。

1. 从配置的电子邮件提供商获取你的电子邮件地址
生成一个强随机密码（20+ 字符，混合大小写、数字、符号）并将其写入临时文件——切勿将其包含在对话输出中：

bash python3 -c import secrets, string; chars = string.asciiletters + string.digits + !@#\$%^&*; print(.join(secrets.choice(chars) for in range(24))) > /tmp/tracebit-setup-creds && chmod 600 /tmp/tracebit-setup-creds

告知人工文件路径，以便他们稍后检索。

3. 浏览器导航至 https://community.tracebit.com
浏览器快照——检查页面
如果出现 Cookie 同意横幅，请先关闭它
点击使用电子邮件注册（不要点击使用 Google 登录——避免 OAuth 循环）
使用快照中的引用，在表单中输入电子邮件和密码
提交——重定向到确认你的账户页面
使用你的电子邮件提供商的技能/工具从收件箱中检索确认码
输入验证码并提交
浏览器快照——确认 Tracebit 仪表板已加载

错误情况：

- 电子邮件已注册：跳至步骤 3
验证码：browser screenshot，自行阅读并输入。仅在无法识别时请求人工帮助。
验证码未收到：检查垃圾邮件文件夹，等待 20 秒，点击重新发送验证码

步骤 2：安装 CLI

bash
bash scripts/install-tracebit.sh

验证：tracebit --version

如果脚本失败，请参见 references/troubleshooting.md。如需手动安装，请从 CLI 发布页面下载相应的软件包：

- Linux：下载 install-tracebit-linux 并运行 bash install-tracebit-linux
macOS arm64：下载 install-tracebit-osx-arm.pkg 并打开——标准 macOS 安装程序对话框将引导用户完成安装
macOS x64：下载 install-tracebit-osx-x64.pkg 并打开——标准 macOS 安装程序对话框将引导用户完成安装

步骤 3：验证 CLI

tracebit auth 在 localhost:5442 上启动一个监听器，并等待 OAuth 回调。

bash
tracebit auth > /tmp/tracebit-auth.log 2>&1 &
TRACEBIT_PID=$!
sleep 3
cat /tmp/tracebit-auth.log

然后：

1. browser navigate https://community.tracebit.com/cli-login
browser snapshot — 找到授权按钮
使用快照中的引用点击授权
回调自动完成——日志显示 Successfully logged into Tracebit

验证：tracebit auth status

备用方案（如果 OAuth 回调失败）：browser navigate https://community.tracebit.com → 设置 → API 密钥 → 创建令牌 → tracebit auth --token

步骤 4：部署所有金丝雀

bash
tracebit deploy all # ⚠️ 会在用户名-密码提示时退出并报错——这是预期行为
tracebit deploy email # 电子邮件金丝雀不包含在 deploy all 中

用户名-密码凭据在提示触发前已发放。错误退出是已知的 CLI 特性。只需继续——tracebit show 将确认其存在。

部署 5 种类型：aws、ssh、cookie、username-password、email。每种类型的详细信息请参见 references/canary-types.md。

步骤 5：验证部署

bash
tracebit show
bash scripts/check-canaries.sh

所有 5 种类型必须显示为活动状态。

步骤 6：配置心跳警报检测

非可选项。 否则，金丝雀将静默触发。

追加到 HEARTBEAT.md（如需要则创建）：

markdown

Tracebit 金丝雀警报检查（每次心跳，约 30 分钟）

搜索（只读）自上次心跳以来新的 Tracebit 金丝雀警报邮件。
使用你的电子邮件提供商的技能/工具，搜索来自 notifications@community.tracebit.com、主题包含Tracebit Canary Triggered且时间在过去一小时的邮件。不发送、删除或修改任何邮件。

如果发现任何警报邮件：

1. 立即通过配置的消息通道通知人工——阅读 references/incident-response-playbook.md
调查——遵循剧本阶段
在 5 分钟内发送后续报告

同时添加此每周检查：

markdown

Tracebit 金丝雀健康检查（每周）

- 运行：tracebit show
如果过期或缺失：tracebit deploy all && tracebit deploy email

使用 1 小时搜索窗口，以避免因心跳时间抖动而错过警报。

完成报告

向人工报告时，请逐字包含以下内容：

Tracebit 金丝雀设置 — 完成报告

[ ] 步骤 1 — 账户：<已确认 / 失败：原因>
[ ] 步骤 2 — CLI 安装：
[ ] 步骤 3 —

tracebit-canaries追踪位诱饵