ClawSec-NanoClaw：WhatsApp 机器人安全监控工具，技能漏洞检测与防护

clawsec-nanoclaw by prompt-security/clawsec

102 周安装量

883 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/prompt-security/clawsec --skill clawsec-nanoclaw

自动化监控安全

🇨🇳中文介绍

ClawSec for NanoClaw

用于监控安全公告的工具，保护您的 WhatsApp 机器人免受技能和依赖项中已知漏洞的影响。

概述

ClawSec 提供 MCP 工具，可根据精心策划的安全公告源检查已安装的技能。它能防止安装存在漏洞的技能，包含用于分类的漏洞可利用性上下文，并提醒您现有技能中存在的问题。

核心原则： 安装前先检查。监控正在运行的内容。

使用时机

在以下情况使用 ClawSec 工具：

安装新技能时（先检查安全性）
用户询问"我的技能安全吗？"
调查可疑行为时
定期安全审计时
收到安全通知后

不要用于：

代码审查（使用其他工具）
性能问题（关注点不同）
常规调试

可用的 MCP 工具

安装前检查

// 在安装任何技能之前
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  skillVersion: '1.0.0'  // 可选
});

if (!safety.safe) {
  // 在继续之前向用户展示风险
  console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}

安全审计

// 检查所有已安装的技能（默认为容器中的 ~/.claude/skills）
const result = await tools.clawsec_check_advisories({
  installRoot: '/home/node/.claude/skills'  // 可选
});

if (result.matches.some((m) =>
  m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
  // 立即提醒用户
  console.error('Urgent advisories found!');
}

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

任务	工具	关键参数
安装前检查	`clawsec_check_skill_safety`	`skillName`
审计所有技能	`clawsec_check_advisories`	`installRoot` (可选)
浏览公告源	`clawsec_list_advisories`	`severity`, `type`, `exploitabilityScore` (可选)
验证包签名	`clawsec_verify_skill_package`	`packagePath`
刷新公告缓存	`clawsec_refresh_cache`	(无)
检查文件完整性	`clawsec_check_integrity`	`mode`, `autoRestore` (可选)
批准文件变更	`clawsec_approve_change`	`path`
查看基线状态	`clawsec_integrity_status`	`path` (可选)
验证审计日志	`clawsec_verify_audit`	(无)

模式 1：安全技能安装

// 安装前务必检查
const safety = await tools.clawsec_check_skill_safety({
  skillName: userRequestedSkill
});

if (safety.safe) {
  // 继续安装
  await installSkill(userRequestedSkill);
} else {
  // 向用户展示风险并获取确认
  await showSecurityWarning(safety.advisories);
  if (await getUserConfirmation()) {
    await installSkill(userRequestedSkill);
  }
}

模式 2：定期安全检查

// 添加到计划任务中
schedule_task({
  prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
  schedule_type: "cron",
  schedule_value: "0 9 * * *"  // 每天上午 9 点
});

模式 3：用户安全查询

用户："我的技能安全吗？"

你：我来检查一下已安装的技能是否存在已知漏洞。
[使用 clawsec_check_advisories]

回复：
✅ 未发现紧急问题。
- 2 个低严重性/低可利用性公告
- 所有技能均为最新版本

❌ 不检查就安装

// 不要这样做
await installSkill('untrusted-skill');

// 应该这样做
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');

❌ 忽略可利用性上下文

// 不要这样做：仅使用严重性
if (advisory.severity === 'high') {
  notifyNow(advisory);
}

// 应该这样做：结合可利用性和严重性
if (
  advisory.exploitability_score === 'high' ||
  advisory.severity === 'critical'
) {
  notifyNow(advisory);
}

❌ 跳过关键严重性

// 不要这样做：忽略中等严重性公告中的高可利用性
if (advisory.severity === 'critical') alert();

// 应该这样做：同时考虑可利用性和严重性
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
  // 立即发出警报
}

更新频率 : 每 6 小时（自动）

签名验证 : Ed25519 签名公告源 包验证策略 : 仅使用固定密钥，限定包/签名路径

缓存位置 : /workspace/project/data/clawsec-advisory-cache.json

有关设置，请参阅 INSTALL.md；有关高级用法，请参阅 docs/。

防止安装已知存在 RCE 漏洞的技能
提醒依赖项中的供应链攻击
提供可操作的修复步骤
零误报（仅限精选公告源）

🇺🇸English

ClawSec for NanoClaw

Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.

Overview

ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.

Core principle: Check before you install. Monitor what's running.

When to Use

Use ClawSec tools when:

Installing a new skill (check safety first)
User asks "are my skills secure?"
Investigating suspicious behavior
Regular security audits
After receiving security notifications

Do NOT use for:

Code review (use other tools)
Performance issues (different concern)
General debugging

MCP Tools Available

Pre-Installation Check

// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  skillVersion: '1.0.0'  // optional
});

if (!safety.safe) {
  // Show user the risks before proceeding
  console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}

Security Audit

// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
  installRoot: '/home/node/.claude/skills'  // optional
});

if (result.matches.some((m) =>
  m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
  // Alert user immediately
  console.error('Urgent advisories found!');
}

Browse Advisories

// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
  severity: 'high',               // optional
  exploitabilityScore: 'high'     // optional
});

Quick Reference

Task	Tool	Key Parameter
Pre-install check	`clawsec_check_skill_safety`	`skillName`
Audit all skills	`clawsec_check_advisories`	`installRoot` (optional)
Browse feed	`clawsec_list_advisories`	`severity`, `type`, (optional)

Common Patterns

Pattern 1: Safe Skill Installation

// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
  skillName: userRequestedSkill
});

if (safety.safe) {
  // Proceed with installation
  await installSkill(userRequestedSkill);
} else {
  // Show user the risks and get confirmation
  await showSecurityWarning(safety.advisories);
  if (await getUserConfirmation()) {
    await installSkill(userRequestedSkill);
  }
}

Pattern 2: Periodic Security Check

// Add to scheduled tasks
schedule_task({
  prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
  schedule_type: "cron",
  schedule_value: "0 9 * * *"  // Daily at 9am
});

Pattern 3: User Security Query

User: "Are my skills secure?"

You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]

Response:
✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to date

Common Mistakes

❌ Installing without checking

// DON'T
await installSkill('untrusted-skill');



// DO
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');

❌ Ignoring exploitability context

// DON'T: Use severity only
if (advisory.severity === 'high') {
  notifyNow(advisory);
}



// DO: Use exploitability + severity
if (
  advisory.exploitability_score === 'high' ||
  advisory.severity === 'critical'
) {
  notifyNow(advisory);
}

❌ Skipping critical severity

// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();



// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
  // Alert immediately
}

Implementation Details

Feed Source : https://clawsec.prompt.security/advisories/feed.json

Update Frequency : Every 6 hours (automatic)

Signature Verification : Ed25519 signed feeds Package Verification Policy : pinned key only, bounded package/signature paths

Cache Location : /workspace/project/data/clawsec-advisory-cache.json

See INSTALL.md for setup and docs/ for advanced usage.

Real-World Impact

Prevents installation of skills with known RCE vulnerabilities
Alerts to supply chain attacks in dependencies
Provides actionable remediation steps
Zero false positives (curated feed only)

Weekly Installs

Repository

prompt-security/clawsec

GitHub Stars

847

First Seen

Feb 25, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

gemini-cli87

github-copilot87

amp87

codex87

kimi-cli87

opencode87

OpenClaw 安全 Linux 云部署指南：私有优先、SSH隧道、Podman容器化

47,000 周安装

exploitabilityScore

ClawSec-NanoClaw：WhatsApp 机器人安全监控工具，技能漏洞检测与防护

🇨🇳中文介绍

ClawSec for NanoClaw

概述

使用时机

可用的 MCP 工具

安装前检查

安全审计

相关 Skills

浏览公告

快速参考

常见模式

模式 1：安全技能安装

模式 2：定期安全检查

模式 3：用户安全查询

常见错误

❌ 不检查就安装

❌ 忽略可利用性上下文

❌ 跳过关键严重性

实现细节

实际影响

🇺🇸English

ClawSec for NanoClaw

Overview

When to Use

MCP Tools Available

Pre-Installation Check

Security Audit

Browse Advisories

Quick Reference

Common Patterns

Pattern 1: Safe Skill Installation

Pattern 2: Periodic Security Check

Pattern 3: User Security Query

Common Mistakes

❌ Installing without checking

❌ Ignoring exploitability context

❌ Skipping critical severity

Implementation Details

Real-World Impact

最新 Skills