git clone https://github.com/ComeOnOliver/skillshub
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/prompt-security/clawsec/clawsec-nanoclaw" ~/.claude/skills/comeonoliver-skillshub-clawsec-nanoclaw && rm -rf "$T"
skills/prompt-security/clawsec/clawsec-nanoclaw/SKILL.md
ClawSec for NanoClaw
Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.
Overview
ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.
Core principle: Check before you install. Monitor what's running.
When to Use
Use ClawSec tools when:
- Installing a new skill (check safety first)
- User asks "are my skills secure?"
- Investigating suspicious behavior
- Regular security audits
- After receiving security notifications
Do NOT use for:
- Code review (use other tools)
- Performance issues (different concern)
- General debugging
MCP Tools Available
Pre-Installation Check
```javascript
// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  skillVersion: '1.0.0' // optional
});

if (!safety.safe) {
  // Show user the risks before proceeding
  console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}
```
Security Audit
```javascript
// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
  installRoot: '/home/node/.claude/skills' // optional
});

if (result.matches.some((m) =>
  m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
  // Alert user immediately
  console.error('Urgent advisories found!');
}
```
Browse Advisories
```javascript
// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
  severity: 'high', // optional
  exploitabilityScore: 'high' // optional
});
```
Quick Reference
| Task | Tool | Key Parameter |
|---|---|---|
| Pre-install check | | |
| Audit all skills | | (optional) |
| Browse feed | | , , (optional) |
| Verify package signature | | |
| Refresh advisory cache | | (none) |
| Check file integrity | | , (optional) |
| Approve file change | | |
| View baseline status | | (optional) |
| Verify audit log | | (none) |
Common Patterns
Pattern 1: Safe Skill Installation
```javascript
// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
  skillName: userRequestedSkill
});

if (safety.safe) {
  // Proceed with installation
  await installSkill(userRequestedSkill);
} else {
  // Show user the risks and get confirmation
  await showSecurityWarning(safety.advisories);
  if (await getUserConfirmation()) {
    await installSkill(userRequestedSkill);
  }
}
```
Pattern 2: Periodic Security Check
```javascript
// Add to scheduled tasks
schedule_task({
  prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
  schedule_type: "cron",
  schedule_value: "0 9 * * *" // Daily at 9am
});
```
Pattern 3: User Security Query
```
User: "Are my skills secure?"

You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]

Response: ✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to date
```
Common Mistakes
❌ Installing without checking
```javascript
// DON'T
await installSkill('untrusted-skill');

// DO
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');
```
❌ Ignoring exploitability context
```javascript
// DON'T: Use severity only
if (advisory.severity === 'high') {
  notifyNow(advisory);
}

// DO: Use exploitability + severity
if (
  advisory.exploitability_score === 'high' ||
  advisory.severity === 'critical'
) {
  notifyNow(advisory);
}
```
❌ Skipping critical severity
```javascript
// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();

// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
  // Alert immediately
}
```
Implementation Details
Feed Source: https://clawsec.prompt.security/advisories/feed.json
Update Frequency: Every 6 hours (automatic)
Signature Verification: Ed25519 signed feeds
Package Verification Policy: pinned key only, bounded package/signature paths
Cache Location:
/workspace/project/data/clawsec-advisory-cache.json
See INSTALL.md for setup and docs/ for advanced usage.
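The signed-feed policy listed above, sketched as an added example (not ClawSec's own code): a client checks an Ed25519 signature against a pinned public key and parses the feed only if it verifies. It assumes a detached signature over the raw feed bytes; the key pair, the `loadVerifiedFeed` and `accepts` helpers, and the sample advisory are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the publisher key. A real client ships only the
// public half (the pin) and never generates it at runtime.
const publisher = crypto.generateKeyPairSync('ed25519');
const PINNED_SPKI_DER = publisher.publicKey.export({ type: 'spki', format: 'der' });

// Hypothetical helper: returns the parsed feed, or throws without parsing it.
function loadVerifiedFeed(feedBytes, signature, pinnedSpkiDer = PINNED_SPKI_DER) {
  const key = crypto.createPublicKey({ key: pinnedSpkiDer, format: 'der', type: 'spki' });
  if (key.asymmetricKeyType !== 'ed25519') throw new Error('pinned key is not Ed25519');
  // Ed25519 takes no separate digest, so the algorithm argument is null.
  if (signature.length !== 64 || !crypto.verify(null, feedBytes, key, signature)) {
    throw new Error('feed signature invalid');
  }
  return JSON.parse(feedBytes.toString('utf8')); // parse only after verification
}

// Constructed sample feed; advisory field names follow the snippets on this page,
// the top-level "advisories" key is an assumption.
const feedBytes = Buffer.from(JSON.stringify({
  advisories: [{ id: 'EXAMPLE-0001', severity: 'medium', exploitability_score: 'high' }],
}));
const goodSig = crypto.sign(null, feedBytes, publisher.privateKey);

// Cases the client must reject: modified bytes, and a well-formed signature
// made by a key other than the pinned one.
const tampered = Buffer.from(feedBytes.toString('utf8').replace('medium', 'low'));
const otherKey = crypto.generateKeyPairSync('ed25519');
const foreignSig = crypto.sign(null, feedBytes, otherKey.privateKey);

function accepts(bytes, sig) {
  try {
    loadVerifiedFeed(bytes, sig);
    return true;
  } catch {
    return false;
  }
}

console.log('genuine feed accepted:', accepts(feedBytes, goodSig));
console.log('tampered feed accepted:', accepts(tampered, goodSig));
console.log('foreign signature accepted:', accepts(feedBytes, foreignSig));
```

Verifying the bytes exactly as received, before `JSON.parse`, avoids any dependence on how the JSON is re-serialized.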
Real-World Impact
- Prevents installation of skills with known RCE vulnerabilities
- Alerts to supply chain attacks in dependencies
- Provides actionable remediation steps
- Zero false positives (curated feed only)