clawsec-nanoclaw
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseClawSec for NanoClaw
ClawSec for NanoClaw
Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.
安全公告监控功能,可保护你的WhatsApp机器人免受skill和依赖项中已知漏洞的攻击。
Overview
概述
ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.
Core principle: Check before you install. Monitor what's running.
ClawSec提供的MCP工具可对照精心维护的安全公告源,检查已安装的skill。它会阻止存在漏洞的skill安装,提供可用于研判的可利用性上下文,并提醒你现有skill中存在的问题。
核心原则: 安装前检查,运行时监控。
When to Use
使用场景
Use ClawSec tools when:
- Installing a new skill (check safety first)
- User asks "are my skills secure?"
- Investigating suspicious behavior
- Regular security audits
- After receiving security notifications
Do NOT use for:
- Code review (use other tools)
- Performance issues (different concern)
- General debugging
在以下情况使用ClawSec工具:
- 安装新skill(先检查安全性)
- 用户询问「我的skill安全吗?」
- 调查可疑行为
- 定期安全审计
- 收到安全通知后
请勿用于:
- 代码评审(使用其他工具)
- 性能问题(属于不同范畴)
- 通用调试
MCP Tools Available
可用的MCP工具
Pre-Installation Check
安装前检查
typescript
// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
skillName: 'new-skill',
skillVersion: '1.0.0' // optional
});
if (!safety.safe) {
// Show user the risks before proceeding
console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}typescript
// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
skillName: 'new-skill',
skillVersion: '1.0.0' // optional
});
if (!safety.safe) {
// Show user the risks before proceeding
console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}Security Audit
安全审计
typescript
// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
installRoot: '/home/node/.claude/skills' // optional
});
if (result.matches.some((m) =>
m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
// Alert user immediately
console.error('Urgent advisories found!');
}typescript
// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
installRoot: '/home/node/.claude/skills' // optional
});
if (result.matches.some((m) =>
m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
// Alert user immediately
console.error('Urgent advisories found!');
}Browse Advisories
浏览公告
typescript
// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
severity: 'high', // optional
exploitabilityScore: 'high' // optional
});typescript
// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
severity: 'high', // optional
exploitabilityScore: 'high' // optional
});Quick Reference
快速参考
| Task | Tool | Key Parameter |
|---|---|---|
| Pre-install check | | |
| Audit all skills | | |
| Browse feed | | |
| Verify package signature | | |
| Refresh advisory cache | | (none) |
| Check file integrity | | |
| Approve file change | | |
| View baseline status | | |
| Verify audit log | | (none) |
| 任务 | 工具 | 关键参数 |
|---|---|---|
| 安装前检查 | | |
| 审计所有skill | | |
| 浏览公告源 | | |
| 验证包签名 | | |
| 刷新公告缓存 | | 无 |
| 检查文件完整性 | | |
| 批准文件变更 | | |
| 查看基线状态 | | |
| 验证审计日志 | | 无 |
Common Patterns
常见使用模式
Pattern 1: Safe Skill Installation
模式1:安全的Skill安装
typescript
// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
skillName: userRequestedSkill
});
if (safety.safe) {
// Proceed with installation
await installSkill(userRequestedSkill);
} else {
// Show user the risks and get confirmation
await showSecurityWarning(safety.advisories);
if (await getUserConfirmation()) {
await installSkill(userRequestedSkill);
}
}typescript
// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
skillName: userRequestedSkill
});
if (safety.safe) {
// Proceed with installation
await installSkill(userRequestedSkill);
} else {
// Show user the risks and get confirmation
await showSecurityWarning(safety.advisories);
if (await getUserConfirmation()) {
await installSkill(userRequestedSkill);
}
}Pattern 2: Periodic Security Check
模式2:定期安全检查
typescript
// Add to scheduled tasks
schedule_task({
prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
schedule_type: "cron",
schedule_value: "0 9 * * *" // Daily at 9am
});typescript
// Add to scheduled tasks
schedule_task({
prompt: "Check advisories using clawsec_check_advisories and alert when critical or high-exploitability matches appear",
schedule_type: "cron",
schedule_value: "0 9 * * *" // Daily at 9am
});Pattern 3: User Security Query
模式3:用户安全查询
User: "Are my skills secure?"
You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]
Response:
✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to dateUser: "Are my skills secure?"
You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]
Response:
✅ No urgent issues found.
- 2 low-severity/low-exploitability advisories
- All skills up to dateCommon Mistakes
常见错误
❌ Installing without checking
❌ 未检查直接安装
typescript
// DON'T
await installSkill('untrusted-skill');typescript
// DO
const safety = await tools.clawsec_check_skill_safety({
skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');typescript
// DON'T
await installSkill('untrusted-skill');typescript
// DO
const safety = await tools.clawsec_check_skill_safety({
skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');❌ Ignoring exploitability context
❌ 忽略可利用性上下文
typescript
// DON'T: Use severity only
if (advisory.severity === 'high') {
notifyNow(advisory);
}typescript
// DO: Use exploitability + severity
if (
advisory.exploitability_score === 'high' ||
advisory.severity === 'critical'
) {
notifyNow(advisory);
}typescript
// DON'T: Use severity only
if (advisory.severity === 'high') {
notifyNow(advisory);
}typescript
// DO: Use exploitability + severity
if (
advisory.exploitability_score === 'high' ||
advisory.severity === 'critical'
) {
notifyNow(advisory);
}❌ Skipping critical severity
❌ 跳过严重程度判断
typescript
// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();typescript
// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
// Alert immediately
}typescript
// DON'T: Ignore high exploitability in medium severity advisories
if (advisory.severity === 'critical') alert();typescript
// DO: Prioritize exploitability and severity together
if (advisory.exploitability_score === 'high' || advisory.severity === 'critical') {
// Alert immediately
}Implementation Details
实现细节
Feed Source: https://clawsec.prompt.security/advisories/feed.json
Update Frequency: Every 6 hours (automatic)
Signature Verification: Ed25519 signed feeds
Cache Location:
/workspace/project/data/clawsec-advisory-cache.jsonSee INSTALL.md for setup and docs/ for advanced usage.
更新频率: 每6小时(自动)
签名验证: Ed25519 signed feeds
缓存位置:
/workspace/project/data/clawsec-advisory-cache.json查看INSTALL.md了解配置步骤,查看docs/了解高级用法。
Real-World Impact
实际价值
- Prevents installation of skills with known RCE vulnerabilities
- Alerts to supply chain attacks in dependencies
- Provides actionable remediation steps
- Zero false positives (curated feed only)
- 阻止安装存在已知RCE漏洞的skill
- 提醒依赖中的供应链攻击
- 提供可落地的修复步骤
- 零误报(仅使用人工维护的公告源)