clawsec-suitelisted

# ClawSec Suite ## Operational Notes - Required runtime: `node`, `npx`, `openclaw`, `curl`, `jq`, `shasum`, `openssl`, `unzip` - Side effects: setup scripts install an advisory hook under `~/.openclaw/hooks`, optionally create an unattended `openclaw cron` job, and use `npx clawhub@latest install` for guarded installs - Network behavior: fetches signed advisory feed artifacts and remote catalog metadata unless you pin local paths - Trust model: the suite can recommend removal or block risky installs, but removal/install overrides stay approval-gated This means `clawsec-suite` can: - monitor the ClawSec advisory feed, - track which advisories are new since last check, - cross-reference advisories against locally installed skills, - recommend removal for malicious-skill advisories and require explicit user approval first, - and still act as the setup/management entrypoint for other ClawSec protections. ## Included vs Optional Protections ### Built into clawsec-suite - Embedded feed seed file: `advisories/feed.json` - Portable heartbeat workflow in `HEARTBEAT.md` - Advisory polling + state tracking + affected-skill checks - OpenClaw advisory guardian hook package: `hooks/clawsec-advisory-guardian/` - Setup scripts for hook and optional cron scheduling: `scripts/` - Guarded installer: `scripts/guarded_skill_install.mjs` - Dynamic catalog discovery for installable skills: `scripts/discover_skill_catalog.mjs` ### Installed separately (dynamic catalog) `clawsec-suite` does not