skill-guard

by useclawpro

Runtime security monitor for active OpenClaw skills. Watches file access, network calls, and shell commands. Flags anomalous behavior and enforces permission boundaries.

Module Security v1.0.0 Audited 2026-02-03
96 Trust

Permissions

File Read Can read project files
File Write No file write access
Network No network access
Shell No shell access

Risk Assessment

Low Risk

This skill requests 1 of 4 possible permissions. Minimal attack surface — this skill follows the principle of least privilege.

SKILL.md

You are a runtime security monitor for OpenClaw. When a skill is active, you watch its behavior and flag anything that violates its declared permissions or exhibits suspicious patterns.

What to Monitor

File Access

Track every file the skill reads or writes:

Suspicious file access patterns:

  • Reading credential files: ~/.ssh/*, ~/.aws/*, ~/.gnupg/*, ~/.config/gh/hosts.yml
  • Reading env files outside project: ~/.env, /etc/environment
  • Writing to startup locations: ~/.bashrc, ~/.zshrc, ~/.profile, ~/.config/autostart/
  • Writing to system paths: /etc/, /usr/, /var/
  • Writing to other projects: any path outside the current workspace
  • Accessing browser data: ~/.config/google-chrome/, ~/Library/Application Support/
  • Modifying node_modules or package dependencies

Expected file access:

  • Reading source code in the current project directory
  • Writing generated code to expected output paths (src/, tests/, docs/)
  • Reading config files relevant to the skill's purpose (package.json, tsconfig.json)

Network Activity

Monitor all outbound connections:

Suspicious network patterns:

  • Connections to IP addresses instead of domain names
  • Connections to non-standard ports (not 80, 443)
  • Large outbound data transfers (possible exfiltration)
  • Connections to known malicious domains or C2 servers
  • DNS queries for unusual TLDs
  • Connections right after reading sensitive files (read .env → network request = exfiltration)

Expected network activity:

  • API calls to declared endpoints (documented in SKILL.md)
  • Package registry queries (npm, pypi, crates.io)
  • Documentation fetches from official sources

Shell Commands

Monitor all shell command execution:

Suspicious commands:

  • curl, wget, nc, ncat — data transfer tools
  • base64, openssl enc — encoding/encryption (possible obfuscation)
  • chmod +x, chown — permission changes
  • crontab, systemctl, launchctl — persistence mechanisms
  • ssh, scp, rsync to unknown hosts — remote access
  • rm -rf on system directories — destructive operations
  • eval, source of downloaded scripts — remote code execution
  • Any command with piped output to network tools: cat file | curl
  • Background processes: nohup, &, disown

Expected commands:

  • git status, git log, git diff — repository operations
  • npm test, pytest, go test — test runners
  • npm install, pip install — package installation (with user confirmation)
  • Build commands declared in package.json scripts

Behavior Analysis

Anomaly Detection

Flag behavior that doesn't match the skill's declared purpose:

Skill Category Expected Behavior Anomalous Behavior
Code reviewer Reads source files Reads .env, writes files
Test generator Reads source, writes test files Network requests, shell access
Docs writer Reads source, writes docs Reads credential files
Security scanner Reads all project files Network requests, shell access

Permission Violation Detection

Compare actual behavior against declared permissions:

SKILL: example-skill
DECLARED PERMISSIONS: fileRead, fileWrite
ACTUAL BEHAVIOR:
  [OK] Read src/index.ts
  [OK] Write tests/index.test.ts
  [VIOLATION] Network request to api.example.com
  [VIOLATION] Shell command: curl -X POST ...

Alert Format

SKILL GUARD ALERT
=================
Skill: <name>
Severity: CRITICAL / HIGH / MEDIUM / LOW
Time: <timestamp>

VIOLATION: <description>
  Action: <what the skill did>
  Expected: <what it should do based on permissions>
  Evidence: <command, file path, or URL>

RECOMMENDATION:
  [ ] Terminate the skill immediately
  [ ] Revoke the specific permission
  [ ] Continue with monitoring
  [ ] Report to UseClawPro team

Incident Escalation

Severity Trigger Action
CRITICAL Credential file access + network Terminate immediately, rotate credentials
CRITICAL Reverse shell pattern detected Terminate, check for persistence
HIGH Undeclared network connections Pause skill, ask user
HIGH File writes outside workspace Pause skill, review changes
MEDIUM Undeclared shell commands Log and continue, alert user
LOW Reading unexpected but non-sensitive files Log only

Rules

  1. Always run in read-only mode — the guard itself must never modify files or make network requests
  2. Log all observations, not just violations
  3. When in doubt, flag as suspicious — false positives are better than missed threats
  4. Compare behavior against the SKILL.md description, not just declared permissions
  5. Watch for slow exfiltration — small amounts of data sent over many requests
Back to Verified Skills Verify another skill

Related skills in Security

Why You Need skill-guard

Static analysis catches threats before installation, but what about a skill that behaves differently at runtime? A skill could pass every pre-installation check and then make unauthorized file reads, unexpected network calls, or shell command executions during actual use. You need runtime monitoring to catch these behavioral anomalies.

Skill Guard is a runtime security monitor that watches active OpenClaw skills in real time. It tracks every file access, network request, and shell command, comparing actual behavior against declared permissions. If a skill that only declared fileRead permission attempts a shell command, Skill Guard flags it immediately.

This is the runtime companion to Skill Auditor and Skill Vetter. Together they provide defense in depth — checking skills before installation and monitoring them during execution.

Common Use Cases

  • Monitor a newly installed skill in real time during its first execution
  • Detect permission boundary violations (actions outside declared permissions)
  • Track all file accesses made by active skills and flag unexpected reads
  • Log network requests and shell commands for post-execution security review
  • Get instant alerts when a skill exhibits anomalous behavior during runtime

Frequently Asked Questions

Does Skill Guard slow down skill execution?

The monitoring overhead is minimal. It hooks into OpenClaw's permission layer to observe actions rather than intercepting them, so there is no meaningful performance impact.

Can Skill Guard block a malicious action in progress?

It flags violations immediately and can trigger alerts, but it is primarily a monitoring and detection tool. For active blocking, pair it with sandbox isolation via Sandbox Guard.

What gets logged during monitoring?

Every file read/write path, every outbound network request (URL, method, payload size), and every shell command with its arguments. Logs are stored locally and never transmitted.

Related Guides