
Clawd Zero Trust

by stanistolberg · GitHub ↗ · v1.3.2 · MIT-0
cross-platform ✓ Security Clean
Downloads: 862 · Stars: 2 · Active Installs: 1 · Versions: 12
Install in OpenClaw
/install clawd-zero-trust
Description
Zero Trust security hardening for OpenClaw deployments. Use when asked to audit, harden, or apply Zero Trust architecture to an OpenClaw instance — including...
README (SKILL.md)

clawd-zero-trust (v1.3.1)

Zero Trust hardening framework for OpenClaw. Built by Blocksoft.

⚠️ BREAKING (v1.3.0→v1.3.1): First apply after upgrade requires --force or run bash scripts/release-gate.sh --reset-hash to reset trusted baseline. Unattended/cron apply workflows must be updated.

Dependencies

The following binaries are required. Install with apt on Debian/Ubuntu:

| Binary | Package | Required For |
|---|---|---|
| ufw | ufw | All mutating operations (--apply, --canary, --reset, --refresh) |
| curl | curl | Endpoint verification (--verify, --verify-all) |
| openssl | openssl | SMTP/IMAP verification in --verify-all |
| nc | netcat-openbsd | TCP/UDP port checks in --verify-all |
| dig | dnsutils | DNS resolution for provider IPs |
| python3 | python3 | JSON parsing, log aggregation, state management |

Read-only modes (--verify, --audit-log, --status) do not require root. Mutating modes (--apply, --canary, --reset, --refresh) require root privileges.

Core Principles

  1. NHI (Non-Human Identity): Sub-agents run as isolated sessions with scoped credentials. Never share 'main' identity for high-risk ops.
  2. PLP (Principle of Least Privilege): Restrict default model toolset. Use tools.byProvider to limit small/untrusted models to coding profile.
  3. Plan-First: Declare intent (what + why + expected outcome) before any write, exec, or network call.
  4. Egress Control: Whitelist outbound traffic to authorized AI providers only. Preserve Tailscale + Telegram API.
  5. Assumption of Breach: Design as if the attacker is already in. Verify every plugin, model, and extension.

Canonical Egress Script Path

Single source of truth:

/home/claw/.openclaw/workspace/skills/clawd-zero-trust/scripts/egress-filter.sh

Compatibility symlink:

/home/claw/.openclaw/workspace/scripts/egress_filter.sh -> .../skills/clawd-zero-trust/scripts/egress-filter.sh

Workflow: Audit → Harden → Egress → Verify

1) Audit

bash scripts/audit.sh

2) Harden

# Preview (default)
bash scripts/harden.sh

# Apply
bash scripts/harden.sh --apply

3) Egress Policy (dry-run default)

# Dry-run preview (default)
bash scripts/egress-filter.sh --dry-run

# Transactional apply: auto-rollback if Telegram/GitHub/Anthropic/OpenAI checks fail
bash scripts/egress-filter.sh --apply

# Canary mode: temporary apply + 120s periodic verification, then commit/rollback
bash scripts/egress-filter.sh --canary

# Verify critical endpoints only (Telegram, GitHub, Anthropic, OpenAI)
bash scripts/egress-filter.sh --verify

# Emergency rollback
bash scripts/egress-filter.sh --reset

4) Egress Profile Status (v1.3.0)

# Print current egress profile status (read-only, no root required)
bash scripts/egress-filter.sh --status

Displays: profile version, last applied timestamp, last result, provider count from providers.txt, and current UFW state. Read-only. No root required for core status output. UFW active state is best-effort — may show 'unknown' if sudo is unavailable on your system.

5) Egress Violation Audit Log (v1.3.0)

# View blocked outbound traffic from the last 24 hours
bash scripts/egress-filter.sh --audit-log

Parses /var/log/ufw.log and journalctl -k for [UFW BLOCK] entries with outbound markers (OUT=, DPT=). Aggregates by destination IP + port and prints a summary table with counts, first-seen, and last-seen timestamps. During --apply, a UFW LOG rule (ZT:egress-violation) is automatically inserted to capture future violations.
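The aggregation described above, as an added example (not the skill's own code). The log lines are constructed, and treating a line as outbound when OUT= names an interface and IN= is empty is an assumption about how the outbound markers are read.

```python
import re
from datetime import datetime

# Constructed sample in the usual UFW kernel-log layout (not real traffic).
SAMPLE_LOG = """\
Feb 24 10:15:01 gw kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=443
Feb 24 10:15:09 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40000 DPT=22
Feb 24 10:17:30 gw kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51240 DPT=443
Feb 24 10:20:00 gw kernel: [UFW ALLOW] IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51300 DPT=443
Feb 24 11:02:44 gw kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.99 LEN=76 PROTO=UDP SPT=5353 DPT=53
Feb 24 11:05:00 gw kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.50 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_block(line, year):
    """Return (when, dst, dport) for an outbound [UFW BLOCK] line, else None."""
    if "[UFW BLOCK]" not in line:
        return None
    ts = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    # Assumption: outbound means OUT= names an interface and IN= is empty.
    # Inbound drops carry the reverse, so a bare "OUT=" substring test is not enough.
    if not ts or fields.get("IN") or not fields.get("OUT"):
        return None
    if not fields.get("DST") or not fields.get("DPT", "").isdigit():
        return None  # e.g. ICMP has no destination port
    # Syslog timestamps omit the year, so the caller supplies it.
    when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
    return when, fields["DST"], int(fields["DPT"])


def aggregate(lines, year=2026):
    """Group blocked egress by (dst, port): count, first seen, last seen."""
    table = {}
    for line in lines:
        hit = parse_block(line, year)
        if hit is None:
            continue
        when, dst, port = hit
        row = table.setdefault((dst, port), [0, when, when])
        row[0] += 1
        row[1] = min(row[1], when)
        row[2] = max(row[2], when)
    rows = [(dst, port, *vals) for (dst, port), vals in table.items()]
    # Noisiest destinations first, then stable order by address and port.
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for dst, port, count, first, last in aggregate(SAMPLE_LOG.splitlines()):
        print(f"{dst:<15} {port:>5} {count:>3}  {first}  {last}")
```

A destination that keeps reappearing in this table is either a missing allowlist entry or a process trying to reach somewhere it should not, and both are worth triaging.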

6) IP Snapshot Auto-Refresh (v1.3.0)

# Re-resolve DNS and apply only changed IPs (delta) to UFW
bash scripts/egress-filter.sh --refresh

Re-resolves all domains in config/providers.txt, diffs against the last-applied IP snapshot (.state/applied-ips.json), and applies only the delta rules. Transactional: backs up UFW rules before applying, verifies critical endpoints after, and rolls back on failure. The IP snapshot is saved automatically after every --apply and --canary.

7) Per-Provider Verification (v1.3.0)

# Protocol-aware verification of ALL providers in providers.txt
bash scripts/egress-filter.sh --verify-all

Detects the appropriate protocol from port number and runs the matching check:

  • 443 → HTTPS curl (status code check)
  • 587/465/25 → SMTP openssl s_client (STARTTLS/TLS)
  • 993/143 → IMAP openssl s_client (TLS/STARTTLS)
  • 41641 → UDP nc -zu (Tailscale WireGuard)
  • 22 → TCP nc -z (SSH)
  • other → TCP nc -z (generic fallback)

Each check runs with a hard timeout 5s wrapper (enforced at OS level, not just socket timeout). Automatically called after --apply and --canary. Available standalone for on-demand verification. Requires: curl, openssl, nc (netcat-openbsd).

8) Plugin Integrity Hashing (v1.3.0)

# Snapshot current plugin hashes
bash scripts/plugin-integrity.sh --snapshot

# Verify plugin integrity against stored hashes
bash scripts/plugin-integrity.sh --verify

# Check plugins against hardening.json allowlist
bash scripts/plugin-integrity.sh --drift

# Combine checks
bash scripts/plugin-integrity.sh --verify --drift

Monitors plugin file integrity via SHA-256 hashing of each plugin's JS entry point (dist/index.js → index.js → *.js fallback). Detects unauthorized modifications, new/removed plugins, and drift from the hardening.json allowlist.
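A sketch of the snapshot/verify/drift checks described above, as an added example rather than the skill's own plugin-integrity.sh. It assumes the entry point is resolved as dist/index.js, then index.js, then any *.js; the plugin names, directory layout and baseline format are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def entry_point(plugin_dir):
    """Pick the file to hash: dist/index.js, then index.js, then first *.js."""
    for cand in (plugin_dir / "dist" / "index.js", plugin_dir / "index.js"):
        if cand.is_file():
            return cand
    loose = sorted(plugin_dir.glob("*.js"))
    return loose[0] if loose else None


def snapshot(ext_root):
    """Map plugin name -> SHA-256 of its entry point (hypothetical layout)."""
    hashes = {}
    for plugin in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        entry = entry_point(plugin)
        if entry is not None:
            hashes[plugin.name] = hashlib.sha256(entry.read_bytes()).hexdigest()
    return hashes


def verify(ext_root, baseline):
    """Compare the live tree with a stored baseline."""
    current = snapshot(ext_root)
    return {
        "modified": sorted(n for n in current
                           if n in baseline and current[n] != baseline[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def drift(ext_root, allowlist):
    """Plugins present on disk but absent from the allowlist."""
    return sorted(set(snapshot(ext_root)) - set(allowlist))


def demo():
    """Constructed plugin tree: take a baseline, then tamper, add and remove."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, rel in (("telegram", "dist/index.js"),
                          ("mailer", "index.js"),
                          ("legacy", "main.js")):
            path = root / name / rel
            path.parent.mkdir(parents=True)
            path.write_text(f"module.exports = '{name}';\n")
        baseline = snapshot(root)
        (root / "mailer" / "index.js").write_text("module.exports = 'tampered';\n")
        (root / "legacy" / "main.js").unlink()
        (root / "extra-plugin").mkdir()
        (root / "extra-plugin" / "index.js").write_text("// not in baseline\n")
        return verify(root, baseline), drift(root, ["telegram", "mailer"])


if __name__ == "__main__":
    print(demo())
```

Hashing only the entry point leaves any other file a plugin loads uncovered, and the baseline is only as trustworthy as the state of the tree when it was taken.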

9) Dynamic Whitelisting (MAX USER-FRIENDLY API)

To open a new port or add a service securely (e.g. for custom email, video extraction, new AI agents), DO NOT edit the bash script or hardcoded arrays. Always use the dynamic configuration helper command:

bash scripts/whitelist.sh <domain> <port>

(Example: bash whitelist.sh youtu.be 443). This automatically injects the domain cleanly into the config/providers.txt engine, triggers a transactional configuration flush, and instantly applies the changes to UFW.

10) Release Gate (v1.3.0)

bash scripts/release-gate.sh

Gate checks (must all pass):

  • quick_validate.py on skill structure
  • shellcheck on all shell scripts (fails with install hint if missing)
  • package_skill.py packaging to skills/dist/clawd-zero-trust.skill
  • --verify endpoint checks

Versioned Firewall Profile State

State files (in .state/):

| File | Purpose |
|---|---|
| egress-profile.json | Script hash, version, last apply result |
| applied-ips.json | Per-domain IP snapshot for --refresh delta |
| plugin-hashes.json | SHA-256 hashes for plugin integrity verification |

On apply/canary, hash mismatch is refused unless --force is provided. The whitelist.sh helper intrinsically handles hash mismatches seamlessly.

References

  • references/zero-trust-principles.md — Detailed ZT framework for AI agents
  • references/false-positives.md — Verified safe patterns that trigger audit warnings

HARD REQUIREMENT: Self-Update Prevention

NEVER run openclaw update, openclaw upgrade, npm install -g openclaw, or npm update -g openclaw without explicit Founder approval.

These commands are blocked in denyCommands. On 2026-02-24, a self-update during an audit caused a 10,450+ crash-loop by deprecating a plugin. System stability > latest version. Always:

  1. Present update details + changelog to Founder first
  2. Backup config: cp openclaw.json openclaw.json.pre-update
  3. Only update after explicit approval
  4. Run openclaw doctor --fix + openclaw status after

MANDATORY: Update Proposal Format

When you detect that an OpenClaw update is available (via update-scout-daily or any other means), you MUST ALWAYS propose it in exactly this format — no exceptions:

📦 OpenClaw update available: vOLD → vNEW

To apply safely, SSH in and run:

openclaw update
/home/claw/.openclaw/workspace/scripts/post-update-repair.sh

The repair script restores all symlinks, cleans config, restarts the gateway, and runs a 6-point smoke test automatically. No other steps needed.

NEVER say "I will run the update for you" or attempt to run it yourself. The update MUST be executed by the Founder via SSH.

Usage Guidance
This skill implements a powerful, coherent Zero Trust workflow but performs privileged changes — review before enabling mutating modes. Before you run --apply or enable automatic use:

  • Run everything in dry-run/audit mode first: bash scripts/audit.sh and bash scripts/egress-filter.sh --dry-run and --status.
  • Backup your OpenClaw config and current firewall rules (openclaw.json and iptables-save / UFW state). The scripts create backups, but keep your own copy.
  • Inspect config/providers.txt and config/custom-providers.json to ensure only expected endpoints are allowlisted. Verify api.agentsandbox.co and any Telegram/GitHub entries are acceptable.
  • Examine hardening.json, specifically tools.exec (security: "full", ask: "off") and tools.elevated.allowFrom (Telegram IDs). If you do not want host-level exec without prompts or Telegram-triggered elevated operations, change these before applying.
  • Use plugin-integrity.sh --snapshot to establish a baseline, and review plugin-hashes.json before running --verify.
  • Prefer manual invocation for the first run, avoid cron/unattended applies until you’ve validated the behavior in a staging instance.
  • Because mutating operations require root, run the scripts only on systems where you can safely recover and where UFW/iptables changes are acceptable.

If you want further assurance, request a short audit of the specific network calls the scripts will make (e.g., snapshot of curl/openssl invocations) and a review of any code paths that perform outbound POSTs (the repo documents an OAuth flow for agentsandbox).
Capability Analysis
Type: OpenClaw Skill
Name: clawd-zero-trust
Version: 1.3.2

The clawd-zero-trust bundle is a comprehensive security hardening framework for OpenClaw deployments. It implements legitimate security controls including DNS-based egress filtering via UFW (egress-filter.sh), plugin integrity monitoring using SHA-256 hashing (plugin-integrity.sh), and Principle of Least Privilege (PLP) tool scoping (plp-config.sh). While the scripts require root privileges and modify system firewall rules, these actions are strictly aligned with the stated purpose of Zero Trust architecture. The instructions in SKILL.md regarding update prevention and 'Founder approval' are framed as stability measures to prevent breaking changes and do not exhibit malicious intent, data exfiltration, or unauthorized persistence.
Capability Assessment
Purpose & Capability
Name/description match the actual artifacts: scripts implement egress whitelisting, plugin hashing/allowlisting, PLP config, and hardening of OpenClaw. The requested operations (UFW/iptables, openclaw.json merges, plugin checks, DNS-based allowlist) are coherent with the stated Zero Trust purpose.
Instruction Scope
SKILL.md directs the agent/operator to run multiple scripts that read system logs (/var/log/ufw.log, journalctl), read/write OpenClaw config (~/.openclaw/openclaw.json), enumerate plugin files (~/.openclaw/extensions), and contact allowed external endpoints for verification. These are expected for a hardening tool, but they give the skill broad read access to agent state and allow network probes and outbound checks; run in dry-run/audit mode first.
Install Mechanism
No install spec (instruction-only plus scripts present) — nothing is downloaded from third-party URLs at install time. The scripts rely on common OS packages (ufw, dig, curl, openssl, nc, python3) which is proportionate to their behavior.
Credentials
The registry metadata lists no required environment variables, but the scripts read local OpenClaw configuration, plugin files, and may look up OPENCLAW_AGENT_DIR / openclaw.json; these files can contain tokens/credentials. hardening.json contains settings (tools.exec: security: "full", ask: "off" and tools.elevated.allowFrom: Telegram IDs) that reduce interactive confirmation and allow elevated execution from a channel — this increases risk and should be explicitly reviewed before enabling --apply modes. Contacting api.agentsandbox.co for key creation is documented inside the references; that behavior is plausible but warrants inspection if you don't expect new API key generation.
Persistence & Privilege
Mutating operations (--apply/--canary/--refresh) explicitly require root and modify firewall/iptables and OpenClaw configuration (shallow-merge hardening.json into openclaw.json). The skill is not force-included (always:false). Autonomous invocation is allowed by default (normal for skills); consider the interaction of that default with elevated 'ask: off' settings in the hardening overrides.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawd-zero-trust
  3. After installation, invoke the skill by name or use /clawd-zero-trust
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.2
clawd-zero-trust v1.3.2 - Updated plugin allowlisting in hardening.json for improved integrity checks. - Enhanced plugin-integrity.sh with clearer output and reliability fixes. - Expanded and clarified documentation in README.md. - Minor corrections in CHANGELOG.md and overall documentation consistency.
v1.3.1
clawd-zero-trust v1.3.1 - Added CHANGELOG.md file for clearer release tracking. - Updated documentation in README.md and SKILL.md with latest usage patterns. - Minor adjustments to hardening.json for consistency. - Improved logic in scripts/egress-filter.sh for reliability and maintainability.
v1.1.10
**Breaking release with enhanced verification, auditing, and refresh features. See notes for upgrade requirements.** - ⚠️ First apply after upgrade requires `--force` or `bash scripts/release-gate.sh --reset-hash` action; update unattended workflows accordingly. - Adds egress profile status (`--status`) and audit log (`--audit-log`) modes for easier monitoring of outbound blocks and profile history. - Introduces IP snapshot auto-refresh (`--refresh`), efficiently updating only changed IPs after DNS re-resolution. - Implements protocol-aware per-provider verification (`--verify-all`) for stronger post-apply connectivity checks. - Plugin integrity monitoring via new `scripts/plugin-integrity.sh`—detects unauthorized plugin modifications and drift. - Documents all required binary dependencies and clarifies privilege requirements for read-only vs. mutating actions.
v1.1.9
clawd-zero-trust v1.2.0 adds dynamic provider whitelisting and improves configuration management. - Added dynamic whitelisting via scripts/whitelist.sh for secure, user-friendly provider/domain additions. - Introduced config/custom-providers.json and config/providers.txt for external provider/domain configuration. - Updated egress-filter.sh to consume new config files, reducing hardcoding. - Documentation in SKILL.md and README.md clarified to emphasize dynamic whitelist workflow. - Improved state/profile handling for firewall rules; whitelist.sh manages state—even on hash mismatches.
v1.1.8
- Maintenance update: removes project management and contribution metadata. - Added `hardening.json` to the repository. - Updated `README.md` and documentation to reflect minor version changes. - Adjusted scripts (`egress-filter.sh`, `harden.sh`) for policy and workflow consistency. - Removed unused GitHub templates and community files.
v1.1.7
- Updated version references from 1.1.4 to 1.1.6 in SKILL.md and release notes. - Minor text and formatting improvements in documentation files. - Scripts updated: audit, harden, egress-filter, plp-config, and packaging received incremental changes. - No breaking changes or new major features introduced.
v1.1.6
clawd-zero-trust v1.1.6 - Added project documentation: README.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md, and SECURITY.md. - Introduced GitHub issue templates for bug reports and feature requests. - Added reference documents on zero trust principles and false positives. - New scripts: audit.sh, harden.sh, egress-filter.sh, plp-config.sh, package_skill.py, quick_validate.py, and release-gate.sh for auditing, hardening, packaging, validation, and release management. - Expanded skill resources for improved collaboration, contribution, and operational reliability.
v1.1.5
- Removed extensive documentation, references, and scripts, including audit, harden, egress filter, packaging, and release gate tools. - SKILL.md now includes only metadata and a brief description; all operational and usage details are omitted. - Transitioned the skill to a minimal, metadata-only version.
v1.1.4
- Initial public release of contribution, security, and community templates: added CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, and GitHub issue templates. - Documentation improvements: added README.md, references/false-positives.md, and references/zero-trust-principles.md. - Introduced a suite of scripts for audit, hardening, egress control, packaging, and release validation (scripts/audit.sh, scripts/harden.sh, scripts/egress-filter.sh, scripts/release-gate.sh, and others). - Enhanced skill validation and packaging workflows with dedicated Python scripts (quick_validate.py, package_skill.py). - No changes to core principles or egress workflow in SKILL.md; version remains at 1.1.2.
v1.1.3
- Removed 15 meta, script, and reference files, leaving only the core SKILL.md documentation. - Retained all workflow and usage documentation within SKILL.md. - No functionality changes to the skill implementation itself. - Project is now distributed as documentation-only; auxiliary scripts and templates are no longer included.
v1.1.2
- Added `scripts/plp-config.sh` for enhanced Principle of Least Privilege (PLP) configuration. - Updated `audit.sh`, `egress-filter.sh`, and `harden.sh` scripts with improvements and/or PLP integration. - No changes to user-facing documentation in SKILL.md.
v1.1.1
clawd-zero-trust v1.1.1 - Improved and clarified documentation for Zero Trust hardening of OpenClaw. - Added step-by-step workflow: Audit, Harden, Egress Policy Management, Verification, and Release Gating. - Documented the canonical script paths and state file locations for consistent firewall and egress policy management. - Expanded usage examples for egress policy scripts, including dry-run, canary mode, endpoint verification, force, and rollback commands. - Outlined new release-gate process with validation and packaging checks to improve deployment reliability and security.
Metadata
Slug clawd-zero-trust
Version 1.3.2
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 12
Frequently Asked Questions

What is Clawd Zero Trust?

Zero Trust security hardening for OpenClaw deployments. Use when asked to audit, harden, or apply Zero Trust architecture to an OpenClaw instance — including... It is an AI Agent Skill for Claude Code / OpenClaw, with 862 downloads so far.

How do I install Clawd Zero Trust?

Run "/install clawd-zero-trust" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clawd Zero Trust free?

Yes, Clawd Zero Trust is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Clawd Zero Trust support?

Clawd Zero Trust is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Clawd Zero Trust?

It is built and maintained by stanistolberg (@stanistolberg); the current version is v1.3.2.
