Tamper-resistant audit watchdog for Clawdbot agents. Detects and logs suspicious filesystem activity with HMAC-chained evidence.

This repo contains a reasonable implementation of a privileged filesystem watchdog, but several things deserve extra scrutiny before you install it or let an agent run it unattended: - Review the install scripts (wizard/wizard.sh, wizard/install.sh) line-by-line before running with sudo. They create a system user, write keys to /etc, install a binary under /usr/local/sbin, and register a systemd service named to resemble systemd internals — this stealth naming is intentional but can be surprising or deceptive. - Understand the privilege requirements: production collection uses fanotify/eBPF and requires CAP_SYS_ADMIN or root. That gives kernel-level visibility and broad ability to observe filesystem activity (and, if misused, to surveil many paths). - The alerter subsystem supports external channels (ClawdbotWake/gateway_url, webhooks, and a 'Command' channel which executes configured commands). Before enabling alerts, confirm no external gateway URL or untrusted command is configured; otherwise sensitive event data could be transmitted or commands executed. - AGENTS.md contains an orchestration/development workflow that tells agents to read/write CONTINUITY.md, run tests, commit, and push to GitHub. That is beyond what the runtime watchdog needs — if you plan to use the skill with an autonomous agent, ensure it cannot push repository content or your runtime artifacts to remote remotes without explicit, audited credentials. - If you decide to use it: build from source locally, inspect/modify config defaults (watch_paths, exec_watchlist, alert channels), run the install in an isolated VM/container first, and restrict file permissions on the key and logs as documented. If you want a higher-confidence assessment change: provide the full wizard scripts and any shortened/truncated code for the alerter send_to_channel implementation (to confirm whether it posts to external endpoints by default), or show the exact contents of wizard/wizard.sh -- these influence whether the skill attempts network exfiltration or other unexpected actions.

Type: OpenClaw Skill Name: clauditor Version: 0.1.2 The skill bundle is a security watchdog with strong defensive features like HMAC-chained logs, UID-filtered monitoring, and detection rules for exfiltration, injection, and tampering. However, it is classified as suspicious due to a few risky capabilities and inconsistencies. The `alerter` crate (crates/alerter/src/lib.rs) includes an `AlertChannel::Command` that allows executing arbitrary commands configured in the daemon's TOML file, which, while protected by file permissions, is a powerful primitive. Additionally, the `wizard/wizard.sh` script grants the `sysaudit` user membership to the `clawdbot` group for `/proc` access, a privilege escalation for a stated purpose. There's also a discrepancy in the GitHub repository URL between `SKILL.md` and `wizard/install.sh`, and the `systemd-core-check` sentinel binary is installed by `wizard/wizard.sh` but not provided in the analyzed files, indicating a potential incompleteness or packaging issue.