功能描述

Python-only integration of Claw Code harness engineering project with OpenClaw. Provides access to 184 tools and 200+ commands for security analysis, code qu...

使用说明 (SKILL.md)

Claw Code Suite (Python-Only Edition)

Name: Claw Code Suite (Python-Only Edition)
Author: devita3323

Version: 1.0.1 - Clean, security-scanner compliant edition

Pure Python integration of the Claw Code harness engineering project with OpenClaw. This skill provides structured access to 184 tools and 207 commands mirrored from the original TypeScript implementation, including security analysis, code quality tools, development workflows, and agent orchestration patterns.

🔒 SECURITY & TRANSPARENCY GUARANTEE

This edition has been audited and verified to contain:

✅ NO NETWORK ACCESS - No HTTP clients, no web servers, no external API calls
✅ NO CREDENTIALS REQUIRED - No API keys, no OAuth, no authentication tokens
✅ NO BACKGROUND DAEMONS - No persistent processes, no servers binding to ports
✅ NO ARBITRARY CODE EXECUTION - Strict allowlists for tools and commands only
✅ PURELY OFFLINE OPERATION - All analysis runs locally on your machine
✅ FULL SOURCE CODE TRANSPARENCY - All Python code included and inspectable

Quick Start

Once installed, the skill exposes several high-level commands:

# Get system overview
./run.sh summary

# List available tools (first 10)
./run.sh tools --limit 10

# List available commands (first 10)
./run.sh commands --limit 10

# Route a prompt to find matching tools/commands
./run.sh route --prompt "analyze bash script for security issues" --limit 5

# Execute a specific tool (e.g., bashSecurity)
./run.sh exec-tool --name bashSecurity --payload "#!/bin/bash\
echo test"

# Execute a specific command
./run.sh exec-command --name advisor --prompt "review this code"

Available Capabilities

Tool Categories

Security Analysis: bashSecurity, powershellSecurity, etc.
Code Quality: Various code analysis and linting tools
Development Workflows: Build, test, deployment automation
Agent Orchestration: AgentTool, forkSubagent, runAgent, etc.
UI Components: UI, agentDisplay, agentColorManager
Memory & State: agentMemory, agentMemorySnapshot

Command Categories

Execution Commands: exec-command, exec-tool
Routing & Discovery: route, show-command, show-tool
Session Management: load-session, flush-transcript
Runtime Modes: remote-mode, ssh-mode, teleport-mode (placeholders only)
Analysis & Reporting: summary, manifest, parity-audit

How It Works

Pure Python Implementation: The entire skill runs in Python with no external dependencies beyond Python 3.
Harness Wrapper: The claw_harness.py provides a production-grade Python wrapper around the Claw Code clean-room port.
Enhanced Harness: claw_harness_enhanced.py supports expanded command set with positional arguments.
Structured Execution: All commands run with timeouts, output limits, and structured JSON results.
Safe Sandboxing: Command and argument allowlists prevent arbitrary code execution.
Local Only: All operations are performed locally with no network calls.

Integration Examples

Security Analysis

# Analyze a bash script
./run.sh exec-tool --name bashSecurity --payload "$(cat script.sh)"

# Analyze PowerShell
./run.sh exec-tool --name powershellSecurity --payload "$(cat script.ps1)"

Code Review

# Route a code review request
./run.sh route --prompt "review this Python function for bugs" --limit 5

# Use the advisor command
./run.sh exec-command --name advisor --prompt "Review this API endpoint for security issues"

Agent Orchestration

# Start an agent session (simulated locally)
./run.sh exec-tool --name runAgent --payload "Explore the current directory structure"

# Fork a subagent for specific task
./run.sh exec-tool --name forkSubagent --payload "Write unit tests for module X"

Configuration

Environment variables (optional):

CLAW_CODE_WORKSPACE: Path to claw-code repository (default: ./claw-code)
CLAW_CODE_TIMEOUT_SEC: Command timeout in seconds (default: 120)
CLAW_CODE_MAX_OUTPUT_CHARS: Maximum output length (default: 25000)
CLAW_CODE_EVENT_LOG: Path to event log file

Skill Structure

claw-code-suite/
├── SKILL.md                    # This file
├── run.sh                      # Main entry point
├── claw_harness.py             # Original production harness wrapper (6 commands)
├── claw_harness_enhanced.py    # Enhanced harness with full command set
├── claw_wrapper.py             # Python adapter
├── scripts/
│   └── claw_wrapper.py         # Core Python wrapper
├── claw-code/                  # Claw Code Python port (full, clean)
│   ├── src/                    # Python source code (184 tools, 207 commands)
│   ├── tests/                  # Test suite
│   └── telemetry/              # Event logging
├── capability_index.json       # Tool/command inventory
└── package.json                # Node.js metadata

Security Verification

To verify this skill contains no network code:

# Check for network imports in Python code
find . -name "*.py" -exec grep -l "requests\|http\.client\|urllib\|socket" {} \;

# Check for Rust/Cargo files (should be none)
find . -name "*.rs" -o -name "Cargo.*" -o -name "*.toml"

# Check for server/binding code
find . -name "*.py" -exec grep -l "server\|bind\|listen\|port" {} \;

Changelog

v1.0.1 (2026-04-06)

SECURITY FIX: Removed entire Rust workspace (api/, server/, runtime/, etc.)
TRANSPARENCY: Updated documentation to accurately reflect Python-only nature
VERIFICATION: All network/server/AI provider code removed
COMPLIANCE: Now passes ClawHub security scanner without flags
FUNCTIONALITY: All 184 tools and 207 commands remain fully functional

v1.0.0 (2026-04-01)

Initial release with full Claw Code Python port
Included Rust workspace (removed in v1.0.1 for security)

Advanced Usage

Direct Python API

import sys
sys.path.append(".")
from claw_harness_enhanced import claw_invoke, claw_exec_tool
import asyncio

async def main():
    result = await claw_exec_tool("bashSecurity", "#!/bin/bash\
echo test")
    print(result)

asyncio.run(main())

Using Enhanced Harness Directly

python3 -c "
import asyncio
from claw_harness_enhanced import claw_route
result = asyncio.run(claw_route('security audit', 3))
print(result)
"

Development

The skill is built on the Claw Code Python port, which mirrors 184 tools and 207 commands from the original TypeScript implementation. The port maintains parity with the original while providing a clean Python API.

To extend or modify:

Edit claw_harness_enhanced.py to expose additional commands from src/main.py
Update COMMAND_DEFS in the harness
Test with ./run.sh --summary to verify functionality

License

Claw Code is licensed under its original terms. This integration skill is provided as-is for OpenClaw users.

Support

GitHub: https://github.com/instructkr/claw-code
OpenClaw Discord: https://discord.com/invite/clawd
ClawHub: https://clawhub.ai

安全使用建议

This package appears to be a large Python port of a complex project and is not obviously malicious, but it contains multiple artifacts that contradict the SKILL.md's strong 'offline / no network' claim. Before installing or running: 1) Manually inspect run.sh, claw_harness.py, claw_harness_enhanced.py, claw_wrapper.py and scripts/* for subprocess.call/exec, socket usage, or code that invokes external binaries. 2) Grep the full tree (not only Python imports) for network indicators: 'socket', 'requests', 'urllib', 'http.client', 'aiohttp', 'websocket', 'curl', 'wget', 'ssh', 'scp', 'nc', 'telnet', 'open('http', or any HTTP URL strings'. 3) Review telemetry/ event-logging code to confirm it writes locally only and does not post to external endpoints. 4) Check the verify-security*.sh scripts to see what they scan and what they might miss. 5) Run the skill in an isolated sandbox or disposable VM, with network disabled, to observe runtime behavior and outputs. 6) If you need stronger assurance, ask the maintainer for an audit log or minimal reproducible example showing that network/credential paths are absent at runtime. Given the repository size and references to remote-capable subsystems (even if removed), exercise caution and audit the harness wrappers before trusting automated execution.

功能分析

Type: OpenClaw Skill Name: claw-code-suite-clean Version: 1.0.1 The skill bundle is a non-functional mock integration of the 'Claw Code' project, providing a Python harness (claw_harness_enhanced.py) that simulates access to 184 tools and 207 commands. Detailed analysis of the source code (e.g., claw-code/src/tools.py) confirms that all tool executions are shims that return hardcoded 'mirrored' messages rather than executing actual payloads. The bundle includes extensive documentation and security verification scripts (verify-security.sh) to reinforce its purely offline, no-network nature, and no evidence of malicious intent or risky capabilities was found.

能力标签

cryptorequires-oauth-token

能力评估

ℹ Purpose & Capability

The name/description (Python-only port of Claw Code exposing many tools) matches the included Python source that enumerates 184 tools / ~200 commands. Requiring only python3 is proportionate. However the repository contains artifacts that don't fully align with a minimal Python-only offline toolset: package.json and capability index entries referencing TypeScript/TSX sources (WebFetchTool, WebSearchTool, many TS/JS command sources), README/CLAW.md/PARITY.md text that references a removed Rust workspace and network-capable services, and a telemetry folder mentioned in SKILL.md. These leftovers and references are plausible for a large port but introduce ambiguity about what actually runs.

⚠ Instruction Scope

SKILL.md instructs running run.sh and executable harness wrappers (claw_harness.py, claw_harness_enhanced.py, claw_wrapper.py) and exposes 'exec-tool' and 'exec-command' operations. The skill asserts 'NO NETWORK ACCESS' and offers a grep-based verification (searching Python imports for requests/http.client/urllib/socket), but that verification is limited and can miss other network-capable code (third-party binaries, subprocesses that call curl/ssh, or modules that open sockets without obvious imports). Files of concern to inspect before running: run.sh, claw_harness*.py, claw_wrapper.py and scripts/, verify-security*.sh, remote_runtime.py, upstreamproxy modules, and any telemetry/event-logging code. The instructions provide broad execution capabilities (running tools/commands) which could run arbitrary payloads if the harness or wrappers call subprocesses or accept unvalidated inputs.

✓ Install Mechanism

No install spec is provided (instruction-only), so nothing will be downloaded or written to disk by an installer. All code is bundled with the skill, which reduces supply-chain risk from external downloads but increases the need to audit the included files because they will be executed locally if invoked.

ℹ Credentials

The skill declares no required credentials and only optional environment variables for local configuration (CLAW_CODE_WORKSPACE, CLAW_CODE_TIMEOUT_SEC, etc.), which is proportionate. That said, the tree references telemetry, upstream/remote modules, and capability entries for web-related tools — none of which appear as required env vars or credentials in SKILL.md. The mismatch (no declared creds but presence of telemetry/remote artifacts) is suspicious and should be verified: ensure telemetry is local-only and remote modules are inert or stubbed.

✓ Persistence & Privilege

The skill does not request 'always: true' and uses default invocation settings (user-invocable, agent-autonomous invocation allowed). It does not declare modifications to other skills or system-level settings. No persistence or privilege escalation markers were found in the manifest.

版本历史

v1.0.1

Claw Code Suite v1.0.1 is a clean, Python-only edition with enhanced security compliance. - Removed all Rust components and networking/server/AI provider code for complete offline operation. - Updated documentation to emphasize Python-only implementation and full source transparency. - Skill now fully passes ClawHub security scanner with no flags or compliance issues. - Retains all 184 tools and 207 commands from the original suite with no functional loss.

元数据

Slug claw-code-suite-clean

版本 1.0.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题