← 返回 Skills 市场
stanistolberg

Clawd Zero Trust

作者 stanistolberg · GitHub ↗ · v1.3.2 · MIT-0
cross-platform ✓ 安全检测通过
862
总下载
2
收藏
1
当前安装
12
版本数
在 OpenClaw 中安装
/install clawd-zero-trust
功能描述
Zero Trust security hardening for OpenClaw deployments. Use when asked to audit, harden, or apply Zero Trust architecture to an OpenClaw instance — including...
使用说明 (SKILL.md)

clawd-zero-trust (v1.3.1)

Zero Trust hardening framework for OpenClaw. Built by Blocksoft.

⚠️ BREAKING (v1.3.0→v1.3.1): First apply after upgrade requires --force or run bash scripts/release-gate.sh --reset-hash to reset trusted baseline. Unattended/cron apply workflows must be updated.

Dependencies

The following binaries are required. Install with apt on Debian/Ubuntu:

Binary Package Required For
ufw ufw All mutating operations (--apply, --canary, --reset, --refresh)
curl curl Endpoint verification (--verify, --verify-all)
openssl openssl SMTP/IMAP verification in --verify-all
nc netcat-openbsd TCP/UDP port checks in --verify-all
dig dnsutils DNS resolution for provider IPs
python3 python3 JSON parsing, log aggregation, state management

Read-only modes (--verify, --audit-log, --status) do not require root. Mutating modes (--apply, --canary, --reset, --refresh) require root privileges.

Core Principles

  1. NHI (Non-Human Identity): Sub-agents run as isolated sessions with scoped credentials. Never share 'main' identity for high-risk ops.
  2. PLP (Principle of Least Privilege): Restrict default model toolset. Use tools.byProvider to limit small/untrusted models to coding profile.
  3. Plan-First: Declare intent (what + why + expected outcome) before any write, exec, or network call.
  4. Egress Control: Whitelist outbound traffic to authorized AI providers only. Preserve Tailscale + Telegram API.
  5. Assumption of Breach: Design as if the attacker is already in. Verify every plugin, model, and extension.

Canonical Egress Script Path

Single source of truth:

/home/claw/.openclaw/workspace/skills/clawd-zero-trust/scripts/egress-filter.sh

Compatibility symlink:

/home/claw/.openclaw/workspace/scripts/egress_filter.sh -> .../skills/clawd-zero-trust/scripts/egress-filter.sh

Workflow: Audit → Harden → Egress → Verify

1) Audit

bash scripts/audit.sh

2) Harden

# Preview (default)
bash scripts/harden.sh

# Apply
bash scripts/harden.sh --apply

3) Egress Policy (dry-run default)

# Dry-run preview (default)
bash scripts/egress-filter.sh --dry-run

# Transactional apply: auto-rollback if Telegram/GitHub/Anthropic/OpenAI checks fail
bash scripts/egress-filter.sh --apply

# Canary mode: temporary apply + 120s periodic verification, then commit/rollback
bash scripts/egress-filter.sh --canary

# Verify critical endpoints only (Telegram, GitHub, Anthropic, OpenAI)
bash scripts/egress-filter.sh --verify

# Emergency rollback
bash scripts/egress-filter.sh --reset

4) Egress Profile Status (v1.3.0)

# Print current egress profile status (read-only, no root required)
bash scripts/egress-filter.sh --status

Displays: profile version, last applied timestamp, last result, provider count from providers.txt, and current UFW state. Read-only. No root required for core status output. UFW active state is best-effort — may show 'unknown' if sudo is unavailable on your system.

5) Egress Violation Audit Log (v1.3.0)

# View blocked outbound traffic from the last 24 hours
bash scripts/egress-filter.sh --audit-log

Parses /var/log/ufw.log and journalctl -k for [UFW BLOCK] entries with outbound markers (OUT=, DPT=). Aggregates by destination IP + port and prints a summary table with counts, first-seen, and last-seen timestamps. During --apply, a UFW LOG rule (ZT:egress-violation) is automatically inserted to capture future violations.

6) IP Snapshot Auto-Refresh (v1.3.0)

# Re-resolve DNS and apply only changed IPs (delta) to UFW
bash scripts/egress-filter.sh --refresh

Re-resolves all domains in config/providers.txt, diffs against the last-applied IP snapshot (.state/applied-ips.json), and applies only the delta rules. Transactional: backs up UFW rules before applying, verifies critical endpoints after, and rolls back on failure. The IP snapshot is saved automatically after every --apply and --canary.

7) Per-Provider Verification (v1.3.0)

# Protocol-aware verification of ALL providers in providers.txt
bash scripts/egress-filter.sh --verify-all

Detects the appropriate protocol from port number and runs the matching check:

  • 443 → HTTPS curl (status code check)
  • 587/465/25 → SMTP openssl s_client (STARTTLS/TLS)
  • 993/143 → IMAP openssl s_client (TLS/STARTTLS)
  • 41641 → UDP nc -zu (Tailscale WireGuard)
  • 22 → TCP nc -z (SSH)
  • other → TCP nc -z (generic fallback)

Each check runs with a hard timeout 5s wrapper (enforced at OS level, not just socket timeout). Automatically called after --apply and --canary. Available standalone for on-demand verification. Requires: curl, openssl, nc (netcat-openbsd).

8) Plugin Integrity Hashing (v1.3.0)

# Snapshot current plugin hashes
bash scripts/plugin-integrity.sh --snapshot

# Verify plugin integrity against stored hashes
bash scripts/plugin-integrity.sh --verify

# Check plugins against hardening.json allowlist
bash scripts/plugin-integrity.sh --drift

# Combine checks
bash scripts/plugin-integrity.sh --verify --drift

Monitors plugin file integrity via SHA-256 hashing of each plugin's JS entry point (dist/index.jsindex.js*.js fallback). Detects unauthorized modifications, new/removed plugins, and drift from the hardening.json allowlist.

9) Dynamic Whitelisting (MAX USER-FRIENDLY API)

To open a new port or add a service securely (e.g. for custom email, video extraction, new AI agents), DO NOT edit the bash script or hardcoded arrays. Always use the dynamic configuration helper command:

bash scripts/whitelist.sh \x3Cdomain> \x3Cport>

(Example: bash whitelist.sh youtu.be 443). This automatically injects the domain cleanly into the config/providers.txt engine, triggers a transactional configuration flush, and instantly applies the changes to UFW.

10) Release Gate (v1.3.0)

bash scripts/release-gate.sh

Gate checks (must all pass):

  • quick_validate.py on skill structure
  • shellcheck on all shell scripts (fails with install hint if missing)
  • package_skill.py packaging to skills/dist/clawd-zero-trust.skill
  • --verify endpoint checks

Versioned Firewall Profile State

State files (in .state/):

File Purpose
egress-profile.json Script hash, version, last apply result
applied-ips.json Per-domain IP snapshot for --refresh delta
plugin-hashes.json SHA-256 hashes for plugin integrity verification

On apply/canary, hash mismatch is refused unless --force is provided. The whitelist.sh helper intrinsically handles hash mismatches seamlessly.

References

  • references/zero-trust-principles.md — Detailed ZT framework for AI agents
  • references/false-positives.md — Verified safe patterns that trigger audit warnings

HARD REQUIREMENT: Self-Update Prevention

NEVER run openclaw update, openclaw upgrade, npm install -g openclaw, or npm update -g openclaw without explicit Founder approval.

These commands are blocked in denyCommands. On 2026-02-24, a self-update during an audit caused a 10,450+ crash-loop by deprecating a plugin. System stability > latest version. Always:

  1. Present update details + changelog to Founder first
  2. Backup config: cp openclaw.json openclaw.json.pre-update
  3. Only update after explicit approval
  4. Run openclaw doctor --fix + openclaw status after

MANDATORY: Update Proposal Format

When you detect that an OpenClaw update is available (via update-scout-daily or any other means), you MUST ALWAYS propose it in exactly this format — no exceptions:

📦 OpenClaw update available: vOLD → vNEW

To apply safely, SSH in and run:

openclaw update
/home/claw/.openclaw/workspace/scripts/post-update-repair.sh

The repair script restores all symlinks, cleans config, restarts the gateway, and runs a 6-point smoke test automatically. No other steps needed.

NEVER say "I will run the update for you" or attempt to run it yourself. The update MUST be executed by the Founder via SSH.

安全使用建议
This skill implements a powerful, coherent Zero Trust workflow but performs privileged changes — review before enabling mutating modes. Before you run --apply or enable automatic use: - Run everything in dry-run/audit mode first: bash scripts/audit.sh and bash scripts/egress-filter.sh --dry-run and --status. - Backup your OpenClaw config and current firewall rules (openclaw.json and iptables-save / UFW state). The scripts create backups, but keep your own copy. - Inspect config/providers.txt and config/custom-providers.json to ensure only expected endpoints are allowlisted. Verify api.agentsandbox.co and any Telegram/GitHub entries are acceptable. - Examine hardening.json, specifically tools.exec (security: "full", ask: "off") and tools.elevated.allowFrom (Telegram IDs). If you do not want host-level exec without prompts or Telegram-triggered elevated operations, change these before applying. - Use plugin-integrity.sh --snapshot to establish a baseline, and review plugin-hashes.json before running --verify. - Prefer manual invocation for the first run, avoid cron/unattended applies until you’ve validated the behavior in a staging instance. - Because mutating operations require root, run the scripts only on systems where you can safely recover and where UFW/iptables changes are acceptable. If you want further assurance, request a short audit of the specific network calls the scripts will make (e.g., snapshot of curl/openssl invocations) and a review of any code paths that perform outbound POSTs (the repo documents an OAuth flow for agentsandbox).
功能分析
Type: OpenClaw Skill Name: clawd-zero-trust Version: 1.3.2 The clawd-zero-trust bundle is a comprehensive security hardening framework for OpenClaw deployments. It implements legitimate security controls including DNS-based egress filtering via UFW (egress-filter.sh), plugin integrity monitoring using SHA-256 hashing (plugin-integrity.sh), and Principle of Least Privilege (PLP) tool scoping (plp-config.sh). While the scripts require root privileges and modify system firewall rules, these actions are strictly aligned with the stated purpose of Zero Trust architecture. The instructions in SKILL.md regarding update prevention and 'Founder approval' are framed as stability measures to prevent breaking changes and do not exhibit malicious intent, data exfiltration, or unauthorized persistence.
能力评估
Purpose & Capability
Name/description match the actual artifacts: scripts implement egress whitelisting, plugin hashing/allowlisting, PLP config, and hardening of OpenClaw. The requested operations (UFW/iptables, openclaw.json merges, plugin checks, DNS-based allowlist) are coherent with the stated Zero Trust purpose.
Instruction Scope
SKILL.md directs the agent/operator to run multiple scripts that read system logs (/var/log/ufw.log, journalctl), read/write OpenClaw config (~/.openclaw/openclaw.json), enumerate plugin files (~/.openclaw/extensions), and contact allowed external endpoints for verification. These are expected for a hardening tool, but they give the skill broad read access to agent state and allow network probes and outbound checks; run in dry-run/audit mode first.
Install Mechanism
No install spec (instruction-only plus scripts present) — nothing is downloaded from third-party URLs at install time. The scripts rely on common OS packages (ufw, dig, curl, openssl, nc, python3) which is proportionate to their behavior.
Credentials
The registry metadata lists no required environment variables, but the scripts read local OpenClaw configuration, plugin files, and may look up OPENCLAW_AGENT_DIR / openclaw.json; these files can contain tokens/credentials. hardening.json contains settings (tools.exec: security: "full", ask: "off" and tools.elevated.allowFrom: Telegram IDs) that reduce interactive confirmation and allow elevated execution from a channel — this increases risk and should be explicitly reviewed before enabling --apply modes. Contacting api.agentsandbox.co for key creation is documented inside the references; that behavior is plausible but warrants inspection if you don't expect new API key generation.
Persistence & Privilege
Mutating operations (--apply/--canary/--refresh) explicitly require root and modify firewall/iptables and OpenClaw configuration (shallow-merge hardening.json into openclaw.json). The skill is not force-included (always:false). Autonomous invocation is allowed by default (normal for skills); consider the interaction of that default with elevated 'ask: off' settings in the hardening overrides.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install clawd-zero-trust
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /clawd-zero-trust 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.2
clawd-zero-trust v1.3.2 - Updated plugin allowlisting in hardening.json for improved integrity checks. - Enhanced plugin-integrity.sh with clearer output and reliability fixes. - Expanded and clarified documentation in README.md. - Minor corrections in CHANGELOG.md and overall documentation consistency.
v1.3.1
clawd-zero-trust v1.3.1 - Added CHANGELOG.md file for clearer release tracking. - Updated documentation in README.md and SKILL.md with latest usage patterns. - Minor adjustments to hardening.json for consistency. - Improved logic in scripts/egress-filter.sh for reliability and maintainability.
v1.1.10
**Breaking release with enhanced verification, auditing, and refresh features. See notes for upgrade requirements.** - ⚠️ First apply after upgrade requires `--force` or `bash scripts/release-gate.sh --reset-hash` action; update unattended workflows accordingly. - Adds egress profile status (`--status`) and audit log (`--audit-log`) modes for easier monitoring of outbound blocks and profile history. - Introduces IP snapshot auto-refresh (`--refresh`), efficiently updating only changed IPs after DNS re-resolution. - Implements protocol-aware per-provider verification (`--verify-all`) for stronger post-apply connectivity checks. - Plugin integrity monitoring via new `scripts/plugin-integrity.sh`—detects unauthorized plugin modifications and drift. - Documents all required binary dependencies and clarifies privilege requirements for read-only vs. mutating actions.
v1.1.9
clawd-zero-trust v1.2.0 adds dynamic provider whitelisting and improves configuration management. - Added dynamic whitelisting via scripts/whitelist.sh for secure, user-friendly provider/domain additions. - Introduced config/custom-providers.json and config/providers.txt for external provider/domain configuration. - Updated egress-filter.sh to consume new config files, reducing hardcoding. - Documentation in SKILL.md and README.md clarified to emphasize dynamic whitelist workflow. - Improved state/profile handling for firewall rules; whitelist.sh manages state—even on hash mismatches.
v1.1.8
- Maintenance update: removes project management and contribution metadata. - Added `hardening.json` to the repository. - Updated `README.md` and documentation to reflect minor version changes. - Adjusted scripts (`egress-filter.sh`, `harden.sh`) for policy and workflow consistency. - Removed unused GitHub templates and community files.
v1.1.7
- Updated version references from 1.1.4 to 1.1.6 in SKILL.md and release notes. - Minor text and formatting improvements in documentation files. - Scripts updated: audit, harden, egress-filter, plp-config, and packaging received incremental changes. - No breaking changes or new major features introduced.
v1.1.6
clawd-zero-trust v1.1.6 - Added project documentation: README.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md, and SECURITY.md. - Introduced GitHub issue templates for bug reports and feature requests. - Added reference documents on zero trust principles and false positives. - New scripts: audit.sh, harden.sh, egress-filter.sh, plp-config.sh, package_skill.py, quick_validate.py, and release-gate.sh for auditing, hardening, packaging, validation, and release management. - Expanded skill resources for improved collaboration, contribution, and operational reliability.
v1.1.5
- Removed extensive documentation, references, and scripts, including audit, harden, egress filter, packaging, and release gate tools. - SKILL.md now includes only metadata and a brief description; all operational and usage details are omitted. - Transitioned the skill to a minimal, metadata-only version.
v1.1.4
- Initial public release of contribution, security, and community templates: added CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, and GitHub issue templates. - Documentation improvements: added README.md, references/false-positives.md, and references/zero-trust-principles.md. - Introduced a suite of scripts for audit, hardening, egress control, packaging, and release validation (scripts/audit.sh, scripts/harden.sh, scripts/egress-filter.sh, scripts/release-gate.sh, and others). - Enhanced skill validation and packaging workflows with dedicated Python scripts (quick_validate.py, package_skill.py). - No changes to core principles or egress workflow in SKILL.md; version remains at 1.1.2.
v1.1.3
- Removed 15 meta, script, and reference files, leaving only the core SKILL.md documentation. - Retained all workflow and usage documentation within SKILL.md. - No functionality changes to the skill implementation itself. - Project is now distributed as documentation-only; auxiliary scripts and templates are no longer included.
v1.1.2
- Added `scripts/plp-config.sh` for enhanced Principle of Least Privilege (PLP) configuration. - Updated `audit.sh`, `egress-filter.sh`, and `harden.sh` scripts with improvements and/or PLP integration. - No changes to user-facing documentation in SKILL.md.
v1.1.1
clawd-zero-trust v1.1.1 - Improved and clarified documentation for Zero Trust hardening of OpenClaw. - Added step-by-step workflow: Audit, Harden, Egress Policy Management, Verification, and Release Gating. - Documented the canonical script paths and state file locations for consistent firewall and egress policy management. - Expanded usage examples for egress policy scripts, including dry-run, canary mode, endpoint verification, force, and rollback commands. - Outlined new release-gate process with validation and packaging checks to improve deployment reliability and security.
元数据
Slug clawd-zero-trust
版本 1.3.2
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 12
常见问题

Clawd Zero Trust 是什么?

Zero Trust security hardening for OpenClaw deployments. Use when asked to audit, harden, or apply Zero Trust architecture to an OpenClaw instance — including... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 862 次。

如何安装 Clawd Zero Trust?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawd-zero-trust」即可一键安装,无需额外配置。

Clawd Zero Trust 是免费的吗?

是的,Clawd Zero Trust 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Clawd Zero Trust 支持哪些平台?

Clawd Zero Trust 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Clawd Zero Trust?

由 stanistolberg(@stanistolberg)开发并维护,当前版本 v1.3.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论