← 返回 Skills 市场
31
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install clawsec-openclaw-soul-guardian
功能描述
Drift detection + baseline integrity guard for agent workspace files with automatic alerting support
使用说明 (SKILL.md)
soul-guardian 👻
Protects your agent's core files (SOUL.md, AGENTS.md, etc.) from unauthorized changes with automatic detection, restoration, and user alerting.
Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
npx skills add prompt-security/clawsec --skill soul-guardian -a openclaw -y
Operational Notes
- Required runtime:
python3 - Optional runtime:
openclawfor cron integration,launchctlfor macOS scheduling,bashfor the demo helper - Side effects: can auto-restore protected files to their approved baseline and writes audit/quarantine state locally
- Network behavior: none by default
- Trust model: any scheduling is opt-in, but restore mode intentionally overwrites drifted files
Release Artifact Verification
For standalone installs, verify the signed release manifest before trusting SKILL.md, skill.json, or the archive. The skill.json file is the package metadata/SBOM source, and the release pipeline signs checksums.json with the ClawSec release key.
set -euo pipefail
SKILL_NAME="soul-guardian"
VERSION="0.0.7"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
ZIP_NAME="${SKILL_NAME}-v${VERSION}.zip"
TMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TMP_DIR"' EXIT
RELEASE_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"
curl -fsSL "$BASE/checksums.json" -o "$TMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TMP_DIR/checksums.sig"
curl -fsSL "$BASE/signing-public.pem" -o "$TMP_DIR/signing-public.pem"
curl -fsSL "$BASE/$ZIP_NAME" -o "$TMP_DIR/$ZIP_NAME"
curl -fsSL "$BASE/SKILL.md" -o "$TMP_DIR/SKILL.md"
curl -fsSL "$BASE/skill.json" -o "$TMP_DIR/skill.json"
ACTUAL_PUBKEY_SHA256="$(openssl pkey -pubin -in "$TMP_DIR/signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_PUBKEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
echo "ERROR: signing-public.pem fingerprint mismatch" >&2
exit 1
fi
openssl base64 -d -A -in "$TMP_DIR/checksums.sig" -out "$TMP_DIR/checksums.sig.bin"
openssl pkeyutl -verify -rawin -pubin \
-inkey "$TMP_DIR/signing-public.pem" \
-sigfile "$TMP_DIR/checksums.sig.bin" \
-in "$TMP_DIR/checksums.json" >/dev/null
hash_file() {
if command -v shasum >/dev/null 2>&1; then
shasum -a 256 "$1" | awk '{print $1}'
else
sha256sum "$1" | awk '{print $1}'
fi
}
verify_manifest_file() {
asset="$1"
path="$2"
expected="$(jq -r --arg asset "$asset" '.files[$asset].sha256 // empty' "$TMP_DIR/checksums.json")"
if [ -z "$expected" ]; then
echo "ERROR: checksums.json missing $asset" >&2
exit 1
fi
actual="$(hash_file "$path")"
if [ "$actual" != "$expected" ]; then
echo "ERROR: checksum mismatch for $asset" >&2
exit 1
fi
}
expected_archive="$(jq -r '.archive.sha256 // empty' "$TMP_DIR/checksums.json")"
if [ -z "$expected_archive" ]; then
echo "ERROR: checksums.json missing archive.sha256" >&2
exit 1
fi
actual_archive="$(hash_file "$TMP_DIR/$ZIP_NAME")"
if [ "$actual_archive" != "$expected_archive" ]; then
echo "ERROR: archive checksum mismatch" >&2
exit 1
fi
verify_manifest_file "SKILL.md" "$TMP_DIR/SKILL.md"
verify_manifest_file "skill.json" "$TMP_DIR/skill.json"
echo "Signed release manifest, archive, SKILL.md, and skill.json verified."
Only install or extract the archive after this verification succeeds.
Quick Start (3 Steps)
Step 1: Initialize baselines
cd ~/.openclaw/workspace
python3 skills/soul-guardian/scripts/soul_guardian.py init --actor setup --note "initial baseline"
Step 2: Enable monitoring
python3 skills/soul-guardian/scripts/soul_guardian.py enable-monitoring
This shows you how to add monitoring to your workflow.
Step 3: Add to HEARTBEAT.md (Recommended)
Add this to your HEARTBEAT.md for automatic monitoring:
## Soul Guardian Check
- Run `python3 skills/soul-guardian/scripts/soul_guardian.py check --actor heartbeat --output-format alert`
- If any output is produced, relay it to the user immediately as a security alert
That's it! Soul Guardian will now:
- ✅ Detect unauthorized changes to protected files
- ✅ Auto-restore SOUL.md and AGENTS.md to approved baseline
- ✅ Alert you when drift is detected and handled
What it protects (default policy)
| File | Mode | Action on drift |
|---|---|---|
| SOUL.md | restore | Auto-restore + alert |
| AGENTS.md | restore | Auto-restore + alert |
| USER.md | alert | Alert only |
| TOOLS.md | alert | Alert only |
| IDENTITY.md | alert | Alert only |
| HEARTBEAT.md | alert | Alert only |
| MEMORY.md | alert | Alert only |
| memory/*.md | ignore | Ignored |
Commands
Check for drift (with alert output)
python3 skills/soul-guardian/scripts/soul_guardian.py check --output-format alert
- Silent if no drift
- Outputs human-readable alert if drift detected
- Perfect for heartbeat integration
Watch mode (continuous monitoring)
python3 skills/soul-guardian/scripts/soul_guardian.py watch --interval 30
Runs continuously, checking every 30 seconds.
Approve intentional changes
python3 skills/soul-guardian/scripts/soul_guardian.py approve --file SOUL.md --actor user --note "intentional update"
View status
python3 skills/soul-guardian/scripts/soul_guardian.py status
Verify audit log integrity
python3 skills/soul-guardian/scripts/soul_guardian.py verify-audit
Alert Format
When drift is detected, the --output-format alert produces output like:
==================================================
🚨 SOUL GUARDIAN SECURITY ALERT
==================================================
📄 FILE: SOUL.md
Mode: restore
Status: ✅ RESTORED to approved baseline
Expected hash: abc123def456...
Found hash: 789xyz000111...
Diff saved: /path/to/patches/drift.patch
==================================================
Review changes and investigate the source of drift.
If intentional, run: soul_guardian.py approve --file \x3Cpath>
==================================================
This output is designed to be relayed directly to the user in TUI/chat.
Security Model
What it does:
- Detects filesystem drift vs approved baseline (sha256)
- Produces unified diffs for review
- Maintains tamper-evident audit log with hash chaining
- Refuses to operate on symlinks
- Uses atomic writes for restores
What it doesn't do:
- Cannot prove WHO made a change (actor is best-effort metadata)
- Cannot protect if attacker controls both workspace AND state directory
- Is not a substitute for backups
Recommendation: Store state directory outside workspace for better resilience.
Demo
Run the full demo flow to see soul-guardian in action:
bash skills/soul-guardian/scripts/demo.sh
This will:
- Verify clean state (silent check)
- Inject malicious content into SOUL.md
- Run heartbeat check (produces alert)
- Show SOUL.md was restored
Troubleshooting
"Not initialized" error:
Run init first to set up baselines.
Drift keeps happening: Check what's modifying your files. Review the audit log and patches.
Want to approve a change:
Run approve --file \x3Cpath> after reviewing the change.
安全使用建议
Before installing, understand that normal checks can overwrite drifted SOUL.md and AGENTS.md back to the approved baseline. Initialize baselines only after reviewing the files, keep the state directory private because it stores snapshots and diffs, use --no-restore for alert-only operation, and review any cron or launchd setup before enabling persistent monitoring.
能力评估
Purpose & Capability
The file reads, baseline snapshots, diffs, quarantine copies, audit log, and restore behavior all match the stated purpose of detecting drift in OpenClaw workspace prompt/instruction files.
Instruction Scope
The default policy is narrow and documented, but restore mode intentionally overwrites SOUL.md and AGENTS.md; users should review policy.json before enabling checks or scheduling.
Install Mechanism
Installation is documented through the skills CLI, with standalone release-verification instructions; macOS launchd scheduling is optional and requires an explicit installer flag to load/start the job.
Credentials
Local filesystem access, Python execution, and optional launchctl/OpenClaw cron integration are proportionate for a workspace integrity guard; no network egress is used by the runtime by default.
Persistence & Privilege
No automation is installed by default, but heartbeat, cron, watch mode, and launchd workflows can create ongoing monitoring; state directories may contain sensitive snapshots, diffs, and quarantined copies.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install clawsec-openclaw-soul-guardian - 安装完成后,直接呼叫该 Skill 的名称或使用
/clawsec-openclaw-soul-guardian触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.0.7
Release 0.0.7 via CI
元数据
常见问题
soul-guardian 是什么?
Drift detection + baseline integrity guard for agent workspace files with automatic alerting support. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 31 次。
如何安装 soul-guardian?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawsec-openclaw-soul-guardian」即可一键安装,无需额外配置。
soul-guardian 是免费的吗?
是的,soul-guardian 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
soul-guardian 支持哪些平台?
soul-guardian 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 soul-guardian?
由 davida-ps(@davida-ps)开发并维护,当前版本 v0.0.7。
推荐 Skills