CoralShades/clawsec-nanoclaw
.agent/skills/clawsec-nanoclaw/SKILL.md
Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot
testing
Updated Apr 17, 2026
$ install --global
skillsauthnpx skillsauth add CoralShades/CurryDash-Central-Hub clawsec-nanoclawInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 11:16 AM44.2s18 files scanned
SKILL.md
- name:
- clawsec-nanoclaw
- version:
- 0.0.1
- description:
- Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot
ClawSec for NanoClaw
Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.
Overview
ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills and alerts you to issues in existing ones.
Core principle: Check before you install. Monitor what's running.
When to Use
Use ClawSec tools when:
- Installing a new skill (check safety first)
- User asks "are my skills secure?"
- Investigating suspicious behavior
- Regular security audits
- After receiving security notifications
Do NOT use for:
- Code review (use other tools)
- Performance issues (different concern)
- General debugging
MCP Tools Available
Pre-Installation Check
// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
skillName: 'new-skill',
version: '1.0.0' // optional
});
if (!safety.safe) {
// Show user the risks before proceeding
console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}
Security Audit
// Check all installed skills
const result = await tools.clawsec_check_advisories({
skillsRoot: '/workspace/project/skills' // optional
});
if (result.criticalCount > 0) {
// Alert user immediately
console.error('CRITICAL vulnerabilities found!');
}
Browse Advisories
// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
platform: 'nanoclaw', // optional: nanoclaw, openclaw, or both
severity: 'critical' // optional: critical, high, medium, low
});
Quick Reference
| Task | Tool | Key Parameter |
|------|------|---------------|
| Pre-install check | clawsec_check_skill_safety | skillName |
| Audit all skills | clawsec_check_advisories | installRoot (optional) |
| Browse feed | clawsec_list_advisories | severity, type (optional) |
| Verify package signature | clawsec_verify_skill_package | packagePath |
| Refresh advisory cache | clawsec_refresh_cache | (none) |
| Check file integrity | clawsec_check_integrity | mode, autoRestore (optional) |
| Approve file change | clawsec_approve_change | path |
| View baseline status | clawsec_integrity_status | path (optional) |
| Verify audit log | clawsec_verify_audit | (none) |
Common Patterns
Pattern 1: Safe Skill Installation
// ALWAYS check before installing
const safety = await tools.clawsec_check_skill_safety({
skillName: userRequestedSkill
});
if (safety.safe) {
// Proceed with installation
await installSkill(userRequestedSkill);
} else {
// Show user the risks and get confirmation
await showSecurityWarning(safety.advisories);
if (await getUserConfirmation()) {
await installSkill(userRequestedSkill);
}
}
Pattern 2: Periodic Security Check
// Add to scheduled tasks
schedule_task({
prompt: "Check for security advisories using clawsec_check_advisories and alert if any critical issues found",
schedule_type: "cron",
schedule_value: "0 9 * * *" // Daily at 9am
});
Pattern 3: User Security Query
User: "Are my skills secure?"
You: I'll check installed skills for known vulnerabilities.
[Use clawsec_check_advisories]
Response:
✅ No critical issues found.
- 2 low-severity advisories (not urgent)
- All skills up to date
Common Mistakes
❌ Installing without checking
// DON'T
await installSkill('untrusted-skill');
// DO
const safety = await tools.clawsec_check_skill_safety({
skillName: 'untrusted-skill'
});
if (safety.safe) await installSkill('untrusted-skill');
❌ Ignoring platform filters
// DON'T: Check OpenClaw advisories on NanoClaw
const advisories = await tools.clawsec_list_advisories({
platform: 'openclaw' // Wrong platform!
});
// DO: Use correct platform or let it auto-filter
const advisories = await tools.clawsec_list_advisories({
platform: 'nanoclaw' // Correct
});
❌ Skipping critical severity
// DON'T: Only check low severity
if (result.lowCount > 0) alert();
// DO: Prioritize critical and high
if (result.criticalCount > 0 || result.highCount > 0) {
// Alert immediately
}
Implementation Details
Feed Source: https://clawsec.prompt.security/advisories/feed.json
Update Frequency: Every 6 hours (automatic)
Signature Verification: Ed25519 signed feeds
Cache Location: /workspace/project/data/clawsec-cache.json
See INSTALL.md for setup and docs/ for advanced usage.
Real-World Impact
- Prevents installation of skills with known RCE vulnerabilities
- Alerts to supply chain attacks in dependencies
- Provides actionable remediation steps
- Zero false positives (curated feed only)
Related Skills
CoralShades/executing-plans
testing
VerifiedTrustedCommunity
Use when you have a written implementation plan to execute in a separate session with review checkpoints
SKILL.mdUpdated Apr 17, 2026
CoralShades/docx
development
VerifiedTrustedCommunity
Use this skill whenever the user wants to create, read, edit, or manipulate Word documents (.docx files). Triggers include: any mention of 'Word doc', 'word document', '.docx', or requests to produce professional documents with formatting like tables of contents, headings, page numbers, or letterheads. Also use when extracting or reorganizing content from .docx files, inserting or replacing images in documents, performing find-and-replace in Word files, working with tracked changes or comments, or converting content into a polished Word document. If the user asks for a 'report', 'memo', 'letter', 'template', or similar deliverable as a Word or .docx file, use this skill. Do NOT use for PDFs, spreadsheets, Google Docs, or general coding tasks unrelated to document generation.
SKILL.mdUpdated Apr 17, 2026
CoralShades/dispatching-parallel-agents
testing
VerifiedTrustedCommunity
Use when facing 2+ independent tasks that can be worked on without shared state or sequential dependencies
SKILL.mdUpdated Apr 17, 2026
CoralShades/differential-review
development
VerifiedTrustedCommunity
Performs security-focused differential review of code changes (PRs, commits, diffs). Adapts analysis depth to codebase size, uses git history for context, calculates blast radius, checks test coverage, and generates comprehensive markdown reports. Automatically detects and prevents security regressions.
SKILL.mdUpdated Apr 17, 2026