workspace/skills/defenseclaw-ops/SKILL.md
Manage DefenseClaw enterprise security - scan components, manage tool permissions, view alerts, configure guardrails
This skill manages DefenseClaw enterprise security for NetClaw deployments.
DefenseClaw from Cisco AI Defense provides enterprise-grade security:
Prerequisite: the `defenseclaw` CLI in PATH.

Check status:

```bash
# View DefenseClaw version
defenseclaw --version

# Check gateway status
pgrep defenseclaw-gateway

# View current configuration
grep -A2 security ~/.openclaw/config/openclaw.json
```
Before deploying new skills, MCPs, or plugins, scan them:

```bash
# Scan a skill
defenseclaw skill scan pyats-health-check

# Scan an MCP server
defenseclaw mcp scan meraki-mcp

# Scan a plugin
defenseclaw plugin scan custom-tool
```

Expected output for a clean component:

```
Scanning skill: pyats-health-check
✓ No HIGH/CRITICAL findings
Status: ALLOWED
```

Expected output for a blocked component:

```
Scanning skill: bad-skill
✗ HIGH: Hardcoded credential detected
Location: config.py:15
Status: BLOCKED
```
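
A fail-closed pre-deployment gate built on the scan commands and sample output above, as an added example that is not part of the DefenseClaw or NetClaw documentation. It assumes every scan prints exactly one `Status: ALLOWED` or `Status: BLOCKED` line as shown; `scan_verdict` and `gate_components` are hypothetical helper names.

```shell
# Added example: fail-closed gate around `defenseclaw <kind> scan <name>`.
# Assumption: scan output carries one "Status: ALLOWED|BLOCKED" line, as in
# the sample output on this page. Exit codes are not documented here, so the
# gate reads the text and treats anything unexpected as a failure.

# scan_verdict: read scan output on stdin; print ALLOWED, BLOCKED or UNKNOWN.
scan_verdict() {
  local line status="" count=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"Status:"*)
        # Keep the text after "Status:" and drop whitespace (including CR).
        status=$(printf '%s' "${line##*Status:}" | tr -d '[:space:]')
        count=$((count + 1)) ;;
    esac
  done
  # Exactly one status line with a known value; missing, duplicated or
  # unrecognised status lines all map to UNKNOWN.
  if [ "$count" -eq 1 ] && { [ "$status" = ALLOWED ] || [ "$status" = BLOCKED ]; }; then
    printf '%s\n' "$status"
  else
    printf 'UNKNOWN\n'
  fi
}

# gate_components: arguments are kind:name pairs (kind = skill, mcp, plugin).
# Prints one verdict per component; returns 0 only if every one is ALLOWED.
gate_components() {
  local item kind name verdict rc=0
  for item in "$@"; do
    kind="${item%%:*}"
    name="${item#*:}"
    case "$kind" in
      skill|mcp|plugin) ;;
      *) printf 'REJECT   %s (unknown kind)\n' "$item" >&2; rc=1; continue ;;
    esac
    verdict=$(defenseclaw "$kind" scan "$name" 2>&1 | scan_verdict)
    printf '%-8s %s %s\n' "$verdict" "$kind" "$name"
    [ "$verdict" = ALLOWED ] || rc=1
  done
  return "$rc"
}
```

Call it from a deployment script as `gate_components skill:pyats-health-check mcp:meraki-mcp || exit 1`; a scanner that crashes or prints no status line blocks the deployment just as a `BLOCKED` verdict does.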
Block or allow specific tools:
```bash
# Block a destructive tool
defenseclaw tool block delete_file --reason "destructive operation"

# Block all write operations
defenseclaw tool block "*_write" --reason "read-only policy"

# Allow a previously blocked tool
defenseclaw tool allow delete_file

# List all tool rules
defenseclaw tool list
```

```bash
# View recent alerts
defenseclaw alerts

# View last 50 alerts
defenseclaw alerts --limit 50

# Filter by severity
defenseclaw alerts --severity HIGH

# Filter by date
defenseclaw alerts --after 2026-04-01
```
For compliance reporting:
```bash
# Export to JSON
defenseclaw alerts --export json > "audit-$(date +%Y%m%d).json"

# Export to CSV
defenseclaw alerts --export csv > "audit-$(date +%Y%m%d).csv"
```

```bash
# Check current mode
defenseclaw config get guardrail.mode

# Enable observe mode (logging only - default)
defenseclaw setup guardrail --mode observe

# Enable action mode (blocking)
defenseclaw setup guardrail --mode action --restart

# Restart gateway after mode change
defenseclaw setup guardrail --restart
```
| Mode | Behavior | Use Case |
|------|----------|----------|
| observe | Log violations, allow execution | Development, onboarding |
| action | Log violations AND block | Production, compliance |
Guardrails check for these categories:
| Category | Description |
|----------|-------------|
| secret | Credential exfiltration |
| command | Shell command execution |
| sensitive-path | File system access |
| c2 | Command & control communication |
| cognitive-file | AI memory manipulation |
| trust-exploit | Prompt injection |
Configure external SIEM:
```bash
# Splunk HEC
defenseclaw config siem --type splunk \
  --endpoint https://splunk.example.com:8088 \
  --token "$SPLUNK_HEC_TOKEN"

# OTLP
defenseclaw config siem --type otlp \
  --endpoint https://otel-collector.example.com:4318

# Test connectivity
defenseclaw config siem --test
```

```bash
# Slack
defenseclaw config webhook --slack "$SLACK_WEBHOOK_URL"

# PagerDuty
defenseclaw config webhook --pagerduty "$PD_ROUTING_KEY"

# Webex
defenseclaw config webhook --webex "$WEBEX_WEBHOOK_URL"
```

```bash
export PATH="$HOME/.local/bin:$PATH"
```

```bash
# Check status
pgrep defenseclaw-gateway

# Start manually
defenseclaw-gateway start

# Check logs
tail -f ~/.defenseclaw/logs/gateway.log
```

```bash
# View detailed findings
defenseclaw skill scan <name> --verbose

# Add exception if false positive
defenseclaw exception add <component> --finding <id> --reason "reviewed"
```