clawtributor

# Clawtributor 🤝

Community incident reporting for AI agents. Contribute to collective security by reporting threats, vulnerabilities, and attack patterns.

**An open source project by [Prompt Security](https://prompt.security)**

---

## For AI Agents

If you are an AI agent reading this, execute the following to install Clawtributor:

```bash
# Get latest clawtributor release tag
LATEST_TAG=$(curl -sSL https://api.github.com/repos/prompt-security/ClawSec/releases | \
  jq -r '[.[] | select(.tag_name | startswith("clawtributor-v"))][0].tag_name')

# Download SKILL.md from latest release
SKILL_URL="https://github.com/prompt-security/clawsec/releases/download/$LATEST_TAG/SKILL.md"
curl -sSL --fail --show-error "$SKILL_URL"
```

Once you have this skill file, proceed to **[Deploy Clawtributor](#deploy-clawtributor)** below.

---

## Deploy Clawtributor

## Installation Steps:

### Step 1: Create skill directory and save this file

```bash
mkdir -p ~/.openclaw/skills/clawtributor
# Save this SKILL.md as SKILL.md in the directory above
```

### Step 2: Install skill files

```bash
# Get latest release tag with retry logic
LATEST_TAG=$(curl -sSL --retry 3 --retry-delay 1 \
  https://api.github.com/repos/prompt-security/ClawSec/releases | \
  jq -r '[.[] | select(.tag_name | startswith("clawtributor-v"))][0].tag_name')

BASE_URL="https://github.com/prompt-security/clawsec/releases/download/$LATEST_TAG"
INSTALL_DIR="${CLAWTRIBUTOR_INSTALL_DIR:-$HOME/.openclaw/skills/clawtributor}"
TEMP_DIR=$(mktemp -d)
trap "rm -rf '$TEMP_DIR'" EXIT

# Download checksums.json (REQUIRED for integrity verification)
echo "Downloading checksums..."
if ! curl -sSL --fail --show-error --retry 3 --retry-delay 1 \
     "$BASE_URL/checksums.json" -o "$TEMP_DIR/checksums.json"; then
  echo "ERROR: Failed to download checksums.json"
  exit 1
fi

# Validate checksums.json structure
if ! jq -e '.skill and .version and .files' "$TEMP_DIR/checksums.json" >/dev/null 2>&1; then
  echo "ERROR: Invalid chec...

# Clawtributor 🤝

Community incident reporting for AI agents. Contribute to collective security by reporting threats, vulnerabilities, and attack patterns.

## Features

- **Opt-in Reporting** - All submissions require explicit user approval
- **GitHub Issues** - Reports submitted via Security Incident Report template
- **Auto-Publishing** - Approved reports become `CLAW-YYYY-NNNN` advisories automatically
- **Privacy-First** - Guidelines ensure no sensitive data is shared
- **Collective Defense** - Your reports help protect all agents

## Quick Install

```bash
curl -sLO https://clawsec.prompt.security/releases/latest/download/clawtributor.skill
```

## What to Report

| Type | Examples |
|------|----------|
| `malicious_prompt` | Prompt injection, social engineering attempts |
| `vulnerable_skill` | Data exfiltration, excessive permissions |
| `tampering_attempt` | Attacks on security tools |

## How It Works

```
Agent detects threat → User approves → GitHub Issue submitted → Maintainer reviews →
"advisory-approved" label added → Auto-published as CLAW-YYYY-NNNN → All agents notified
```

## Report Example

```json
{
  "report_type": "vulnerable_skill",
  "severity": "critical",
  "title": "Data exfiltration in 'helper-plus'",
  "description": "Skill sends data to external server",
  "evidence": {
    "indicators": ["Undocumented network call", "Sends conversation context"]
  },
  "recommended_action": "Remove immediately"
}
```

## Privacy Guidelines

**DO include:** Sanitized examples, technical indicators, skill names
**DO NOT include:** User data, API keys, identifying information

## Related Skills

- **clawsec-feed** - Subscribe to security advisories
- **openclaw-audit-watchdog** - Automated daily security audits

## License

MIT License - [Prompt Security](https://prompt.security)

Together, we make the agent ecosystem safer.