clawsec-nanoclaw

# ClawSec for NanoClaw

Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.

## Overview

ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.

**Core principle:** Check before you install. Monitor what's running.

## When to Use

Use ClawSec tools when:
- Installing a new skill (check safety first)
- User asks "are my skills secure?"
- Investigating suspicious behavior
- Regular security audits
- After receiving security notifications

Do NOT use for:
- Code review (use other tools)
- Performance issues (different concern)
- General debugging

## MCP Tools Available

### Pre-Installation Check

```typescript
// Before installing any skill
const safety = await tools.clawsec_check_skill_safety({
  skillName: 'new-skill',
  skillVersion: '1.0.0'  // optional
});

if (!safety.safe) {
  // Show user the risks before proceeding
  console.warn(`Security issues: ${safety.advisories.map(a => a.id)}`);
}
```

### Security Audit

```typescript
// Check all installed skills (defaults to ~/.claude/skills in the container)
const result = await tools.clawsec_check_advisories({
  installRoot: '/home/node/.claude/skills'  // optional
});

if (result.matches.some((m) =>
  m.advisory.severity === 'critical' || m.advisory.exploitability_score === 'high'
)) {
  // Alert user immediately
  console.error('Urgent advisories found!');
}
```

### Browse Advisories

```typescript
// List advisories with filters
const advisories = await tools.clawsec_list_advisories({
  severity: 'high',               // optional
  exploitabilityScore: 'high'     // optional
});
```

## Quick Reference

| Task | Tool | Key Parameter |
|------|------|---------------|
| Pre-install check | `clawsec_check_skill_safety` | `skillName` |
| Audit all skills | `clawsec_check...

# ClawSec for NanoClaw

ClawSec now supports NanoClaw, a containerized WhatsApp bot powered by Claude agents.

## What Changed

### Advisory Feed Monitoring
- **NVD CVE Pipeline**: Now monitors for NanoClaw-specific keywords
  - "NanoClaw", "WhatsApp-bot", "baileys" (WhatsApp library)
  - Container-related vulnerabilities
- **Platform Targeting**: Advisories can specify `platforms: ["nanoclaw"]` for NanoClaw-specific issues

### Keywords Added
The CVE monitoring now includes:
- `NanoClaw` - Direct product name
- `WhatsApp-bot` - Core functionality
- `baileys` - WhatsApp client library dependency

## Advisory Schema

Advisories now support optional `platforms` field:

```json
{
  "id": "CVE-2026-XXXXX",
  "platforms": ["openclaw", "nanoclaw"],
  "severity": "critical",
  "type": "prompt_injection",
  "affected": ["skill-name@1.0.0"],
  "action": "Update to version 1.0.1"
}
```

**Platform values:**
- `"openclaw"` - Affects OpenClaw/ClawdBot/MoltBot only
- `"nanoclaw"` - Affects NanoClaw only
- `["openclaw", "nanoclaw"]` - Affects both platforms
- (empty/missing) - Applies to all platforms (backward compatible)

## ClawSec NanoClaw Skill

ClawSec provides a complete security skill for NanoClaw deployments:

**Location**: `skills/clawsec-nanoclaw/`

### Features

- **9 MCP Tools** for agents to manage security:
  - `clawsec_check_advisories` - Scan installed skills for vulnerabilities
  - `clawsec_check_skill_safety` - Pre-installation safety checks
  - `clawsec_list_advisories` - Browse advisory feed with filtering
  - `clawsec_refresh_cache` - Request immediate advisory cache refresh
  - `clawsec_verify_skill_package` - Verify Ed25519 signatures on skill packages
  - `clawsec_check_integrity` - Check protected files for unauthorized changes
  - `clawsec_approve_change` - Approve intentional file modifications
  - `clawsec_integrity_status` - View file baseline status
  - `clawsec_verify_audit` - Verify audit log hash chain

- **Advisory Cache Service**: Host-managed...