Openclaw Sentinel
by @atlaspa
Supply chain security for agent skills. Pre-install inspection, post-install scanning, obfuscation detection, and known-bad signature matching. Verify skills are safe before they touch your workspace. Free alert layer β upgrade to openclaw-sentinel-pro for quarantine, blocking, and community threat feeds.
clawhub install openclaw-sentinelπ About This Skill
name: openclaw-sentinel user-invocable: true metadata: {"openclaw":{"emoji":"π°","requires":{"bins":["python3"]},"os":["darwin","linux","win32"]}}
OpenClaw Sentinel
Supply chain security scanner for agent skills. Detects obfuscated code, known-bad signatures, suspicious install behaviors, dependency confusion, and metadata inconsistencies β before and after installation.
The Problem
You install skills from the community. Any skill can contain obfuscated payloads, post-install hooks that execute arbitrary code, or supply chain attacks that modify other skills in your workspace. Existing tools verify file integrity after the fact β nothing inspects skills for supply chain risks before they run.
Commands
Scan Installed Skills
Deep scan of all installed skills for supply chain risks. Checks file hashes against a local threat database, detects obfuscated code patterns, suspicious install behaviors, dependency confusion, and metadata inconsistencies. Generates a risk score (0-100) per skill.
python3 {baseDir}/scripts/sentinel.py scan --workspace /path/to/workspace
Scan a Single Skill
python3 {baseDir}/scripts/sentinel.py scan openclaw-warden --workspace /path/to/workspace
Pre-Install Inspection
Scan a skill directory BEFORE copying it to your workspace. Outputs a SAFE/REVIEW/REJECT recommendation and shows exactly what binaries, network calls, and file operations the skill will perform.
python3 {baseDir}/scripts/sentinel.py inspect /path/to/skill-directory
Manage Threat Database
View current threat database statistics.
python3 {baseDir}/scripts/sentinel.py threats --workspace /path/to/workspace
Import a community-shared threat list.
python3 {baseDir}/scripts/sentinel.py threats --update-from threats.json --workspace /path/to/workspace
Quick Status
Summary of installed skills, scan history, and risk score overview.
python3 {baseDir}/scripts/sentinel.py status --workspace /path/to/workspace
Workspace Auto-Detection
If --workspace is omitted, the script tries:
1. OPENCLAW_WORKSPACE environment variable
2. Current directory (if AGENTS.md exists)
3. ~/.openclaw/workspace (default)
What It Detects
| Category | Patterns | |----------|----------| | Encoded Execution | eval(base64.b64decode(...)), exec(compile(...)), eval/exec with encoded strings | | Dynamic Imports | \_\_import\_\_('os').system(...), dynamic subprocess/ctypes imports | | Shell Injection | subprocess.Popen with shell=True + string concatenation, os.system() | | Remote Code Exec | urllib/requests combined with exec/eval β download-and-run patterns | | Obfuscation | Lines >1000 chars, high-entropy strings, minified code blocks | | Install Behaviors | Post-install hooks, auto-exec in \_\_init\_\_.py, cross-skill file writes | | Hidden Files | Non-standard dotfiles and hidden directories | | Dependency Confusion | Skills shadowing popular package names, typosquatting near-matches | | Metadata Mismatch | Undeclared binaries, undeclared env vars, invocable flag inconsistencies | | Serialization | pickle.loads, marshal.loads β arbitrary code execution via deserialization | | Known-Bad Hashes | File SHA-256 matches against local threat database |
Risk Scoring
Each skill receives a score from 0-100:
| Score | Label | Meaning | |-------|-------|---------| | 0 | CLEAN | No issues detected | | 1-19 | LOW | Minor findings, likely benign | | 20-49 | MODERATE | Review recommended | | 50-74 | HIGH | Significant risk, review required | | 75-100 | CRITICAL | Serious supply chain risk |
Threat Database Format
Community-shared threat lists use this JSON format:
{
"hashes": {
"": {"name": "...", "severity": "...", "description": "..."}
},
"patterns": [
{"name": "...", "regex": "...", "severity": "..."}
]
}
Exit Codes
0 β Clean, no issues1 β Review needed2 β Threats detectedNo External Dependencies
Python standard library only. No pip install. No network calls. Everything runs locally.
Cross-Platform
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.