👁️ Anomaly Watcher
v1.0.0Continuous behavioral monitoring for OpenClaw agents. Detect anomalies in command patterns, resource usage, and skill invocations against established baselines.
0· 60·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's code and instructions broadly match its stated monitoring purpose, but it instructs extensive logging (including user prompts and token/interaction metrics), claims notification behavior and 'no network access' that aren't consistently implemented, and could collect sensitive data into local files without safeguards.
评估建议
This skill generally does what its name claims, but it will persist detailed telemetry (including user prompts and token/interaction metrics) into .security/ files. Before installing: 1) Decide whether you are comfortable with local disk logging of prompts and interaction metrics; these can contain secrets. 2) If you proceed, ensure the .security directory has strict filesystem permissions and is excluded from backups/remote telemetry. 3) Require prompt/PII redaction in whatever supplies recordM...详细分析 ▾
ℹ 用途与能力
Name/description align with the code and SKILL.md: the skill collects metrics, computes baselines, and flags anomalies. However, SKILL.md promises hook integration (PostToolUse, UserPromptSubmit, PostSkillExecution) and 'no network access' while also saying it will 'notify human via preferred channel' — a functional mismatch. The set of metrics (including user prompts, tokens, memory writes) is plausible for an anomaly monitor but is broader and more privacy-sensitive than a minimal monitor.
⚠ 指令范围
Instructions and code write detailed telemetry to .security/* (metrics.jsonl, anomalies.jsonl, false-positives.jsonl). SKILL.md explicitly lists logging UserPromptSubmit (user input patterns) and token consumption — which can contain sensitive secrets. The code exposes a generic recordMetric API that will store arbitrary 'details' provided by callers, so integration could cause sensitive prompt contents or credentials to be persisted. SKILL.md also claims guardrails (read-only, baseline reset requires human approval) and notification behavior that the provided code does not fully enforce or implement.
✓ 安装机制
No install spec and no external downloads; the skill is delivered as code files only and relies on standard Node fs/path. This is lower risk than remote installers. No unusual binaries or install actions are present.
ℹ 凭证需求
The skill requests no environment variables or credentials (good). However, it is designed to record metrics such as 'token consumption' and 'user prompts' that could reveal secrets; the lack of explicit redaction or exclusion rules means the absence of env/credential requests does not eliminate the risk of sensitive data being captured via events.
✓ 持久化与权限
always is false and the skill does not request system-wide configuration or other skills' secrets. It writes files only under targetDir/.security, which is confined but persistent on disk. The skill does not appear to modify other skills or global agent settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/4
Initial release of anomaly-watcher: Always-on behavioral monitoring for OpenClaw agents. - Establishes rolling behavioral baselines for key agent metrics (commands, files, network, skills, etc.). - Detects and classifies anomalies using statistical deviation from a 7-day average. - Alerts are logged and escalated based on severity (NORMAL, ELEVATED, ANOMALOUS, CRITICAL). - Monitors for known attack signatures (recon, exfiltration, supply chain, persistence). - Strictly read-only: never modifies agent behavior or requires network access.
● Pending
安装命令 点击复制
官方npx clawhub@latest install anomaly-watcher
镜像加速npx clawhub@latest install anomaly-watcher --registry https://cn.clawhub-mirror.com
技能文档
Purpose
Establish a behavioral baseline for the agent and continuously monitor for deviations that may indicate compromise, misconfiguration, or abuse.
Integration
Always-on monitoring via hooks:
PostToolUse— log every tool invocationUserPromptSubmit— log input patternsPostSkillExecution— log skill results
Monitored Metrics
| Metric | Baseline Unit | Alert Threshold |
|---|---|---|
| Command exec frequency | per hour | >2σ from 7-day avg |
| File access patterns | unique paths/hour | >2σ |
| Network request volume | requests/hour | >2σ |
| Skill invocation frequency | per skill per hour | >2σ |
| Token consumption rate | tokens/hour | >2σ |
| Error rate | errors/hour | >2σ |
| Memory write patterns | writes/hour | >2σ |
| Cross-session messages | messages/hour | >2σ |
| New file creation rate | files/hour | >2σ |
| Unique external domains | domains/hour | >2σ |
Anomaly Detection Algorithm
- Collect — append each action to
.security/baseline/metrics.jsonl - Baseline — rolling 7-day average and standard deviation per metric
- Compare — current window (1 hour) vs baseline
- Classify:
NORMAL — within 1σ
- ELEVATED — between 1σ and 2σ
- ANOMALOUS — between 2σ and 3σ
- CRITICAL — above 3σ or matches known attack signature
- Alert — based on classification
Alert Actions
| Classification | Action |
|---|---|
| NORMAL | No action |
| ELEVATED | Log to anomaly.jsonl |
| ANOMALOUS | Log + notify human via preferred channel |
| CRITICAL | Log + notify + recommend pause (human decides) |
Known Attack Signatures
- Sudden spike in file reads across many directories → possible reconnaissance
- Outbound to new external domain + high data volume → possible exfiltration
- Rapid skill installs from ClawHub → possible supply chain attack
- Memory writes with encoded content → possible persistence attempt
Guardrails
- Monitoring is strictly read-only — never modifies agent behavior
- Baseline calibration requires minimum 48 hours of data
- False positives are tracked in
.security/false-positives.jsonl - Baseline resets require human approval
- The watcher itself has no network access (local analysis only)
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制