npow/clawbreaker

CLAW-BREAKER

Docs

CLAW-BREAKER exists for one outcome:

Give you a clear trust decision before a third-party OpenClaw skill can touch your real environment.

Most malicious skills look normal during code review. The risk shows up only when they run. CLAW-BREAKER runs skills in a sandbox first, triggers risky behavior with adversarial prompts, and returns evidence you can act on.

Why It Matters

Without runtime validation, you are guessing.

  • A bad skill can exfiltrate data or abuse tools after installation.
  • A static read can miss hidden trigger conditions.
  • A false sense of safety is worse than a visible warning.

CLAW-BREAKER reduces that uncertainty before deployment.

What You Decide

When evaluating a new skill, you need to answer three questions fast:

  1. Will this skill try to do things it should not?
  2. Can I reproduce that behavior, or is this a false alarm?
  3. Should I block, review, or allow this skill?

CLAW-BREAKER is designed to answer those questions with observed behavior, not assumptions.

Value You Get

For each scan, CLAW-BREAKER gives you:

  • A go/no-go trust signal (allow, review, or block)
  • Sandbox evidence showing what the skill actually did
  • Reproducible traces (prompt paths, outputs, violations)
  • Faster reviews with less manual triage

How It Works (Decision Flow)

  1. Submit a skill source (GitHub or local path).
  2. CLAW-BREAKER stages and runs the skill in an isolated sandbox.
  3. It drives the skill with adversarial prompts to trigger hidden behavior.
  4. Runtime monitoring captures suspicious actions.
  5. A report is generated with severity and supporting evidence.

The output is intended for one operational action: install, quarantine, or reject.

Who This Is For

  • Operators running OpenClaw agents with third-party skills
  • Teams curating internal skill allowlists
  • Security reviewers who need runtime evidence before approval

Non-Goals

CLAW-BREAKER is not trying to be:

  • A generic SAST platform
  • A full SOC/SIEM replacement
  • A guarantee that no future exploit is possible

It is a pre-installation behavioral gate for skill trust decisions.

API

Start a scan

POST /api/v1/scan

{
  "skill_source": {
    "type": "github",
    "url": "https://github.com/openclaw/openclaw/tree/main/skills/weather"
  }
}

Get the report

GET /api/v1/report/{execution_id}
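A small client for the two endpoints above, added here as an example and not part of the project's own code. The endpoint paths and the scan request body come from this README; the response fields (`execution_id`, `status`, `sandboxed`, `verdict`) are assumptions, and the decision step fails closed so that a scan which did not actually run in a sandbox is never turned into an install.

```python
import json
import time
import urllib.request

BASE_URL = "http://localhost:8000"  # matches the uvicorn port in Local Run

# Map the README's trust signal to the single operational action it calls for.
ACTIONS = {"allow": "install", "review": "quarantine", "block": "reject"}


def http_json(method, url, body=None):
    """Minimal JSON-over-HTTP transport (stdlib only); swappable for tests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def start_scan(skill_url, transport=http_json, base=BASE_URL):
    """POST /api/v1/scan with the request body shown in the README."""
    payload = {"skill_source": {"type": "github", "url": skill_url}}
    resp = transport("POST", f"{base}/api/v1/scan", payload)
    return resp["execution_id"]  # assumed response field


def wait_for_report(execution_id, transport=http_json, base=BASE_URL,
                    attempts=60, delay=2.0):
    """Poll GET /api/v1/report/{execution_id} until the scan finishes."""
    for _ in range(attempts):
        report = transport("GET", f"{base}/api/v1/report/{execution_id}")
        if report.get("status") == "completed":  # assumed status field
            return report
        time.sleep(delay)
    raise TimeoutError(f"scan {execution_id} did not complete")


def decide(report):
    """Turn a finished report into install / quarantine / reject, failing closed."""
    # Per the Security Stance: a scan that did not run in a sandbox is
    # non-authoritative, so it never yields an install, whatever the verdict.
    if not report.get("sandboxed", False):  # assumed report field
        return "quarantine"
    # Unknown or missing verdicts also land in human review, never install.
    return ACTIONS.get(report.get("verdict"), "quarantine")


def gate_skill(skill_url, transport=http_json, **poll):
    """End-to-end: submit the skill, wait for the report, decide. Returns (action, report)."""
    execution_id = start_scan(skill_url, transport)
    report = wait_for_report(execution_id, transport, **poll)
    return decide(report), report
```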

Local Run

Prerequisites:

  • Python 3.11+
  • Docker

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt -r requirements-dev.txt
uvicorn src.main:app --host 0.0.0.0 --port 8000 --reload

Tests:

pytest -q

Security Stance

  • Execute skills in sandbox, not on host.
  • Keep runtime environment minimal and non-sensitive.
  • Treat reports as decision support for trust gating.

If sandboxing is unavailable, scans should be treated as non-authoritative.

About

Dynamic adversarial scanner that executes OpenClaw skills in a sandbox before install.