Releases: prompt-security/clawsec

picoclaw-self-pen-testing 0.0.1

26 Apr 11:22
0d2e38d

Added

  • Initial extraction from picoclaw-security-guardian to isolate self-pen-testing checks as a standalone Picoclaw skill.
  • Local read-only finding engine (lib/self_pen_test.mjs).
  • CLI runner (scripts/self_pen_test.mjs) and unit test (test/self_pen_test.test.mjs).

Quick Install

Via clawhub (recommended):

npx clawhub@latest install picoclaw-self-pen-testing

If you already have clawsec-suite installed:
Ask your agent to pull picoclaw-self-pen-testing from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-self-pen-testing-v0.0.1/picoclaw-self-pen-testing-v0.0.1.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-self-pen-testing-v0.0.1/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-self-pen-testing-v0.0.1/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-self-pen-testing-v0.0.1/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  picoclaw-self-pen-testing-v0.0.1.zip" | sha256sum -c

# 4. Extract (creates picoclaw-self-pen-testing/ directory)
unzip picoclaw-self-pen-testing-v0.0.1.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-self-pen-testing-v0.0.1/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-self-pen-testing-v0.0.1/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-self-pen-testing-v0.0.1/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

picoclaw-security-guardian 0.0.1

26 Apr 11:22
0d2e38d

Added

  • Initial Picoclaw-specific ClawSec skill package for advisory awareness, deterministic profile generation, drift detection, and supply-chain verification.
  • Picoclaw-native Docker pre-release install regression harness using find_skills / install_skill and skill-loader validation.

Changed

  • Split optional posture-review checks into separate picoclaw-self-pen-testing package so this package remains the core public guardian lane.
  • Updated metadata/docs/regression expectations to keep this package focused on advisory, drift, and supply-chain checks.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install picoclaw-security-guardian

If you already have clawsec-suite installed:
Ask your agent to pull picoclaw-security-guardian from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-security-guardian-v0.0.1/picoclaw-security-guardian-v0.0.1.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-security-guardian-v0.0.1/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-security-guardian-v0.0.1/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-security-guardian-v0.0.1/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  picoclaw-security-guardian-v0.0.1.zip" | sha256sum -c

# 4. Extract (creates picoclaw-security-guardian/ directory)
unzip picoclaw-security-guardian-v0.0.1.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-security-guardian-v0.0.1/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-security-guardian-v0.0.1/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/picoclaw-security-guardian-v0.0.1/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

hermes-attestation-guardian 0.1.0

21 Apr 10:59
26af277

  • Added mandatory release verification gate guidance before install: checksums.json, checksums.sig, and pinned signing public-key fingerprint.
  • Added explicit Hermes guard trust-policy note for signature-aware trust (trusted signer fingerprint allowlist) over source-name-only trust.
  • Moved sandbox regression harness into the skill test surface (test/hermes_attestation_sandbox_regression.sh) and fixed in-skill default path resolution.
  • Tightened advisory feed verification to require checksum-manifest artifacts when checksum-manifest verification is enabled (fail-closed when missing).
  • Added feed regression coverage for missing local/remote checksum-manifest artifacts under strict verification mode.
  • Refactored cron setup scripts to share managed-block helpers from lib/cron.mjs, reducing drift risk.
  • Added explicit .mjs scan/test coverage guidance so Hermes-side scanner scope and regression harness context stay aligned with scripts/*.mjs, lib/*.mjs, and test/*.test.mjs.
  • Clarified fresh-node first-run edge-case documentation.
  • Clarified Hermes runtime metadata/frontmatter and README capability coverage for ClawHub publishing.
  • Removed compatibility-report wiki page references in favor of README capability matrix as the primary compatibility surface.
  • Updated skill metadata/docs to v0.1.0 and aligned README quickstart with fail-closed verification expectations.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install hermes-attestation-guardian

If you already have clawsec-suite installed:
Ask your agent to pull hermes-attestation-guardian from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0/hermes-attestation-guardian-v0.1.0.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  hermes-attestation-guardian-v0.1.0.zip" | sha256sum -c

# 4. Extract (creates hermes-attestation-guardian/ directory)
unzip hermes-attestation-guardian-v0.1.0.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json
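
Added example, not ClawSec's own code: a fail-closed gate that combines the three checks named in this release's notes (checksums.json, checksums.sig, and a pinned signing-key fingerprint) with the archive hash read from `.archive.sha256`. The function names, the fingerprint format (SHA-256 over the DER-encoded SPKI key) and the in-process key pair and archive are assumptions constructed for the demonstration.

```javascript
// Added example (not ClawSec code). Order of checks:
// pinned key fingerprint -> Ed25519 signature over checksums.json -> archive SHA-256.
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } =
  require("node:crypto");

const sha256Hex = (buf) => createHash("sha256").update(buf).digest("hex");

// Assumption: a fingerprint is SHA-256 over the DER-encoded SPKI public key.
function keyFingerprint(publicKeyPem) {
  const der = createPublicKey(publicKeyPem).export({ type: "spki", format: "der" });
  return sha256Hex(der);
}

// Returns { ok, reason }. Anything missing, malformed or mismatching is a refusal.
function verifyRelease({ manifest, signatureB64, publicKeyPem, pinnedFingerprint, archive }) {
  if (!manifest || !signatureB64 || !publicKeyPem || !pinnedFingerprint || !archive) {
    return { ok: false, reason: "missing-artifact" };
  }
  let key;
  try {
    key = createPublicKey(publicKeyPem);
  } catch {
    return { ok: false, reason: "bad-public-key" };
  }
  if (key.asymmetricKeyType !== "ed25519") {
    return { ok: false, reason: "unexpected-key-type" };
  }
  // 1. signing-public.pem is downloaded next to the archive, so it only counts
  //    if it matches a fingerprint obtained out of band.
  if (keyFingerprint(publicKeyPem) !== pinnedFingerprint.toLowerCase()) {
    return { ok: false, reason: "untrusted-signer" };
  }
  // 2. Signature over the exact manifest bytes, checked before any parsing.
  let signatureOk = false;
  try {
    signatureOk = verify(null, manifest, key, Buffer.from(signatureB64.trim(), "base64"));
  } catch {
    signatureOk = false;
  }
  if (!signatureOk) return { ok: false, reason: "bad-signature" };
  // 3. Only a manifest that passed step 2 is trusted as the source of the hash.
  let expected;
  try {
    expected = JSON.parse(manifest.toString("utf8"))?.archive?.sha256;
  } catch {
    return { ok: false, reason: "malformed-manifest" };
  }
  if (typeof expected !== "string" || !/^[0-9a-f]{64}$/i.test(expected)) {
    return { ok: false, reason: "malformed-manifest" };
  }
  if (sha256Hex(archive) !== expected.toLowerCase()) {
    return { ok: false, reason: "archive-hash-mismatch" };
  }
  return { ok: true, reason: "verified" };
}

// Constructed sample release: throwaway key pair, stand-in archive bytes.
function buildConstructedRelease(label) {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const archive = Buffer.from(`constructed stand-in for ${label}.zip`);
  const manifest = Buffer.from(JSON.stringify({ archive: { sha256: sha256Hex(archive) } }));
  const publicKeyPem = publicKey.export({ type: "spki", format: "pem" });
  return {
    manifest,
    archive,
    publicKeyPem,
    signatureB64: sign(null, manifest, privateKey).toString("base64"),
    pinnedFingerprint: keyFingerprint(publicKeyPem),
  };
}

function demo() {
  const genuine = buildConstructedRelease("genuine");
  // Internally consistent release signed by a key that is not the pinned one.
  const otherSigner = buildConstructedRelease("other-signer");
  return {
    genuine: verifyRelease(genuine).reason,
    swappedKey: verifyRelease({
      ...otherSigner,
      pinnedFingerprint: genuine.pinnedFingerprint,
    }).reason,
    tamperedManifest: verifyRelease({
      ...genuine,
      manifest: Buffer.concat([genuine.manifest, Buffer.from(" ")]),
    }).reason,
    tamperedArchive: verifyRelease({ ...genuine, archive: Buffer.from("modified") }).reason,
    missingSignature: verifyRelease({ ...genuine, signatureB64: undefined }).reason,
  };
}

console.log(demo());
```

The `swappedKey` case is the one the signature and checksum steps alone cannot catch, because the replacement key, signature and manifest all agree with each other.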

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

openclaw-audit-watchdog 0.1.4

17 Apr 07:09
d0fe8c5

Changed

  • Re-released metadata and docs updates under a new version after detecting that 0.1.3 was already present in ClawHub with older artifact content.
  • No runtime behavior changes to audit execution, cron setup, or report delivery logic.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install openclaw-audit-watchdog

If you already have clawsec-suite installed:
Ask your agent to pull openclaw-audit-watchdog from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.4/openclaw-audit-watchdog-v0.1.4.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.4/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.4/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.4/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  openclaw-audit-watchdog-v0.1.4.zip" | sha256sum -c

# 4. Extract (creates openclaw-audit-watchdog/ directory)
unzip openclaw-audit-watchdog-v0.1.4.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.4/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.4/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/openclaw-audit-watchdog-v0.1.4/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawtributor 0.0.5

17 Apr 00:06
4d3fe1b

Changed

  • Replaced release-artifact bootstrap instructions in SKILL.md with registry-based installation guidance.
  • Switched submission instructions to manual browser-form workflow after explicit approval (no scripted CLI submission flow).
  • Reduced declared runtime requirements to openclaw for the packaged skill guidance.

Security

  • Removed automatic remote-install and automated issue-submission guidance patterns that were being classified as suspicious.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawtributor

If you already have clawsec-suite installed:
Ask your agent to pull clawtributor from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.5/clawtributor-v0.0.5.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.5/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.5/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.5/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawtributor-v0.0.5.zip" | sha256sum -c

# 4. Extract (creates clawtributor/ directory)
unzip clawtributor-v0.0.5.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.5/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.5/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawtributor-v0.0.5/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawsec-clawhub-checker 0.0.3

17 Apr 00:03
f0f33b8

Changed

  • Converted setup flow to non-mutating preflight validation; the skill no longer rewrites or copies files into installed clawsec-suite directories.
  • Updated reputation collection to rely on clawhub inspect --json security metadata instead of probing clawhub install output.
  • Updated documentation and metadata to describe standalone wrapper usage for guarded install checks.
  • Added explicit documentation for optional manual advisory-hook wiring when operators want reputationWarning fields in advisory alert rendering.

Security

  • Removed in-place cross-skill source mutation behavior from setup.
  • Removed install-output scraping behavior used only to infer VirusTotal status.
  • Reputation scoring now fails closed when scanner metadata is missing, and hook-level reputation subprocess execution failures are treated as unsafe results.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-clawhub-checker

If you already have clawsec-suite installed:
Ask your agent to pull clawsec-clawhub-checker from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.3/clawsec-clawhub-checker-v0.0.3.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.3/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.3/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.3/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-clawhub-checker-v0.0.3.zip" | sha256sum -c

# 4. Extract (creates clawsec-clawhub-checker/ directory)
unzip clawsec-clawhub-checker-v0.0.3.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.3/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.3/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-clawhub-checker-v0.0.3/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawsec-suite 0.1.7

16 Apr 23:45
e47d1e2

Changed

  • Added .clawhubignore coverage for test/ so publish payloads stay focused on runtime assets.
  • Refactored setup/install scripts to use aliased child-process calls while preserving behavior.
  • Split local file reads into scripts/local_file_io.mjs and hooks/clawsec-advisory-guardian/lib/local_file_io.mjs so network-facing files keep I/O concerns isolated.

Security

  • Removed static moderation false positives related to mixed file-read/network and child-process token patterns in publish-scoped runtime files.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-suite

If you already have clawsec-suite installed:
Ask your agent to pull clawsec-suite from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.7/clawsec-suite-v0.1.7.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.7/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.7/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.7/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-suite-v0.1.7.zip" | sha256sum -c

# 4. Extract (creates clawsec-suite/ directory)
unzip clawsec-suite-v0.1.7.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.7/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.7/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-suite-v0.1.7/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawsec-nanoclaw 0.0.4

16 Apr 23:50
9e79645

Changed

  • Moved signature-related local file reads into lib/local_file_io.ts and kept network fetch logic isolated in lib/signatures.ts.

Security

  • Reduced static false-positive exfiltration signals by separating local file I/O and remote fetch code paths.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-nanoclaw

If you already have clawsec-suite installed:
Ask your agent to pull clawsec-nanoclaw from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.4/clawsec-nanoclaw-v0.0.4.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.4/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.4/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.4/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-nanoclaw-v0.0.4.zip" | sha256sum -c

# 4. Extract (creates clawsec-nanoclaw/ directory)
unzip clawsec-nanoclaw-v0.0.4.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.4/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.4/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-nanoclaw-v0.0.4/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

soul-guardian 0.0.5

14 Apr 13:08
caad6f6

Added

  • Regression coverage for launchd label migration so the installer documents and cleans up the previous Clawdbot-era label before starting the new default label.

Changed

  • scripts/install_launchd_plist.py now documents the legacy launchd label/plist in dry-run output and attempts a best-effort disable/bootout of com.clawdbot.soul-guardian.<agentId> before installing com.openclaw.soul-guardian.<agentId>.
  • The --label help now explains that non-legacy labels trigger legacy-job cleanup, while explicitly selecting the legacy label skips that migration path.

Security

  • Reduced the chance of duplicate launchd jobs or split monitoring state by making the old-label cleanup path explicit and warning the operator when manual launchd cleanup is still required.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install soul-guardian

If you already have clawsec-suite installed:
Ask your agent to pull soul-guardian from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.5/soul-guardian-v0.0.5.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.5/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.5/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.5/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  soul-guardian-v0.0.5.zip" | sha256sum -c

# 4. Extract (creates soul-guardian/ directory)
unzip soul-guardian-v0.0.5.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.5/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.5/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/soul-guardian-v0.0.5/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline

clawsec-feed 0.0.6

14 Apr 13:08
caad6f6

Added

  • Operational notes in the skill docs that distinguish standalone feed installation from clawsec-suite automation responsibilities.
  • Metadata describing required standalone install tooling and operator review expectations.

Changed

  • Clarified that the standalone feed package does not itself create persistence, hooks, or cron jobs.
  • Declared checksum/extraction tooling used by the documented install flow (bash, shasum, unzip) in skill metadata.
  • Normalized product naming in the skill docs to use OpenClaw terminology.

Security

  • Made release-provenance and checksum verification expectations explicit for standalone installations on production hosts.

Quick Install

Via clawhub (recommended):

npx clawhub@latest install clawsec-feed

If you already have clawsec-suite installed:
Ask your agent to pull clawsec-feed from the ClawSec catalog and it will handle setup and verification automatically.

Manual download with verification:

# 1. Download the release archive, checksums, and signing material
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.6/clawsec-feed-v0.0.6.zip
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.6/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.6/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.6/signing-public.pem

# 2. Verify the checksums manifest signature (Ed25519)
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

# 3. Verify archive checksum from the signed manifest
echo "$(jq -r '.archive.sha256' checksums.json)  clawsec-feed-v0.0.6.zip" | sha256sum -c

# 4. Extract (creates clawsec-feed/ directory)
unzip clawsec-feed-v0.0.6.zip

Verification

checksums.json is cryptographically signed (checksums.sig) using the ClawSec CI signing key.
Verify the signature first, then trust hashes from checksums.json:

curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.6/checksums.json
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.6/checksums.sig
curl -sLO https://github.com/prompt-security/clawsec/releases/download/clawsec-feed-v0.0.6/signing-public.pem
openssl base64 -d -A -in checksums.sig -out checksums.sig.bin
openssl pkeyutl -verify -rawin -pubin -inkey signing-public.pem -sigfile checksums.sig.bin -in checksums.json

Files

See checksums.json for the complete file manifest with SHA256 hashes.
The zip archive preserves the full directory structure of the skill.


Released by ClawSec skill distribution pipeline