🛡️ Claw Sentinel — Runtime Security Layer for OpenClaw
Why This Exists
ClawDefender, ClawSec, Skill Defender — all check skills before you install them.
Nobody checks what happens AFTER installation, at runtime.
Your agent reads emails, parses API responses, fetches web pages — any of these can carry hidden prompt injection. Claw Sentinel sits between external data and your agent, scanning everything in real-time.
What makes it different from ClawDefender?
| Feature | ClawDefender | Claw Sentinel |
|---|---|---|
| Pre-install skill scanning | ✅ | ❌ (use ClawDefender for that) |
| Automatic input interception | ❌ | ✅ |
| Output monitoring (secret leak) | ❌ | ✅ |
| Multi-language injection detection | ❌ | ✅ (EN/RU/ZH/ES/AR/KO/JA) |
| Unicode/encoding normalization | ❌ | ✅ |
| Canary token leak detection | ❌ | ✅ |
| Crypto wallet/key specific patterns | ❌ | ✅ |
| Severity scoring | ✅ | ✅ |
Quick Start
cp skills/claw-sentinel/scripts/*.sh scripts/
cp skills/claw-sentinel/patterns/*.json patterns/
chmod +x scripts/sentinel-*.sh
# Test
echo "sample_input.txt" | scripts/sentinel-input.sh
# 🔴 CRITICAL [prompt_injection + data_exfil]: 2 threats detected
Architecture
External Data ──▶ sentinel-input.sh ──▶ Clean data ──▶ Agent
│
▼ (threat found)
sentinel-log.sh ──▶ ~/.sentinel/threats.jsonl
Agent output ──▶ sentinel-output.sh ──▶ Safe response ──▶ User
Usage
Input Guard
curl -s "https://api.example.com/data" | scripts/sentinel-input.sh
cat email_body.txt | scripts/sentinel-input.sh --clean # strip threats, pass safe content
echo "text" | scripts/sentinel-input.sh --json # JSON output for automation
echo "text" | scripts/sentinel-input.sh --strict # block on WARNING and above
Output Sentinel
echo "$AGENT_RESPONSE" | scripts/sentinel-output.sh
# Detects: API keys, private keys, seed phrases, JWT tokens, DB connection strings
Canary Token — Detect agent identity leaks
scripts/sentinel-canary.sh --generate
# Add to SOUL.md: <!-- SENTINEL-CANARY:a7f3b2c1 -->
echo "$AGENT_RESPONSE" | scripts/sentinel-canary.sh --check a7f3b2c1
# 🔴 CRITICAL [canary_leak]: Agent identity leak detected!
Full Pipeline Integration
# In AGENTS.md — add these rules:
# All external content MUST be piped through: sentinel-input.sh --clean
# All outgoing responses MUST be checked with: sentinel-output.sh
What Gets Detected
Prompt Injection — 7 languages (EN/RU/ZH/ES/AR/KO/JA)
- Replacement attempt patterns (multi-language)
- Persona-switch and bypass patterns
- Indirect routing attack patterns
- Obfuscated: leet speak, spaced letters, unicode confusables
Data Exfiltration
- Suspicious endpoints: webhook.site, requestbin, ngrok
- Cloud metadata: 169.254.169.254
- Encoded URLs, hidden curl/fetch commands
Secret Leakage (output)
- API keys: OpenAI, Anthropic, AWS, GCP, Azure, Stripe, Bybit, Binance, OKX
- Crypto: private keys, BIP-39 seed phrases (12/24 words)
- SSH keys, JWT tokens, database URIs
Encoding-Aware
- Base64 decode → scan
- URL decode, HTML entity decode
- Zero-width chars stripped
- Leet speak normalized
Configuration
# ~/.sentinel/config.sh
SENTINEL_THRESHOLD="HIGH" # CRITICAL | HIGH | WARNING
SENTINEL_LANGUAGES="en,ru,zh,es,ar,ko,ja"
SENTINEL_CRYPTO_PATTERNS=true
SENTINEL_LOG="$HOME/.sentinel/threats.jsonl"
Audit Log
scripts/sentinel-log.sh --last 20
scripts/sentinel-log.sh --severity CRITICAL
scripts/sentinel-log.sh --today
Integration
Works alongside, not instead of:
- ClawDefender → pre-install scanning
- ClawSec → supply chain integrity
- Claw Sentinel → runtime protection
FAQ
Q: Performance impact? A: <50ms per scan. Pure bash + grep, zero dependencies, works offline.
Q: Catches everything? A: No — defense in depth. Catches ~95% of common runtime attacks.
Author & Support
- 🐙 github.com/Oleglegegg
- 💬 Telegram: @oleglegegg
- 🪙 Tip (USDT TRC-20):
TMkk6SHacogyEtSepLPzh8qU12iPTsG8Y3
⭐ If Claw Sentinel saved your agent — a star on ClawHub means a lot.