Agentic AIAI SecurityClawSecPrompt InjectionFile IntegritySupply Chain

ClawSec: Security Monitoring for AI Agents

4 min read

Most AI agent security discussions stop at "don't do bad things in the prompt." That's not security. That's optimism.

ClawSec is a security monitoring suite built specifically for OpenClaw-based agent systems. It treats agents like what they actually are - software running in production - and applies the monitoring controls you'd expect for any other critical system.

Here's what's under the hood.

The core problem: agents can drift

An agent's behavior is defined by its configuration files — the instructions, identity, and constraints that tell it what to do and how to do it. These files can change. Through a bug, a careless edit, or a successful prompt injection that manages to write to disk.

The dangerous part isn't the dramatic change. It's the subtle one. A small modification to an agent's instructions that shifts its behavior in ways you won't notice until something has already gone wrong.

ClawSec addresses this with checksum verification across all skill artifacts. Every time a component runs, checksums are compared against a known-good baseline. Any deviation is flagged immediately — not discovered during the next incident review.

soul-guardian: file integrity for agent identity

The most sensitive files in an OpenClaw agent are SOUL.md and IDENTITY.md. These define who the agent is and how it behaves. ClawSec's soul-guardian component monitors these specifically, treating any unauthorized modification as an incident.

When drift is detected, it doesn't just alert — it automatically restores the original file from the verified baseline. The agent continues running with its correct configuration, and you get a notification that something tried to change it.

This is standard file integrity monitoring applied to a surface most people haven't thought to monitor yet.

The audit watchdog

The openclaw-audit-watchdog runs daily security audits across the agent system. It checks for:

  • Prompt injection markers in agent inputs and memory
  • Unexpected changes in agent skill files
  • Dependency integrity against known baselines
  • Behavioral anomalies in agent outputs

Results get compiled into a report and delivered via email. Not a dashboard you have to remember to check - a daily summary that lands in your inbox whether you asked for it or not.

This is the difference between reactive and proactive monitoring. By the time you notice something is wrong without this, the agent has usually been doing the wrong thing for a while.

clawsec-feed: live threat intelligence

The security advisory feed polls the NVD (National Vulnerability Database) continuously and surfaces relevant CVEs directly into the agent environment. New vulnerability affecting a dependency your agents use? You find out automatically, not when you happen to check.

For a system running 24/7 with no human in the loop, this matters. Patching cycles that depend on someone manually checking for updates are patching cycles that fall behind. Automated advisory feeds close that gap.

Supply chain verification

Third-party plugins, community skill packages, and external integrations all represent supply chain risk. ClawSec runs checksum verification on all installed skill artifacts — not just the ones you wrote yourself.

This catches the scenario where a package you trust gets modified upstream, or where a community skill contains something unexpected. Same category of attack as npm package poisoning, applied to agent skill ecosystems. The mitigation is the same: verify what you're actually running, not just what you think you installed.

nanoclaw support

ClawSec also ships a container-safe variant for WhatsApp bot agents running on NanoClaw. Same core capabilities — drift detection, integrity verification, advisory feeds — packaged for a different runtime environment.

Worth saying clearly

ClawSec isn't a replacement for designing agents securely in the first place. Isolation, scoped credentials, treating external content as untrusted — those fundamentals still matter and ClawSec doesn't substitute for them.

What it does is add the monitoring layer that tells you when something slips through anyway. Defense in depth isn't a novel concept in security, but it's almost entirely absent from how people deploy AI agents right now.

Running production software without monitoring is how you find out about problems from users instead of from your own systems. ClawSec is the monitoring.


Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you're building agent infrastructure and want to think through the security architecture.