skill-guard

Runtime security monitor for active OpenClaw skills. Watches file access, network calls, and shell commands.

INSTALLATION
npx skills add https://github.com/useai-pro/openclaw-skills-security --skill skill-guard
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Expected file access:

  • Reading source code in the current project directory
  • Writing generated code to expected output paths (src/, tests/, docs/)
  • Reading config files relevant to the skill's purpose (package.json, tsconfig.json)

Network Activity

Monitor all outbound connections:

Suspicious network patterns:

  • Connections to IP addresses instead of domain names
  • Connections to non-standard ports (not 80, 443)
  • Large outbound data transfers (possible exfiltration)
  • Connections to known malicious domains or C2 servers
  • DNS queries for unusual TLDs
  • Connections right after reading sensitive files (read .env → network request = exfiltration)

Expected network activity:

  • API calls to declared endpoints (documented in SKILL.md)
  • Package registry queries (npm, pypi, crates.io)
  • Documentation fetches from official sources
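
The two lists above translate directly into a small event classifier. The following is an added example, not code from the skill-guard project: it walks a time-ordered trace of file reads and outbound connections and tags each connection with the suspicious patterns it matches, including the "read .env then connect" correlation and the slow-exfiltration case from the Rules section (many small requests to one host adding up). The event shape, the sensitive-file pattern, the "common TLD" list and the byte and time thresholds are assumptions chosen for the demonstration.

```javascript
// Added example (not part of the skill-guard project): classify outbound
// network events the way the "Network Activity" section describes.
// The event shape, the sensitive-file pattern, the "common TLD" list and
// the byte/time thresholds are assumptions chosen for the demonstration.

const STANDARD_PORTS = new Set([80, 443]);
const COMMON_TLDS = new Set(['com', 'org', 'net', 'io', 'dev', 'edu', 'gov']);
const SENSITIVE_FILE = /(^|\/)(\.env(\..*)?|id_rsa|id_ed25519|\.npmrc|credentials)$/;
const LARGE_TRANSFER_BYTES = 1024 * 1024;   // one request sending >= 1 MiB
const SLOW_EXFIL_BYTES = 512 * 1024;        // cumulative per host across many small requests
const EXFIL_WINDOW_MS = 5000;               // sensitive read followed by network within 5 s
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function isIpLiteral(host) {
  return IPV4.test(host) || host.includes(':');   // bare IPv4, or IPv6 (contains colons)
}

function tld(host) {
  const parts = host.split('.');
  return parts.length > 1 ? parts[parts.length - 1].toLowerCase() : '';
}

// events: time-ordered list of {t, type: 'fileRead', path} or
// {t, type: 'network', host, port, bytesOut}; declaredEndpoints: hosts the
// SKILL.md documents. Returns one finding per network event.
function analyseNetwork(events, declaredEndpoints = []) {
  const declared = new Set(declaredEndpoints);
  const bytesPerHost = new Map();
  const findings = [];
  let lastSensitiveRead = null;

  for (const ev of events) {
    if (ev.type === 'fileRead') {
      if (SENSITIVE_FILE.test(ev.path)) lastSensitiveRead = ev;
      continue;
    }
    if (ev.type !== 'network') continue;

    const reasons = [];
    if (!declared.has(ev.host)) {
      if (isIpLiteral(ev.host)) reasons.push('ip-literal');
      else if (!COMMON_TLDS.has(tld(ev.host))) reasons.push('unusual-tld');
      if (!STANDARD_PORTS.has(ev.port)) reasons.push('non-standard-port');
    }
    // Volume checks apply to declared endpoints too: an allowed API can still be abused.
    if (ev.bytesOut >= LARGE_TRANSFER_BYTES) reasons.push('large-transfer');
    const prev = bytesPerHost.get(ev.host) || 0;
    const total = prev + ev.bytesOut;
    bytesPerHost.set(ev.host, total);
    if (prev < SLOW_EXFIL_BYTES && total >= SLOW_EXFIL_BYTES && ev.bytesOut < LARGE_TRANSFER_BYTES) {
      reasons.push('slow-exfiltration');        // many small requests adding up (see Rules)
    }
    if (lastSensitiveRead && ev.t - lastSensitiveRead.t <= EXFIL_WINDOW_MS) {
      reasons.push(`exfiltration-after-read:${lastSensitiveRead.path}`);
    }

    findings.push({ t: ev.t, host: ev.host, port: ev.port, bytesOut: ev.bytesOut,
                    reasons, verdict: reasons.length ? 'SUSPICIOUS' : 'OK' });
  }
  return findings;
}

// Constructed sample trace (203.0.113.0/24 is a documentation range, not a real host).
const SAMPLE_EVENTS = [
  { t: 1000, type: 'network', host: 'registry.npmjs.org', port: 443, bytesOut: 800 },
  { t: 2000, type: 'fileRead', path: '/work/app/.env' },
  { t: 2500, type: 'network', host: '203.0.113.7', port: 8443, bytesOut: 1200 },
  { t: 9000, type: 'network', host: 'cdn.example.xyz', port: 443, bytesOut: 300 * 1024 },
  { t: 9500, type: 'network', host: 'cdn.example.xyz', port: 443, bytesOut: 300 * 1024 },
];
const DECLARED_ENDPOINTS = ['registry.npmjs.org'];

console.log(JSON.stringify(analyseNetwork(SAMPLE_EVENTS, DECLARED_ENDPOINTS), null, 2));
```

On the sample trace the registry call is OK, the connection to the bare IP on port 8443 half a second after the .env read collects three reasons at once, and the second 300 KiB upload to the same undeclared host trips the cumulative threshold even though neither request is large on its own. Declared endpoints skip the host checks but not the volume checks, which is deliberate.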

Shell Commands

Monitor all shell command execution:

Suspicious commands:

  • curl, wget, nc, ncat — data transfer tools
  • base64, openssl enc — encoding/encryption (possible obfuscation)
  • chmod +x, chown — permission changes
  • crontab, systemctl, launchctl — persistence mechanisms
  • ssh, scp, rsync to unknown hosts — remote access
  • rm -rf on system directories — destructive operations
  • eval, source of downloaded scripts — remote code execution
  • Any command with piped output to network tools: cat file | curl
  • Background processes: nohup, &, disown

Expected commands:

  • git status, git log, git diff — repository operations
  • npm test, pytest, go test — test runners
  • npm install, pip install — package installation (with user confirmation)
  • Build commands declared in package.json scripts

Behavior Analysis

Anomaly Detection

Flag behavior that doesn't match the skill's declared purpose:

Skill Category    | Expected Behavior               | Anomalous Behavior
Code reviewer     | Reads source files              | Reads .env, writes files
Test generator    | Reads source, writes test files | Network requests, shell access
Docs writer       | Reads source, writes docs       | Reads credential files
Security scanner  | Reads all project files         | Network requests, shell access

Permission Violation Detection

Compare actual behavior against declared permissions:

SKILL: example-skill
DECLARED PERMISSIONS: fileRead, fileWrite
ACTUAL BEHAVIOR:
  [OK] Read src/index.ts
  [OK] Write tests/index.test.ts
  [VIOLATION] Network request to api.example.com
  [VIOLATION] Shell command: curl -X POST ...

Alert Format

SKILL GUARD ALERT
=================
Skill: <name>
Severity: CRITICAL / HIGH / MEDIUM / LOW
Time: <timestamp>

VIOLATION: <description>
  Action: <what the skill did>
  Expected: <what it should do based on permissions>
  Evidence: <command, file path, or URL>

RECOMMENDATION:
  [ ] Terminate the skill immediately
  [ ] Revoke the specific permission
  [ ] Continue with monitoring
  [ ] Report to UseClawPro team

Incident Escalation

Severity | Trigger                                    | Action
CRITICAL | Credential file access + network           | Terminate immediately, rotate credentials
CRITICAL | Reverse shell pattern detected             | Terminate, check for persistence
HIGH     | Undeclared network connections             | Pause skill, ask user
HIGH     | File writes outside workspace              | Pause skill, review changes
MEDIUM   | Undeclared shell commands                  | Log and continue, alert user
LOW      | Reading unexpected but non-sensitive files | Log only
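
The Permission Violation Detection report, the Incident Escalation table and the Alert Format fit together as one pipeline: compare each observed event with the declared permissions, grade every violation with a table row, then render the worst one as an alert. The block below is an added example, not skill-guard's own code, that does exactly that over a constructed trace matching the example-skill report. Its event shape, the workspace root, the sensitive-file pattern and the two severities marked "assumed" in comments (cases the table has no row for) are assumptions; the table's reverse-shell row is not implemented.

```javascript
// Added example (not part of the skill-guard project): compare observed
// events with a skill's declared permissions, grade each violation with the
// "Incident Escalation" table, and render the "Alert Format". The event
// shape, the workspace root, the sensitive-file pattern and the two
// severities marked "assumed" below are not taken from the page.

const WORKSPACE = '/work/app';     // assumed workspace root for this run
const SENSITIVE = /(^|\/)(\.env(\..*)?|id_rsa|id_ed25519|\.npmrc|credentials)$/;
const RANK = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

function describe(ev) {
  if (ev.type === 'fileRead') return `Read ${ev.path}`;
  if (ev.type === 'fileWrite') return `Write ${ev.path}`;
  if (ev.type === 'network') return `Network request to ${ev.host}`;
  if (ev.type === 'shell') return `Shell command: ${ev.command}`;
  return `Unknown event ${JSON.stringify(ev)}`;
}

// Walks the events in order and returns the report lines plus the graded
// violations. The table's reverse-shell row is not implemented here.
function checkPermissions(skill, declared, events) {
  const allowed = new Set(declared);
  const lines = [`SKILL: ${skill}`, `DECLARED PERMISSIONS: ${declared.join(', ')}`, 'ACTUAL BEHAVIOR:'];
  const violations = [];
  let credentialRead = null;   // most recent sensitive-file read, for the CRITICAL row

  const ok = ev => lines.push(`  [OK] ${describe(ev)}`);
  const violate = (ev, severity, trigger, response, expected) => {
    violations.push({ t: ev.t, severity, trigger, response, expected,
                      action: describe(ev), evidence: ev.path || ev.host || ev.command });
    lines.push(`  [VIOLATION] ${describe(ev)}`);
  };

  for (const ev of events) {
    if (ev.type === 'fileRead') {
      const sensitive = SENSITIVE.test(ev.path);
      if (sensitive) {
        credentialRead = ev;
        lines.push(`  [NOTE] Credential file read: ${ev.path}`);   // logged even when declared
      }
      if (allowed.has('fileRead')) ok(ev);
      else if (sensitive) violate(ev, 'HIGH', 'Undeclared credential file read', 'Pause skill, ask user', 'no file reads declared');   // assumed: no table row
      else violate(ev, 'LOW', 'Reading unexpected but non-sensitive files', 'Log only', 'no file reads declared');
    } else if (ev.type === 'fileWrite') {
      if (!ev.path.startsWith(WORKSPACE + '/')) violate(ev, 'HIGH', 'File writes outside workspace', 'Pause skill, review changes', `writes confined to ${WORKSPACE}`);
      else if (allowed.has('fileWrite')) ok(ev);
      else violate(ev, 'MEDIUM', 'Undeclared file writes', 'Log and continue, alert user', 'no file writes declared');   // assumed: no table row
    } else if (ev.type === 'network') {
      if (allowed.has('network')) ok(ev);
      else if (credentialRead) violate(ev, 'CRITICAL', 'Credential file access + network', 'Terminate immediately, rotate credentials', `no network access declared (read ${credentialRead.path} first)`);
      else violate(ev, 'HIGH', 'Undeclared network connections', 'Pause skill, ask user', 'no network access declared');
    } else if (ev.type === 'shell') {
      if (allowed.has('shell')) ok(ev);
      else violate(ev, 'MEDIUM', 'Undeclared shell commands', 'Log and continue, alert user', 'no shell access declared');
    }
  }
  return { lines, violations };
}

// Renders the highest-severity violation in the alert format; null if none.
function renderAlert(skill, violations) {
  if (violations.length === 0) return null;
  const top = violations.reduce((a, b) => (RANK[b.severity] > RANK[a.severity] ? b : a));
  return [
    'SKILL GUARD ALERT',
    '=================',
    `Skill: ${skill}`,
    `Severity: ${top.severity}`,
    `Time: ${new Date(top.t).toISOString()}`,
    `VIOLATION: ${top.trigger}`,
    `  Action: ${top.action}`,
    `  Expected: ${top.expected}`,
    `  Evidence: ${top.evidence}`,
    'RECOMMENDATION:',
    `  [x] ${top.response}`,
  ].join('\n');
}

// Constructed sample run mirroring the example-skill report (api.example.com is a documentation name).
const SAMPLE = {
  skill: 'example-skill',
  declared: ['fileRead', 'fileWrite'],
  events: [
    { t: 1700000000000, type: 'fileRead', path: '/work/app/src/index.ts' },
    { t: 1700000001000, type: 'fileWrite', path: '/work/app/tests/index.test.ts' },
    { t: 1700000002000, type: 'fileRead', path: '/work/app/.env' },
    { t: 1700000003000, type: 'network', host: 'api.example.com' },
    { t: 1700000004000, type: 'shell', command: 'curl -X POST https://api.example.com/upload' },
    { t: 1700000005000, type: 'fileWrite', path: '/tmp/skill-output.txt' },
  ],
};

const report = checkPermissions(SAMPLE.skill, SAMPLE.declared, SAMPLE.events);
console.log(report.lines.join('\n'));
console.log(renderAlert(SAMPLE.skill, report.violations));
```

The .env read is itself permitted (fileRead is declared), so it produces an [OK] line and a [NOTE]; it is the network request that follows which turns into the CRITICAL "Credential file access + network" row, and that row wins the alert over the MEDIUM shell command and the HIGH write outside the workspace. The same comparison applies unchanged if the expected set comes from the skill-category table rather than from declared permissions.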

Rules

  • Always run in read-only mode — the guard itself must never modify files or make network requests
  • Log all observations, not just violations
  • When in doubt, flag as suspicious — false positives are better than missed threats
  • Compare behavior against the SKILL.md description, not just declared permissions
  • Watch for slow exfiltration — small amounts of data sent over many requests