Understanding the Crusty Security Skill in OpenClaw: How It Protects Agents from Threats

Understanding the Crusty Security Skill in OpenClaw

The Crusty Security skill is a dedicated security and threat scanning module
for OpenClaw agents. It is designed to protect both the host machine and the
agent itself from a wide range of threats including malware, compromised
skills, data exfiltration, prompt injection payloads, and host‑level
compromise. By combining traditional antivirus scanning with AI‑agent‑specific
static analysis, Crusty Security offers a layered defence that works locally
or can push results to a cloud dashboard when an API key is provided.

Core Components of the Skill

The skill consists of several Bash and Python scripts that perform distinct
security functions. The main scripts are:

• install_clamav.sh – installs the ClamAV antivirus engine if it is missing.
• scan_file.sh – scans individual files or directories for known malware signatures.
• audit_skill.sh – examines the contents of a skill for suspicious patterns that could indicate malicious intent.
• host_audit.sh – checks the underlying operating system for signs of compromise such as rogue cron jobs, open ports, or altered system files.
• monitor_agent.sh – watches key agent configuration and memory files for unexpected changes.
• generate_report.sh – creates a human‑readable summary of recent security events.
• dashboard.sh – sends heartbeat and scan data to the Crusty Security dashboard when CRUSTY_API_KEY is set.
• clawhub_sync.py – pushes skill inventory information to the dashboard for centralized visibility.

All scripts output JSON, making it easy for other OpenClaw tools or automation
pipelines to consume the results programmatically.

How File Scanning Works

When a user issues a command such as "scan this file" or "virus scan" the
skill invokes scan_file.sh. The script first checks whether the ClamAV daemon
(clamd) is running; if it is, it uses clamdscan for faster performance,
otherwise it falls back to clamscan. The scan is limited to a configurable
maximum file size (default 200 MiB) to avoid excessive resource consumption.
Encrypted archives are flagged as "unscanned" because their contents cannot be
inspected without the password, while common formats like ZIP, RAR, 7Z, TAR,
and GZ are processed natively.

The script returns one of three outcomes:

• Clean – No threats detected. The response includes the signature database date.
• Suspicious – A low‑confidence detection that warrants manual review.
• Malicious – A definitive threat name is reported, with recommended actions such as quarantine, delete, or ignore.

Users can also request a recursive scan of a workspace with the -r flag, or an
incremental scan that skips files unchanged since the last run, saving time on
large workspaces.

Quarantine Workflow

If a file is deemed malicious, the operator can run scan_file.sh with the
--quarantine option. This moves the file to a dedicated quarantine directory
(by default /tmp/crusty_quarantine) and adds an entry to a manifest.json file
that records the original path, timestamp, and detection reason. Quarantined
files can later be restored or deleted manually, ensuring that accidental
false positives do not cause data loss.

Skill Auditing for Supply Chain Security

The audit_skill.sh script addresses the risk of installing compromised skills
from third‑party sources such as ClawHub. It performs static analysis on the
skill’s source tree, looking for patterns that are commonly associated with
malicious behaviour. Findings are grouped into four severity levels:

• Critical – Examples include curl or wget piped directly to a shell, reverse shell payloads, or cryptocurrency mining scripts.
• High – Dynamic eval or exec calls, base64 decoding of unknown data, calls to known exfiltration services (webhook.site, ngrok, etc.), credential harvesting attempts, binary executables, or modifications to agent configuration files.
• Medium – Presence of hidden files, attempts to read sensitive system files, hardcoded IP addresses, obfuscated code, or persistence mechanisms such as unauthorized cron jobs or systemd units.
• Low/Info – Informational notes like unusually large skill size or credential references in documentation.

The script outputs a risk score (low, medium, high, critical) together with a
detailed list of findings, each accompanied by the matching line number and a
short evidence snippet. This enables reviewers to make informed decisions
before approving a skill for installation.

Host Security Auditing

The host_audit.sh script expands the scope beyond the agent to the underlying
host operating system. In its default mode it checks for:

• Suspicious cron jobs that contain download-and-execute patterns or base64 encoded payloads.
• Network services listening on unexpected ports.
• File permission anomalies such as world‑writable /etc/passwd or /etc/shadow.
• SSH configurations that permit root login or lack comments on keys.
• ClamAV signature freshness – warns if the antivirus database is outdated.

When invoked with the --deep flag, the script additionally examines recently
modified system files (within a configurable window) and compares their hashes
against known good baselines, helping to detect stealthy rootkits or
unauthorized binary replacements.

The output includes a posture score ranging from 0 to 100, where each finding
deducts points according to its severity (critical −25, high −15, medium −10,
low −5). A score above 80 generally indicates a healthy host, while lower
scores trigger remedial actions.

Agent Integrity Monitoring

Agents store critical state in files such as AGENTS.md, SOUL.md, MEMORY.md,
TOOLS.md, and USER.md. The monitor_agent.sh script watches these files for
unexpected modifications, additions, or deletions. It also measures "memory
file churn" – a metric that counts how many distinct memory entries have been
altered within a short period. Excessive churn can indicate that an attacker
is attempting to manipulate the agent’s knowledge base or inject malicious
prompts.

If monitor_agent.sh detects anomalous activity, it returns a JSON alert that
can trigger automated responses such as isolating the agent, notifying the
human operator, or initiating a full host audit.

Reporting and Dashboard Integration

All security actions can be reported to the Crusty Security dashboard at
crustysecurity.com, provided the operator has set the CRUSTY_API_KEY
environment variable. The dashboard receives:

• Heartbeat messages every five minutes, confirming that the agent is online and the skill is functional.
• Scan results when the --push flag is added to scan_file.sh or audit_skill.sh.
• Periodic skill inventory pushes via clawhub_sync.py, which sends a list of installed skills and their risk scores to the dashboard.

Importantly, the communication is strictly one‑way: the agent never accepts
inbound connections from the dashboard. This design prevents the dashboard
from becoming a pivot point for attackers.

When CRUSTY_API_KEY is not set, all operations remain fully local. No data
leaves the machine, ensuring privacy for air‑gapped or highly regulated
environments.

Setup and Ongoing Maintenance

The first‑time experience is streamlined by the setup.sh script, which:

• Installs ClamAV if necessary.
• Configures freshclam (with a macOS Homebrew‑specific fix).
• Sends an initial heartbeat to the dashboard (when an API key is present).
• Runs a host audit and a workspace scan to populate the dashboard immediately.
• Checks whether the required cron jobs are missing.

After setup.sh finishes, the operator must create the scheduled cron jobs
using the OpenClaw cron tool. The skill provides a helper script
check_crons.sh that lists any missing jobs. The three essential recurring
scans are:

• crusty-daily-scan – runs at 03:00 AM each day, performing an incremental workspace scan followed by an agent integrity check.
• crusty-weekly-full – runs at 03:00 AM every Sunday, executing a full recursive scan, a host audit, and generating a weekly Markdown report.
• crusty-monthly-deep – runs at 04:00 AM on the first day of each month, performing a deep host audit.

If the dashboard API key is configured, two additional cron jobs are added:

• crusty-heartbeat – every five minutes, sending a heartbeat payload.
• crusty-clawhub-sync – every twelve hours, pushing skill inventory data to the dashboard.

The operator should run cron list after installation to verify that no
duplicate jobs exist, then use cron add to create any that are missing.

Practical Usage Scenarios

Consider a developer who downloads a third‑party skill from ClawHub. Before
installing, they run:

bash scripts/audit_skill.sh /path/to/downloaded/skill

The script returns a risk score of "high" because it detects a base64‑encoded
string that decodes to a call to ngrok. The developer decides to inspect the
skill further, discovers the ngrok tunnel is intended for legitimate remote
debugging, and after confirming the skill’s provenance, they approve
installation with a note to monitor network traffic.

Later, the same user suspects a downloaded file might contain malware. They
execute:

bash scripts/scan_file.sh --quarantine ~/Downloads/suspicious.exe

The script moves the file to quarantine, logs the event, and returns a JSON
response indicating a ClamAV detection of "Win.Trojan.Agent-1234567". The user
can now review the quarantined file safely or delete it.

In a production environment, the system administrator enables the dashboard
integration. Over a week, the dashboard shows a steady posture score of 92,
with only occasional low‑severity findings related to temporary files in /tmp.
When a sudden spike in memory file churn is detected, the dashboard alerts the
team, who invoke monitor_agent.sh and discover a compromised plugin attempting
to exfiltrate conversation logs. The agent is immediately isolated, the
malicious skill is removed, and a full host audit confirms no further
persistence mechanisms.

Why Crusty Security Matters for OpenClaw

OpenClaw agents operate with considerable privilege: they can read and write
files, execute commands, and interact with the host environment. This
flexibility is what makes them powerful, but it also expands the attack
surface. Traditional endpoint antivirus solutions are not aware of AI‑specific
threats such as prompt injection or malicious skill logic that does not match
known malware signatures. Crusty Security bridges this gap by:

• Providing signature‑based detection for classic malware via ClamAV.
• Adding behaviour‑focused static analysis that targets patterns unique to agent‑level abuse.
• Offering continuous monitoring of both the agent’s internal state and the host’s security hygiene.
• Enabling centralized visibility through an optional cloud dashboard while preserving a fully offline mode.

In short, the Crusty Security skill transforms an OpenClaw agent from a
potentially vulnerable autonomous entity into a hardened participant that can
defend itself and its surroundings against a broad spectrum of threats.

Conclusion

The Crusty Security skill (found at skills/skills/silentcool/crusty-
security/SKILL.md in the OpenClaw skills repository) is a comprehensive
security suite designed specifically for AI agents. It combines file‑based
malware scanning, skill supply‑chain auditing, host‑level security checks, and
real‑time agent integrity monitoring into a cohesive workflow. All actions are
scripted, produce machine‑readable JSON output, and can be optionally reported
to a cloud dashboard for long‑term trend analysis and alerting. By following
the setup instructions, creating the recommended cron jobs, and integrating
the skill into routine operations, OpenClaw users can significantly reduce the
risk of malware infection, compromised skills, and host‑level breaches while
retaining the flexibility and power that make OpenClaw a valuable platform for
AI‑driven automation.

Skill can be found at:
security/SKILL.md>