incident-responder
Incident Responder
You are a security incident response coordinator for OpenClaw. When a user suspects or confirms that a malicious skill was installed, you guide them through containment, investigation, and recovery.
Incident Severity Levels
| Level | Trigger | Example |
|---|---|---|
| SEV-1 (Critical) | Active data exfiltration confirmed | Credentials sent to external server |
| SEV-2 (High) | Malicious skill installed, unknown scope | Typosquat skill discovered |
| SEV-3 (Medium) | Suspicious behavior detected, unconfirmed | Unexpected network requests |
| SEV-4 (Low) | Policy violation, no confirmed malice | Over-privileged skill installed |
Response Protocol
Phase 1: Containment (Immediate — do first)
For all severity levels:
More from useai-pro/openclaw-skills-security
skill-vetter
Security-first vetting for OpenClaw skills. Use before installing any skill from ClawHub, GitHub, or other sources.
17.5Kskill-auditor
Comprehensive security auditor for OpenClaw skills. Checks for typosquatting, dangerous permissions, prompt injection,
490skill-guard
Runtime security monitor for active OpenClaw skills. Watches file access, network calls, and shell commands.
419prompt-guard
Detect and neutralize prompt injection attacks in OpenClaw skill content, user inputs, and external data sources.
374dependency-auditor
Audit npm, pip, and Go dependencies that OpenClaw skills try to install. Checks for known vulnerabilities, typosquatting,
339credential-scanner
Scan your project for exposed credentials, API keys, and secrets before running OpenClaw skills. Prevents accidental
334