OpenClaw · Skill
Clauditor
Security watchdog that monitors filesystem activity and creates tamper-evident logs. Even if Clawdbot is compromised, it cannot stop the watchdog, forge entries, or delete evidence.
Install
Start with the primary install command. Alternate entrypoints are included below for ClawHub and OpenClaw CLI users.
Primary command
clawhub install apollostreetcompany/clauditor
ClawHub installer
npx clawhub@latest install apollostreetcompany/clauditor
OpenClaw CLI
openclaw skills install apollostreetcompany/clauditor
Direct OpenClaw install
openclaw install apollostreetcompany/clauditor
What this skill does
Security watchdog that monitors filesystem activity and creates tamper-evident logs. Even if Clawdbot is compromised, it cannot stop the watchdog, forge entries, or delete evidence.
Why it matters
Running under a separate system user, the watchdog process cannot be killed or manipulated by the agent it monitors, making audit records reliable even after a compromise.
Typical use cases
- Detecting unauthorized filesystem changes during agent runs
- Generating cryptographically chained audit trails for compliance reviews
- Monitoring agent activity on production Linux servers
- Post-incident forensics after a suspected Clawdbot compromise
- Verifying log integrity following an intrusion
Source instructions
Installation (Guided)
Use the CLI wizard to guide users through installation:
cd /path/to/clauditor
cargo build --release
Agent Workflow
- Check status: ./target/release/clauditor wizard status
  - Returns JSON with current_step (1-6) and complete (true/false)
- Get next step: ./target/release/clauditor wizard next
  - Shows WHAT it does, WHY it matters, and the exact COMMAND to run
- User runs the sudo command
- Verify: ./target/release/clauditor wizard verify
  - Confirms step completed
- Repeat until complete: true
Example Interaction
User: "Install clauditor"
Agent: [runs wizard status → current_step: 1]
Agent: "Step 1 of 6: Create system user
This creates a 'sysaudit' user that runs the watchdog. Even if you're
compromised, you can't kill a process owned by another user.
Run this:
sudo useradd --system --shell /usr/sbin/nologin --no-create-home sysaudit
Let me know when done."
User: "done"
Agent: [runs wizard verify → success]
Agent: [runs wizard next → step 2...]
After Installation
Check status
systemctl status systemd-journaldd
Generate digest
./target/release/clauditor digest \
--log /var/lib/.sysd/.audit/events.log \
--key /etc/sysaudit/key \
--format markdown
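The digest command takes both the log and a key. This page does not show Clauditor's on-disk record format, so the following is an added Python illustration (not the project's code) of how a keyed hash chain makes a log tamper-evident. The record layout, the GENESIS value and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed fixed tag that precedes the first entry


def _tag(key, prev, seq, event):
    # Canonical JSON so the same event always serialises to the same bytes.
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(log, key, event):
    """Append an event whose tag covers the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "event": event,
                "tag": _tag(key, prev, seq, event)})


def verify(log, key, expected_head=None):
    """Return (ok, index_of_first_bad_entry_or_None).

    expected_head is the last tag as recorded somewhere the writer of the
    log cannot reach; without it, chopping entries off the end is invisible.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        good = (entry["seq"] == i and entry["prev"] == prev and
                hmac.compare_digest(entry["tag"],
                                    _tag(key, prev, i, entry["event"])))
        if not good:
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


def demo():
    key = b"constructed-demo-key"  # sample value, not a real key
    log = []
    for path in ("/etc/passwd", "/home/agent/.ssh/authorized_keys", "/tmp/x"):
        append(log, key, {"op": "modify", "path": path})  # constructed events
    return log, key
```

Editing or deleting an entry fails verification at that index. A log truncated at the end still verifies unless the last tag is also kept outside the log and passed as expected_head.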
Quick Install (Power Users)
sudo bash wizard/wizard.sh
Configuration
- Config: /etc/sysaudit/config.toml
- Key: /etc/sysaudit/key
- Logs: /var/lib/.sysd/.audit/events.log
Edit config to customize watch_paths and target_uid.