Advisory ingestion: NVD/community inputs are transformed into a normalized advisory feed, signed, then mirrored for clients.
Skill catalog publication: release assets are discovered and converted into public/skills/index.json plus per-skill docs/checksums.
Runtime enforcement: suite and nanoclaw consumers load advisory data, match against skills, and emit alerts or confirmation gates.
This page appears under the Guides section in INDEX.md.
Feed producer workflow/script fetches source data (NVD API or issue payload).
JSON transform logic normalizes severity/type/affected fields and deduplicates by advisory ID.
Signature/checksum steps generate detached signatures and checksum manifests.
Deploy workflow mirrors signed artifacts under public/ and public/releases/latest/download/.
UI consumers validate JSON shape/content; runtime consumers additionally verify signatures/checksums before trusting feed data.
Matchers compare affected specifiers to skill names/versions and emit alerts or enforce confirmation.
Inputs/outputs are summarized in the table below.
Type
Name
Location
Description
Input
CVE payloads
services.nvd.nist.gov/rest/json/cves/2.0Source vulnerabilities filtered by ClawSec keywords.
Input
Community advisory issue
.github/workflows/community-advisory.yml event payload
Maintainer-approved issue transformed into advisory record.
Input
Skill release assets
GitHub Releases API + assets
Used to build web catalog and mirror downloads.
Input
Local config/env
OPENCLAW_AUDIT_CONFIG, CLAWSEC_* vars
Controls feed pathing, suppression, and verification behavior.
Output
Advisory feed
advisories/feed.jsonCanonical repository feed.
Output
Advisory signature
advisories/feed.json.sigDetached signature for feed authenticity.
Output
Skill catalog index
public/skills/index.jsonRuntime web catalog used by /skills pages.
Output
Release checksums/signatures
release-assets/checksums.json(.sig)Integrity manifest for release consumers.
Output
Hook state
~/.openclaw/clawsec-suite-feed-state.jsonTracks scan timing and notified matches.
Structure
Key Fields
Purpose
Advisory feed record
id, severity, type, affected[], published
Unit of risk data used by UI and installers.
Skill metadata record
id, name, version, emoji, tag
Catalog row for web browsing and install commands.
Checksums manifest
schema_version, algorithm, files
Maps file names to expected digests.
Advisory state
known_advisories, last_hook_scan, notified_matches
Prevents repeated alerts and throttles scans.
Suppression config
enabledFor[], suppressions[]
Targeted skip list by checkId + skill.
flowchart LR
A["NVD + Issue Inputs"] --> B["Transform + Deduplicate"]
B --> C["advisories/feed.json"]
C --> D["Sign + checksums"]
D --> E["public/advisories + releases/latest"]
E --> F["Web UI fetch"]
E --> G["Suite/NanoClaw verification"]
G --> H["Match skills + emit alerts/gates"]
Loading
Store
Path/Scope
Write Path
Canonical advisories
advisories/NVD + community workflows and local populate script.
Embedded advisory copies
skills/clawsec-feed/advisories/ and skills/clawsec-suite/advisories/
Sync/packaging processes and release workflow.
Public mirrors
public/advisories/, public/releases/
Deploy workflow.
Runtime state
~/.openclaw/clawsec-suite-feed-state.jsonAdvisory hook state persistence.
NanoClaw cache
/workspace/project/data/clawsec-advisory-cache.jsonHost-side advisory cache manager.
Integrity state
/workspace/project/data/soul-guardian/ (NanoClaw)
Integrity monitor baseline/audit storage.
# Local feed flow (NVD fetch -> transform -> sync)' .updated, (.advisories | length)' # Runtime guarded install uses signed feed paths~ /.openclaw/skills/clawsec-suite/advisories/feed.json \
CLAWSEC_FEED_PUBLIC_KEY=~ /.openclaw/skills/clawsec-suite/advisories/feed-signing-public.pem \
node skills/clawsec-suite/scripts/guarded_skill_install.mjs --skill test-skill --dry-run
NVD rate limits (403/429) can delay feed refresh and require retries/backoff.
Missing or invalid detached signatures cause feed rejection in fail-closed mode.
HTML fallback responses for JSON endpoints can produce false positives unless explicitly filtered.
Path-token misconfiguration (\$HOME) can break local fallback path resolution.
Mismatched public key fingerprints in workflows trigger hard CI failure.
advisories/feed.json
advisories/feed.json.sig
scripts/populate-local-feed.sh
scripts/populate-local-skills.sh
.github/workflows/poll-nvd-cves.yml
.github/workflows/community-advisory.yml
.github/workflows/deploy-pages.yml
.github/workflows/skill-release.yml
skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/feed.mjs
skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/state.ts
skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/matching.ts
skills/clawsec-suite/scripts/guarded_skill_install.mjs
skills/clawsec-nanoclaw/lib/advisories.ts
skills/clawsec-nanoclaw/host-services/advisory-cache.ts