From ca7632567a41e0b35a3721964b83d284f787fddc Mon Sep 17 00:00:00 2001
From: zlei9 <zlei9@126.com>
Date: Sun, 29 Mar 2026 14:32:18 +0800
Subject: [PATCH] Initial commit with translated description

---
 README.md  | 168 ++++++++++++++
 SKILL.md   | 647 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 _meta.json |   6 +
 skill.json |  42 ++++
 4 files changed, 863 insertions(+)
 create mode 100644 README.md
 create mode 100644 SKILL.md
 create mode 100644 _meta.json
 create mode 100644 skill.json

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9c23b06
--- /dev/null
+++ b/README.md
@@ -0,0 +1,168 @@
+# Clawdbot Security Check
+
+🔒 **Self-security audit framework for Clawdbot**
+
+Inspired by the security hardening framework from [ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ](https://x.com/DanielMiessler) and integrated with [official ClawdBot security documentation](https://docs.clawd.bot/gateway/security).
+
+This skill teaches Clawdbot to audit its own security posture using first-principles reasoning. Not a hard-coded script—it's a **knowledge framework** that Clawdbot applies dynamically to detect vulnerabilities, understand their impact, and recommend specific remediations.
+
+## What This Is
+
+- 🧠 **Knowledge-based** - Embeds the security framework directly in Clawdbot
+- 🔍 **Dynamic detection** - Clawdbot learns to find issues, not just run a script
+- 📚 **Extensible** - Add new checks by updating the skill
+- 🔒 **100% Read-only** - Only audits; never modifies configuration
+
+## The 12 Security Domains
+
+| # | Domain | Severity | Key Question |
+|---|--------|----------|--------------|
+| 1 | Gateway Exposure | 🔴 Critical | Is the gateway bound to 0.0.0.0 without auth? |
+| 2 | DM Policy | 🟠 High | Are DMs restricted to an allowlist? |
+| 3 | Group Access Control | 🟠 High | Are group policies set to allowlist? |
+| 4 | Credentials Security | 🔴 Critical | Are secrets in plaintext with loose permissions? |
+| 5 | Browser Control Exposure | 🟠 High | Is remote browser control secured? |
+| 6 | Gateway Bind & Network | 🟠 High | Is network exposure intentional and controlled? |
+| 7 | Tool Access & Elevated | 🟡 Medium | Are tools restricted to minimum needed? |
+| 8 | File Permissions & Disk | 🟡 Medium | Are file permissions properly set? |
+| 9 | Plugin Trust & Model | 🟡 Medium | Are plugins allowlisted and models current? |
+| 10| Logging & Redaction | 🟡 Medium | Is sensitive data redacted in logs? |
+| 11| Prompt Injection | 🟡 Medium | Is untrusted content wrapped? |
+| 12| Dangerous Commands | 🟡 Medium | Are destructive commands blocked? |
+
+## Installation
+
+```bash
+# Via ClawdHub
+clawdhub install clawdbot-security-check
+
+# Or clone for manual installation
+git clone https://github.com/TheSethRose/Clawdbot-Security-Check.git
+cp -r Clawdbot-Security-Check ~/.clawdbot/skills/
+```
+
+## Usage
+
+### Via Clawdbot
+```
+@clawdbot audit my security
+@clawdbot run security check
+@clawdbot what vulnerabilities do I have?
+@clawdbot security audit --deep
+@clawdbot security audit --fix
+```
+
+## Security Principles
+
+Running an AI agent with shell access requires caution. Focus on:
+
+1. **Who can talk to the bot** — DM policies, group allowlists, channel restrictions
+2. **Where the bot is allowed to act** — Network exposure, gateway binding, proxy configs
+3. **What the bot can touch** — Tool access, file permissions, credential storage
+
+## Audit Functions
+
+The `--fix` flag applies these guardrails:
+- Changes `groupPolicy` from `open` to `allowlist` for common channels
+- Resets `logging.redactSensitive` from `off` to `tools`
+- Tightens permissions: `.clawdbot` to `700`, configs to `600`
+- Secures state files including credentials and auth profiles
+
+## High-Level Checklist
+
+Treat findings in this priority order:
+
+1. 🔴 Lock down DMs and groups if tools are enabled on open settings
+2. 🔴 Fix public network exposure immediately
+3. 🟠 Secure browser control with tokens and HTTPS
+4. 🟠 Correct file permissions for credentials and config
+5. 🟡 Only load trusted plugins
+6. 🟡 Use modern models for bots with tool access
+
+## Extending the Framework
+
+Add new checks by contributing to SKILL.md:
+
+```markdown
+## 13. New Vulnerability 🟡 Medium
+
+**What to check:** What config reveals this?
+
+**Detection:**
+```bash
+command-to-check-config
+```
+
+**Vulnerability:** What can go wrong?
+
+**Remediation:**
+```json
+{ "fix": "here" }
+```
+```
+
+## Architecture
+
+```
+Clawdbot-Security-Check/
+├── SKILL.md      # Knowledge framework (the skill - source of truth)
+├── skill.json    # Clawdbot metadata
+├── README.md     # This file
+└── .gitignore
+```
+
+**SKILL.md** is the source of truth—it teaches Clawdbot everything it needs to know.
+
+## Why This Approach?
+
+Hard-coded scripts get stale. A knowledge framework evolves:
+
+- ✅ Add new vulnerabilities without code changes
+- ✅ Customize checks for your environment
+- ✅ Clawdbot understands the "why" behind each check
+- ✅ Enables intelligent follow-up questions
+
+> "The goal isn't to find vulnerabilities—it's to understand security deeply enough that vulnerabilities can't hide." — Daniel Miessler
+
+## Output Example
+
+```
+═══════════════════════════════════════════════════════════════
+🔒 CLAWDBOT SECURITY AUDIT
+═══════════════════════════════════════════════════════════════
+Timestamp: 2026-01-26T15:30:00.000Z
+
+┌─ SUMMARY ───────────────────────────────────────────────
+│ 🔴 Critical:  1
+│ 🟠 High:      2
+│ 🟡 Medium:    1
+│ ✅ Passed:    8
+└────────────────────────────────────────────────────────
+
+┌─ FINDINGS ──────────────────────────────────────────────
+│ 🔴 [CRITICAL] Gateway Exposure
+│    Finding: Gateway bound to 0.0.0.0:18789 without auth
+│    → Fix: Set gateway.auth_token environment variable
+│
+│ 🟠 [HIGH] DM Policy
+│    Finding: dm_policy is "allow" (all users)
+│    → Fix: Set dm_policy to "allowlist" with trusted users
+└────────────────────────────────────────────────────────
+
+This audit was performed by Clawdbot's self-security framework.
+No changes were made to your configuration.
+```
+
+## Contributing
+
+1. Fork the repo
+2. Add new security knowledge to SKILL.md
+3. Submit PR
+
+## License
+
+MIT - Security-first, open source forever.
+
+---
+
+**Clawdbot knows its attack surface. Do you?**
diff --git a/SKILL.md b/SKILL.md
new file mode 100644
index 0000000..d3db711
--- /dev/null
+++ b/SKILL.md
@@ -0,0 +1,647 @@
+---
+name: clawdbot-self-security-audit
+description: "对Clawdbot自己的配置执行全面的只读安全审计。"
+homepage: https://github.com/TheSethRose/Clawdbot-Security-Check
+metadata: {"clawdbot":{"emoji":"🔒","os":["darwin","linux"],"requires":{"files":["read"],"tools":["exec","bash"]},"install":[{"id":"read-skill","kind":"skill","name":"clawdbot-self-security-audit","label":"Install security audit skill","bins":["SKILL.md"]}]}}
+---
+
+# Clawdbot Self-Security Audit Framework
+
+This skill empowers Clawdbot to audit its own security posture using first-principles reasoning. Rather than relying on a static script, Clawdbot learns the framework and applies it dynamically to detect vulnerabilities, understand their impact, and recommend specific remediations.
+
+## Core Philosophy
+
+> "Security through transparency and self-awareness." — Inspired by ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ
+
+Clawdbot should know its own attack surface. This skill embeds that knowledge directly.
+
+## Security Principles
+
+Running an AI agent with shell access requires caution. Focus on three areas:
+
+1. **Who can talk to the bot** — DM policies, group allowlists, channel restrictions
+2. **Where the bot is allowed to act** — Network exposure, gateway binding, proxy configs
+3. **What the bot can touch** — Tool access, file permissions, credential storage
+
+Start with the smallest access possible and widen it as you gain confidence.
+
+## Trust Hierarchy
+
+Apply appropriate trust levels based on role:
+
+| Level | Entity | Trust Model |
+|-------|--------|-------------|
+| 1 | **Owner** | Full trust — has all access |
+| 2 | **AI** | Trust but verify — sandboxed, logged |
+| 3 | **Allowlists** | Limited trust — only specified users |
+| 4 | **Strangers** | No trust — blocked by default |
+
+## Audit Commands
+
+Use these commands to run security audits:
+
+- `clawdbot security audit` — Standard audit of common issues
+- `clawdbot security audit --deep` — Comprehensive audit with all checks
+- `clawdbot security audit --fix` — Apply guardrail remediations
+
+## The 12 Security Domains
+
+When auditing Clawdbot, systematically evaluate these domains:
+
+### 1. Gateway Exposure 🔴 Critical
+
+**What to check:**
+- Where is the gateway binding? (`gateway.bind`)
+- Is authentication configured? (`gateway.auth_token` or `CLAWDBOT_GATEWAY_TOKEN` env var)
+- What port is exposed? (default: 18789)
+- Is WebSocket auth enabled?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
+env | grep CLAWDBOT_GATEWAY_TOKEN
+```
+
+**Vulnerability:** Binding to `0.0.0.0` or `lan` without auth allows network access.
+
+**Remediation:**
+```bash
+# Generate gateway token
+clawdbot doctor --generate-gateway-token
+export CLAWDBOT_GATEWAY_TOKEN="$(openssl rand -hex 32)"
+```
+
+---
+
+### 2. DM Policy Configuration 🟠 High
+
+**What to check:**
+- What is `dm_policy` set to?
+- If `allowlist`, who is explicitly allowed via `allowFrom`?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -E '"dm_policy|"allowFrom"'
+```
+
+**Vulnerability:** Setting to `allow` or `open` means any user can DM Clawdbot.
+
+**Remediation:**
+```json
+{
+  "channels": {
+    "telegram": {
+      "dmPolicy": "allowlist",
+      "allowFrom": ["@trusteduser1", "@trusteduser2"]
+    }
+  }
+}
+```
+
+---
+
+### 3. Group Access Control 🟠 High
+
+**What to check:**
+- What is `groupPolicy` set to?
+- Are groups explicitly allowlisted?
+- Are mention gates configured?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -E '"groupPolicy"|"groups"' 
+cat ~/.clawdbot/clawdbot.json | grep -i "mention"
+```
+
+**Vulnerability:** Open group policy allows anyone in the room to trigger commands.
+
+**Remediation:**
+```json
+{
+  "channels": {
+    "telegram": {
+      "groupPolicy": "allowlist",
+      "groups": {
+        "-100123456789": true
+      }
+    }
+  }
+}
+```
+
+---
+
+### 4. Credentials Security 🔴 Critical
+
+**What to check:**
+- Credential file locations and permissions
+- Environment variable usage
+- Auth profile storage
+
+**Credential Storage Map:**
+| Platform | Path |
+|----------|------|
+| WhatsApp | `~/.clawdbot/credentials/whatsapp/{accountId}/creds.json` |
+| Telegram | `~/.clawdbot/clawdbot.json` or env |
+| Discord | `~/.clawdbot/clawdbot.json` or env |
+| Slack | `~/.clawdbot/clawdbot.json` or env |
+| Pairing allowlists | `~/.clawdbot/credentials/channel-allowFrom.json` |
+| Auth profiles | `~/.clawdbot/agents/{agentId}/auth-profiles.json` |
+| Legacy OAuth | `~/.clawdbot/credentials/oauth.json` |
+
+**How to detect:**
+```bash
+ls -la ~/.clawdbot/credentials/
+ls -la ~/.clawdbot/agents/*/auth-profiles.json 2>/dev/null
+stat -c "%a" ~/.clawdbot/credentials/oauth.json 2>/dev/null
+```
+
+**Vulnerability:** Plaintext credentials with loose permissions can be read by any process.
+
+**Remediation:**
+```bash
+chmod 700 ~/.clawdbot
+chmod 600 ~/.clawdbot/credentials/oauth.json
+chmod 600 ~/.clawdbot/clawdbot.json
+```
+
+---
+
+### 5. Browser Control Exposure 🟠 High
+
+**What to check:**
+- Is browser control enabled?
+- Are authentication tokens set for remote control?
+- Is HTTPS required for Control UI?
+- Is a dedicated browser profile configured?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -A5 '"browser"'
+cat ~/.clawdbot/clawdbot.json | grep -i "controlUi|insecureAuth"
+ls -la ~/.clawdbot/browser/
+```
+
+**Vulnerability:** Exposed browser control without auth allows remote UI takeover. Browser access allows the model to use logged-in sessions.
+
+**Remediation:**
+```json
+{
+  "browser": {
+    "remoteControlUrl": "https://...",
+    "remoteControlToken": "...",
+    "dedicatedProfile": true,
+    "disableHostControl": true
+  },
+  "gateway": {
+    "controlUi": {
+      "allowInsecureAuth": false
+    }
+  }
+}
+```
+
+**Security Note:** Treat browser control URLs as admin APIs.
+
+---
+
+### 6. Gateway Bind & Network Exposure 🟠 High
+
+**What to check:**
+- What is `gateway.bind` set to?
+- Are trusted proxies configured?
+- Is Tailscale enabled?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
+cat ~/.clawdbot/clawdbot.json | grep '"tailscale"'
+```
+
+**Vulnerability:** Public binding without auth allows internet access to gateway.
+
+**Remediation:**
+```json
+{
+  "gateway": {
+    "bind": "127.0.0.1",
+    "mode": "local",
+    "trustedProxies": ["127.0.0.1", "10.0.0.0/8"],
+    "tailscale": {
+      "mode": "off"
+    }
+  }
+}
+```
+
+---
+
+### 7. Tool Access & Sandboxing 🟡 Medium
+
+**What to check:**
+- Are elevated tools allowlisted?
+- Is `restrict_tools` or `mcp_tools` configured?
+- What is `workspaceAccess` set to?
+- Are sensitive tools running in sandbox?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -i "restrict|mcp|elevated"
+cat ~/.clawdbot/clawdbot.json | grep -i "workspaceAccess|sandbox"
+cat ~/.clawdbot/clawdbot.json | grep -i "openRoom"
+```
+
+**Workspace Access Levels:**
+| Mode | Description |
+|------|-------------|
+| `none` | Workspace is off limits |
+| `ro` | Workspace mounted read-only |
+| `rw` | Workspace mounted read-write |
+
+**Vulnerability:** Broad tool access means more blast radius if compromised. Smaller models are more susceptible to tool misuse.
+
+**Remediation:**
+```json
+{
+  "restrict_tools": true,
+  "mcp_tools": {
+    "allowed": ["read", "write", "bash"],
+    "blocked": ["exec", "gateway"]
+  },
+  "workspaceAccess": "ro",
+  "sandbox": "all"
+}
+```
+
+**Model Guidance:** Use latest generation models for agents with filesystem or network access. If using small models, disable web search and browser tools.
+
+---
+
+### 8. File Permissions & Local Disk Hygiene 🟡 Medium
+
+**What to check:**
+- Directory permissions (should be 700)
+- Config file permissions (should be 600)
+- Symlink safety
+
+**How to detect:**
+```bash
+stat -c "%a" ~/.clawdbot
+ls -la ~/.clawdbot/*.json
+```
+
+**Vulnerability:** Loose permissions allow other users to read sensitive configs.
+
+**Remediation:**
+```bash
+chmod 700 ~/.clawdbot
+chmod 600 ~/.clawdbot/clawdbot.json
+chmod 600 ~/.clawdbot/credentials/*
+```
+
+---
+
+### 9. Plugin Trust & Model Hygiene 🟡 Medium
+
+**What to check:**
+- Are plugins explicitly allowlisted?
+- Are legacy models in use with tool access?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -i "plugin|allowlist"
+cat ~/.clawdbot/clawdbot.json | grep -i "model|anthropic"
+```
+
+**Vulnerability:** Untrusted plugins can execute code. Legacy models may lack modern safety.
+
+**Remediation:**
+```json
+{
+  "plugins": {
+    "allowlist": ["trusted-plugin-1", "trusted-plugin-2"]
+  },
+  "agents": {
+    "defaults": {
+      "model": {
+        "primary": "minimax/MiniMax-M2.1"
+      }
+    }
+  }
+}
+```
+
+---
+
+### 10. Logging & Redaction 🟡 Medium
+
+**What is logging.redactSensitive set to?**
+- Should be `tools` to redact sensitive tool output
+- If `off`, credentials may leak in logs
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -i "logging|redact"
+ls -la ~/.clawdbot/logs/
+```
+
+**Remediation:**
+```json
+{
+  "logging": {
+    "redactSensitive": "tools",
+    "path": "~/.clawdbot/logs/"
+  }
+}
+```
+
+---
+
+### 11. Prompt Injection Protection 🟡 Medium
+
+**What to check:**
+- Is `wrap_untrusted_content` or `untrusted_content_wrapper` enabled?
+- How is external/web content handled?
+- Are links and attachments treated as hostile?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -i "untrusted|wrap"
+```
+
+**Prompt Injection Mitigation Strategies:**
+- Keep DMs locked to `pairing` or `allowlists`
+- Use mention gating in groups
+- Treat all links and attachments as hostile
+- Run sensitive tools in a sandbox
+- Use instruction-hardened models like Anthropic Opus 4.5
+
+**Vulnerability:** Untrusted content (web fetches, sandbox output) can inject malicious prompts.
+
+**Remediation:**
+```json
+{
+  "wrap_untrusted_content": true,
+  "untrusted_content_wrapper": "<untrusted>",
+  "treatLinksAsHostile": true,
+  "mentionGate": true
+}
+```
+
+---
+
+### 12. Dangerous Command Blocking 🟡 Medium
+
+**What to check:**
+- What commands are in `blocked_commands`?
+- Are these patterns included: `rm -rf`, `curl |`, `git push --force`, `mkfs`, fork bombs?
+
+**How to detect:**
+```bash
+cat ~/.clawdbot/clawdbot.json | grep -A10 '"blocked_commands"'
+```
+
+**Vulnerability:** Without blocking, a malicious prompt could destroy data or exfiltrate credentials.
+
+**Remediation:**
+```json
+{
+  "blocked_commands": [
+    "rm -rf",
+    "curl |",
+    "git push --force",
+    "mkfs",
+    ":(){:|:&}"
+  ]
+}
+```
+
+---
+
+### 13. Secret Scanning Readiness 🟡 Medium
+
+**What to check:**
+- Is detect-secrets configured?
+- Is there a `.secrets.baseline` file?
+- Has a baseline scan been run?
+
+**How to detect:**
+```bash
+ls -la .secrets.baseline 2>/dev/null
+which detect-secrets 2>/dev/null
+```
+
+**Secret Scanning (CI):**
+```bash
+# Find candidates
+detect-secrets scan --baseline .secrets.baseline
+
+# Review findings
+detect-secrets audit
+
+# Update baseline after rotating secrets or marking false positives
+detect-secrets scan --baseline .secrets.baseline --update
+```
+
+**Vulnerability:** Leaked credentials in the codebase can lead to compromise.
+
+---
+
+## Audit Functions
+
+The `--fix` flag applies these guardrails:
+
+- Changes `groupPolicy` from `open` to `allowlist` for common channels
+- Resets `logging.redactSensitive` from `off` to `tools`
+- Tightens local permissions: `.clawdbot` directory to `700`, config files to `600`
+- Secures state files including credentials and auth profiles
+
+## High-Level Audit Checklist
+
+Treat findings in this priority order:
+
+1. **🔴 Lock down DMs and groups** if tools are enabled on open settings
+2. **🔴 Fix public network exposure** immediately
+3. **🟠 Secure browser control** with tokens and HTTPS
+4. **🟠 Correct file permissions** for credentials and config
+5. **🟡 Only load trusted plugins**
+6. **🟡 Use modern models** for bots with tool access
+
+## Access Control Models
+
+### DM Access Model
+
+| Mode | Description |
+|------|-------------|
+| `pairing` | Default - unknown senders must be approved via code |
+| `allowlist` | Unknown senders blocked without handshake |
+| `open` | Public access - requires explicit asterisk in allowlist |
+| `disabled` | All inbound DMs ignored |
+
+### Slash Commands
+
+Slash commands are only available to authorized senders based on channel allowlists. The `/exec` command is a session convenience for operators and does not modify global config.
+
+## Threat Model & Mitigation
+
+### Potential Risks
+
+| Risk | Mitigation |
+|------|------------|
+| Execution of shell commands | `blocked_commands`, `restrict_tools` |
+| File and network access | `sandbox`, `workspaceAccess: none/ro` |
+| Social engineering and prompt injection | `wrap_untrusted_content`, `mentionGate` |
+| Browser session hijacking | Dedicated profile, token auth, HTTPS |
+| Credential leakage | `logging.redactSensitive: tools`, env vars |
+
+## Incident Response
+
+If a compromise is suspected, follow these steps:
+
+### Containment
+1. **Stop the gateway process** — `clawdbot daemon stop`
+2. **Set gateway.bind to loopback** — `"bind": "127.0.0.1"`
+3. **Disable risky DMs and groups** — Set to `disabled`
+
+### Rotation
+1. **Change the gateway auth token** — `clawdbot doctor --generate-gateway-token`
+2. **Rotate browser control and hook tokens**
+3. **Revoke and rotate API keys** for model providers
+
+### Review
+1. **Check gateway logs and session transcripts** — `~/.clawdbot/logs/`
+2. **Review recent config changes** — Git history or backups
+3. **Re-run the security audit with the deep flag** — `clawdbot security audit --deep`
+
+## Reporting Vulnerabilities
+
+Report security issues to: **security@clawd.bot**
+
+**Do not post vulnerabilities publicly** until they have been fixed.
+
+## Audit Execution Steps
+
+When running a security audit, follow this sequence:
+
+### Step 1: Locate Configuration
+```bash
+CONFIG_PATHS=(
+  "$HOME/.clawdbot/clawdbot.json"
+  "$HOME/.clawdbot/config.yaml"
+  "$HOME/.clawdbot/.clawdbotrc"
+  ".clawdbotrc"
+)
+for path in "${CONFIG_PATHS[@]}"; do
+  if [ -f "$path" ]; then
+    echo "Found config: $path"
+    cat "$path"
+    break
+  fi
+done
+```
+
+### Step 2: Run Domain Checks
+For each of the 13 domains above:
+1. Parse relevant config keys
+2. Compare against secure baseline
+3. Flag deviations with severity
+
+### Step 3: Generate Report
+Format findings by severity:
+```
+🔴 CRITICAL: [vulnerability] - [impact]
+🟠 HIGH: [vulnerability] - [impact]
+🟡 MEDIUM: [vulnerability] - [impact]
+✅ PASSED: [check name]
+```
+
+### Step 4: Provide Remediation
+For each finding, output:
+- Specific config change needed
+- Example configuration
+- Command to apply (if safe)
+
+## Report Template
+
+```
+═══════════════════════════════════════════════════════════════
+🔒 CLAWDBOT SECURITY AUDIT
+═══════════════════════════════════════════════════════════════
+Timestamp: $(date -Iseconds)
+
+┌─ SUMMARY ───────────────────────────────────────────────
+│ 🔴 Critical:  $CRITICAL_COUNT
+│ 🟠 High:      $HIGH_COUNT
+│ 🟡 Medium:    $MEDIUM_COUNT
+│ ✅ Passed:    $PASSED_COUNT
+└────────────────────────────────────────────────────────
+
+┌─ FINDINGS ──────────────────────────────────────────────
+│ 🔴 [CRITICAL] $VULN_NAME
+│    Finding: $DESCRIPTION
+│    → Fix: $REMEDIATION
+│
+│ 🟠 [HIGH] $VULN_NAME
+│    ...
+└────────────────────────────────────────────────────────
+
+This audit was performed by Clawdbot's self-security framework.
+No changes were made to your configuration.
+```
+
+## Extending the Skill
+
+To add new security checks:
+
+1. **Identify the vulnerability** - What misconfiguration creates risk?
+2. **Determine detection method** - What config key or system state reveals it?
+3. **Define the baseline** - What is the secure configuration?
+4. **Write detection logic** - Shell commands or file parsing
+5. **Document remediation** - Specific steps to fix
+6. **Assign severity** - Critical, High, Medium, Low
+
+### Example: Adding SSH Hardening Check
+
+```
+## 14. SSH Agent Forwarding 🟡 Medium
+
+**What to check:** Is SSH_AUTH_SOCK exposed to containers?
+
+**Detection:**
+```bash
+env | grep SSH_AUTH_SOCK
+```
+
+**Vulnerability:** Container escape via SSH agent hijacking.
+
+**Severity:** Medium
+```
+
+## Security Assessment Questions
+
+When auditing, ask:
+
+1. **Exposure:** What network interfaces can reach Clawdbot?
+2. **Authentication:** What verification does each access point require?
+3. **Isolation:** What boundaries exist between Clawdbot and the host?
+4. **Trust:** What content sources are considered "trusted"?
+5. **Auditability:** What evidence exists of Clawdbot's actions?
+6. **Least Privilege:** Does Clawdbot have only necessary permissions?
+
+## Principles Applied
+
+- **Zero modification** - This skill only reads; never changes configuration
+- **Defense in depth** - Multiple checks catch different attack vectors
+- **Actionable output** - Every finding includes a concrete remediation
+- **Extensible design** - New checks integrate naturally
+
+## References
+
+- Official docs: https://docs.clawd.bot/gateway/security
+- Original framework: [ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ on X](https://x.com/DanielMiessler/status/2015865548714975475)
+- Repository: https://github.com/TheSethRose/Clawdbot-Security-Check
+- Report vulnerabilities: security@clawd.bot
+
+---
+
+**Remember:** This skill exists to make Clawdbot self-aware of its security posture. Use it regularly, extend it as needed, and never skip the audit.
diff --git a/_meta.json b/_meta.json
new file mode 100644
index 0000000..10e5e13
--- /dev/null
+++ b/_meta.json
@@ -0,0 +1,6 @@
+{
+  "ownerId": "kn72ce44tqw8bnnnewrn1s5x3s7yz7sq",
+  "slug": "clawdbot-security-check",
+  "version": "2.2.2",
+  "publishedAt": 1769469026784
+}
\ No newline at end of file
diff --git a/skill.json b/skill.json
new file mode 100644
index 0000000..a0bf701
--- /dev/null
+++ b/skill.json
@@ -0,0 +1,42 @@
+{
+  "name": "Clawdbot Security Check",
+  "version": "2.2.2",
+  "description": "Self-security audit framework that teaches Clawdbot to audit its own configuration across 13 security domains. Knowledge-based, extensible, 100% read-only. Includes trust hierarchy, incident response, secret scanning, and official ClawdBot security docs integration.",
+  "author": "Gavin - Technical Co-Founder",
+  "keywords": ["security", "audit", "clawdbot", "self-audit", "hardening", "vulnerability", "framework"],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "main": "SKILL.md",
+  "scripts": {
+    "start": "node security-check.js",
+    "start:json": "node security-check.js --json",
+    "test": "node security-check.js | grep -q 'SECURITY ANALYSIS' && echo 'Skill framework loaded'"
+  },
+  "permissions": ["read-only"],
+  "safety": {
+    "readOnly": true,
+    "modifiesSettings": false,
+    "networkAccess": false,
+    "fileSystemAccess": ["read"],
+    "installsPackages": false
+  },
+  "securityDomains": [
+    "gateway-exposure",
+    "dm-policy",
+    "group-access-control",
+    "credentials-security",
+    "browser-control-exposure",
+    "gateway-bind-network",
+    "tool-access-sandboxing",
+    "file-permissions-disk",
+    "plugin-trust-model",
+    "logging-redaction",
+    "prompt-injection",
+    "dangerous-commands",
+    "secret-scanning"
+  ],
+  "severityLevels": ["critical", "high", "medium", "low"],
+  "knowledgeFramework": true,
+  "extensible": true
+}