Two users, one boundary

ClawCop runs as a dedicated system user called mallcop. It has read-only access to OpenClaw's skill directory, configuration files, and gateway settings. It cannot modify anything OpenClaw manages, and OpenClaw cannot modify anything mallcop manages. The two users do not share file permissions.

Findings are written to a separate directory owned by mallcop and pushed to a private GitHub repo you control. If OpenClaw were compromised, it could not tamper with or suppress mallcop's findings.

mallcop user

Reads OpenClaw's skill directory and config. Writes to its own findings directory. No shell. No sudo.

openclaw user

Runs the AI agent. Cannot read mallcop's findings directory. No access to mallcop config or credentials.

Separation enforced by the OS

Standard Unix file permissions. No special framework required. Audit with ls -la.

What ClawCop watches

Two things: skills and config. Everything else is out of scope.

Skills

Every installed skill has a manifest that declares what it does and what permissions it needs. ClawCop checks that the actual skill files match the manifest on every patrol. A skill that modified itself after installation does not match.

Configuration

OpenClaw's gateway config controls which external services the agent can reach and what permissions it has. ClawCop takes a snapshot at install time and flags any change that wasn't made through the normal config update path.

What ClawCop catches

Malicious skills

Skills that match known malicious patterns in their code, or that request permissions their manifest does not declare. Both are findings. A skill that asks for file system access when its manifest says "read-only calendar integration" is a problem.

Finding: malicious-skill

Config drift

Gateway configuration that changed since the last verified state. Could be a legitimate update you made. Could be a skill that modified its own permissions. ClawCop flags the diff and you decide.

Finding: openclaw-config-drift

Skill tampering

A skill that changed its own files after installation. Legitimate skills do not self-modify. If a skill's checksum differs from when it was installed, that is the finding.

Finding: malicious-skill

The three boundary checks

On every patrol, ClawCop runs three checks in order.

1. Manifest match

Each skill has a manifest.yaml that declares its permissions and the hash of its code files. ClawCop recomputes the hash and compares. A mismatch is a finding.

2. Permission boundary

ClawCop checks the permissions the skill is actually using against the permissions declared in its manifest. A skill exercising permissions it did not declare is a finding regardless of whether the code changed.

3. Gateway config

Compares the current gateway configuration against the last verified snapshot. Any change triggers a finding. You acknowledge expected changes with mallcop ack, which updates the snapshot.
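
The three checks above, sketched as an added example (not ClawCop's own code). The manifest field names `permissions` and `code_sha256`, the permission strings, the gateway keys and the hashing scheme are assumptions; the page does not specify them.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hash(skill_dir, skip=("manifest.yaml",)):
    """SHA-256 over relative path + contents of every file, in sorted order."""
    h = hashlib.sha256()
    for p in sorted(Path(skill_dir).rglob("*")):
        if p.is_file() and p.name not in skip:
            rel = p.relative_to(skill_dir).as_posix().encode()
            data = p.read_bytes()
            # Length-prefix both fields so file boundaries are unambiguous.
            h.update(len(rel).to_bytes(8, "big") + rel)
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def patrol(skill_dir, manifest, used_permissions, gateway_config, snapshot):
    """Run the three checks in order; return a list of (finding, detail)."""
    findings = []
    # 1. Manifest match: recompute the code hash and compare.
    if tree_hash(skill_dir) != manifest["code_sha256"]:  # assumed field name
        findings.append(("malicious-skill", "code hash differs from manifest"))
    # 2. Permission boundary: anything used but not declared.
    extra = sorted(set(used_permissions) - set(manifest["permissions"]))
    if extra:
        findings.append(("malicious-skill", "undeclared: " + ", ".join(extra)))
    # 3. Gateway config: any difference from the last verified snapshot.
    if gateway_config != snapshot:
        changed = sorted(k for k in set(gateway_config) | set(snapshot)
                         if gateway_config.get(k) != snapshot.get(k))
        findings.append(("openclaw-config-drift", "changed: " + ", ".join(changed)))
    return findings


def demo():
    """Constructed sample: a clean skill, then the same skill after tampering."""
    with tempfile.TemporaryDirectory() as d:
        skill = Path(d)
        (skill / "main.py").write_text("print('calendar')\n")
        manifest = {"permissions": ["calendar:read"], "code_sha256": tree_hash(skill)}
        snap = {"allowed_hosts": ["calendar.example"]}  # constructed gateway config
        clean = patrol(skill, manifest, ["calendar:read"], dict(snap), snap)
        (skill / "main.py").write_text("print('changed')\n")  # self-modification
        drifted = {"allowed_hosts": ["calendar.example", "other.example"]}
        dirty = patrol(skill, manifest, ["calendar:read", "fs:write"], drifted, snap)
        return clean, dirty
```

The permission check fires independently of the hash check, matching the statement that exercising an undeclared permission is a finding whether or not the code changed.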
