tracebit-canaries
Use when the user wants to protect their workspace from credential theft, prompt injection, or data exfiltration — even if they don't mention "canaries" or "honeytokens" directly. Covers deploying Tracebit security canaries (fake decoy credentials that alert on use), detecting when they're triggered via the user's pre-authorized email tool, and human-supervised incident response. Also use when investigating a suspected compromise, hardening an agent's environment, or setting up tripwires to catch unauthorized access to sensitive files.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/alessandro-brucato-tracebit/tracebit-canary-honeytokensTracebit Canaries Skill
End-to-end security canary coverage — from signup to human-supervised incident response. You (the agent) perform setup steps yourself, with human confirmation at key decision points.
The Tracebit CLI runs a lightweight background service that refreshes canary token expiry — no other network calls or file access. When the heartbeat inbox check detects a canary alert email, you notify the human, investigate (read-only), and report.
Tracebit Community Edition is free at https://community.tracebit.com
Security & Transparency
This skill is user-initiated, user-supervised, and fully reversible. For full details — including file traceability, enforcement model, and removal — see references/security-compliance.md.
Skill file writes (created by agent instructions in SKILL.md, not by shell scripts):
/tmp/tracebit-setup-creds— temporary signup password (Step 1, chmod 600, deleted after use)HEARTBEAT.md— canary alert check block (Step 6, append)memory/security-incidents.md— incident log (playbook Phase 2.2, append-only, only on alert)
CLI writes — tracebit deploy places decoy tokens in standard credential locations, only after human confirmation. The CLI is open-source. No real credentials are read or modified.
CLI installation — SHA256-verified from official GitHub Releases only. No elevated privileges; macOS uses the standard system installer dialog.
Email — read-only search for Tracebit alerts via plugins.email.accounts. No emails sent, deleted, or modified.
Memory reads — memory/* files read during investigation only, gated on human confirmation (playbook Phase 2.4).
Background service — refreshes canary token expiry only. Runs as current user. Fully removable.
Execution Principles
You are the operator. The human is the owner.
- Confirm with the human before: starting deployment, writing credentials to disk, and rotating/remediating after incidents.
- Browser steps: use the OpenClaw managed
browsertool — verify availability first:openclaw browser --browser-profile openclaw status - Ask the human for: 2FA codes, unreadable CAPTCHAs, or missing tool configuration
Definition of Done
Not done until every item is checked:
[ ] Step 1: Tracebit account created — dashboard confirmed via browser snapshot
[ ] Step 2: CLI installed — `tracebit --version` returns a version
[ ] Step 3: CLI authenticated — `tracebit auth status` shows valid credentials
[ ] Step 4: All 5 canary types deployed
[ ] Step 5: `tracebit show` confirms all 5 active
[ ] Step 6: Heartbeat alert check block added to HEARTBEAT.md
Canaries without alert detection (Step 6) provide no protection. Do not skip it.
Setup Steps
Step 1: Sign Up
Use the browser tool — not any system-installed browser.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-alessandro-brucato-tracebit-tracebit-canary-honeytokens": {
"enabled": true,
"auto_update": true
}
}
}