Official Verified system Safety 4/5

openclaw-triage

Skill by atlaspa


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/atlaspa/openclaw-triage

What This Skill Does

The openclaw-triage skill acts as the primary forensic and investigative engine for OpenClaw workspaces. When operational anomalies occur—such as unexpected skill behavior, unauthorized file modifications, or security alerts—this skill provides the necessary tools to perform root-cause analysis. It functions as a digital detective, aggregating data from the internal OpenClaw security stack (Warden, Ledger, Signet, and Sentinel) to deliver a unified incident report. It evaluates workspace integrity by inspecting file systems, identifying malicious patterns, and determining the potential impact of an incident.

Installation

To add this capability to your agent environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/atlaspa/openclaw-triage

Make sure the tool can access your workspace directories, since it relies on them to perform its forensics. No additional dependencies outside of standard OpenClaw infrastructure are required.

Use Cases

  1. Incident Response: When a security tool triggers an alert, run the 'investigate' command to determine if the workspace has been compromised.
  2. Forensic Preservation: Before attempting to fix a broken environment, use the 'evidence' command to capture a snapshot of the current state, including file hashes and integrity logs, ensuring you have a clean record of the incident.
  3. Threat Assessment: Use the 'scope' command to determine if a potential vulnerability is localized to a single skill or if it has escalated to a systemic level within your workspace.
  4. Audit Trails: Use the 'timeline' command to audit activity over time, helping to identify when specific unauthorized changes occurred.

Example Prompts

  1. "Run a full investigation on my current workspace to see if there are any signs of unauthorized file changes."
  2. "I think something went wrong with the last deployment. Can you build a timeline of all file modifications in the workspace over the last 48 hours?"
  3. "Before I try to fix the environment, please collect all forensic evidence and save it to the /tmp/forensics directory."

Tips & Limitations

  • Proactive Monitoring: Always run the evidence command before initiating any remediation scripts to ensure you have a baseline for recovery.
  • Precision: If the tool fails to detect your workspace, manually set the OPENCLAW_WORKSPACE environment variable rather than relying on auto-detection.
  • Storage: Forensic collections can grow large if you have many files; ensure you have enough disk space when running the evidence command with custom output paths.
  • Scope: While this tool is powerful, it is designed for OpenClaw-native files; it may have limited visibility into external system-level processes outside the agent's permissioned environment.

Metadata

Author: @atlaspa
Stars: 4473
Views: 5
Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-atlaspa-openclaw-triage": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#forensics #security #incident-response #triage #monitoring
Safety Score: 4/5

Flags: file-read, file-write, code-execution