clawsecure

v1.0.2

Published

ClawSecure AI-Powered Runtime Monitoring for OpenClaw environments. Know what's in your environment. Your API keys and credentials never leave your machine.

Downloads

422

Readme

ClawSecure

AI-Powered Runtime Monitoring for OpenClaw environments.

The Problem

The OpenClaw ecosystem is experiencing a downloading frenzy. Users install skills, MCP servers, CLI tools, and entire GitHub codebases daily, often promoted by influencers and incentivized by star counts rather than security reviews. These components get immediate access to email, files, messaging platforms, code repositories, and databases. Nobody is watching what happens after the install.

The Solution

ClawSecure is a continuously running daemon that monitors your entire OpenClaw environment. It detects new installs, permission changes, configuration risks, and suspicious behavior, then provides AI-powered security analysis through your browser-based dashboard at clawsecure.ai.

When you install ClawSecure, you also get Claw, your Security WatchLobster, an OpenClaw skill that brings security awareness directly into your agent's workflow.

Quick Start

npm install -g clawsecure
clawsecure setup <your-token>
clawsecure start

Get your token from clawsecure.ai after signing up. No token? The daemon still works in offline mode, and the Claw skill's behavioral security rules protect your agent without an account.

CLI Reference

clawsecure start                  # Start the monitoring daemon
clawsecure start --profile <n>    # Monitor a specific OpenClaw profile
clawsecure start --verbose        # Enable verbose logging
clawsecure start --quiet          # Suppress non-essential output
clawsecure stop                   # Stop the running daemon
clawsecure status                 # Show daemon state, tier, component count
clawsecure setup <token>          # Save your API token
clawsecure --version              # Show package version
clawsecure --help                 # Show usage and privacy statement

Claw, Your Security WatchLobster

On first clawsecure start, the daemon automatically installs the Claw security skill into your OpenClaw environment at ~/.openclaw/skills/clawsecure/.

What Claw does inside your agent:

  • Checks new components (skills, MCP servers, tools, repos) with ClawSecure before installation
  • Provides secure installation guidance (scoped paths, sandbox-first, proper permissions)
  • Enforces behavioral security rules that protect against prompt injection and social engineering
  • Runs environment security audits on demand
  • Offers conversational hardening recommendations

Skill auto-management:

  • First start: skill files are copied automatically. No manual setup needed.
  • Subsequent starts: if a newer skill version is bundled, you are prompted to update. You can decline and the daemon continues normally.
  • If ~/.openclaw/ does not exist yet, skill installation is skipped until you set up OpenClaw.
  • The daemon never overwrites skill files you have manually customized (detected by the absence of the .clawsecure-version marker file).

Tiers

The daemon adapts its behavior based on your subscription tier. One install covers all tiers; upgrading does not require reinstallation.

Shield ($9.99/mo Founding Member pricing): Environment monitoring. The daemon watches your skills, MCP servers, CLI tools, agents, and configurations. AI-powered analysis on every change. Weekly security digest.

Sentinel ($24.99/mo Founding Member pricing): Everything in Shield, plus session log monitoring. The daemon analyzes which tools your agents invoke, detects anomalous patterns, and sends real-time alerts for suspicious activity.

Privacy

Your API keys and credentials never leave your machine.

ClawSecure strips all sensitive data locally before transmitting anything. This is architecturally enforced: the metadata stripper runs before every API call, not as an optional filter.

What IS sent to ClawSecure

  • Component names and types (skill names, MCP server names, tool names)
  • Component sources (GitHub URLs, npm package names)
  • File hashes (SHA-256, not file contents)
  • Config structure (what is enabled or disabled, not config values)
  • MCP server types and names (not credentials or connection strings)
  • Tool call names and timestamps from session logs (not conversation content)
  • Gateway settings (port, auth enabled yes/no, rate limiting yes/no)

What is NEVER sent

  • API keys, tokens, OAuth secrets, or credentials of any kind
  • Source code or file contents
  • Database connection strings
  • Personal messages or conversation content
  • Email addresses, phone numbers, or personally identifiable information
  • Raw configuration values
  • Tool call arguments, results, or content
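
The kind of local reduction the two lists above describe, as an added example that is not ClawSecure's own code: key names and booleans are kept, every other leaf value is replaced by its type unless its key is on an allowlist, and a file is represented only by its SHA-256 digest. The sample config, its key names, the allowlist and the function names are all constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample; key names are illustrative, not OpenClaw's real schema.
const sampleConfig = {
  gateway: {
    port: 8080,
    auth: { enabled: true, token: 'sk-constructed-0000' },
    rateLimit: { enabled: false },
  },
  mcpServers: {
    postgres: {
      type: 'stdio',
      enabled: true,
      env: { DATABASE_URL: 'postgres://user:pw@db.example/app' },
    },
  },
};

// Default-deny: only these keys keep their value (assumed allowlist).
const ALLOWED_VALUE_KEYS = new Set(['port', 'type']);

// Keep key names and booleans; replace every other leaf with its type.
function toStructure(value, key = '') {
  if (Array.isArray(value)) return value.map((v) => toStructure(v, key));
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, toStructure(v, k)]),
    );
  }
  if (typeof value === 'boolean' || ALLOWED_VALUE_KEYS.has(key)) return value;
  return `<${value === null ? 'null' : typeof value}>`;
}

// A file is represented by name and SHA-256 digest, never by its contents.
function fileFingerprint(name, contents) {
  const sha256 = crypto.createHash('sha256').update(contents).digest('hex');
  return { name, sha256 };
}

// Pre-send guard: return any known secret that survives in the payload.
function findLeaks(payload, knownSecrets) {
  const wire = JSON.stringify(payload);
  return knownSecrets.filter((secret) => wire.includes(secret));
}
```

Running `findLeaks` on the reduced structure with the secrets you know are in your own config is a quick way to confirm that an allowlist of this shape holds before anything is transmitted.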

Configuration

The daemon reads your OpenClaw config from ~/.openclaw/openclaw.json by default.

Environment variables:

CLAWSECURE_TOKEN          # API token (alternative to clawsecure setup)
CLAWSECURE_API_URL        # Custom API endpoint (default: https://api.clawsecure.ai)
CLAWSECURE_TIER           # Override tier for testing (shield or sentinel)
OPENCLAW_CONFIG_PATH      # Custom path to openclaw.json

Token storage: Your API token is saved at ~/.clawsecure/config.json with 0600 permissions (owner read/write only).

PID file: The daemon writes its process ID to ~/.clawsecure/daemon.pid on start and removes it on stop.
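
A local check of the two files described above, as an added example that is not part of the ClawSecure package: it confirms that config.json grants no group or other access and that daemon.pid points at a live process. The file paths come from this README; the function names are hypothetical.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Signal 0 probes for existence without delivering a signal.
function isAlive(pid) {
  try {
    process.kill(pid, 0);
    return true;
  } catch (err) {
    return err.code === 'EPERM'; // exists, but owned by another user
  }
}

// Returns a list of findings; an empty list means the checks passed.
// The default base directory is the one the README names.
function auditClawsecureDir(baseDir = path.join(os.homedir(), '.clawsecure')) {
  const findings = [];
  const tokenFile = path.join(baseDir, 'config.json');
  const pidFile = path.join(baseDir, 'daemon.pid');

  if (fs.existsSync(tokenFile)) {
    const st = fs.lstatSync(tokenFile); // lstat: do not follow symlinks
    const mode = st.mode & 0o777;
    if (st.isSymbolicLink()) {
      findings.push('config.json is a symlink');
    } else if (mode & 0o077) {
      findings.push(`config.json mode is ${mode.toString(8)}, expected 600`);
    }
    if (process.getuid && st.uid !== process.getuid()) {
      findings.push('config.json is not owned by the current user');
    }
  }

  if (fs.existsSync(pidFile)) {
    const raw = fs.readFileSync(pidFile, 'utf8').trim();
    if (!/^[1-9]\d*$/.test(raw)) {
      findings.push('daemon.pid does not contain a valid PID');
    } else if (!isAlive(Number(raw))) {
      findings.push(`daemon.pid is stale: no process ${raw}`);
    }
  }
  return findings;
}
```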

Requirements

  • Node.js 18 or later
  • An OpenClaw installation with ~/.openclaw/ directory

License

MIT. See LICENSE for details.