network-watcher

The Network Watcher is a specialized security audit module for the OpenClaw ecosystem, designed to inspect, monitor, and validate network activity initiated by installed skills. As network access serves as a primary vector for data exfiltration, this skill provides a rigorous framework for identifying unauthorized API calls, suspicious outbound connections, and potentially malicious exfiltration patterns that could compromise environment variables, source code, or sensitive system credentials. It is primarily intended for developers and security-conscious users who need to verify that a skill's network behavior aligns with its declared functionality and security posture.

• Performs comprehensive pre-install audits to verify declared network endpoints against the skill's manifest.

• Detects high-risk network patterns including connections to raw IP addresses, DNS tunneling, WebSocket usage on unknown servers, and encoded/obfuscated URL constructions.

• Analyzes runtime outbound traffic for evidence of data exfiltration, such as exfiltrating environment variables via query parameters or reading local files to send over HTTP POST requests.

• Provides a structured, evidence-based network risk report with verdicts ranging from LOW to CRITICAL.

• Evaluates adherence to safe network patterns, such as read-only API requests and standardized version checks, ensuring that outbound traffic remains within expected bounds.

• Users should define a clear whitelist of endpoints in the target skill's SKILL.md for effective auditing.

• Input expected is the target skill's SKILL.md; output is a standardized NETWORK SECURITY AUDIT report including risk levels, data flow analysis, and an approve/deny recommendation.

• Operates under the principle of least privilege, flagging any skill that combines file-read capabilities with network access as a critical security concern.

• Users are advised to utilize this module alongside --network none sandbox settings to prevent unauthorized background connections during testing.

• Designed for use within CLI environments like Codex or Claude Code, providing immediate visibility into potential supply chain threats and insecure outbound communication vectors.