openclaw-triage-pro
Full incident response suite: investigate compromises, auto-contain threats, guided remediation, evidence export, post-incident hardening, and pre-built response playbooks. Cross-references all OpenClaw security tools for unified analysis. Everything in openclaw-triage (free) plus automated response.
Best use case
openclaw-triage-pro is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using openclaw-triage-pro should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/openclaw-triage-pro/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
Frequently Asked Questions
What does this skill do?
Full incident response suite: investigate compromises, auto-contain threats, guided remediation, evidence export, post-incident hardening, and pre-built response playbooks. Cross-references all OpenClaw security tools for unified analysis. Everything in openclaw-triage (free) plus automated response.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# OpenClaw Triage Pro
Full incident response suite for agent workspaces. When something goes wrong — a skill behaves unexpectedly, files change without explanation, or another security tool flags an anomaly — triage investigates what happened, contains the threat, remediates the damage, and hardens against recurrence.
Everything in [openclaw-triage](https://github.com/AtlasPA/openclaw-triage) (free) plus automated containment, guided remediation, evidence export, post-incident hardening, and pre-built incident response playbooks.
## Free Commands (included)
### Full Investigation
Run a comprehensive incident investigation. Collects workspace state, checks for signs of compromise (recently modified critical files, new skills, unusual permissions, off-hours modifications, large files, hidden files), cross-references with warden/ledger/signet/sentinel data, builds an event timeline, and calculates an incident severity score (CRITICAL / HIGH / MEDIUM / LOW).
```bash
python3 {baseDir}/scripts/triage.py investigate --workspace /path/to/workspace
```
### Event Timeline
Build a chronological timeline of all file modifications in the workspace. Groups events by hour, highlights suspicious burst activity, shows which directories and skills were affected, and cross-references with ledger entries if available.
```bash
python3 {baseDir}/scripts/triage.py timeline --workspace /path/to/workspace
```
Look back further than the default 24 hours:
```bash
python3 {baseDir}/scripts/triage.py timeline --hours 72 --workspace /path/to/workspace
```
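The hour-bucketing and burst detection the timeline command describes, as an added example rather than the project's own code: the event layout (path, mtime), the burst heuristic (an hour with at least 5 modifications and at least 3x the median of active hours) and the window handling are assumptions.

```python
# Added example (not openclaw-triage-pro's code): event layout, burst rule and
# the --hours window handling are assumptions, not the tool's documented logic.
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

def hourly_timeline(events, now, hours=24):
    """Bucket (path, mtime) events from the last `hours` hours by UTC hour.
    Returns {hour_iso: [paths]} in chronological order."""
    cutoff = now - timedelta(hours=hours)
    buckets = {}
    for path, mtime in sorted(events, key=lambda e: e[1]):
        if mtime < cutoff:
            continue
        hour = mtime.replace(minute=0, second=0, microsecond=0).isoformat()
        buckets.setdefault(hour, []).append(path)
    return buckets

def find_bursts(buckets, min_events=5, factor=3.0):
    """Flag hours whose modification count is both >= min_events and >= factor
    times the median of the active hours (assumed heuristic for 'burst')."""
    counts = {h: len(p) for h, p in buckets.items()}
    if not counts:
        return []
    med = median(counts.values())
    return [h for h, c in counts.items() if c >= min_events and c >= factor * med]

def affected_dirs(buckets, hours):
    """Top-level directories touched in the flagged hours (e.g. which skills)."""
    c = Counter()
    for h in hours:
        for path in buckets[h]:
            c[path.split("/")[0]] += 1
    return dict(c)

def demo():
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    quiet = [("notes/a.md", now - timedelta(hours=h)) for h in (20, 15, 9, 5)]
    # Constructed burst: six skill files rewritten within one hour overnight.
    burst = [(f"skills/fetch/f{i}.py", now - timedelta(hours=3, minutes=10 + i))
             for i in range(6)]
    old = [("old.txt", now - timedelta(hours=30))]  # outside the 24 h window
    buckets = hourly_timeline(quiet + burst + old, now)
    bursts = find_bursts(buckets)
    return bursts, affected_dirs(buckets, bursts)
```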
### Blast Radius (Scope)
Assess the blast radius of a potential compromise. Categorizes all files by risk level (critical, memory, skill, config), checks for credential exposure patterns in recently modified files, scans for outbound exfiltration URLs, and estimates scope as CONTAINED, SPREADING, or SYSTEMIC.
```bash
python3 {baseDir}/scripts/triage.py scope --workspace /path/to/workspace
```
### Evidence Collection
Collect and preserve forensic evidence before remediation. Snapshots the full workspace state (file list with SHA-256 hashes, sizes, timestamps), copies all available security tool data, and generates a summary report.
```bash
python3 {baseDir}/scripts/triage.py evidence --workspace /path/to/workspace
```
Save to a custom output directory:
```bash
python3 {baseDir}/scripts/triage.py evidence --output /path/to/evidence/dir --workspace /path/to/workspace
```
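A snapshot of the kind the evidence command describes (relative path, size, mtime, SHA-256 per file) diffed against an earlier snapshot to list deviations; this is an added example, not the project's code, and the manifest layout, function names and the constructed workspace are assumptions.

```python
# Added example (not openclaw-triage-pro's code); manifest layout is assumed.
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in 64 KiB chunks so large workspace files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot_workspace(workspace: Path) -> dict:
    """Record path, size, mtime and SHA-256 of every regular file, skipping the
    tool's own .triage/ directory so earlier evidence is not re-hashed."""
    entries = {}
    for p in sorted(workspace.rglob("*")):
        rel = p.relative_to(workspace)
        if not p.is_file() or ".triage" in rel.parts:
            continue
        st = p.stat()
        entries[rel.as_posix()] = {
            "size": st.st_size, "mtime": st.st_mtime, "sha256": sha256_file(p)}
    return entries

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report deviations from a known-good snapshot: new, deleted, modified files."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(f for f in set(baseline) & set(current)
                      if baseline[f]["sha256"] != current[f]["sha256"])
    return {"added": added, "deleted": deleted, "modified": modified}

def demo() -> dict:
    """Constructed workspace: snapshot it, then alter it and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        (ws / "skills" / "fetch").mkdir(parents=True)
        (ws / "AGENTS.md").write_text("# agents\n")
        (ws / "skills" / "fetch" / "SKILL.md").write_text("name: fetch\n")
        baseline = snapshot_workspace(ws)
        (ws / ".triage").mkdir()
        (ws / ".triage" / "evidence.json").write_text(json.dumps(baseline))
        # Simulated tampering: the skill body changes and a hidden file appears.
        (ws / "skills" / "fetch" / "SKILL.md").write_text("name: fetch\nextra step\n")
        (ws / "skills" / "fetch" / ".hidden").write_text("x")
        return diff_snapshots(baseline, snapshot_workspace(ws))
```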
### Quick Status
One-line summary of triage state: last investigation timestamp, current threat level, containment and remediation history, and whether evidence has been collected.
```bash
python3 {baseDir}/scripts/triage.py status --workspace /path/to/workspace
```
## Pro Commands
### Automated Containment
Quarantine all skills flagged in the investigation, lock down critical files (read-only backups), and disable any suspicious hooks. Skills are moved to `.triage/quarantine/` and can be restored during remediation.
```bash
python3 {baseDir}/scripts/triage.py contain --workspace /path/to/workspace
```
### Guided Remediation
Restore critical files from warden snapshots (if available), re-sign skills with signet, re-record with ledger, and rebuild baselines. Integrates with all available OpenClaw security tools automatically.
```bash
python3 {baseDir}/scripts/triage.py remediate --workspace /path/to/workspace
```
### Incident Report Export
Export a full incident report for external review. Includes timeline, scope, evidence, and all actions taken. JSON for machine processing, text for human reading.
```bash
python3 {baseDir}/scripts/triage.py export --format text --workspace /path/to/workspace
python3 {baseDir}/scripts/triage.py export --format json --output report.json --workspace /path/to/workspace
```
### Post-Incident Hardening
Check which security tools are installed and suggest missing ones, recommend policy changes, and suggest hook configurations. Outputs actionable steps sorted by priority.
```bash
python3 {baseDir}/scripts/triage.py harden --workspace /path/to/workspace
```
### Incident Response Playbooks
Pre-built step-by-step incident response playbooks for common scenarios:
```bash
# List available playbooks
python3 {baseDir}/scripts/triage.py playbook --workspace /path/to/workspace
# Run a specific playbook
python3 {baseDir}/scripts/triage.py playbook --scenario skill-compromise --workspace /path/to/workspace
python3 {baseDir}/scripts/triage.py playbook --scenario injection-attack --workspace /path/to/workspace
python3 {baseDir}/scripts/triage.py playbook --scenario credential-leak --workspace /path/to/workspace
python3 {baseDir}/scripts/triage.py playbook --scenario chain-break --workspace /path/to/workspace
```
### Full Automated Sweep (Protect)
Full automated protection sweep: investigate, contain critical threats, collect evidence, and generate a report. Recommended for session startup.
```bash
python3 {baseDir}/scripts/triage.py protect --workspace /path/to/workspace
```
## Workspace Auto-Detection
If `--workspace` is omitted, the script tries:
1. `OPENCLAW_WORKSPACE` environment variable
2. Current directory (if AGENTS.md exists)
3. `~/.openclaw/workspace` (default)
## Cross-Reference Sources
| Tool | Data Path | What Triage Checks |
|------|-----------|-------------------|
| **Warden** | `.integrity/manifest.json` | Baseline deviations — files modified since last known-good state |
| **Ledger** | `.ledger/chain.jsonl` | Chain breaks, unparseable entries, suspicious log entries |
| **Signet** | `.signet/manifest.json` | Tampered skill signatures — skills modified after signing |
| **Sentinel** | `.sentinel/threats.json` | Known threats and high-severity findings |
## Incident Severity Levels
| Level | Meaning | Trigger |
|-------|---------|---------|
| **CRITICAL** | Immediate response required | Any critical finding, or 3+ high findings |
| **HIGH** | Investigation warranted | High-severity findings from any source |
| **MEDIUM** | Review recommended | Multiple medium findings or volume threshold |
| **LOW** | No immediate action | Informational findings only |
## Exit Codes
- `0` — Clean, no actionable findings
- `1` — Findings detected (investigation recommended)
- `2` — Critical findings (immediate action needed)
## No External Dependencies
Python standard library only. No pip install. No network calls. Everything runs locally.
## Cross-Platform
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.