arc-sentinel

Review·Scanned 2/17/2026

Arc Sentinel is a security monitoring toolkit that runs SSL, GitHub, breach, credential-rotation, secret-scanning and permission audits. It invokes local scripts (bash sentinel.sh, scripts/*.sh), reads sensitive files (~/.aws/credentials, ~/.docker/config.json, ~/.npmrc) and calls https://haveibeenpwned.com/api/v3/breachedaccount/... and GitHub APIs.

from clawhub.ai·v736f4e8·68.0 KB·0 installs
Scanned from 1.0.0 at 736f4e8 · Transparency log ↗
$ vett add clawhub.ai/arc-claw-bot/arc-sentinelReview findings below

Arc Sentinel

Security monitoring toolkit for OpenClaw agents. Runs automated checks against your infrastructure and reports issues.

Configuration

Before first use, create sentinel.conf in the skill directory:

cp sentinel.conf.example sentinel.conf

Edit sentinel.conf with your values:

  • DOMAINS — Space-separated list of domains to check SSL certificates
  • GITHUB_USER — GitHub username for repo audits
  • KNOWN_REPOS — Space-separated list of expected repo names (unexpected repos trigger warnings)
  • MONITOR_EMAIL — Email address for HaveIBeenPwned breach checks
  • HIBP_API_KEY — Optional; HIBP v3 API key ($3.50/mo) for automated breach lookups

Also customize credential-tracker.json with your own credentials and rotation policies. A template is provided.

Quick Start

Full scan

cd <skill-dir>
bash sentinel.sh

Output

  • Formatted report to stdout with color-coded severity
  • JSON report saved to reports/YYYY-MM-DD.json
  • Exit codes: 0 = all clear, 1 = warnings, 2 = critical

Checks

1. SSL Certificate Expiry

Check certificate expiry for configured domains. Warns at <30 days, critical at <14 days.

2. GitHub Security

  • List repos and check Dependabot/vulnerability alert status
  • Review recent account activity for anomalies
  • Flag unexpected repositories

3. Breach Monitoring (HaveIBeenPwned)

  • Query HIBP API for breached accounts (requires API key)
  • Falls back to manual check URL if no key is set

4. Credential Rotation Tracking

Read credential-tracker.json and flag credentials that are overdue, approaching expiry, or never rotated. Supports policies: quarterly (90d), 6_months (180d), annual (365d), auto.

Additional Scripts

ScriptPurpose
scripts/secret-scanner.shScan repos/files for leaked secrets and API keys
scripts/git-hygiene.shAudit git history for security issues
scripts/token-watchdog.shMonitor token validity and expiry
scripts/permission-auditor.shAudit file and access permissions
scripts/skill-auditor.shAudit installed skills for security
scripts/full-audit.shRun all scripts in sequence

Agent Usage

During heartbeats or on request:

  1. Run bash sentinel.sh from the skill directory
  2. Review output for WARN or CRITICAL items
  3. Report findings to the human if anything needs attention
  4. Update credential-tracker.json when credentials are rotated

Cron Setup

# Weekly Monday 9am
0 9 * * 1 cd /path/to/arc-sentinel && bash sentinel.sh >> reports/cron.log 2>&1

Requirements

  • openssl (SSL checks)
  • gh CLI authenticated (GitHub checks)
  • curl (HIBP)
  • python3 (JSON processing)