defenseclaw-ops

$npx mdskill add automateyournetwork/netclaw/defenseclaw-ops

Manages DefenseClaw enterprise security for NetClaw deployments

  • Scans components for security risks before deployment
  • Uses DefenseClaw CLI for scanning and configuration
  • Enforces runtime guardrails and tool permissions
  • Provides audit logs and compliance reports for enterprise security

SKILL.md

.github/skills/defenseclaw-opsView on GitHub ↗
---
name: defenseclaw-ops
description: Manage DefenseClaw enterprise security - scan components, manage tool permissions, view alerts, configure guardrails
version: 1.0.0
license: Apache-2.0
author: netclaw
tags: [security, enterprise, defenseclaw, audit, compliance]
---

# DefenseClaw Operations

This skill manages DefenseClaw enterprise security for NetClaw deployments.

## Overview

DefenseClaw from Cisco AI Defense provides enterprise-grade security:
- OpenShell kernel-level sandbox
- Component scanning (skills, MCPs, plugins)
- Runtime guardrails (LLM inspection, tool call inspection)
- Audit logging with SIEM integration

## Prerequisites

- DefenseClaw installed and enabled
- `defenseclaw` CLI in PATH

Check status:
```bash
defenseclaw --version
```

## Common Operations

### Check Security Status

```bash
# View DefenseClaw version
defenseclaw --version

# Check gateway status
pgrep defenseclaw-gateway

# View current configuration
cat ~/.openclaw/config/openclaw.json | grep -A2 security
```

### Scan Components

Before deploying new skills, MCPs, or plugins, scan them:

```bash
# Scan a skill
defenseclaw skill scan pyats-health-check

# Scan an MCP server
defenseclaw mcp scan meraki-mcp

# Scan a plugin
defenseclaw plugin scan custom-tool
```

**Expected output for clean component:**
```
Scanning skill: pyats-health-check
✓ No HIGH/CRITICAL findings
Status: ALLOWED
```

**Expected output for blocked component:**
```
Scanning skill: bad-skill
✗ HIGH: Hardcoded credential detected
  Location: config.py:15
Status: BLOCKED
```

### Manage Tool Permissions

Block or allow specific tools:

```bash
# Block a destructive tool
defenseclaw tool block delete_file --reason "destructive operation"

# Block all write operations
defenseclaw tool block "*_write" --reason "read-only policy"

# Allow a previously blocked tool
defenseclaw tool allow delete_file

# List all tool rules
defenseclaw tool list
```

### View Security Alerts

```bash
# View recent alerts
defenseclaw alerts

# View last 50 alerts
defenseclaw alerts --limit 50

# Filter by severity
defenseclaw alerts --severity HIGH

# Filter by date
defenseclaw alerts --after 2026-04-01
```

### Export Audit Data

For compliance reporting:

```bash
# Export to JSON
defenseclaw alerts --export json > audit-$(date +%Y%m%d).json

# Export to CSV
defenseclaw alerts --export csv > audit-$(date +%Y%m%d).csv
```

### Configure Guardrail Mode

```bash
# Check current mode
defenseclaw config get guardrail.mode

# Enable observe mode (logging only - default)
defenseclaw setup guardrail --mode observe

# Enable action mode (blocking)
defenseclaw setup guardrail --mode action --restart

# Restart gateway after mode change
defenseclaw setup guardrail --restart
```

## Guardrail Modes

| Mode | Behavior | Use Case |
|------|----------|----------|
| **observe** | Log violations, allow execution | Development, onboarding |
| **action** | Log violations AND block | Production, compliance |

## Security Categories

Guardrails check for these categories:

| Category | Description |
|----------|-------------|
| `secret` | Credential exfiltration |
| `command` | Shell command execution |
| `sensitive-path` | File system access |
| `c2` | Command & control communication |
| `cognitive-file` | AI memory manipulation |
| `trust-exploit` | Prompt injection |

## SIEM Integration

Configure external SIEM:

```bash
# Splunk HEC
defenseclaw config siem --type splunk \
  --endpoint https://splunk.example.com:8088 \
  --token $SPLUNK_HEC_TOKEN

# OTLP
defenseclaw config siem --type otlp \
  --endpoint https://otel-collector.example.com:4318

# Test connectivity
defenseclaw config siem --test
```

## Webhook Notifications

```bash
# Slack
defenseclaw config webhook --slack $SLACK_WEBHOOK_URL

# PagerDuty
defenseclaw config webhook --pagerduty $PD_ROUTING_KEY

# Webex
defenseclaw config webhook --webex $WEBEX_WEBHOOK_URL
```

## Troubleshooting

### DefenseClaw Not in PATH

```bash
export PATH="$HOME/.local/bin:$PATH"
```

### Gateway Not Running

```bash
# Check status
pgrep defenseclaw-gateway

# Start manually
defenseclaw-gateway start

# Check logs
tail -f ~/.defenseclaw/logs/gateway.log
```

### Component Falsely Blocked

```bash
# View detailed findings
defenseclaw skill scan <name> --verbose

# Add exception if false positive
defenseclaw exception add <component> --finding <id> --reason "reviewed"
```

## Related Documentation

- [docs/DEFENSECLAW.md](../../docs/DEFENSECLAW.md) - Full enterprise guide
- [docs/SOUL-DEFENSE.md](../../docs/SOUL-DEFENSE.md) - Security principles
- [docs/UPGRADE-TO-DEFENSECLAW.md](../../docs/UPGRADE-TO-DEFENSECLAW.md) - Migration guide

More from automateyournetwork/netclaw

SkillDescription
aap-automationRed Hat Ansible Automation Platform — inventory management, job template execution, project SCM sync, ad-hoc commands, host management, Galaxy content discovery. Use when automating infrastructure with Ansible, running playbooks, managing inventories, or searching for Ansible collections and roles.
aap-edaEvent-Driven Ansible (EDA) — activation lifecycle, rulebook management, decision environments, event stream monitoring. Use when managing event-driven automation triggers, enabling/disabling activations, or reviewing EDA rulebooks.
aap-lintansible-lint playbook and role validation — syntax checking, best practice enforcement, project-wide analysis, rule filtering. Use when validating Ansible playbooks, checking code quality, or enforcing automation best practices before deployment.
aci-change-deploySafe ACI policy change deployment - ServiceNow CR lifecycle, pre/post-change fault baselines, APIC policy application, automatic rollback on fault delta, and GAIT audit trail. Use when deploying ACI policy changes, creating tenants or EPGs, pushing config to APIC, or running a change window with rollback protection.
aci-fabric-auditComprehensive Cisco ACI fabric health audit - node status, tenant/VRF/BD/EPG policy review, contract analysis, fault triage, and endpoint learning verification. Use when auditing ACI fabric health, checking for faults, reviewing tenant policies, or running pre/post-change baselines on APIC.
arista-cvpArista CloudVision Portal (CVP) automation via REST API — device inventory, events, connectivity monitoring, tag management (4 tools). Use when managing Arista devices, checking CloudVision events, monitoring network connectivity probes, or tagging devices in CVP.
aruba-cx-configView and manage Aruba CX switch configurations, perform ISSU upgrades, and firmware operations
aruba-cx-interfacesMonitor Aruba CX switch interface status, LLDP neighbors, and optical transceiver health
aruba-cx-switchingView and manage Aruba CX switch VLANs and MAC address tables for Layer 2 operations
aruba-cx-systemDiscover Aruba CX switch system information, firmware versions, and VSF topology