Reefwatch
Continuous local security monitoring daemon for Linux and macOS.
- Rating
- 4.9 (254 reviews)
- Downloads
- 985 downloads
- Version
- 1.0.0
ReefWatch 🪸
What it does
ReefWatch is a lightweight host-based intrusion detection system (HIDS) that runs as a background daemon on the same machine as OpenClaw. It continuously monitors the local system for security threats and alerts the user through OpenClaw's messaging channels ONLY when something suspicious is detected.
Architecture
ReefWatch runs as an independent Python process (not consuming LLM tokens) and communicates with OpenClaw via the local webhook endpoint (/hooks/wake) to alert the user.
```text
[Collectors] → [Detection Engines] → [Alert Manager] → [OpenClaw Webhook] → [User]
```
Detection Engines
- YARA: File and process scanning for malware, webshells, miners, ransomware
- Sigma: Log-based detection for brute-force, privilege escalation, lateral movement
- Custom Rules: System-specific checks (file integrity, process anomalies, network connections)
Commands
Start monitoring
When the user asks to start ReefWatch or enable security monitoring:
1. Verify dependencies are installed:
```bash
pip3 install -r ~/.openclaw/workspace/skills/reefwatch/requirements.txt --quiet
```
2. Download initial rulesets (first time only):
```bash
python3 ~/.openclaw/workspace/skills/reefwatch/setup_rules.py
```
3. Start the daemon:
```bash
# Run the daemon in the background, detached from the terminal, logging to reefwatch.log.
# The webhook token is passed as a command-line argument, so it is visible in the
# process list (ps) while the daemon runs.
nohup python3 ~/.openclaw/workspace/skills/reefwatch/reefwatch_daemon.py \
  --webhook-url "http://127.0.0.1:18789/hooks/wake" \
  --webhook-token "${OPENCLAW_HOOKS_TOKEN}" \
  --config ~/.openclaw/workspace/skills/reefwatch/reefwatch_config.yaml \
  > ~/.openclaw/logs/reefwatch.log 2>&1 &
# Record the daemon's PID for the stop and status commands.
echo $! > /tmp/reefwatch.pid
```
4. Confirm to the user: "🪸 ReefWatch is now active. I'll alert you if any threats are detected."
Stop monitoring
```bash
kill $(cat /tmp/reefwatch.pid 2>/dev/null) 2>/dev/null && rm -f /tmp/reefwatch.pid
```
Check status
```bash
if kill -0 $(cat /tmp/reefwatch.pid 2>/dev/null) 2>/dev/null; then
  echo "ReefWatch is running (PID: $(cat /tmp/reefwatch.pid))"
  tail -5 ~/.openclaw/logs/reefwatch.log
else
  echo "ReefWatch is not running"
fi
```
View recent alerts
```bash
tail -20 ~/.openclaw/workspace/skills/reefwatch/alert_history.jsonl | python3 -c "import sys,json; [print(json.dumps(json.loads(l),indent=2)) for l in sys.stdin]"
```
Update rules
```bash
python3 ~/.openclaw/workspace/skills/reefwatch/setup_rules.py --update
```
Run manual scan
When the user asks to scan a specific file or directory:
```bash
python3 ~/.openclaw/workspace/skills/reefwatch/manual_scan.py --target <path>
```
Alert Format
When ReefWatch detects a threat, it wakes OpenClaw with a message like:
```text
🔴 REEFWATCH ALERT
━━━━━━━━━━━━━━━━━━
Type: Brute-force SSH attempt
Severity: HIGH
Source: auth.log
Detail: 47 failed login attempts from 192.168.1.105 in 2 minutes
Rule: sigma/ssh_brute_force
Time: 2026-02-22 15:43:21
━━━━━━━━━━━━━━━━━━
```
Forward this alert to the user immediately through their active messaging channel. If the user asks for more details, check the full log at ~/.openclaw/logs/reefwatch.log.
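An added example (not ReefWatch's code and not its actual Sigma rule) of the kind of sliding-window logic behind an alert like the one above: it counts OpenSSH `Failed password` lines per source address and renders a hit using the alert fields shown. The 10-failure threshold, the 2-minute window, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line in classic syslog format (no year). Anchoring on the line end makes
# the last "from <ip>" win, so a crafted username containing " from " cannot spoof the source.
FAILED = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
                    r"Failed password for .* from (\S+) port \d+ ssh2\s*$")

def detect_bruteforce(lines, year=2026, threshold=10, window=timedelta(minutes=2)):
    """Return {source_ip: (peak_count, time_of_peak)}; threshold/window are assumed values."""
    recent = defaultdict(deque)      # source IP -> failure times still inside the window
    peaks = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                 # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(ip, (0, None))[0]:
            peaks[ip] = (len(q), ts)
    return peaks

def format_alert(ip, count, when, window_minutes=2):
    """Render a hit with the fields of the alert shown above."""
    return "\n".join([
        "🔴 REEFWATCH ALERT",
        "Type: Brute-force SSH attempt",
        "Severity: HIGH",
        "Source: auth.log",
        f"Detail: {count} failed login attempts from {ip} in {window_minutes} minutes",
        "Rule: sigma/ssh_brute_force",
        f"Time: {when:%Y-%m-%d %H:%M:%S}",
    ])

def sample_log():
    """Constructed auth.log lines: 47 failures from one host within 92 seconds, plus noise."""
    start = datetime(2026, 2, 22, 15, 41, 49)
    lines = [f"{start + timedelta(seconds=2 * i):%b %d %H:%M:%S} host sshd[{4000 + i}]: "
             f"Failed password for invalid user admin from 192.168.1.105 port {50000 + i} ssh2"
             for i in range(47)]
    lines += [f"Feb 22 15:42:0{i} host sshd[5000]: Failed password for root "
              f"from 10.0.0.7 port 40222 ssh2" for i in range(3)]
    lines.append("Feb 22 15:42:30 host sshd[5001]: Accepted publickey for alice from 10.0.0.8 port 40300 ssh2")
    return sorted(lines)
```

Calling `detect_bruteforce(sample_log())` flags only 192.168.1.105; the three failures from 10.0.0.7 stay below the threshold and the successful login is ignored.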
Important Notes
- ReefWatch does NOT consume LLM tokens while monitoring. It only triggers OpenClaw when alerting.
- On macOS, some collectors require granting Full Disk Access or specific permissions.
- YARA scanning can be CPU-intensive; default config scans changed files only, not full disk.
- The daemon auto-recovers if a collector fails; it logs the error and continues with remaining collectors.
- All data stays local. ReefWatch never sends system data to external servers (only to OpenClaw's local webhook).
Installation
```bash
openclaw install reefwatch
```
Quick Info
Category Development
Model Claude 3.5
Complexity One-Click
Author yasnaak
Last Updated 3/10/2026