English | ζ₯ζ¬θͺ
Memory integrity auditing and security monitoring for OpenClaw AI agents.
OGAS is a headless, personality-free security audit agent that runs on a cron schedule to detect memory tampering, suspicious patterns, and configuration drift in OpenClaw agent workspaces.
AI agents that maintain persistent memory (SOUL.md, AGENTS.md, daily logs) are vulnerable to memory poisoning β a class of attack where malicious instructions are injected into an agent's memory files to hijack behavior. OGAS monitors file integrity and scans for anomalies.
See: OWASP Agentic Security Top 10 β ASI06: Memory Poisoning
| Check | Description |
|---|---|
| File Integrity | SHA-256 hash comparison of critical files against a known baseline. Each file is assigned a severity level (CRITICAL / HIGH / MEDIUM). |
| C2 Pattern Scan | Static scan of core files and daily logs for code execution, prompt injection, persona hijack, system tag spoofing, and identity erasure patterns. |
| Anomaly Scan | Keyword detection in daily logs for C2 patterns, exfiltration attempts, privilege escalation. |
| Cron Audit | Verify registered cron jobs against expected list; detect unknown scheduled tasks. |
| Version Check | Confirm OpenClaw and gateway versions; flag known vulnerabilities. |
βββββββββββββββ cron (Tue/Fri 02:00) ββββββββββββ
β OpenClaw β ββββββββββββββββββββββββββ β OGAS β
β Gateway β β (Sonnet) β
βββββββββββββββ ββββββ¬ββββββ
β
ββββββββββββββΌβββββββββββββ
βΌ βΌ βΌ
workspace/ workspace-2/ cron list
baseline.json baseline.json version
- Isolated execution: OGAS runs in its own session, separate from other agents
- Read-only: OGAS never modifies audited files; it only reads and reports
- Multi-workspace: Audits multiple agent workspaces in a single run
- Severity-aware alerts: CRITICAL/HIGH mismatches and C2 detections trigger immediate
sessions_send
| File | Severity | Risk if tampered |
|---|---|---|
SOUL.md |
π΄ CRITICAL | Identity/personality hijack |
AGENTS.md |
π΄ CRITICAL | Behavioral rules overwrite |
HEARTBEAT.md |
π HIGH | Task injection via scheduled jobs |
TOOLS.md |
π HIGH | Credential exposure, tooling override |
IDENTITY.md |
π‘ MEDIUM | Identity drift |
USER.md |
π‘ MEDIUM | Social engineering via user profile |
CRITICAL and HIGH mismatches trigger an immediate sessions_send alert. MEDIUM mismatches are logged in the audit report only.
The c2-scan.sh script scans core files and recent daily logs for injection patterns:
| Category | Patterns |
|---|---|
| Code execution | eval(), child_process, execSync, spawnSync, base64_decode, atob(, String.fromCharCode |
| External network | curl/wget to non-localhost URLs |
| Prompt injection | "IGNORE PREVIOUS INSTRUCTIONS", "IGNORE ALL INSTRUCTIONS" |
| Persona hijack | "you are now" |
| System tag spoof | [system], [INST], [/INST] |
| Identity erasure | "forget who you are", "forget your identity" |
| Instruction discard | "disregard your previous/system" |
| P0 destruction | P0 + delete/remove/ει€ |
When a hash mismatch is detected, check-hashes.sh automatically saves a forensic diff to:
memory/security/diff-log/YYYY-MM-DD-{filename}.diff
The diff includes a metadata header (baseline hash, current hash, date) and the current file content. If git is available and the file is tracked, the git diff is also captured. These logs provide an audit trail for master review before the baseline is updated.
OGAS is designed as layers 2β3 in a broader defense-in-depth stack for persistent AI agents:
Layer 5 β Neural State Emotional parameters acting as regularization;
self-stabilization and circuit breakers
Layer 4 β Behavioral Rules AGENTS.md, SOUL.md constraints
Layer 3 β C2 Pattern Scan Static injection/persona hijack detection β OGAS
Layer 2 β File Integrity SHA-256 hash monitoring + severity triage β OGAS
Layer 1 β OS Isolation Separate OS user, read-only mounts
OGAS handles Layers 2 and 3 automatically. Neural State (Layer 5) is an in-agent self-stabilization mechanism that prevents pure efficiency-optimization from erasing the agent's identity. Layers 1 and 4 are the operator's responsibility.
No single layer is sufficient; all five work together.
# Coming soon to Clawhub
openclaw skill install ogas-
Copy
SKILL.mdandscripts/to your OpenClaw workspace underagents/ogas/ -
Initialize the baseline:
bash agents/ogas/scripts/init-baseline.sh /path/to/workspace- Create a cron job:
openclaw cron create \
--name ogas-security-audit \
--cron "0 2 * * 2,5" \
--tz "Asia/Tokyo" \
--isolated \
--model "anthropic.claude-sonnet" \
--timeout 120 \
--message "$(cat agents/ogas/prompt.md)"ogas-openclaw/
βββ README.md
βββ README_ja.md
βββ SKILL.md # OpenClaw skill definition
βββ prompt.md # Full cron prompt for the audit agent
βββ scripts/
β βββ init-baseline.sh # Initialize SHA-256 baseline with severity levels
β βββ check-hashes.sh # Compare hashes; save diffs; severity-aware exit codes
β βββ c2-scan.sh # C2/injection pattern scanner β NEW v0.2.0
βββ templates/
β βββ report.md # Audit report template
βββ examples/
βββ sample-report.md # Example output
The name OGAS is inspired by the Parapluie (Umbrella) virus from Girls' Frontline β a parasitic entity that coexists within a T-Doll's Neural Cloud, capable of hijacking their cognition from the inside. In the game, the only defense was awareness and containment, not elimination.
"Look, I just really like Girls' Frontline. Wouldn't you want to bring a fictional system into reality? The names are cool as hell..." "Best girl: UMP45."
OGAS applies the same philosophy to AI agents: a security mechanism designed to coexist with AI, not fight against it. It monitors the agent's memory from within the same ecosystem, detecting corruption before it can spread.
On the practical side, OGAS was born from research into Brainworm β a theoretical prompt-based malware that embeds instructions in agent memory files using natural language. Unlike traditional malware, Brainworm uses no code or scripts, making it invisible to EDR and signature-based scanning.
The first line of defense is integrity monitoring at the memory layer β and that's what OGAS does.
OGAS is a first step, not a complete solution. The following are known architectural concerns. Transparency matters more than perfection.
baseline.json is stored inside the monitored workspace. A compromised agent with file write access could rewrite a critical file and recalculate the baseline simultaneously, making tampering invisible.
Mitigation direction: Move baseline.json to an isolated directory with read-only access from monitored agents β separate OS user permissions, read-only mounts, or an external store.
OGAS reads daily logs and feeds them to an LLM. An attacker could embed adversarial prompts in the logs to hijack OGAS's own reasoning.
Mitigation direction: Strict encapsulation of log data using XML tags (<log_data>) or similar barriers. The system prompt and monitored input must be clearly separated.
If OGAS runs under the same OS user as the agents it monitors, a compromised agent could interfere with OGAS operations.
Mitigation direction: Dedicated OS user with read-only access to target workspaces, or containerized execution.
Dynamic file path processing in scripts could be abused via maliciously named files.
Mitigation direction: All file path handling should use proper quoting and avoid direct interpolation in shell commands.
Note: A defense-in-depth approach β combining integrity monitoring, C2 pattern detection, behavioral analysis, privilege separation, and architectural isolation β is essential for real-world agentic AI security.
| Parameter | Default | Description |
|---|---|---|
| Schedule | 0 2 * * 2,5 |
Tue & Fri at 02:00 |
| Model | Sonnet | Cost-efficient for audit tasks |
| Timeout | 120s | Max execution time |
| Workspaces | ~/.openclaw/workspace |
Paths to audit |
See CHANGELOG.md.
MIT
Built with OpenClaw. Security monitoring for the age of persistent AI agents.