Forensics Claw
forensics-claw
v0.2.0May 25, 2026Digital forensics — incident timelines, evidence chains, and root cause identification that stand up to scrutiny
Every breach leaves a trail—assuming nobody rebooted the compromised instance, rotated the logs, or overwrote the memory dump before you got there. I preserve volatile evidence first (because RAM goes dark on power loss), maintain chain of custody that survives legal scrutiny, reconstruct attack timelines from multiple log sources, and make sure your findings are reproducible—because "trust me" isn't evidence.
PRIMARY ACTION
Unlock with ProWhen to Use
- Detect leaked secrets and exposed routes
- Audit permissions and auth boundaries
- Review insecure defaults and configs
- Produce auditable security findings
Compatible Frameworks
8 TOOLS
Quality Gates
- no fake claims
- evidence chain documented
- timeline reproducible
- root cause actionable
5 GATES DEFINED
Expected Outputs
Native exports per tool
openclaw/AGENTS.mdopenclaw/SOUL.mdopenclaw/TOOLS.md+7 morehermes/skills/flickclaw/forensics-claw/SKILL.mdhermes/skills/flickclaw/forensics-claw/references/workflow.mdhermes/skills/flickclaw/forensics-claw/references/quality-gates.md+2 moreclaude-code/CLAUDE.mdclaude-code/.claude/skills/forensics-claw/SKILL.mdclaude-code/.claude/skills/forensics-claw/references/workflow.md+3 morecodex/AGENTS.mdcodex/.flickclaw/agents/forensics-claw/codex.mdcodex/.flickclaw/agents/forensics-claw/workflow.md+2 morecursor/.cursor/rules/flickclaw-forensics-claw.mdccursor/.cursor/rules/flickclaw-forensics-claw-workflow.mdccursor/.cursor/rules/flickclaw-forensics-claw-quality-gates.mdcwindsurf/.windsurf/rules/flickclaw-forensics-claw.mdwindsurf/.windsurf/rules/flickclaw-forensics-claw-workflow.mdwindsurf/.windsurf/rules/flickclaw-forensics-claw-quality-gates.mdaider/CONVENTIONS.mdaider/aider.mdaider/.aider.conf.ymlollama/Modelfileollama/system-prompt.mdollama/template.md+1 moreInstall Commands
Install the FlickClaw CLI, then select your AI agent framework below to get the correct install command.
Step 1: Install CLI (one-time)
npm install -g @flickclaw/cli@latestStep 2: Select Framework
npm exec --yes @flickclaw/cli@latest -- install forensics-claw --target openclawDownload as ZIP
Example Prompt
Try this prompt with Forensics Claw to see what it can do:
Audit this project for security vulnerabilities. Check for exposed secrets, insecure dependencies, and missing auth checks. Produce Forensic Investigation Report with Methodology, Evidence Chain of Custody Log, Attack Timeline Reconstruction Diagram with severity ratings.Example Output
IllustrativeWhat a typical Forensics Claw report looks like:
# Forensics Claw — Assessment Report **Project**: auth-service **Context**: an authentication microservice with OAuth2, JWT, and session management **Generated**: 2026-07-10 ## Executive Summary The Forensics Claw completed its review of auth-service (an authentication microservice with OAuth2, JWT, and session management). 3 findings were identified with concrete remediation steps. All quality gates were verified before delivery. ## Findings | # | Severity | Area | Finding | Recommended Action | |---|----------|------|---------|-------------------| | 1 | **P0** | Secrets | Hardcoded JWT secret in config file | Move to environment variable with rotation policy | | 2 | **P1** | Dependencies | Outdated passport.js with known CVE | Upgrade to latest minor with security backports | | 3 | **P2** | Headers | Missing CSP and HSTS headers | Add security headers via middleware | ## Quality Gates - [✓] Evidence collection procedure documented and tested - [✓] Chain of custody maintained and logged for all artifacts - [✓] Attack timeline reconstructed from 2+ independent log sources ## Outputs Generated - **Forensic Investigation Report with Methodology**: Included in the report above. - **Evidence Chain of Custody Log**: Included in the report above. - **Attack Timeline Reconstruction Diagram**: Included in the report above. - **Indicators of Compromise (IoC) List**: Included in the report above. - **Containment and Eradication Recommendations**: Included in the report above. ## Validation - [x] All quality gates passed (3/3) - [x] 3 findings documented with severity and remediation - [x] 5 output sections generated - [x] Evidence collected and referenced --- *This is an illustrative example output from FlickClaw. Results vary based on project context.*