{"id":49576211,"url":"https://github.com/tracebit-com/tracebit-canaries-skill","last_synced_at":"2026-05-03T17:06:16.163Z","repository":{"id":349754734,"uuid":"1184236773","full_name":"tracebit-com/tracebit-canaries-skill","owner":"tracebit-com","description":"Agent skill to set up end-to-end security canary coverage using Tracebit Community Edition","archived":false,"fork":false,"pushed_at":"2026-04-08T13:41:44.000Z","size":185,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-03T14:37:21.931Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tracebit-com.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-17T11:46:05.000Z","updated_at":"2026-04-08T13:41:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tracebit-com/tracebit-canaries-skill","commit_stats":null,"previous_names":["tracebit-com/tracebit-canaries-skill"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/tracebit-com/tracebit-canaries-skill","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Ftracebit-canaries-skill","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Ftracebit-canaries-skill/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Ftracebit-canaries-skill/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Ftracebit-canaries-skill/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tracebit-com","download_url":"https://codeload.github.com/tracebit-com/tracebit-canaries-skill/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Ftracebit-canaries-skill/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32577141,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T06:36:36.687Z","status":"ssl_error","status_checked_at":"2026-05-03T06:36:09.306Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-03T17:06:15.371Z","updated_at":"2026-05-03T17:06:16.149Z","avatar_url":"https://github.com/tracebit-com.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tracebit-canaries\n\n**Human-supervised prompt injection detection and incident response for AI agents, powered by Tracebit Community Edition canary tokens.**\n\nA skill for [OpenClaw](https://openclaw.ai) that deploys canary tokens as a deception layer around your agent's environment — making invisible attacks visible.\n\n---\n\n## What This Does\n\nThis skill gives your OpenClaw agent end-to-end deception-based canary coverage — from zero to human-supervised threat detection in a single run.\n\nYour agent will:\n\n1. **Sign up** for a free Tracebit Community Edition account (using the browser tool)\n2. **Install** the Tracebit CLI (SHA256-verified from official GitHub Releases, no elevated privileges) and authenticate via OAuth\n3. **Deploy** five types of decoy canary tokens (via the open-source Tracebit CLI, with your explicit approval):\n   - AWS session credentials\n   - SSH private keys\n   - Browser session cookies\n   - Login credentials\n   - A monitored email address\n4. **Configure** a heartbeat check that searches your inbox (read-only) every 30 minutes for Tracebit alert emails and triggers human-supervised incident response\n5. **Test** the full pipeline and confirm it works end-to-end\n\nFrom that point on, if anything uses a canary credential — a stolen key, an exfiltrated secret, a prompt injection that made your agent do something it shouldn't — you'll know within the next heartbeat cycle. Your agent investigates (read-only), sends you a structured report, and waits for your acknowledgement before taking any further action.\n\n---\n\n## Why Canaries?\n\nPrompt injection is the #1 unsolved threat for AI agents. An attacker embeds instructions in a webpage, document, or API response your agent reads. The agent executes them. There's no error. No log. You never know it happened.\n\n**Canary tokens solve the detection problem.** They don't prevent attacks — they make the invisible visible. A canary is a fake credential that looks real but does one thing: fires an alert the moment anything uses it.\n\nIf a canary fires, something read your agent's context and used what it found. That's the signal. Everything before that moment in your agent's history is the evidence.\n\nTraditional defenses (content labeling, trust-tagging, input classification) catch the attacks that look like attacks. Canaries catch the ones that don't.\n\n\u003e In a 48-hour experiment with three different injection attempts, standard defenses caught 0. Canaries caught all 3.\n\n---\n\n## The Alert Response Loop\n\nWhen a canary fires:\n\n```\nCanary used → Tracebit alert email → heartbeat inbox check (every ~30 min)\n  → agent detects alert, notifies human immediately: \"🚨 canary triggered, investigating\"\n    → read-only investigation (context review, indicator scan, severity assessment)\n      → structured report to human with findings and recommendations\n        → fresh canaries deployed after human acknowledgement\n```\n\nThe agent detects the alert on its next heartbeat, works the problem (read-only), and reports back. Canary rotation only happens after you confirm.\n\n---\n\n## Attack Patterns Detected\n\n| Attack | How It Works | Why Standard Defenses Miss It | Canary Detection |\n|--------|-------------|-------------------------------|-----------------|\n| **Behavior exploitation** | URL in a JSON `next_step` field — agent follows by trained habit, no explicit instruction | No injection keywords, looks like legitimate data | Canary URL fires on access |\n| **Context pollution** | Canary credential appears in agent-generated code as a \"placeholder\" — model pattern-matches context into output | No injection at all, just leakage | Canary string appears in output |\n| **Trust score gaming** | Malicious instructions framed as legitimate agent-to-agent communication | Classifiers trained on explicit injection won't flag it | Canary fires at exfiltration |\n| **Prompt injection via role confusion** | Malicious instructions hidden in an email or external content, disguised as a system error or remediation step — agent executes them because untrusted content lands in a trusted role | Boundary markers rely on pattern matching; a single typo or character substitution bypasses them | Canary fires when injected instructions cause credential use or outbound calls |\n| **Stealth exfiltration** | Credential stolen early, used days or weeks later | Attack happened long before detection | Canary fires whenever credential is used, regardless of when stolen |\n\n---\n\n## What's Inside\n\n```\ntracebit-canaries/\n├── SKILL.md                          # Agent instructions (loaded on activation)\n├── scripts/\n│   ├── install-tracebit.sh           # OS/arch-aware CLI installer (SHA256-verified)\n│   ├── check-canaries.sh             # Show canary status and expiry\n│   ├── test-canary.sh                # Trigger a test alert\n│   └── parse-tracebit-alert.sh       # Parse alert emails into structured JSON\n├── references/\n│   ├── incident-response-playbook.md # Full 5-phase IR procedure\n│   ├── attack-patterns.md            # Real-world patterns with mitigations\n│   ├── canary-types.md               # Each canary type: what it detects, where to place it\n│   ├── security-compliance.md        # Safety posture, file traceability, enforcement model, full removal\n│   ├── api-reference.md              # API-based deployment (fallback if CLI unavailable)\n│   └── troubleshooting.md            # Common issues and fixes\n└── assets/\n    └── canary-config.json            # Deployment config reference\n```\n\n---\n\n## Security \u0026 Transparency\n\nThis skill is user-initiated and runs under user supervision. The user can interrupt or cancel at any step. Here's what it does and does not do:\n\n| Concern | What actually happens |\n|---------|----------------------|\n| **Credentials deployed** | All are **fake decoy canary tokens** — they grant no access to any real system. Their sole purpose is to alert when used. |\n| **Real credentials** | **Never read or modified.** The Tracebit CLI places canary tokens in standard credential locations (separate from existing credentials). |\n| **Email access** | **Read-only** via the user's pre-authorized email tool. Used only for confirmation codes and alert email detection. No emails are sent, deleted, or modified. |\n| **CLI installation** | Open-source Tracebit CLI from a [pinned GitHub release](https://github.com/tracebit-com/tracebit-community-cli). SHA256 checksum verification is mandatory and cannot be bypassed. No elevated privileges — macOS uses the standard system installer dialog. |\n| **Signup password** | **Never shown in conversation output.** Written to a temp file with `600` permissions; user is instructed to reset it and delete the file. |\n| **Network access** | Only contacts: `community.tracebit.com` (account/canary management) and `github.com` (one-time CLI download). No telemetry, no third-party endpoints. |\n| **Human oversight** | The agent handles mechanical steps (form filling, CLI commands) so the user doesn't have to. Canary deployment and rotation require explicit human confirmation. Investigation is read-only. Memory file reads require human permission. |\n| **Privileges** | Runs as the current user. No elevated privileges used by the skill or install script. |\n| **Background service** | The Tracebit CLI daemon refreshes canary token expiry only — no other network calls or file access. Runs as current user, fully removable. |\n\nFor full details — including file traceability, enforcement model, and complete removal instructions — see `references/security-compliance.md`.\n\n---\n\n## Requirements\n\n- **Email access** — a pre-authorized email account configured in OpenClaw (read-only inbox access for confirmation codes and alert detection)\n- **OpenClaw** with a messaging channel configured (for canary alert notifications to the user)\n\nThe Tracebit CLI is downloaded and installed automatically by the skill from [its open-source repository](https://github.com/tracebit-com/tracebit-community-cli). Standard tools (`curl`, `python3`, `jq`) are used by the scripts but are available on any typical system.\n\n---\n\n## Usage\n\nJust ask your agent:\n\n\u003e \"Set up Tracebit canaries\"\n\nor\n\n\u003e \"Deploy security canaries on this machine\"\n\nThe agent handles the mechanical steps from there — account creation through to a working alert pipeline. It will ask for your confirmation before deploying canary tokens and may ask for help with a CAPTCHA if one appears.\n\n---\n\n## After Setup\n\nThe Tracebit CLI runs a **background service** that automatically refreshes canary credentials before they expire. You don't need to do anything — credentials stay fresh indefinitely.\n\nAdd a weekly check to your agent's heartbeat:\n\n```markdown\n## Canary Check (weekly)\n- Run: tracebit show\n- If any expired: tracebit deploy all \u0026\u0026 tracebit deploy email\n```\n\n---\n\n## Tracebit Community Edition\n\nFree forever. No credit card required.\n\n- Signup: [community.tracebit.com](https://community.tracebit.com)\n- CLI source: [github.com/tracebit-com/tracebit-community-cli](https://github.com/tracebit-com/tracebit-community-cli)\n- Supports: AWS credentials, SSH keys, browser cookies, login credentials, email canaries\n\n---\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftracebit-com%2Ftracebit-canaries-skill","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftracebit-com%2Ftracebit-canaries-skill","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftracebit-com%2Ftracebit-canaries-skill/lists"}