Skip to content

Add OpenClaw & MCP #2

Open
Franzferdinan51 wants to merge 32 commits into
cloudweaver:mainfrom
Franzferdinan51:main
Open

Add OpenClaw & MCP #2
Franzferdinan51 wants to merge 32 commits into
cloudweaver:mainfrom
Franzferdinan51:main

Conversation

@Franzferdinan51

Copy link
Copy Markdown

added a way for openclaw to use this and report on demand as well as a MCP for lm studio this should help people work thru thoughts about situations on the fly thats what i have been using it for so far i used my openclaw to help build this its running (MiniMax M2.5) so i hope this helps someone out their

Franz and others added 30 commits March 1, 2026 22:32
…AI provider support, WebUI with Leaflet map, persistent settings
- src/regions.ts: 44 regions (was 7), all 6 continents, sub-regional granularity
- src/sources/rss.ts: NEW RSS/Atom feed parser + 30-feed registry
- src/sources/intel.ts: NEW USGS earthquakes, GDACS disasters, NWS weather, Open-Meteo
- src/http.ts: rewired to use new modules, added /osint /snapshot /earthquakes /gdacs /weather endpoints
- README.md: full v2.0 documentation with all endpoints
- .env.example: OPENSKY_API_KEY added

Replaces broken HTML scraping (Reuters, AP, Al Jazeera) with stable RSS feeds.
Google News RSS used as proxy for sources whose RSS is geo-blocked or dead.
All endpoints verified working: 28/30 feeds live, 21917 flights tracked, 15 M4.5+ quakes, 100 GDACS events.
- src/sources/intel.ts: fetchDefconLevel() — parses defconlevel.com current level
- src/http.ts: new GET /defcon endpoint, DEFCON woven into /osint summary and /snapshot
- README.md: v2.1 banner, document /defcon endpoint
- v2.1.0-lobster

Fixes the gap where the OpenClaw evening brief and topic configs (osint-news.md,
ww3-sitrep.md, HEARTBEAT.md) all list defconlevel.com as a source but no actual
fetcher was wired up. 15-minute cache. Current level = DEFCON 3.
…elegram

9 new endpoints ported from github.com/simplifaisoul/osiris into ClawdWatch
Lobster Edition's Node.js / API-only style. All endpoints tested end-to-end
via scripts/test-endpoints.js (24/24 pass).

New endpoints:
  GET /sanctions?q=<name>     OFAC SDN + OpenSanctions person/org/vessel (needs API key)
  GET /crypto/btc/:address    BTC wallet trace via blockstream.info (no key)
  GET /crypto/eth/:address    ETH wallet trace via Blockscout (no key)
  GET /fires?hours=24&region  NASA FIRMS active fire hotspots (needs API key)
  GET /cve/:id                NVD CVE detail lookup (no key)
  GET /cve/recent?days=7      recently modified CVEs (no key)
  GET /whois/:domain          RDAP lookup (no key)
  GET /dns/:domain            A/AAAA/MX/TXT/NS/CNAME via Google DoH (no key)
  GET /telegram/:channel      public Telegram channel recent messages (no key)

Plus:
  - .env.example updated with OPENSANCTIONS_API_KEY + FIRMS_MAP_KEY hints
  - scripts/test-endpoints.js covers all 24 endpoints, fails fast on regression
  - / endpoint version bumped to 2.2.0-lobster, endpoint list expanded

No existing functionality changed. All 15 v2.1 endpoints still pass.
…er-threats, geo, air-quality)

New endpoints (all free, no API keys required):
- /space-weather        NOAA SWPC Kp index + solar flares + geomagnetic alerts
- /sentinel             Sentinel-1/2 satellite imagery search via Element84 STAC
- /satellites           Celestrak TLE catalog (stations, weather, starlink, etc.)
- /cyber-threats        CISA Known Exploited Vulnerabilities (recent KEV)
- /geo                  IP geolocation (3-provider cascade: ipapi.co → freeipapi.com → ipwho.is)
- /air-quality          Open-Meteo current AQI for 22 major global cities

Fixes:
- /sentinel: removed bad sortby field (Element84 STAC doesn't sort on 'datetime')
- /geo: fixed ASAS → AS prefix in ASN formatting
- /air-quality: switched from retired OpenAQ v2 to working Open-Meteo API

All 31 endpoints registered. Test harness passes 30/30 (2 endpoints need API keys, return 404).
…AC auto-flag, opt-in port scanner

New endpoints:
- /ssl/:host          SSL/TLS certificate inspector (Node tls module, free, no key)
                       Returns full cert chain: subject, issuer, validity dates, SHA-256,
                       SHA-1 fingerprints, SANs, self-signed detection, expiry warnings
- /news/live          Live broadcast network catalog (15 global 24/7 news streams)
                       Static feed list with embeddable/external split, lat/lng for mapping
- /ofac/check?q=      Single-value OFAC SDN cross-check (returns null without API key)
- POST /ofac/refresh  Reload OFAC cache from OpenSanctions (needs OPENSANCTIONS_API_KEY)
- /scan?host=&ports=  TCP port scanner with SSRF guards (default OFF)

OFAC auto-flag integration:
- /whois/:domain      Each registrant entity now has 'ofac_sanctioned' boolean
- /geo?ip=            Response includes 'ofac_sanctioned' for the queried IP
- /crypto/btc/:addr   Response includes 'ofac_sanctioned' for the wallet address
- /crypto/eth/:addr   Response includes 'ofac_sanctioned' for the wallet address
Without OPENSANCTIONS_API_KEY, all auto-flags degrade to null (graceful)

Port scanner safety:
- Default OFF via PORT_SCAN_ENABLED=false
- SSRF guards block private IPs (10.x, 192.168.x, 172.16-31.x, 127.x, 169.254.x,
  IPv6 ::1, fc00::/7, fe80::/10, 224.x) unless PORT_SCAN_ALLOW_PRIVATE=true
- 31-port default scan + banner grabbing for service fingerprinting
- 3s timeout per port, parallel probes

Test results: 34/34 endpoints pass (was 22/24 before). Includes /scan disabled-state.
…fix 'ME-focused' misnomer

ClawdWatch Lobster Edition is GLOBAL (44 regions, 6 continents), not ME-focused.
Old README incorrectly stated 'ME-focused' and lacked:

- Provenance section crediting cloudweaver/clawdwatch (upstream) + OSIRIS (inspiration)
- 15 OSIRIS-derived endpoints (was undocumented)
- RECON Toolkit (SSL, live news, OFAC auto-flag, port scanner)
- Feature toggle documentation (SANCTIONS_ENABLED, FIRES_ENABLED, PORT_SCAN_ENABLED)
- OFAC auto-flag behavior (null vs false, graceful degradation)
- Port scanner SSRF guard behavior
- Live broadcast network catalog
- Consumption pattern (how the agent actually uses it)
- v2.2 → v2.4 changelog

Kept the lobster voice: ASCII art banner, 'all-seeing OSINT agent' tagline,
'in the fog of war, be the one who sees clearly' closer, all 🦀 emoji.

Updated:
- Version banner: v2.1 → v2.4
- Project structure: includes osiris.ts, mcp-clawdwatch/ path fixed, test harness noted
- Scripts: added test-endpoints.js
- News table: 30 feeds labeled as global (was ambiguously sorted)
- Added explicit credits section
Was hardcoded '2.1.0-lobster' in /status and /snapshot, '2.2.0-lobster' in
/. The server-log banner was already v2.4. Align everything.
The MCP server only knew about 6 hardcoded tools (status, flights, news,
osint, conflict, regions). The other 31 endpoints we shipped in v2.2-v2.4
(DNS, WHOIS, SSL, CVE, crypto, sanctions, fires, telegram, OFAC, scan,
sentinel, satellites, cyber-threats, geo, air-quality, space-weather, live
news, etc.) were unreachable through MCP.

Rewrote mcp-clawdwatch/index.mjs:
- Fetches GET / on startup and parses the live endpoint catalog
- Auto-generates one MCP tool per HTTP endpoint (clawdwatch_<key>)
- Auto-extracts path params (':domain', ':address') into inputSchema.required
- Auto-extracts query params ('?host=&ports=') into inputSchema.properties
- Auto-detects type (number for days/hours/limit/etc., string otherwise)
- Supports POST endpoints (e.g. /ofac/refresh) with correct method
- Override backend URL via CLAWDWATCH_URL env var
- Uses native Node fetch (drops node-fetch dependency)

Verified end-to-end with JSON-RPC stdio test:
- initialize → server reports clawdwatch v2.4.0-lobster
- tools/list → 37 tools (was 6)
- clawdwatch_whois github.com → 200, real RDAP data
- clawdwatch_sslInspect github.com → TLSv1.3, 41 days to expiry
- clawdwatch_scan host=github.com → blocked with clear reason

Other:
- mcp-clawdwatch/package.json: install missing @modelcontextprotocol/sdk,
  fix main/start to point at index.mjs (was index.js)
- mcp-clawdwatch/.gitignore: exclude node_modules/
- README.md: updated MCP section to note auto-sync + 37 tools
- regions.ts: +18 country-level regions
  * Africa: sudan, nigeria, ethiopia, drc, kenya, tanzania, south_africa
  * Europe: poland, greece, spain
  * Asia: vietnam, indonesia, philippines, myanmar
  * Americas: venezuela, colombia, cuba
  * Oceania: papua_new_guinea
- cli.ts: full rewrite (797 lines of dead code referencing
  RegionName/getRegionDefinition/listRegionDefinitions/resolveRegionInputs →
  290 lines that use the live HTTP API). Old version failed
  'npx tsc --noEmit' with 5 errors. New version supports:
  * npm run regions [--group <g>] [--json]
  * npm run snapshot [--region X] [--json] [--base http://...]
  * npm run status
- src/http.ts: bump version to 2.5.0-lobster (3 places)
- README.md: update region counts everywhere (44→62), add
  comprehensive OpenSanctions setup section (hosted API key
  5-min path + on-prem Docker yente path), add v2.5 changelog
- .env.example: expanded OpenSanctions docs with the on-prem
  Docker yente setup recipe, optional OPENSANCTIONS_BASE_URL
  for self-hosted
- package.json: bump version to 2.5.0-lobster
- delete src/cli.ts.bak (dead backup)

All 18 new regions tested live via /regions and CLI.
npx tsc --noEmit is clean. MCP catalog still auto-syncs 37 tools.
EOF
DuckHive added 2 commits June 29, 2026 15:30
…t, and clawdwatch-threat-brief skill

- src/alerts/defcon.ts: new DefconAlertHandler class with Telegram/Slack
  dispatch, cooldown/escalation state machine, env-var factory
- src/sources/intel.ts: add DEFCON_SCORE_1-5 constants, defconScore(),
  full DEFCON 4 & 5 descriptions, threatScore field in DefconStatus
- src/http.ts: enrich GET /defcon with threatLevel + thresholds table,
  add GET /defcon/score for lightweight numeric response
- skills/clawdwatch-threat-brief/: new skill (v0.2.0)
  - SKILL.md: threat brief procedure and verification
  - references/defcon-alert-flow.txt: state machine + channel rules
  - references/threat-score-ref.txt: interface, endpoints, scoring map
  - scripts/clawdwatch-brief.sh: one-shot brief runner
…ript

- SKILL.md: Procedure Step 4 now specifies the EXACT output format
  (ASCII bars, DEFCON table, Breaking, Ceasefire, Risk Drivers, Bottom line)
  as a mandatory constraint — no deviations, live data always required
- clawdwatch-brief.sh: updated to attempt live HTML parse from
  defconlevel.com when HTTP server is offline, with proper exit codes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant