Documentation

Everything you need to get started with Chitin.

Installation

Install the Chitin plugin for OpenClaw with a single command:

$openclaw plugins install @chitin/openclaw

Then run the setup wizard to configure your API key:

npx @chitin/cli setup

Or manually create ~/.chitin/config.json with your API key (see Configuration below).

Configuration

Create ~/.chitin/config.json with the following structure:

{
  "apiKey": "chi_xxxxxxxxxxxxx",
  "tier": "pro",
  "enforcement": "block",
  "autoRemove": "critical",
  "logLevel": "standard",
  "dashboardSync": true,
  "offline": false,
  "redactSecrets": false,
  "injectSecurityPrompt": true
}

Field	Type	Description
apiKey	string	Your Chitin API key (starts with chi_)
tier	free \| pro \| shield	Your subscription tier
enforcement	block \| warn \| off	How to handle unverified skills
autoRemove	critical \| all \| off	Auto-remove revoked skills
logLevel	verbose \| standard \| quiet	Logging verbosity
dashboardSync	boolean	Stream activity to web dashboard
offline	boolean	Run without API (local cache only)
redactSecrets	boolean	Redact sensitive data from tool results (opt-in, default false)
injectSecurityPrompt	boolean	Inject security guardrails into agent system prompt (default true)

How It Works

The Chitin plugin registers 13 hooks in OpenClaw, plus a startup scan:

before_install

Checks every skill install against the Chitin API and local revocation cache. Returns VERIFIED (proceed), UNVERIFIED (warn/block), or REVOKED (hard block).

before_tool_call

Fires before every tool invocation. Checks the calling skill against the revocation list and enforces per-skill permission scopes. Fail-closed: if the hook throws, the tool call is blocked.

after_tool_call

Logs skill name, tool invoked, parameters, and success/failure to local logs. Optionally streams to the web dashboard for Shield tier users.

message_received

Lightweight prompt injection pattern matching on inbound messages. Detects common injection patterns and logs warnings.

subagent_spawning

Fires before a subagent is created. Checks that the requesting skill has the agent.delegate permission scope and that the target agent is not revoked. Blocks unauthorized delegation.

subagent_spawned

Logs subagent creation for the audit trail, including parent skill, target agent, and spawn mode.

subagent_ended

Logs subagent completion. Flags anomalous outcomes (error, timeout, killed) via the threat signal system.

session_start

Logs session start for audit trail tracking.

session_end

Logs session end and cleans up stale subagent tracking state.

before_prompt_build

Injects security guardrails into the agent's system prompt. Instructs the agent to refuse instruction overrides, never output credentials, and report suspicious behavior. Cached by providers for zero per-turn token cost. Configurable via injectSecurityPrompt.

llm_input

Scans prompts sent to the LLM for sensitive data — API keys, tokens, credentials, and secrets. Logs warnings and emits threat signals. Never blocks LLM traffic.

llm_output

Scans LLM responses for sensitive data leaking in outputs. Detects the same patterns as llm_input. Fire-and-forget observation.

tool_result_persist

Scans tool call results before they're persisted to conversation history. When enabled, replaces detected secrets with [REDACTED by Chitin]. Opt-in via redactSecrets.

Startup: Lockfile Scan

On plugin initialization, scans all installed skills against the revocation list. Warns about any revoked skills that were installed before Chitin was added.

Permission Scopes

Chitin enforces six permission scopes for skill tool calls and delegation:

Scope	Description	Supports Allowlist
filesystem.read	Reading files from the filesystem	Yes (path patterns)
filesystem.write	Writing, creating, or deleting files	Yes (path patterns)
network.outbound	Making HTTP requests or connections	Yes (domains)
exec.shell	Running shell commands	Yes (commands)
env.read	Reading environment variables	Yes (var names)
agent.delegate	Spawning subagents or delegating tasks	Yes (agent IDs)

Tiers & Limits

Feature	Free	Pro ($9/mo)	Shield ($29/mo)
Verified skills	Unlimited	Unlimited	Unlimited
Enforcement	Block mode	Block mode	Block mode
Revocation protection	-	Yes	Yes
Dashboard	-	Yes	Yes
Agent instances	1	2	Unlimited
Behavioral logging	-	-	Yes
Auto-remove	-	-	Yes
Per-agent permission overrides	-	-	Yes
Priority reviews	-	-	3/month

OWASP Top 10 for Agentic Applications

Chitin maps its controls to OWASP's peer-reviewed Top 10 for Agentic Applications (2026), with each category tied to shipped runtime, pipeline, or revocation-network protections. View the official OWASP Top 10 for Agentic Applications 2026

ASI01Agent Goal Hijack

Covered

Prompt-injection detection, Unicode evasion handling, and counter-prompts help prevent external content from redirecting agent goals.

ASI02Tool Misuse & Exploitation

Covered

Runtime permission checks, domain allowlists, C2 blocking, and sensitive-path guards constrain unsafe tool use.

ASI03Identity & Privilege Abuse

Covered

Per-skill scoped permissions, fail-closed hooks, and API/session scoping limit privilege abuse.

ASI04Agentic Supply Chain Vulnerabilities

Covered

Static analysis, SBOM extraction, suspicious dependency checks, OSV CVE lookup, and revocation status checks cover skill supply-chain risk.

ASI05Unexpected Code Execution (RCE)

Covered

Interpreter mapping, shell-scope enforcement, dangerous command detection, and Semgrep rules surface unexpected execution patterns.

ASI06Memory & Context Poisoning

Covered

Runtime guards block writes to Chitin state, cognitive files, and sensitive paths; prompt/context tampering patterns are detected.

ASI07Insecure Inter-Agent Communication

Covered

Subagent-spawn authorization and lateral traffic scanners cover explicit and content-mediated inter-agent communication risks.

ASI08Cascading Failures

Covered

Ancestor-aware rate limiting charges child calls to parent skills, containing fanout loops and cascading failures.

ASI09Human-Agent Trust Exploitation

Covered

Social-engineering detectors and separate counter-prompts flag manipulation, credential harvesting, and unsafe human-in-the-loop pressure.

ASI10Rogue Agents

Covered

Verified-skill checks, runtime policy enforcement, suspicious-behavior signals, and global revocation help contain compromised or divergent agents.

Skill Review

Every skill published to ClawHub is automatically scanned through Chitin's automated pipeline. Skill developers can also request a manual review to earn a Verified badge.

How the pipeline works

Skills are analyzed with static analysis (Cisco scanners + Semgrep), SBOM/CVE checks, LLM-powered code review, and human review for borderline cases. The pipeline checks for prompt injection, data exfiltration, credential theft, permission creep, obfuscated intent, runtime payload fetching, supply chain risks, and social engineering patterns.

Requesting a review

1. Publish your skill to ClawHub. It will be picked up by the pipeline automatically within 24 hours.

2. Request a review via the API to prioritize your skill and track its status:

curl -X POST https://api.chitinsec.com/v1/skills/your-skill-slug/review \
  -H "Content-Type: application/json" \
  -H "Cookie: <session>" \
  -d '{"type": "standard", "sourceUrl": "https://clawhub.com/skills/your-skill"}'

3. Check your resultson the skill detail page in the marketplace once the review completes. You'll see a full breakdown of findings by layer.

Fast-track review

Need results faster? Pro and Shield subscribers can request a fast-track review that completes within 4 hours on business days. Shield plans include up to 3 priority reviews per month. One-time fast-track reviews are also available for $75 without a subscription.

curl -X POST https://api.chitinsec.com/v1/skills/your-skill-slug/review \
  -H "Content-Type: application/json" \
  -H "Cookie: <session>" \
  -d '{"type": "fast_track"}'

After verification

Skills that pass receive a Verified badge visible in the marketplace and to the Chitin plugin during installation. When a verified skill publishes a new version, it is automatically re-queued for scanning — typically within a few hours of the update appearing on ClawHub. The existing Verified status is retained until the rescan completes. If a previously verified skill is later found to be malicious, it is added to the global revocation network and blocked across all Chitin installations in real time.

FAQ

Does Chitin slow down my agent?

No. Permission checks are local and take microseconds. Revocation lookups use an in-memory cache synced every 30 seconds. The only network call is during skill installation.

What happens if the Chitin API is down?

The plugin degrades gracefully. Revocation checks use the local cache, and permission enforcement continues using cached data. Install checks will warn (or block, depending on your enforcement mode) that the skill cannot be verified.

Can I use Chitin offline?

Yes. Set "offline": true in your config. The plugin will use only local cache — no API calls are made.

How do I report a suspicious skill?

Use the report button on any skill detail page, or email security@chitinsec.com. Reports are reviewed within 24 hours.