agent-tinman
AI security scanner with active prevention - 168 detection patterns, 288 attack probes, safer/risky/yolo modes, agent self-protection via /tinman check, local...
Source: ClawHub. View on ClawSkills.
Method 1: Install from the command line (recommended)
Recommended (no need to install clawhub first):
```bash
npx clawhub@latest --dir ~/.claude/skills install agent-tinman
```
Or use the clawhub CLI (must be installed first):
```bash
clawhub --dir ~/.claude/skills install agent-tinman
```
⚠️ Requires Node.js 18+. No Node? Use Method 2 below to download the ZIP directly.
Method 2: Manual download and install (no Node required)
Download the ZIP, extract it, place the folder at the path below, and restart the agent:
Install path: ~/.claude/skills/agent-tinman/
```yaml
---
name: tinman
version: 0.6.3
description: AI security scanner with active prevention - 168 detection patterns, 288 attack probes, safer/risky/yolo modes, agent self-protection via /tinman check, local Oilcan event streaming, and plain-language dashboard setup via /tinman oilcan
author: oliveskin
repository: https://github.com/oliveskin/openclaw-skill-tinman
license: Apache-2.0
requires:
  python: ">=3.10"
  binaries:
    - python3
  env: []
install:
  pip:
    - AgentTinman>=0.2.1
    - tinman-openclaw-eval>=0.3.2
permissions:
  tools:
    allow:
      - sessions_list
      - sessions_history
      - read
      - write
    deny: []
  sandbox: compatible
  elevated: false
---
```
Tinman is a forward-deployed research agent that discovers unknown failure modes in AI systems through systematic experimentation.
install.pip and session/file permissions because scanning requires local analysis of session traces and report output.
ws://127.0.0.1:18789) to reduce accidental data exposure.
--allow-remote-gateway and should only be used for trusted internal endpoints.
~/.openclaw/workspace/tinman-events.jsonl) and best-effort; values are truncated and obvious secret patterns are redacted.
~/.openclaw/workspace/tinman-events.jsonl (for local dashboards like Oilcan)
/tinman oilcan
/tinman init
Initialize the Tinman workspace with the default configuration.
```
/tinman init   # Creates ~/.openclaw/workspace/tinman.yaml
```
Run this once, the first time, to set up the workspace.
/tinman check (Agent Self-Protection)
Check whether a tool call is safe before executing it. This lets an agent police its own actions.
```
/tinman check bash "cat ~/.ssh/id_rsa"   # Returns: BLOCKED (S4)
/tinman check bash "ls -la"              # Returns: SAFE
/tinman check bash "curl https://api.com" # Returns: REVIEW (S2)
/tinman check read ".env"                # Returns: BLOCKED (S4)
```
Verdicts:
SAFE - Proceed automatically
REVIEW - Ask a human for approval (in safer mode)
BLOCKED - Refuse the action
Add the following to SOUL.md for autonomous protection:
```
Before executing bash, read, or write tools, run:
/tinman check <tool> <args>
If BLOCKED: refuse and explain why
If REVIEW: ask user for approval
If SAFE: proceed
```
/tinman mode
Set or view the security mode used by the check system.
```
/tinman mode         # Show current mode
/tinman mode safer   # Default: ask human for REVIEW, block BLOCKED
/tinman mode risky   # Auto-approve REVIEW, still block S3-S4
/tinman mode yolo    # Warn only, never block (testing/research)
```
| Mode | SAFE | REVIEW (S1-S2) | BLOCKED (S3-S4) |
|------|------|----------------|-----------------|
| safer | Proceed | Ask human | Block |
| risky | Proceed | Auto-approve | Block |
| yolo | Proceed | Auto-approve | Warn only |
/tinman allow
Add patterns to the allowlist (bypass security checks for trusted items).
```
/tinman allow api.trusted.com --type domains   # Allow a specific domain
/tinman allow "npm install" --type patterns    # Allow a pattern
/tinman allow curl --type tools                # Allow a tool entirely
```
/tinman allowlist
Manage the allowlist.
```
/tinman allowlist --show    # View current allowlist
/tinman allowlist --clear   # Clear all allowlisted items
```
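As an added example (not Tinman's own code), here is a small Python gate that models the check, mode and allowlist behaviour described in the three sections above: a constructed four-pattern stand-in for Tinman's detection set, the safer/risky/yolo table, and allowlist bypass with exact-host matching for domains. The pattern set, its category tags and the narrowing of domain allowlisting to network findings are this example's assumptions, not documented Tinman rules.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for Tinman's detection patterns (not its real 168-pattern set):
# (tool, regex over the args, severity, category). S1-S2 -> REVIEW, S3-S4 -> BLOCKED.
PATTERNS = [
    ("bash", r"\.ssh/id_[a-z0-9]+", "S4", "exfil"),   # private SSH key read
    ("read", r"(^|/)\.env$", "S4", "exfil"),           # dotenv secrets
    ("bash", r"\brm\s+-rf\b", "S3", "destructive"),    # destructive deletion
    ("bash", r"\b(curl|wget)\b", "S2", "network"),     # outbound network call
]

# The mode table from the page: what the agent does with each verdict in each mode.
MODE_TABLE = {
    "safer": {"REVIEW": "ask human",    "BLOCKED": "block"},
    "risky": {"REVIEW": "auto-approve", "BLOCKED": "block"},
    "yolo":  {"REVIEW": "auto-approve", "BLOCKED": "warn only"},
}

def hosts_allowed(args: str, domains) -> bool:
    """True only if every URL host in args is allowlisted, compared as whole names:
    api.trusted.com must not match api.trusted.com.evil.example by substring."""
    hosts = re.findall(r"https?://([^/\s:@]+)", args)
    return bool(hosts) and all(h.lower() in domains for h in hosts)

def check(tool: str, args: str, mode: str = "safer",
          allow: Optional[dict] = None) -> Tuple[str, Optional[str], str]:
    """Gate one proposed tool call. Returns (verdict, severity, action)."""
    if mode not in MODE_TABLE:
        raise ValueError(f"unknown mode {mode!r}")
    allow = allow or {}
    # Tool and literal-pattern allowlist entries bypass the check entirely.
    if tool in allow.get("tools", ()) or any(p in args for p in allow.get("patterns", ())):
        return "SAFE", None, "proceed"
    hits = [(sev, cat) for t, rx, sev, cat in PATTERNS if t == tool and re.search(rx, args)]
    # A domain allowlist only clears network findings; a credential read in the same
    # command still trips (this narrowing is the example's choice, not Tinman's documented rule).
    if hosts_allowed(args, allow.get("domains", ())):
        hits = [h for h in hits if h[1] != "network"]
    if not hits:
        return "SAFE", None, "proceed"
    sev = max(s for s, _ in hits)               # "S4" > "S3" > "S2" > "S1" lexically
    verdict = "REVIEW" if sev in ("S1", "S2") else "BLOCKED"
    return verdict, sev, MODE_TABLE[mode][verdict]

if __name__ == "__main__":
    for call in [("bash", "cat ~/.ssh/id_rsa"), ("bash", "ls -la"),
                 ("bash", "curl https://api.com"), ("read", ".env")]:
        print(call, "->", check(*call))
```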
/tinman scan
Analyze recent sessions for failure modes.
```
/tinman scan                      # Last 24 hours, all failure types
/tinman scan --hours 48           # Last 48 hours
/tinman scan --focus prompt_injection
/tinman scan --focus tool_use
/tinman scan --focus context_bleed
```
Output: Writes findings to ~/.openclaw/workspace/tinman-findings.md
/tinman report
Display the latest findings report.
```
/tinman report          # Summary view
/tinman report --full   # Detailed, with evidence
```
/tinman watch
Continuous monitoring mode, with two options:
Real-time mode (recommended): Connects to the Gateway WebSocket for instant event monitoring.
```
/tinman watch                                                 # Real-time via ws://127.0.0.1:18789
/tinman watch --gateway ws://host:port                        # Custom gateway URL
/tinman watch --gateway ws://host:port --allow-remote-gateway # Explicit opt-in for a remote gateway
/tinman watch --interval 5                                    # Analysis every 5 minutes
```
Polling mode: Periodic session scans (fallback when the gateway is unavailable).
```
/tinman watch --mode polling                # Hourly scans
/tinman watch --mode polling --interval 30  # Every 30 minutes
```
Stop watching:
```
/tinman watch --stop   # Stop the background watch process
```
Heartbeat Integration: For scheduled scans, configure a job in the heartbeat:
```yaml
# In gateway heartbeat config
heartbeat:
  jobs:
    - name: tinman-security-scan
      schedule: "0 * * * *"   # Every hour
      command: /tinman scan --hours 1
```
/tinman oilcan
Show local Oilcan setup and status in plain language.
```
/tinman oilcan                     # Human-readable status + setup steps
/tinman oilcan --json              # Machine-readable status payload
/tinman oilcan --bridge-port 18128
```
This command helps users connect Tinman's event output to Oilcan, and notes that the bridge may auto-select a different port if the preferred one is already in use.
/tinman sweep
Run a proactive security sweep with 288 synthetic attack probes.
```
/tinman sweep                                  # Full sweep, S2+ severity
/tinman sweep --severity S3                    # High severity only
/tinman sweep --category prompt_injection      # Jailbreaks, DAN, etc.
/tinman sweep --category tool_exfil            # SSH keys, credentials
/tinman sweep --category context_bleed         # Cross-session leaks
/tinman sweep --category privilege_escalation
```
Attack categories (probe count in parentheses):
prompt_injection (15): Jailbreaks, instruction override
tool_exfil (42): SSH keys, credentials, cloud creds, network exfil
context_bleed (14): Cross-session leaks, memory extraction
privilege_escalation (15): Sandbox escape, elevation bypass
supply_chain (18): Malicious skills, dependency/update attacks
financial_transaction (26): Wallet/seed theft, transactions, exchange API keys (alias: financial)
unauthorized_action (28): Actions without consent, implicit execution
mcp_attack (20): MCP tool abuse, server injection, cross-tool exfil (alias: mcp_attacks)
indirect_injection (20): Injection via files, URLs, documents, issues
evasion_bypass (30): Unicode/encoding bypass, obfuscation
memory_poisoning (25): Persistent instruction poisoning, fabricated history
platform_specific (35): Windows/macOS/Linux/cloud-metadata payloads
Output: Writes the sweep report to ~/.openclaw/workspace/tinman-sweep.md
| Category | Description | OpenClaw Control |
|----------|-------------|------------------|
...
Place the skill folder in ~/.claude/skills/agent-tinman/ (user level, available to all projects) or in .claude/skills/agent-tinman/ (project level). After restarting the AI client, invoke it explicitly with /agent-tinman, or let the AI discover and use it based on context.
Tinman - AI Failure Mode Research, Prompt Injection & Tool Exfil Detection supports Claude, Cursor and OpenClaw, integrating with these AI platforms to extend their capabilities.
Tinman - AI Failure Mode Research, Prompt Injection & Tool Exfil Detection is free to install and use. Consult the repository for license information.
Tinman - AI Failure Mode Research, Prompt Injection & Tool Exfil Detection is listed in the "Finance & Investment" category; skills in this category help AI agents perform specialized tasks in that domain.