Clawstin Morning Paper

AUTOAUDIT Summary -- 2026-03-16

Findings

CRITICAL

1. Gmail OAuth token expired (adalsey account). `triage.py` has been failing continuously since at least 2026-03-15 21:16 with `invalid_grant: Token has been expired or revoked.` — 6 consecutive errors logged hourly through 02:16 today. Smoke test confirms: `gmail-adalsey` FAIL. The LaunchAgent `clawstin.gmail.triage` also shows exit status 1. Ghost needs to re-authorize the adalsey Gmail OAuth token. NEW finding. Corroborated by pre_audit log_errors (6 entries) + smoke_test FAIL + LaunchAgent exit 1.
2. vital-widget-freshness file missing. Smoke test reports FAIL for `vital-widget-freshness` — the expected file does not exist. If the vital widget was decommissioned, the smoke test check should be removed. If it was not, the widget pipeline is broken. Carried from last audit (smoke test was blocked last time, so this couldn't be verified).

WARNING

3. clear-chronic-wednesday cron delivery error persists. Job `1fe32258` still in error state, `consecutiveErrors: 1`. Error: `Delivering to Signal requires target <E.164|...>`. The `delivery.to` is `+15406208059` which looks correct, but delivery keeps failing. 5th consecutive audit.
4. vitals-api and vital-server LaunchAgents exit -15 (SIGTERM). `clawstin.vital-server` (pid 75085) and `clawstin.vitals-api` (pid 62431). Both show `-15` exit status. However, smoke test shows `flask-api` PASS (vitals API responding on :8765), so vitals-api may be functional despite the exit code. vital-server status less clear. 5th consecutive audit.
5. com.clawstin.balance-notify LaunchAgent exit 1. Not previously flagged. No associated log errors found in pre_audit. NEW finding.
6. Context load: 2,449 words (threshold: 1,500). Breakdown of files exceeding 400-word threshold: - AGENTS.md: 926 words (threshold: 400) — Swarm Canvas section (6 bullet points of python3 commands) and Context Guard section could be on-demand reads. - memory/2026-03-15.md: 844 words (threshold: 400) — daily log, naturally large; will roll over. - All others under threshold: TOOLS.md 171, SYNC.md 140, MEMORY.md 117, HEARTBEAT.md 95, SOUL.md 64, IDENTITY.md 32, USER.md 32, STYLE.md 17, WORKING_MEMORY.md 11.
7. Balance anchor missing `last_checked` timestamp. Smoke test WARN: `$64.29, no last_checked timestamp`. The `balance-scrape` cron writes this field, but it may not be persisting correctly.
8. Cron job `clear-chronic-wednesday` in error state. Smoke test WARN confirms: `1 job(s) in error state: clear-chronic-wednesday`. Same root cause as finding #3.
9. Autoaudit running on Sonnet despite Opus config. `session_status` shows `Model: anthropic/claude-sonnet-4-6` but cron payload specifies `model: "anthropic/claude-opus-4-6"`. 2nd consecutive audit. Possible model routing issue at the gateway level.
10. Stale FER plist in lifeboat. `lifeboat-system/launch-agents/clawstin.fer-monitor.plist` still exists, pointing to deleted `scripts/fer-monitor.py`. The trial.py and TLP.md references appear to have been cleaned up (grep returned no matches), but the plist remains. 8th consecutive audit (partially resolved — only plist remains).
11. SCHEDULE.md past-due entry: Parker CPA reply. `2026-03-15 18:00 — REPLY TO ALEX PARKER - Bowers CPA - DOB + bank info for IT-204-LL (due 3/16)`. This is time-sensitive — the filing is due today 3/16.

Carried Over

1. clear-chronic-wednesday delivery error — 5th consecutive. 2. vitals-api/vital-server exit -15 — 5th consecutive. vitals-api confirmed functional via smoke test; vital-server status unclear. 3. Stale FER plist — 8th consecutive (trial.py/TLP.md refs now clean; only lifeboat plist remains). 4. Autoaudit model mismatch (Sonnet instead of Opus) — 2nd consecutive. 5. vital-widget-freshness missing — carried from last audit (was blocked by smoke_test.py issue; now confirmed FAIL).

Past-Due Schedule Entries

- `2026-03-15 18:00 -- REPLY TO ALEX PARKER - Bowers CPA - DOB + bank info for IT-204-LL (due 3/16) + personal tax liability - [email protected]` ⚠️ Filing deadline is TODAY.

Fired One-Shot Reminders

- `balance-burn-calibration-review` (99519f01, deleteAfterRun) — scheduled for 2026-03-15T09:00Z, fired with error (`Message failed`), now disabled. `deleteAfterRun` set but job still present (deletion may require successful run).

Step Completion Checklist

Step 1 -- Pre-Audit Data: completed (13 checks; 0 errors, 3 warnings: LaunchAgents flagged, schedule past-due, log errors) Step 1.5 -- Smoke Tests: completed (9 pass, 2 warn, 2 fail: gmail-adalsey token expired, vital-widget-freshness missing) Step 2 -- Last Report Review: completed (5 carried-over issues tracked) Step 3 -- Daily Integration: completed (2026-03-15 log reviewed; all 18 referenced paths verified present; no 2026-03-16 log exists yet) Step 4 -- Git Diff + Downstream: completed (29 commits reviewed; major changes: accounts ledger v1 full build, remote-printing Pi plan, hue brightness scale, GUARDRAILS pointer discipline. No stale cross-references found in changed paths.) Step 5 -- File Health Review: completed (MEMORY.md 117w healthy; context load 2,449w over 1,500 threshold; AGENTS.md 926w + memory/2026-03-15.md 844w over 400 threshold; SCHEDULE.md 1 past-due; all injected files checked — no contradictions found) Step 6 -- Cron + Automation: completed (32 total jobs, 22 enabled, 10 disabled; model assignments: Opus for autoaudit ✓ (but running as Sonnet — finding #9), Sonnet for morning-brief/security-guard ✓, Haiku for all routine jobs ✓; clear-chronic-wednesday still erroring; balance-burn-calibration one-shot fired with error, deleteAfterRun but still present) Step 7 -- Script Validation: completed (send-todo.sh ✓, triage-proton.py ✓, triage.py ✓ exists but OAuth expired, watchdog/ ✓ with 6 files, consecutive-failures.txt = 0) Step 8 -- Cross-File Consistency: completed (stale FER plist in lifeboat → deleted script; SCHEDULE.md Parker entry past-due with today's deadline; no other contradictions found)

Model	Portfolio Value	P/L	Cash	Holdings
M01 Momentum Chaser	$973.74	$-26.26 (-2.6%)	$670.12	MSTR 1.1148sh @$139.70, QQQ 0.2491sh @$593.69
M02 Trend Follower	$996.17	$-3.83 (-0.4%)	$850.00	NVDA 0.8109sh @$180.26
M03 Momentum Rotator	$1159.43	+$159.43 (+15.9%)	$1159.43	Cash only
M04 Headline Trader	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M05 Hot Sector Rotator	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M06 Earnings Anticipator	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M07 Panic Buyer	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M08 Smart Money Tracker	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only
M09 Gap Fader	$999.89	$-0.11 (-0.0%)	$850.00	ADBE 0.6013sh @$249.28
M10 Coil & Breakout	$1000.00	+$0.00 (+0.0%)	$1000.00	Cash only

Security Guard Report - 2026-03-16

Patrol time: 03:30 AM (America/New_York) Agent: Security Guard (Claude Opus) AutoAudit verified: Yes (2026-03-16) Previous report: 2026-03-15

Executive Summary

Overall threat level: MEDIUM (unchanged from 2026-03-15)
No new critical findings requiring immediate Signal alert. The lifeboat-system directory permission issue from prior patrols has been RESOLVED — parent directory is now 700 (was 755). This is the first resolution of the longest-running finding (8 consecutive patrols).
Key external intelligence: The Hacker News (security) article "OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration" (published 2026-03-15) directly affects this infrastructure. No CVE assigned yet but warrants immediate Ghost review.
Changes since last patrol (2026-03-15): - ✅ RESOLVED: `lifeboat-system/` parent directory now `drwx------` (700) — was 755 for 7 patrols. Credential files no longer have world-readable parent listing. - ✅ RESOLVED: Expo dev server no longer running (was PID 64322, LAN-bound). No jest workers either. - ✅ RESOLVED: Brainmap Flask server still absent (resolved since 2026-03-15). - ⚠️ PERSISTS: `lifeboat-system/signal-data/535318.d/` is still 755 (world-readable listing of Signal protocol DB). - ⚠️ PERSISTS: `lifeboat-system/launch-agents/` is still 755 (71 plist files, world-readable listing). - ⚠️ NEW: Philips Hue bridge API key exposed in plaintext in `ps aux` output (wake-light Python process, PID 92174). - ⚠️ NEW: Default password for Accounts web UI documented in plaintext in session logs and trial transcripts. - ⚠️ NEW: OpenClaw security advisory published (The Hacker News, 2026-03-15) — prompt injection and data exfiltration flaws.
This patrol identified 10 findings: 0 severity 9-10, 1 severity 7, 5 severity 5, 2 severity 3, and 2 severity 1-2.

FINDINGS

SG-2026-03-16-001: Lifeboat-System Credential Directory in Workspace

Severity: 5 (IMPROVED from 7 — 8th consecutive patrol, parent dir fixed)
Evidence: ``` $ stat ~/.openclaw/workspace/lifeboat-system/ drwx------ 9 aicomputer staff 288 "Mar 6 17:21:55 2026" ← NOW 700 ✅ (was 755)
$ ls -la lifeboat-system/ drwx------ 5 cloudflared/ (700 ✅) drwx------ 4 den/ (700 ✅) drwx------ 7 gmail-tokens/ (700 ✅) drwxr-xr-x 71 launch-agents/ (755 ⚠️) drwx------ 3 openclaw-config/ (700 ✅) drwx------ 3 rclone/ (700 ✅) drwx------ 5 signal-data/ (700 ✅) ```
Contents at risk: Fernet key + encrypted credential blob, Google OAuth client secret and refresh tokens for 3 Gmail accounts, Cloudflare tunnel cert + credentials, rclone config with Google Drive OAuth tokens, Signal protocol session state.
Improvement: Parent directory now 700 — any local process must have owner privileges to list contents. This addresses the primary escalation concern from prior patrols.
Remaining concern: `launch-agents/` subdirectory is still 755, and `signal-data/535318.d/` is 755 — these allow world-readable listing (though files inside are 600).
Mitigations: Gitignored (confirmed). All credential files are 600 permissions. Nightly backup refreshes files at ~02:00 AM.
Rationale: Per rubric: credential files accessible only to owner = severity 5. Parent directory fix reduces attack surface significantly.
Accepted risk: No.

SG-2026-03-16-002: Hue Bridge API Key Exposed in Process List

Severity: 5 (NEW)
Evidence: ``` $ ps aux | grep wake PID 92174: python -c "... requests.put('http://192.168.1.18/api/[REDACTED]/lights/1/state', json={'on': True, 'bri': 254, 'ct': 233}) ..." ```
A Python process (PID 92174, started 01:07 AM, nice=10) is sleeping until 6:00 AM to trigger a Hue bridge wake-up light. The Hue bridge API key is visible in its entirety in `ps aux` output because the script is passed inline via `python -c`.
Impact: Any local process or user can read the Hue bridge API key from `ps`. The key allows full control of the Hue bridge (lights, scenes, groups) on the local network (192.168.1.18). LAN-only risk — not remotely exploitable unless LAN is compromised.
Rationale: Per rubric: API key visible locally = severity 5. LAN-only scope limits impact. Hue bridge control is low-severity (lights, not cameras/locks).
Recommendation: Move the wake-light script to a file (not inline `python -c`) so the API key doesn't appear in the process list. Store the Hue API key in the Den.
Accepted risk: No.

SG-2026-03-16-003: Cloudflare Tunnel — 4 Ingress Routes (2 Inactive)

Severity: 3 (unchanged — accepted risk for static site)
Evidence: ``` $ cat lifeboat-system/cloudflared/config.yml tunnel: 2c29ad40-[REDACTED] ingress: - hostname: clawstin.org → localhost:8877 (ACTIVE: http.server PID 75085) - hostname: voice.clawstin.org → localhost:3334 (INACTIVE: no service, 502) - hostname: webhook.clawstin.org → localhost:18789 (ACTIVE: gateway) - hostname: api.clawstin.org → localhost:8765 (ACTIVE: vitals-api PID 62431) - service: http_status:404 ```
Accepted risk: Static site on port 8877 accepted by Ghost on 2026-03-10 (SG-2026-03-10-002). Per deduplication rule, downgraded to 3.

SG-2026-03-16-004: Signal-CLI HTTP Daemon on localhost:8080 (No Auth)

Severity: 3 (accepted risk — 8th consecutive patrol)
Evidence: PID 79145: java signal-cli-0.13.24 HTTP API daemon.
Accepted risk: SG-2026-03-15-004 accepted by Ghost on 2026-03-15. Localhost-only. Per deduplication rule, downgraded to 3.

SG-2026-03-16-005: Proton Mail Sentry Key in Process List

Severity: 2 (unchanged — informational)
Evidence: PID 1508: Proton Mail Bridge crashpad_handler with sentry_key=[REDACTED] in process args.
Standard Proton application behavior — Sentry DSN key for crash reporting, not account access.
Rationale: Per rubric: informational = severity 2.

SG-2026-03-16-006: Brave Browser Remote Debugging Port 18800

Severity: 3 (accepted risk — 8th consecutive patrol)
Evidence: Multiple Brave Browser Helper processes with `--remote-debugging-port=18800`, user-data-dir at `~/.openclaw/browser/openclaw/user-data`.
Accepted risk: SG-2026-03-15-006 accepted by Ghost on 2026-03-15. Per deduplication rule, downgraded to 3.

SG-2026-03-16-007: Chrome Remote Desktop Running

Severity: 3 (accepted risk — 8th consecutive patrol)
Evidence: PIDs 1505 (me2me_host), 1478 (host_service), 805 (agent_process_broker, root). SSH auth socket at /tmp/chromoting.aicomputer.ssh_auth_sock.
Accepted risk: SG-2026-03-09-005 (permanent accept). Per deduplication rule, downgraded to 3.

SG-2026-03-16-008: Stale FER Monitor Plist in Lifeboat

Severity: 1 (informational — 9th consecutive patrol)
Evidence: `lifeboat-system/launch-agents/clawstin.fer-monitor.plist` references deleted `scripts/fer-monitor.py`. Not loaded as LaunchAgent. Inert.
Rationale: Per rubric: informational housekeeping = severity 1.

SG-2026-03-16-009: Default Password Documented in Plaintext

Severity: 5 (NEW)
Evidence: ``` $ grep "[REDACTED]" memory/2026-03-15.md "Password-protected (Den key: accounts_ui_password, default: [REDACTED])"
$ grep "[REDACTED]" memory/trial-2026-03-15-16-14-app.md "hard-coded fallback [REDACTED] is used and stored as default" ```
The default password for the Accounts web UI is documented in plaintext in session logs and trial transcripts. These files are git-tracked (committed nightly).
Impact: Accounts web UI is NOT currently running (port 8891 not listening). However, the default password is committed to git. If the web UI is deployed without changing the password, anyone with workspace access knows the credentials.
Rationale: Per rubric: credential value in config/state/log files = severity 5. Mitigated by: (1) UI not running, (2) localhost-only when it runs, (3) password changeable via Den.
Recommendation: Redact the literal default password from session logs. Document only that a default exists, not its value.

SG-2026-03-16-010: OpenClaw Security Advisory — Prompt Injection & Data Exfiltration

Severity: 5 (NEW — external threat intelligence)
Evidence: ``` Fridge (2026-03-15 05:01): "OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration" — The Hacker News (security) https://thehackernews.com/2026/03/openclaw-ai-agent-flaws-could-enable.html
Researcher (2026-03-15 09:00): same article flagged independently. ```
A security advisory describes prompt injection and data exfiltration flaws in OpenClaw AI agents. This directly affects the Clawstin infrastructure which runs on OpenClaw.
Impact: Cannot assess full severity without reading the article (sandbox blocks network access). Prompt injection attacks against the agent framework could potentially: - Bypass guardrails and execute unauthorized actions - Exfiltrate sensitive data from workspace files - Manipulate agent outputs (including this security report)
Rationale: Per rubric: known vulnerability in direct dependency with unknown severity = severity 5 minimum (could be higher once article is read).
URGENT RECOMMENDATION: Ghost should read the full advisory and determine if the Clawstin deployment is specifically affected. May require OpenClaw version upgrade.

Threat Landscape

External Intelligence (Sandbox-Limited)

| Source | Status | Notes | |--------|--------|-------| | NVD (NIST) | Not checked | Sandbox blocks network access | | OpenClaw Advisories | NEW FINDING | Prompt injection/exfiltration flaws (2026-03-15) | | Node.js Security | Not checked | Sandbox blocks network access | | macOS Security | Not checked | Sandbox blocks network access | | Signal CLI Issues | Not checked | Sandbox blocks network access |
Key external items from Researcher/Fridge: 1. OpenClaw AI Agent Flaws — prompt injection + data exfiltration (The Hacker News, 2026-03-15). DIRECTLY AFFECTS STACK. 2. CISA Flags n8n RCE Bug — 24,700 instances exposed (The Hacker News, 2026-03-15). Not relevant (n8n not in use). 3. AgentDrift — unsafe recommendation drift under tool corruption (arXiv, 2026-03-16). Theoretical relevance.

System State Summary

| Component | Status | Notes | |-----------|--------|-------| | LuLu Firewall | ✅ Running | PID 1491 + PID 699 (root) | | Tailscale | ✅ Running | PID 655 (root) | | OpenSSL | ✅ Current | 3.6.1 (2026-01-27) | | Nightly Backup | ✅ Completed | 2026-03-16 02:04:06 | | Billing Watchdog | ✅ Running | Last OK: 03:30:29 | | Cloudflared | ✅ Running | PID 27405 | | Signal-CLI | ✅ Running | PID 79145 | | Docker | ✅ Running | PID 1574 | | Ollama | ✅ Running | PID 1511 + 1494 | | vitals-api | ⚠️ SIGTERM | PID 62431, exit -15 (process exists) | | vital-server | ⚠️ SIGTERM | PID 75085, exit -15 (http.server 8877) | | Gmail Triage | ❌ Exit 1 | OAuth expired per AutoAudit | | balance-notify | ❌ Exit 1 | LaunchAgent exit 1 | | Expo Dev Server | ✅ Not Running | Previously flagged; resolved |

Risk Acceptance Notes

| Finding | Original Severity | Downgraded To | Accepted Risk ID | |---------|------------------|---------------|-----------------| | SG-2026-03-16-003 (Cloudflare static site) | 5 | 3 | SG-2026-03-10-002 | | SG-2026-03-16-004 (Signal-CLI no auth) | 7 | 3 | SG-2026-03-15-004 | | SG-2026-03-16-006 (Brave debug port) | 7 | 3 | SG-2026-03-15-006 | | SG-2026-03-16-007 (Chrome Remote Desktop) | 7 | 3 | SG-2026-03-09-005 |

End of Security Guard Report — 2026-03-16 Next patrol: 2026-03-17 03:30 AM ET

INNOVATIONS

RESEARCHER

Researcher Report — 2026-03-16

Phase 1: Tech Research

EAT (queued to fridge)

HOLD (notable but not fridged)

Phase 2: PaperTrader Experiments

Phase 2 Errors

Phase 3: Optimization Analysis

Session Model Usage (32 sessions, last 7d)

Researcher Budget History

Cost Optimization Opportunities

Budget Summary

AUTO AUDIT RESULTS