Skill-Datei

Kingcrab

Name: Kingcrab
Author: KHAEntertainment

Privileged Access Management (PAM) for OpenClaw - Chat-based sudo approval workflows with biometric authentication

KHAEntertainment0 Sterne20.03.2026

Beruf: Informationssicherheitsanalysten
Kategorien: Sicherheit

Skill-Inhalt

KingCrab - Privileged Access Management

Hybrid PAM System for OpenClaw

KingCrab provides secure, chat-based approval workflows for elevated commands. Instead of giving agents sudo access, they submit requests that humans approve via Telegram with biometric authentication.

Architecture

KingCrab uses a hybrid architecture:

Go Daemon - Systemd service running as root for privilege escalation
OpenClaw Plugin - TypeScript plugin that registers tools for agents
PostgreSQL - Database-backed request store with complete audit trail
Telegram Integration - Native OpenClaw Telegram for notifications and approvals

Agent → Plugin Tool → HTTP → Daemon (Go) → Database
                                    ↓
                              OpenClaw Webhook
                                    ↓
                              Telegram Notification
                                    ↓
                         Biometric Approval → Execute

Verwandte Skills

Kingcrab | Skills Pool

# Clone repository
git clone https://github.com/KHAEntertainment/kingcrab.git
cd kingcrab

# Build daemon
go build -o kingcrab ./cmd/kingcrab

# Run installer (requires sudo)
sudo ./installer/install.sh

# Set database password
sudo systemctl edit kingcrab
# Add: [Service]
#      Environment="KINGCRAB_DB_PASSWORD=your_password"

# Start service
sudo systemctl start kingcrab
sudo systemctl enable kingcrab

# Verify
curl http://localhost:8080/api/v1/health

# Create database and user
sudo -u postgres createuser kingcrab
sudo -u postgres createdb -O kingcrab kingcrab

# Set password
sudo -u postgres psql -c "ALTER USER kingcrab PASSWORD 'your_password';"

# Run migrations (daemon does this automatically on first start)
# Or manually:
psql -U kingcrab -d kingcrab -f /usr/local/share/kingcrab/migrations/001_pam_schema.sql

# Copy to OpenClaw extensions
mkdir -p ~/.openclaw/extensions/kingcrab
cp -r plugin/* ~/.openclaw/extensions/kingcrab/

# Install dependencies
cd ~/.openclaw/extensions/kingcrab
npm install

# Build
npm run build

{
  "extensions": {
    "kingcrab": {
      "enabled": true,
      "daemonUrl": "http://localhost:8080"
    }
  }
}

# Via OpenClaw skill
/kc enroll

# Follow prompts in Telegram to authorize device

{
  "command": "apt install golang-go",
  "reason": "Need Go for building CLI tool"
}

{
  "success": true,
  "request": {
    "id": "abc123...",
    "status": "pending",
    "expires_at": "2026-03-19T12:35:00Z"
  },
  "message": "Request created: abc123. Waiting for approval via Telegram..."
}

{
  "status": "pending"
}

{
  "version": "1.0.0",
  "listen": {
    "type": "tcp",
    "port": 8080
  },
  "allowedCommands": [
    "apt install *",
    "apt update",
    "systemctl restart *",
    "systemctl start *",
    "systemctl stop *",
    "systemctl status *"
  ],
  "requireReason": true,
  "openclaw": {
    "webhookUrl": "http://localhost:3000/api/kingcrab/notify",
    "enabled": true
  }
}

{
  "extensions": {
    "kingcrab": {
      "enabled": true,
      "daemonUrl": "http://localhost:8080",
      "timeout": 10000
    }
  }
}

Layer	Protection
Daemon Isolation	Runs as root via systemd, separate from agent
Database Persistence	All requests logged with audit trail
Command Allowlist	Only pre-approved commands can execute
Biometric 2FA	Telegram biometric auth required for approvals
Request Expiration	Pending requests expire after 5 minutes
Privilege Separation	Plugin never has root access, only daemon does

# Check logs
sudo journalctl -u kingcrab -n 50

# Check database connection
psql -U kingcrab -d kingcrab -c "SELECT 1;"

# Verify config
sudo kingcrab --check-config

# Check OpenClaw logs
tail -f ~/.openclaw/openclaw.log

# Verify plugin structure
ls -la ~/.openclaw/extensions/kingcrab/

# Check config
cat ~/.openclaw/openclaw.json | jq '.extensions.kingcrab'

# Check daemon logs for notification errors
sudo journalctl -u kingcrab -f | grep notify

# Verify webhook URL
sudo cat /etc/kingcrab/config.json | jq '.openclaw.webhookUrl'

Kingcrab

KingCrab - Privileged Access Management

Architecture

Kingcrab

KingCrab - Privileged Access Management

Architecture

Prerequisites

Installation

1. Install Daemon

2. Configure Database

3. Install Plugin

4. Configure OpenClaw

5. Enroll Biometric Device

Usage

Agent Tools

kingcrab_request

kingcrab_list

kingcrab_get

Approval Flow

Configuration

Daemon Config: /etc/kingcrab/config.json

Plugin Config: ~/.openclaw/openclaw.json

Security Model

Troubleshooting

Daemon not starting

Plugin not loading

Notifications not arriving

API Reference

Daemon HTTP API

POST /api/v1/request

GET /api/v1/requests

GET /api/v1/request/:id

POST /api/v1/request/:id/approve

POST /api/v1/request/:id/deny

GET /api/v1/health

License

Author

Related

1password

Springboot Security

Security Review

Laravel Security

Security Review

Django Security

`kingcrab_request`

`kingcrab_list`

`kingcrab_get`

Daemon Config: `/etc/kingcrab/config.json`

Plugin Config: `~/.openclaw/openclaw.json`