openclaw
Phishing takedown pipeline (detect → abuse mail → approve → send)
v1.0.1
Absorbed into phishprobe v1.3.0+.
The takedown pipeline now ships as the `phishprobe takedown` subcommand tree. The on-disk queue layout is unchanged — operators who installed openclaw can keep `$OPENCLAW_HOME` set and phishprobe will use it as a fallback for one cycle, or migrate explicitly: `mv ~/.openclaw ~/.phishprobe/takedown`.
Migration: openclaw → phishprobe takedown
```sh
# Before (openclaw 1.x)
openclaw draft --target https://phish-site.example.com
openclaw queue
openclaw approve --id <id>
openclaw send --id <id>

# After (phishprobe 1.3.0+)
phishprobe takedown draft --target https://phish-site.example.com
phishprobe takedown queue
phishprobe takedown approve --id <id>
phishprobe takedown send --id <id>

# Optional: keep the existing home dir
export PHISHPROBE_HOME=~/.openclaw/..   # or: mv ~/.openclaw ~/.phishprobe/takedown
```
Every subcommand also accepts `--format terminal|json` for pipe-clean output. See the phishprobe page for the full reference.
What it does
openclaw is the takedown half of a phishing-response pipeline: it takes a confirmed phishing URL, drafts an abuse mail addressed to the right contact (registrar, hosting provider, CDN), queues it for human approval, and then sends it via SMTP. It is designed to make takedown repeatable for a small consulting practice: same template, same approval flow, every time.
- File-backed queue. Items live at `${OPENCLAW_HOME:-~/.openclaw}/queue/<id>.json` with mode 0600. Each carries the URL, drafted body, sender identity, abuse contact, and a state-machine value. Survives reboots; can be reviewed with normal text tools.
- State machine prevents human-error replays. `pending → approved → sent | failed`. Trying to `approve` something already `sent` exits 3 with a clear message instead of double-sending. Wrapped in a `transition()` helper that validates BEFORE writing.
- Embedded abuse-mail template. The cli.johlem.net Security Consulting template is included via `include_str!`: a takedown that consistently cites the relevant CFAA / national-law clauses and points to a phishprobe report. Operators can override per-item from the CLI.
- Config-driven sender identity. `config.toml` with `[signal]` (notification phone numbers + Signal-CLI REST URL) and `[sender]` (from-address, organisation name, signing block) sections.
- Operator PII in queue items is chmod 600. Reusable pattern: `OpenOptions::mode(0o600)` set on the file BEFORE the library writes to it, so the file never has umask-default 0644 even briefly.
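The state-machine and 0600 bullets above, as an added example that is not openclaw's own code: a pure validity check, a `transition()` that refuses before it touches the file, and a writer that sets the mode on the `OpenOptions` at create time. The item path and the minimal JSON body are constructed for the example; it is Unix-only because of the mode bits.

```rust
// Added example, not openclaw's own code. next_state() is the pure check,
// transition() validates BEFORE writing, and write_0600() sets the mode on the
// OpenOptions so the file never exists at umask-default 0644 even briefly.
use std::fs::OpenOptions;
use std::io::Write;
use std::os::unix::fs::OpenOptionsExt;
use std::path::Path;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum State { Pending, Approved, Sent, Failed }

impl State {
    pub fn as_str(self) -> &'static str {
        match self {
            State::Pending => "pending",
            State::Approved => "approved",
            State::Sent => "sent",
            State::Failed => "failed",
        }
    }
}

/// Legal moves: pending -> approved, approved -> sent | failed. Re-approving an
/// approved item is a no-op; anything else (e.g. approving a sent item) is refused.
pub fn next_state(current: State, requested: State) -> Result<State, String> {
    match (current, requested) {
        (State::Pending, State::Approved) => Ok(State::Approved),
        (State::Approved, State::Approved) => Ok(State::Approved),
        (State::Approved, State::Sent) | (State::Approved, State::Failed) => Ok(requested),
        (cur, req) => Err(format!("item is {}, cannot move to {}", cur.as_str(), req.as_str())),
    }
}

/// Validate first, write second: an illegal move returns Err and the file is untouched
/// (a CLI would map that Err to exit status 3 and print the message).
pub fn transition(item: &Path, current: State, requested: State) -> Result<State, String> {
    let next = next_state(current, requested)?;
    let body = format!("{{\"state\":\"{}\"}}", next.as_str()); // constructed minimal item body
    write_0600(item, body.as_bytes()).map_err(|e| e.to_string())?;
    Ok(next)
}

/// mode(0o600) is applied when the file is created, before any bytes are written.
pub fn write_0600(path: &Path, body: &[u8]) -> std::io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true).create(true).truncate(true).mode(0o600).open(path)?;
    f.write_all(body)
}
```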
Subcommands
| Command | Status | What it does |
|---|---|---|
| `draft --url <URL>` | working | Create a queued item with stubbed abuse contact + filled-in template |
| `queue list` | working | Show all items, filterable by state |
| `approve <id>` | working | Transition pending → approved. Idempotent: re-approval is a no-op |
| `send <id>` | stub | SMTP send via the lettre crate — wired when signed-release infrastructure lands |
| `detect` | stub | Shell out (or library-call) urlrecon + phishprobe to classify a URL before drafting |
| `daemon` | stub | notify-crate-backed watcher on a "drop URLs in here" directory |
On-disk layout
```text
~/.openclaw/queue/<id>.json   # one item per file, chmod 600
~/.openclaw/config.toml       # sender + signal config, chmod 600
~/.openclaw/sent.log          # append-only sent record
```
The `OPENCLAW_HOME` env var overrides the default for sandboxed testing.
Authorisation: openclaw drafts and sends abuse-mail on behalf of a real sender identity. Misuse — sending fraudulent reports, or sending to abuse contacts that have not consented to receive such reports — has legal consequences. The Signal-CLI approval step exists precisely so that a human reviews every drafted message before it leaves the sender's host.