add OpenClaw ecosystem detection and agent infra domain tracking

- Add AGENT_INFRA_DOMAINS list for skill registries, observability,
  and tool connectivity services (ClawHub, Smithery, Glama, Langfuse,
  Helicone, Composio, Moltyverse)
- Expand openclaw framework signature with clawhub.json discovery,
  additional user agents (clawdbot, moltbot, clawhub), and headers
- Add /.well-known/clawhub.json and /SOUL.md to endpoint prober
  metadata paths
- Update DNS monitor to check agent infra domains alongside LLM APIs

Author: symbibot

agentsniff/config.py

@@ -130,6 +130,28 @@
     "127.0.0.1:4000",
 ]
 
+# ── Agent infrastructure domains ─────────────────────────────────────────
+# Not LLM API providers, but domains that indicate AI agent activity
+# (skill registries, agent observability, tool connectivity, etc.)
+AGENT_INFRA_DOMAINS = [
+    # OpenClaw ecosystem
+    "clawhub.ai",
+    "clawhub.com",
+    "onlycrabs.ai",
+    "api.moltyverse.email",
+    "moltyverse.app",
+    # MCP registries
+    "smithery.ai",
+    "glama.ai",
+    # Agent observability
+    "api.langfuse.com",
+    "api.smith.langchain.com",
+    "api.helicone.ai",
+    # Tool connectivity
+    "api.composio.dev",
+    "app.composio.dev",
+]
+
 LLM_API_DOMAIN_SUFFIXES = [
     ".openai.azure.com",
     ".aiplatform.googleapis.com",
@@ -324,8 +346,14 @@
         "user_agents": ["julep"],
     },
     "openclaw": {
-        "endpoints": ["/api/agents", "/api/tasks"],
-        "user_agents": ["openclaw"],
+        # OpenClaw (formerly Clawdbot/Moltbot) - AI agent framework
+        "endpoints": [
+            "/api/agents",
+            "/api/skills",
+            "/.well-known/clawhub.json",
+        ],
+        "headers": {"x-openclaw-*"},
+        "user_agents": ["openclaw", "clawdbot", "moltbot", "clawhub"],
     },
     # ── Observability / proxy ────────────────────────────────────────
     "langfuse": {
@@ -543,6 +571,10 @@ class ScanConfig:
     def all_llm_domains(self) -> list[str]:
         return LLM_API_DOMAINS + self.custom_llm_domains
 
+    @property
+    def all_agent_infra_domains(self) -> list[str]:
+        return AGENT_INFRA_DOMAINS
+
     @property
     def all_agent_ports(self) -> dict[int, str]:
         ports = dict(AGENT_PORTS)

agentsniff/detectors/dns_monitor.py

@@ -13,7 +13,7 @@
 import struct
 from datetime import datetime, timezone
 
-from agentsniff.config import LLM_API_DOMAIN_SUFFIXES, ScanConfig
+from agentsniff.config import AGENT_INFRA_DOMAINS, LLM_API_DOMAIN_SUFFIXES, ScanConfig
 from agentsniff.detectors.base import BaseDetector, DetectorRegistry
 from agentsniff.models import Confidence, DetectionSignal, DetectorType
 
@@ -267,12 +267,15 @@ async def _analyze_data_source(self, targets: list[str]) -> list[DetectionSignal
         return signals
 
     def _is_llm_domain(self, domain: str) -> bool:
-        """Check if a domain matches known LLM API providers."""
+        """Check if a domain matches known LLM API providers or agent infra."""
         domain = domain.rstrip(".").lower()
 
         if domain in self.config.all_llm_domains:
             return True
 
+        if domain in self.config.all_agent_infra_domains:
+            return True
+
         for suffix in LLM_API_DOMAIN_SUFFIXES:
             if domain.endswith(suffix):
                 return True

agentsniff/detectors/endpoint_prober.py

@@ -28,8 +28,10 @@
 AGENT_METADATA_PATHS = [
     "/.well-known/agents.json",
     "/.well-known/ai-plugin.json",
+    "/.well-known/clawhub.json",
     "/AGENTS.md",
     "/SKILL.md",
+    "/SOUL.md",
 ]
 
 # Paths that indicate OpenAPI/Swagger specs (common in agent API frameworks)

docs/detectors.md

@@ -23,6 +23,8 @@ Passively captures DNS queries on the network and matches against 60+ known LLM
 
 Also matches domain suffixes for Azure OpenAI (`*.openai.azure.com`), AWS Bedrock (`*.bedrock-runtime.amazonaws.com`), GCP Vertex (`*.aiplatform.googleapis.com`), and others.
 
+Additionally tracks agent infrastructure domains — skill registries (ClawHub, Smithery, Glama), agent observability platforms (Langfuse, LangSmith, Helicone), and tool connectivity services (Composio, Moltyverse).
+
 **Fallback**: When raw sockets are unavailable, resolves the top 20 LLM API domains and cross-references their IPs against active connections in `/proc/net/tcp`.
 
 ## Port Scanner