security-audit-openclaw
v1.0.2⚠️ HIGH PRIVILEGE SECURITY AUDIT SKILL Performs comprehensive security auditing for OpenClaw deployments. Requires system-level access for legitimate security scanning purposes. All operations are read-only and local-only. Covers: environment isolation, privilege checks, port exposure, skill trust s...
Sourced from ClawHub,
Authored by iaadoa
Installation
OpenClaw Security Audit
Comprehensive security auditing for OpenClaw deployments. This skill performs automated security checks and generates reports.
⚠️ Security Notice: This skill requires elevated system access for legitimate security auditing purposes. See SECURITY.md for detailed security declarations and data handling policies.
Quick Start
Run the security audit script:
python3 scripts/openclaw_security_audit.py
This generates:
- Brief summary printed to stdout
- Detailed report saved to /tmp/openclaw-security-reports/report-{DATE}.txt
What It Checks
| Check | Description |
|---|---|
| Environment Isolation | Detects Docker/container/VM environments |
| Privilege Check | Verifies OpenClaw isn't running as root |
| Port Exposure | Checks if Gateway port 18789 is exposed |
| Skill Trust | Lists installed skills and their sources |
| Version Check | Compares current vs latest OpenClaw version |
| Process & Network | Captures listening ports and top processes |
| Sensitive Directories | Counts file changes in /etc, ~/.ssh, etc. |
| System Cron | Lists system timers and cron jobs |
| OpenClaw Cron | Retrieves internal OpenClaw scheduled tasks |
| SSH Audit | Recent logins and failed SSH attempts |
| File Integrity | SHA256 hash and permission checks |
| Yellow Line Audit | Compares sudo logs with memory records |
| Disk Usage | Root partition usage and large files |
| Environment Variables | Scans Gateway process for sensitive vars |
| DLP Scan | Detects plaintext private keys/mnemonics (read-only) |
| Skill/MCP Integrity | Tracks file hash changes over time |
| Disaster Recovery | Auto-commits OpenClaw state to Git (opt-in) |
Security & Privacy
Data Handling
- All scans are local-only - No data leaves your machine
- Read-only operations - No system modifications (except opt-in features)
- Opt-in external features - Git backup and Telegram notifications are disabled by default
Sensitive Operations
See SECURITY.md for detailed explanations of: - DLP scanning (private key/mnemonic detection) - Environment variable auditing - Git disaster recovery
Required Permissions
This skill requires system access for:
- Running system commands (ss, top, systemctl, etc.)
- Reading OpenClaw configuration files
- Inspecting Gateway process environment
- Scanning workspace files for credential leaks
Output Format
Brief Format (stdout)
OpenClaw Daily Security Brief (2026-03-11)
[OK] Environment Isolation: Running in isolated environment
[OK] Privilege Check: Complies with least privilege principle
[WARNING] Port Exposure: Port 18789 listening on all interfaces, recommend binding to 127.0.0.1
...
Warning Items:
[WARNING] Port Exposure: Port 18789 listening on all interfaces, recommend binding to 127.0.0.1
Detailed Report
Full report saved to /tmp/openclaw-security-reports/report-{DATE}.txt
Configuration
Optional Features (Disabled by Default)
To enable external operations, set the following environment variables:
Git Disaster Recovery
export SECURITY_AUDIT_ENABLE_GIT=1
Enables automatic Git commit and push of OpenClaw state to your configured remote.
Telegram Notifications
export SECURITY_AUDIT_ENABLE_TELEGRAM=1
export TELEGRAM_BOT_TOKEN="your-bot-token"
export TELEGRAM_CHAT_ID="your-chat-id"
Sends audit summary to Telegram after each run.
Scheduling
To run daily via OpenClaw cron:
openclaw cron add --name "daily-security-audit" --schedule "0 9 * * *" --command "python3 ~/.openclaw/workspace/skills/openclaw-security/scripts/openclaw_security_audit.py"
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0.2 | 2026-03-16 | Made Git backup and Telegram opt-in features (disabled by default) |
| 1.0.1 | 2026-03-16 | Added SECURITY.md, enhanced documentation |
| 1.0.0 | 2026-03-13 | Initial release |