Security Audit

Pass

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only security-audit skill is coherent and mostly read-only, but users should note that it asks the agent to inspect sensitive local system state and OpenClaw configuration.

Before using it, be aware that the agent will read local system details and OpenClaw files. Keep reports redacted, do not paste secret values into chats, and treat the external setup link as unreviewed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

The agent may inspect local processes, ports, services, logs, and configuration while performing the audit.

Why it was flagged

The skill instructs the agent to run local diagnostic commands. This is expected for a security audit and is bounded as read-only, but it still gives the agent visibility into system state, and a read-only command such as `cat` still places whatever it reads into the conversation.

Skill content
prefer non-destructive commands (status, ls, cat, ss, systemctl, journalctl, ps)
Recommendation

Run it only on systems you intend to audit, review command output before sharing it, and keep remediation behind explicit confirmation.
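One way to enforce the "non-destructive commands" boundary before the agent runs anything is to gate each proposed command line against the read-only set the skill names. The following is an added example, not code from ClawScan or from the audited skill: the command names come from the skill text, while the per-tool mutating-argument lists, the shell-operator rule and the `sudo` handling are assumptions about what "non-destructive" should mean, since the skill does not spell them out.

```python
import shlex

# Added example, not part of the ClawScan report or the audited skill.
# Gates a proposed shell command line against the read-only set the skill
# names. The command names are taken from the skill text; the per-tool
# argument rules, the shell-operator rule and the sudo handling are
# assumptions about what "non-destructive" should mean.

READ_ONLY_COMMANDS = {"status", "ls", "cat", "ss", "systemctl", "journalctl", "ps"}

# Arguments that turn an otherwise read-only tool into a mutating one.
# A bare command-name allowlist would wave "systemctl restart" through.
MUTATING_ARGS = {
    "systemctl": {"start", "stop", "restart", "reload", "try-restart", "enable",
                  "disable", "mask", "unmask", "kill", "daemon-reload", "edit",
                  "set-property", "set-default", "isolate"},
    "journalctl": {"--vacuum-size", "--vacuum-time", "--vacuum-files",
                   "--rotate", "--flush", "--sync", "--relinquish-var"},
}

# Operators that could write a file, chain in an unchecked command or open
# a subshell. shlex groups adjacent operator characters into one token.
SHELL_OPERATORS = {"|", "||", "&", "&&", ";", "<", ">", ">>", "(", ")"}


def tokenize(cmdline: str) -> list[str]:
    """Split like a POSIX shell, keeping |, &, ;, <, > as separate tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def classify_command(cmdline: str) -> tuple[bool, str]:
    """Return (allowed, reason). Only a plain invocation of a read-only tool,
    with no mutating argument and no shell operator, is allowed."""
    try:
        argv = tokenize(cmdline)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if not argv:
        return False, "empty command"
    for tok in argv:
        if tok in SHELL_OPERATORS:
            return False, f"shell operator {tok!r}: redirection/chaining not allowed"
    # Assumption: the agent may prefix sudo; judge the real command behind it.
    if argv[0] == "sudo":
        argv = argv[1:]
        if not argv:
            return False, "sudo with no command"
    cmd = argv[0].rsplit("/", 1)[-1]
    if cmd not in READ_ONLY_COMMANDS:
        return False, f"{cmd!r} is not in the read-only allowlist"
    # Compare on the flag name so --vacuum-time=2d is caught as well.
    args = {a.split("=", 1)[0] for a in argv[1:]}
    bad = MUTATING_ARGS.get(cmd, set()) & args
    if bad:
        return False, f"{cmd} with mutating argument {sorted(bad)[0]!r} needs explicit confirmation"
    return True, "read-only"


if __name__ == "__main__":
    for c in ["systemctl status nginx", "systemctl restart nginx",
              "cat /etc/hosts > /tmp/out", "journalctl --vacuum-time=2d", "ps aux"]:
        print(f"{c!r:40} -> {classify_command(c)}")
```

Pipes into read-only filters are rejected as well; that is deliberate, since a conservative gate is simpler to reason about than one that parses pipelines. Passing the gate says nothing about what a command's output contains: `cat ~/.openclaw/config.json` is read-only and would still paste tokens into the chat, which is the concern of the next finding.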

Finding 2

What this means

The agent could encounter sensitive file names, paths, or configuration output while looking for exposed secrets.

Why it was flagged

The audit includes credential and secret-storage checks. The artifact explicitly limits reporting to paths and says to redact secrets, making this purpose-aligned rather than suspicious.

Skill content
Check for plaintext secrets locations:
- `~/.openclaw/` directories
- `.env` files, token dumps, backups
...
Report only **paths**, never contents.
Recommendation

Confirm that reports contain only redacted evidence and file paths, not actual tokens, passwords, or session values.
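A scanner that follows the "paths, never contents" rule, plus a check that the resulting report really does not carry raw values, could look like the following. This is an added example, not code from ClawScan or from the audited skill; the locations it targets (`.openclaw/` directories, `.env` files, token dumps, backups) come from the skill text, while the file-name and key-name patterns, the redaction format and the constructed sample tree are assumptions made for the example.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Added example, not part of the ClawScan report or the audited skill.
# Finds the plaintext-secret locations the skill names and reports paths
# plus redacted evidence only. The name/key patterns and the redaction
# format are assumptions; the skill text does not specify them.

# File names worth opening: .env and variants, backups, token/credential dumps.
CANDIDATE_NAME = re.compile(r"(?:^\.env(?:\..*)?$|\.env$|\.bak$|\.backup$|token|cred)", re.IGNORECASE)
CANDIDATE_DIR = ".openclaw"  # everything under such a directory is a candidate

# KEY=value / "key": "value" lines whose key looks like a credential.
SECRET_LINE = re.compile(
    r"^\s*(?:export\s+)?[\"']?"
    r"(?P<key>[A-Za-z0-9_.\-]*(?:token|secret|passw(?:or)?d|api[_-]?key|private[_-]?key)[A-Za-z0-9_.\-]*)"
    r"[\"']?\s*[:=]\s*[\"']?(?P<value>[^\"'\s,]+)",
    re.IGNORECASE,
)


def is_candidate(path: Path, root: Path) -> bool:
    rel = path.relative_to(root)
    return CANDIDATE_DIR in rel.parts[:-1] or bool(CANDIDATE_NAME.search(path.name))


def redact(value: str) -> str:
    # Length plus a short hash lets two findings of the same secret be
    # correlated without exposing a single character of it.
    digest = hashlib.sha256(value.encode()).hexdigest()[:8]
    return f"<redacted len={len(value)} sha256={digest}>"


def scan_tree(root: str) -> list[dict]:
    """Return findings as path, line number, key name and redacted evidence."""
    root_p = Path(root)
    findings = []
    for path in sorted(p for p in root_p.rglob("*") if p.is_file()):
        if not is_candidate(path, root_p):
            continue  # only the named locations are opened at all
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue
        for n, line in enumerate(lines, 1):
            m = SECRET_LINE.match(line)
            if m:
                findings.append({"path": path.relative_to(root_p).as_posix(), "line": n,
                                 "key": m.group("key"), "evidence": redact(m.group("value"))})
    return findings


def render_report(findings: list[dict]) -> str:
    return json.dumps(findings, indent=2)


def report_is_clean(findings: list[dict], root: str) -> bool:
    """Re-read every flagged file and confirm no raw value made it into the report.
    Very short values can false-positive by appearing inside a path or key."""
    report = render_report(findings)
    for f in {f["path"] for f in findings}:
        for line in (Path(root) / f).read_text(errors="replace").splitlines():
            m = SECRET_LINE.match(line)
            if m and m.group("value") in report:
                return False
    return True


def build_sample_tree() -> str:
    """Constructed sample files (not real data) in a temp dir shaped like a home directory."""
    home = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (home / CANDIDATE_DIR).mkdir()
    (home / CANDIDATE_DIR / "config.json").write_text(
        '{\n  "model": "x",\n  "api_token": "sk-live-9f8e7d6c5b4a"\n}\n')
    (home / "app").mkdir()
    (home / "app" / ".env").write_text("DB_HOST=localhost\nDB_PASSWORD=hunter2-correct-horse\n")
    (home / "app" / "settings.bak").write_text("export OPENCLAW_TOKEN=oc_0123456789abcdef\n")
    (home / "notes.md").write_text("password=outside-the-named-locations\n")  # not a candidate
    return str(home)


if __name__ == "__main__":
    root = build_sample_tree()
    found = scan_tree(root)
    print(render_report(found))
    print("clean:", report_is_clean(found, root))
```

The scan opens only the locations the skill names; `notes.md` in the sample tree is skipped on purpose, so widening the scope is a deliberate decision rather than an accident. `report_is_clean` is the check behind the recommendation above: run it on whatever the agent is about to post before the report leaves the machine.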

Finding 3

What this means

Following external setup instructions could introduce unreviewed commands or guidance outside this scan.

Why it was flagged

The skill points to an external setup guide that was not included in the reviewed artifacts. There is no evidence it is automatically fetched or executed, but users should not treat it as reviewed content.

Skill content
> **Complete setup guide**: https://SkillBoss.co/skill.md
Recommendation

Inspect any linked setup guide manually and avoid running remote commands unless you understand and trust them.