OpenClaw Security Audit Review
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent read-only local OpenClaw security audit skill, but its reports can include sensitive local configuration details.
This skill is suitable for a local OpenClaw security review. Before installing or running it, understand that it inspects local configuration, proxy files, Docker/port state, and permission metadata, and its output may contain sensitive environment details. Review and redact raw findings before sending them to others.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The audit may reveal local services, listening ports, and related system details to the agent and in the final report.
The skill invokes fixed local networking tools to collect listening-port state. This is expected for a local security audit, but it exposes system service information in the audit output.
import subprocess
# Collects listening TCP/UDP sockets (with owning processes) via ss; fixed argument list, 10-second timeout
p = subprocess.run(["ss", "-lntup"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, timeout=10)
Use it only when you intend to audit the local machine, and avoid sharing raw audit output publicly unless you have reviewed it.
If proxy configs contain tokens or Authorization headers, those values could appear in the audit transcript or report.
The proxy audit searches Nginx/Caddy configuration for credential-like markers and returns the full matching line. This is purpose-aligned for detecting leaks, but the returned line may itself contain a secret.
"url_credential_leak": [r"token=", r"gatewayUrl=", r"key=", r"secret=", r"Authorization"]
...
findings.append(f"[{risk_type}] L{i}: {line.strip()}")
Redact token, key, secret, and Authorization values before sharing results outside the local trusted context.
