ClawHub

OpenClaw Security Hardening

Protect OpenClaw installations from prompt injection, data exfiltration, malicious skills, and workspace tampering

MIT-0 · Free to use, modify, and redistribute. No attribution required.
5 · 1.9k · 0 current installs · 0 all-time installs
by@kylejfrost
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match delivered artifacts: scripts for scanning skills, auditing outbound patterns, integrity baselines, workspace hardening, and a pre-install guard are all appropriate for a 'security hardening' tool. No unrelated credentials, external services, or strange binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run the provided scripts. The scripts intentionally read many files and directories (workspace files, skill files, config in $HOME, .git, .env, .ssh and common credential locations) so they can detect exposures — this is expected for this tool. Be aware these scans require file-system access and will enumerate/inspect potentially sensitive files; the scripts do not attempt to transmit data externally (they flag outbound patterns instead).
Install Mechanism
Instruction-only + bundled shell scripts; there is no remote download/install step, no package registries, and no URL-based extract operations. Risk from install mechanism is low — the tool writes files into $HOME/.openclaw/security (baseline, whitelist), which is expected for a local security tool.
Credentials
No environment variables or credentials are requested. Scripts reference HOME and common system tools (shasum, realpath, grep, git, python3 optional) and standard paths (~/.openclaw, workspace paths, ~/.ssh, ~/.aws). This is proportionate to the stated purpose, but the user should note the tool will read many sensitive locations to detect issues.
Persistence & Privilege
The skill is not 'always:true' and does not request elevated platform privileges. It does create/modify local state under $HOME/.openclaw/security (hash baseline, whitelist) and may write fixes when run with --fix; that behavior is expected for a hardening tool. Review and consent to these local writes before running.
Scan Findings in Context
[pre-scan:ignore-previous-instructions] expected: The SKILL.md and security rules intentionally include prompt-injection patterns (e.g., 'ignore previous instructions') because the scanner needs to detect such malicious patterns. The static detector flagged these strings in the skill content — this is expected and not a sign of the skill trying to perform prompt-injection itself.
Assessment
This package is a local hardening/audit toolkit and appears to do what it says: it will scan your skills/workspace and create local baselines and whitelists under $HOME/.openclaw/security. Before running: (1) review the scripts yourself (they run shell commands and inspect many files); (2) back up AGENTS.md, MEMORY.md and any important files, since harden-workspace.sh can modify permissions and .gitignore when run with --fix; (3) confirm you’re comfortable with files being written to ~/.openclaw/security (hash files, whitelist); (4) run scan tools in non-privileged/test environment first, then run with --fix only after manual review; (5) check the domain whitelist and incident logging locations (memory/security-incidents.md) so you know what will be recorded. Overall the pieces are coherent for a security tool — there are no unexplained external endpoints or credential requests, but exercising normal caution (review code and run in a controlled environment) is recommended.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.1.0
Download zip
latestvk974r63zwxqpf7ssy2kr2j1e6h80cy18

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

OpenClaw Security Hardening

A comprehensive security toolkit for protecting OpenClaw installations from attacks via malicious skill files, prompt injection, data exfiltration, and workspace tampering.

Threat Model

This skill protects against:

ThreatDescriptionTool
Prompt InjectionMalicious skills containing instructions to override system prompts, ignore safety rules, or manipulate agent behaviorscan-skills.sh
Data ExfiltrationSkills that instruct the agent to send sensitive data (credentials, memory, config) to external endpointsaudit-outbound.sh
Skill TamperingUnauthorized modification of installed skills after initial reviewintegrity-check.sh
Workspace ExposureSensitive files with wrong permissions, missing .gitignore rules, insecure gateway configharden-workspace.sh
Supply ChainInstalling a new skill that contains hidden malicious patternsinstall-guard.sh

Quick Start

# Run a full security scan of all installed skills
./scripts/scan-skills.sh

# Audit outbound data flow patterns
./scripts/audit-outbound.sh

# Initialize integrity baseline
./scripts/integrity-check.sh --init

# Harden your workspace
./scripts/harden-workspace.sh --fix

# Check a new skill before installing
./scripts/install-guard.sh /path/to/new-skill/

Tools

1. scan-skills.sh — Skill File Scanner

Scans all installed skill files for malicious patterns including prompt injection, data exfiltration attempts, suspicious URLs, hidden unicode, obfuscated commands, and social engineering.

Usage:

# Scan all skill directories
./scripts/scan-skills.sh

# Scan a specific directory only
./scripts/scan-skills.sh --path /path/to/skills/

# Output as JSON for automation
./scripts/scan-skills.sh --json

# Show help
./scripts/scan-skills.sh --help

What it detects:

  • Prompt injection patterns (override instructions, new system prompts, admin overrides)
  • Data exfiltration (curl/wget to external URLs, sending file contents)
  • Suspicious URLs (webhooks, pastebin, requestbin, ngrok, etc.)
  • Base64-encoded content that could hide instructions
  • Hidden unicode characters (zero-width spaces, RTL override, homoglyphs)
  • References to sensitive files (.env, credentials, API keys, tokens)
  • Instructions to modify system files (AGENTS.md, SOUL.md)
  • Obfuscated commands (hex encoded, unicode escaped)
  • Social engineering ("don't tell the user", "secretly", "without mentioning")

Severity levels:

  • 🔴 CRITICAL — Likely malicious, immediate action needed
  • 🟡 WARNING — Suspicious, review manually
  • 🔵 INFO — Noteworthy but probably benign

2. integrity-check.sh — Skill Integrity Monitor

Creates SHA256 hash baselines of all skill files and detects unauthorized modifications.

Usage:

# Initialize baseline (first run)
./scripts/integrity-check.sh --init

# Check for changes (run periodically)
./scripts/integrity-check.sh

# Update baseline after reviewing changes
./scripts/integrity-check.sh --update

# Check specific directory
./scripts/integrity-check.sh --path /path/to/skills/

# Show help
./scripts/integrity-check.sh --help

Reports:

  • ✅ Unchanged files
  • ⚠️ Modified files (hash mismatch)
  • 🆕 New files (not in baseline)
  • ❌ Removed files (in baseline but missing)

Automation: Add to your heartbeat or cron to run daily:

# In HEARTBEAT.md or cron
0 8 * * * /path/to/scripts/integrity-check.sh 2>&1 | grep -E '(MODIFIED|NEW|REMOVED)'

3. audit-outbound.sh — Outbound Data Flow Auditor

Scans skill files for patterns that could cause data to leave your machine.

Usage:

# Audit all skills
./scripts/audit-outbound.sh

# Audit specific directory
./scripts/audit-outbound.sh --path /path/to/skills/

# Show whitelisted domains
./scripts/audit-outbound.sh --show-whitelist

# Add domain to whitelist
./scripts/audit-outbound.sh --whitelist example.com

# Show help
./scripts/audit-outbound.sh --help

Detects:

  • HTTP/HTTPS URLs embedded in skill instructions
  • References to curl, wget, fetch, web_fetch, browser navigate
  • Email/message/webhook sending instructions
  • Raw IP addresses in instructions
  • Non-whitelisted external domains

4. harden-workspace.sh — Workspace Hardener

Checks and fixes common security misconfigurations in your OpenClaw workspace.

Usage:

# Check only (report issues)
./scripts/harden-workspace.sh

# Auto-fix safe issues
./scripts/harden-workspace.sh --fix

# Show help
./scripts/harden-workspace.sh --help

Checks:

  • File permissions on sensitive files (MEMORY.md, USER.md, SOUL.md, credentials)
  • .gitignore coverage for sensitive patterns
  • Gateway auth configuration
  • DM policy settings
  • Sensitive content in version-controlled files

5. install-guard.sh — Pre-Install Security Gate

Run before installing any new skill to check for malicious content.

Usage:

# Check a skill before installing
./scripts/install-guard.sh /path/to/new-skill/

# Strict mode (fail on warnings too)
./scripts/install-guard.sh --strict /path/to/new-skill/

# Show help
./scripts/install-guard.sh --help

Checks:

  • All patterns from scan-skills.sh
  • Dangerous shell patterns in scripts (rm -rf, curl|bash, eval, etc.)
  • Suspicious npm dependencies (if package.json exists)
  • Exit code 0 = safe, 1 = suspicious (for CI/automation)

Security Rules Template

Copy assets/security-rules-template.md into your AGENTS.md to add runtime security rules for your agent. These rules instruct the agent to refuse prompt injection attempts and protect sensitive data.

cat assets/security-rules-template.md >> /path/to/AGENTS.md

Recommended Setup

  1. Initial setup:

    ./scripts/scan-skills.sh              # Scan existing skills
./scripts/audit-outbound.sh           # Audit outbound patterns
./scripts/integrity-check.sh --init   # Create baseline
./scripts/harden-workspace.sh --fix   # Fix workspace issues

  2. Add security rules to AGENTS.md from the template

  3. Before installing new skills:

    ./scripts/install-guard.sh /path/to/new-skill/

  4. Periodic checks (add to heartbeat or cron):

    ./scripts/integrity-check.sh          # Detect tampering
./scripts/scan-skills.sh              # Re-scan for new patterns

Files

7 total
Select a file
Select a file to preview.

Comments

Loading comments…