Inner Warden Security
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for local Inner Warden administration, but users should notice it uses a dashboard token, can guide high-impact local actions, and documents a manual sudo installer.
Install only if you expect to administer Inner Warden on this machine. Review any proposed sudo installer or destructive GDPR erase command carefully, and keep the dashboard token protected.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user approves the wrong erase target, Inner Warden data for that IP or user could be permanently removed.
The skill includes a destructive local data-erasure operation, but it is purpose-aligned for GDPR administration and explicitly requires confirmation.
ALWAYS ask the user for explicit confirmation before running gdpr erase. It is irreversible.
Confirm the exact entity before approving GDPR erase commands and keep backups or exports when appropriate.
The token may grant access to local Inner Warden security data and actions through the dashboard API.
The skill uses INNERWARDEN_DASHBOARD_TOKEN to access the local dashboard API. This is disclosed, declared in the skill requirements, and scoped to localhost.
If the token is set, include it in every API request as a Bearer header.
Store the token only in the intended OpenClaw configuration, avoid sharing logs that might contain it, and use the least-privileged dashboard token available.
Running a remote installer with sudo can make privileged, persistent changes to the server.
The skill documents downloading a latest-release install script and running it with sudo. It mitigates this by telling the user to inspect it first and not installing automatically.
curl -fsSL https://github.com/InnerWarden/innerwarden/releases/latest/download/install.sh -o /tmp/innerwarden-install.sh ... sudo bash /tmp/innerwarden-install.sh
Inspect the script, verify the release source/checksums when possible, and run the installer manually only if you trust the Inner Warden project.
