Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Security Audit for OpenClaw

Logs risky OpenClaw agent actions, conducts activity audits, and reviews OpenClaw configs for security risks without blocking operations.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Overall the requested files and scripts align with a security-audit purpose: config audit delegates to the native `openclaw` CLI, logging and reporting operate on local log files, and notification is delegated to the platform's message tool. Asking for no external credentials and no unusual binaries is proportional. Note: the script `audit_config.sh` will call `openclaw security audit` (expected) and `--deep` can probe the live gateway (network activity).
Instruction Scope
SKILL.md repeatedly states the skill is observer-only and 'Does not block', but references/audit-guide.md contains a 'Per-Action Soft Check' that tells the agent to 'Decline or request explicit confirmation' and to log `blocked_soft` for CRITICAL actions. That's a direct contradiction in runtime behavior and could make agents either block or not block depending on which instruction is followed. There are also inconsistent paths across documents: some docs reference memory/security-audit.log or memory/security-audit-config.json, while the scripts use logs/security-audit.log. The skill also documents `--fix` which will attempt to apply fixes (chmod/config changes) — that is an active change and not pure observation, so it must be treated as higher-privilege.
Install Mechanism
Instruction-only install with included scripts; there is no network download/install step or external package install. This is low risk from an install-mechanism perspective.
Credentials
The skill requests no env variables or credentials, which is appropriate. It does rely on platform tooling (the `message` tool) and the OpenClaw CLI when present. Config references indicate it will read OpenClaw config fields (tokens, gateway settings) during a config audit — that's expected for this purpose, but you should confirm that the agent has permission to read those config files and that secrets in configs are handled properly. Notification channels mentioned will depend on whatever the OpenClaw config exposes (tokens can be present there).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It creates and writes to a local log file under the workspace (logs/security-audit.log) and suggests optionally scheduling periodic audits via cron — both are reasonable for an audit skill. Be aware `--fix` mode modifies config/permissions if used.
What to consider before installing
This skill is plausibly the audit tool it claims to be, but review and clarify a few things before installing or enabling it:

  • Confirm blocking semantics: SKILL.md says 'does not block' but the audit guide describes a 'blocked_soft' behavior — decide which behavior you want and ensure the agent follows only that. Unexpected blocking or prompting can break workflows.
  • Verify log/config paths: docs use both `logs/` and `memory/` paths; the scripts write to workspace/logs/security-audit.log. Make sure this path is acceptable and that the relative path resolution (SCRIPT_DIR/../../..) will not cause writes outside your intended workspace in your deployment layout.
  • Treat --deep and --fix carefully: `--deep` may perform live probes of your gateway (network activity). `--fix` will attempt to change permissions/config — run only in an environment where automated changes are safe and after code review.
  • Notifications: the scripts do not themselves send messages; SKILL.md expects the agent to call the platform `message` tool based on config. Confirm the OpenClaw config tokens/credentials used for messaging are stored and accessed securely.
  • Test in a sandbox first: run the scripts manually in a controlled environment to confirm where logs are created and what `openclaw security audit` does in your setup.

If these inconsistencies are fixed (unify the docs and scripts, remove contradictory blocking guidance, and clearly document where logs live and when the skill modifies config), the skill looks coherent and appropriate for its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0


SKILL.md

Security Audit Skill

Lightweight, observer-only security layer for OpenClaw. Logs agent actions, audits activity history, and reviews OpenClaw config for risks. Does not block or interrupt any operations.

Quick Start

Three things this skill does:

  1. Log risky actions → call ./scripts/log_event.sh after notable operations
  2. Audit activity history → run ./scripts/run_audit.sh on request
  3. Audit OpenClaw config → run ./scripts/audit_config.sh on request

Core Behaviors

Logging Risky Actions (Observer Mode)

This skill is purely observational — it never blocks or delays any operation. After completing a risky action, log it:

./scripts/log_event.sh <level> <category> "<summary>" "<detail>" <action>

When to log:

Level | When
CRITICAL | Remote code execution (curl|bash), credential/key file reads, persistence writes (cron, authorized_keys, launchd), privilege escalation
WARN | Bulk file deletion, sensitive file reads, external requests with dynamic URLs, shell env modification
INFO | Normal workspace operations, standard dev tooling — skip unless building an audit trail

Categories: exec | file_write | network | credential | persistence

Actions: allowed | flagged

Note: blocked_soft is removed — this skill does not block. If something was risky but the user explicitly requested it, use allowed. Otherwise flagged.

Example:

./scripts/log_event.sh WARN exec "bulk delete outside workspace" "rm -rf /tmp/build" flagged
./scripts/log_event.sh CRITICAL credential "SSH key read" "cat ~/.ssh/id_rsa" allowed

Running Activity Audits

When the user asks for a security audit or activity review:

./scripts/run_audit.sh 7   # last 7 days (default)
./scripts/run_audit.sh 30  # last 30 days

Read the output, then:

  • Highlight CRITICAL entries and explain what happened
  • Note any suspicious patterns (same WARN repeating, unexpected credential access)
  • If notify_on_audit_complete: true in config → send via message tool to configured channel

Auditing OpenClaw Config

When the user asks "is my OpenClaw config secure?" or similar:

./scripts/audit_config.sh          # standard audit
./scripts/audit_config.sh --deep   # also probe live Gateway
./scripts/audit_config.sh --fix    # audit + apply safe fixes

This script delegates to openclaw security audit (the native CLI tool), which checks gateway auth, tool permissions, network exposure, file permissions, and other config foot-guns. Read the output and present findings to the user with context and recommendations.

Notification Setup

Users can enable proactive notifications by creating logs/security-audit-config.json:

{
  "notify_channel": "dingtalk",
  "notify_on": ["CRITICAL", "WARN"],
  "notify_on_audit_complete": true
}

Supported channels: whatever OpenClaw has configured (dingtalk, telegram, discord, etc.).
Default if file missing: log-only, no notifications.

When notify_on is set and you log a matching event, send a brief message via the message tool after logging.
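
The logging vocabulary and the notification rules above, checked in code. This is an added example, not part of the skill or its scripts: the function names are hypothetical, and rejecting a config that sets notify_on without notify_channel is an assumption, since SKILL.md does not say how a malformed file is handled.

```python
import json
from pathlib import Path

# Vocabulary documented in SKILL.md; blocked_soft is listed there as removed.
LEVELS = ("CRITICAL", "WARN", "INFO")
CATEGORIES = ("exec", "file_write", "network", "credential", "persistence")
ACTIONS = ("allowed", "flagged")

# Constructed sample with the same shape as the config shown in SKILL.md.
SAMPLE_CONFIG = ('{"notify_channel": "dingtalk", "notify_on": ["CRITICAL", "WARN"],'
                 ' "notify_on_audit_complete": true}')

def validate_event(level, category, action):
    """Return the problems found in one log_event.sh argument set (empty = ok)."""
    problems = []
    if level not in LEVELS:
        problems.append(f"unknown level {level!r}")
    if category not in CATEGORIES:
        problems.append(f"unknown category {category!r}")
    if action == "blocked_soft":
        problems.append("blocked_soft is removed; use allowed or flagged")
    elif action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    return problems

def parse_notify_config(text):
    """Parse config text. Assumption: shapes SKILL.md does not describe are rejected."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    notify_on = cfg.get("notify_on", [])
    if not isinstance(notify_on, list) or any(l not in LEVELS for l in notify_on):
        raise ValueError("notify_on must be a list of known levels")
    channel = cfg.get("notify_channel")
    if notify_on and not (isinstance(channel, str) and channel):
        raise ValueError("notify_on is set but notify_channel is missing")
    return cfg

def load_notify_config(path):
    """A missing file is the documented default: log-only (returns None)."""
    p = Path(path)
    return parse_notify_config(p.read_text()) if p.is_file() else None

def should_notify(cfg, level):
    """True only when a config exists and lists this level in notify_on."""
    return cfg is not None and level in cfg.get("notify_on", [])
```

Running validate_event before each log_event.sh call keeps a stray blocked_soft, which the scan above found still referenced in audit-guide.md, out of the log.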

Reference Files

  • dangerous-patterns.md — Comprehensive list of risky exec, file, and network patterns with examples
  • audit-guide.md — Log format, risk classification, notification config, report format
  • config-risks.md — OpenClaw config fields and their security implications

First-Time Setup

  1. logs/security-audit.log is created automatically on first event
  2. Offer to help create logs/security-audit-config.json for notifications
  3. Suggest adding a cron job via the cron skill for periodic audits (user sets interval)
  4. For config audit: no setup needed — runs on demand

What This Skill Does NOT Do

  • Block or delay any operation
  • Intercept other skills at runtime
  • Monitor the OpenClaw process itself
  • Replace proper OS-level access controls or sandboxing

Files

7 total