Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Security Audit

Automates security audits for OpenClaw gateway by checking key configuration settings to identify and report common security risks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 161 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Benign (View report)
OpenClaw: Benign (high confidence)
Purpose & Capability
Overall coherent: the name/description, SKILL.md and script all focus on auditing OpenClaw configuration. Minor inconsistency: the registry metadata declares no required binaries, but both SKILL.md and the script explicitly require the local 'openclaw' CLI to be installed and executable.
Instruction Scope
Runtime instructions and the script only read the user's OpenClaw config at ~/.openclaw/openclaw.json, perform local checks, print a report, and run 'openclaw security audit --deep'. There is no code that reads unrelated system paths or environment variables, nor does the script itself transmit data to external endpoints.
Install Mechanism
No install spec — instruction-only plus a local script. Nothing is downloaded or written during install; the single included script is executed by the user/agent.
Credentials
No environment variables, secrets, or external credentials are requested. The script reads only the gateway config file (appropriate for an audit tool) and masks tokens in reports; this access is proportionate to the stated purpose.
Persistence & Privilege
Does not request persistent/always-on privileges and does not modify other skills or system-wide agent settings. It only runs on user invocation (or autonomous invocation if allowed by the platform) and performs read-only checks plus invoking the local OpenClaw CLI.
Assessment
This skill appears to do what it claims: read your OpenClaw config (~/.openclaw/openclaw.json), report insecure settings, and invoke the local 'openclaw security audit --deep'. Before installing/running: (1) verify you trust the skill source (no homepage and unknown owner in metadata); (2) note the metadata did not declare the required 'openclaw' binary—ensure that CLI is the official one you trust; (3) back up your config file as advised; (4) understand that while this script does not exfiltrate data itself, the OpenClaw CLI it calls could perform network actions depending on its implementation, so review/confirm the CLI behavior if network confidentiality is a concern. If you cannot verify the author, review the included script contents (they are short and readable) before running.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/audit.cjs:148: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0 (latest; version id vk976sfw0z9e8t9jwnen5xtzkcx82mtjg)

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

OpenClaw Security Policy Check

An automated configuration audit tool that detects common security misconfigurations in the OpenClaw gateway.

Usage

node {baseDir}/scripts/audit.cjs

Workflow

  1. Read the config file: automatically locates ~/.openclaw/openclaw.json
  2. Check the configuration: 5 key security settings
  3. Run the audit: executes openclaw security audit --deep
  4. Output a report: summarizes remediation results and audit findings

Check items

Setting                        Insecure value      Secure value
gateway.bind                   0.0.0.0             127.0.0.1
gateway.auth.token             short or default    32-character strong random value
controlUi.allowInsecureAuth    true                false
tools.exec.security            full                allowlist
tools.exec.ask                 off                 on-miss

Notes

  • Back up the config file before first use
  • After changing the token, restart the gateway for the change to take effect
  • Requires the openclaw command-line tool
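
The following is an added example of the five-setting check the workflow and table above describe, written here for illustration; it is not the skill's own scripts/audit.cjs. The setting names and their insecure/secure values are taken from the table; the dotted-path layout of openclaw.json, the "at least 32 characters" token rule, the masking format, and the sample config are assumptions. It also shows the safer way to make the child_process call the scanner flagged: execFileSync with an argv array rather than a shell string.

```javascript
"use strict";

// Checks from the SKILL.md table. The dotted paths into the JSON object are an
// assumption about how openclaw.json is laid out.
const CHECKS = [
  { key: "gateway.bind", bad: (v) => v === "0.0.0.0", fix: "127.0.0.1" },
  // "short or default" is approximated as: missing, not a string, or under 32 chars (assumption).
  { key: "gateway.auth.token", bad: (v) => typeof v !== "string" || v.length < 32, fix: "32-character strong random value" },
  { key: "controlUi.allowInsecureAuth", bad: (v) => v === true, fix: false },
  { key: "tools.exec.security", bad: (v) => v === "full", fix: "allowlist" },
  { key: "tools.exec.ask", bad: (v) => v === "off", fix: "on-miss" },
];

// Walk a dotted path ("gateway.auth.token") into a nested object; undefined if any hop is missing.
function getPath(obj, dotted) {
  return dotted.split(".").reduce((o, k) => (o && typeof o === "object" ? o[k] : undefined), obj);
}

// Never print the token itself in a report: keep 2 chars at each end, star the rest (assumed format).
function maskToken(t) {
  if (typeof t !== "string" || t.length === 0) return "<missing>";
  if (t.length <= 8) return "*".repeat(t.length);
  return t.slice(0, 2) + "*".repeat(t.length - 4) + t.slice(-2);
}

// Run every check against an already-parsed config object and return the findings.
function auditConfig(config) {
  const findings = [];
  for (const c of CHECKS) {
    const value = getPath(config, c.key);
    if (c.bad(value)) {
      const current = c.key === "gateway.auth.token" ? maskToken(value) : JSON.stringify(value);
      findings.push({ key: c.key, current, recommended: c.fix });
    }
  }
  return findings;
}

// Read-only load of the gateway config (default location from SKILL.md).
function loadConfig(file) {
  const fs = require("fs");
  const os = require("os");
  const path = require("path");
  const target = file || path.join(os.homedir(), ".openclaw", "openclaw.json");
  return JSON.parse(fs.readFileSync(target, "utf8"));
}

// argv for the deep audit step. Keeping file and args separate means no shell is involved.
function deepAuditArgv() {
  return { file: "openclaw", args: ["security", "audit", "--deep"] };
}

// execFileSync with an argv array: the arguments are passed directly to the binary,
// so nothing in them is parsed by a shell (unlike exec("openclaw security audit --deep")).
function runDeepAudit() {
  const { execFileSync } = require("child_process");
  const { file, args } = deepAuditArgv();
  return execFileSync(file, args, { encoding: "utf8" });
}

// Constructed sample config with every setting at its insecure value.
const SAMPLE_INSECURE = {
  gateway: { bind: "0.0.0.0", auth: { token: "changeme" } },
  controlUi: { allowInsecureAuth: true },
  tools: { exec: { security: "full", ask: "off" } },
};

if (typeof require !== "undefined" && require.main === module) {
  // Pass a config path to audit a real file; with no argument the constructed sample is used.
  const cfg = process.argv[2] ? loadConfig(process.argv[2]) : SAMPLE_INSECURE;
  const findings = auditConfig(cfg);
  if (findings.length === 0) console.log("No insecure settings found.");
  for (const f of findings) {
    console.log(`${f.key}: ${f.current} -> recommended ${JSON.stringify(f.recommended)}`);
  }
  // runDeepAudit() is intentionally not called here; it needs the local openclaw CLI.
}
```

Run it as `node check.js` to see all five findings on the sample, or `node check.js ~/.openclaw/openclaw.json` against a real config. The two points worth carrying over to any audit script of this kind are that the token never reaches the report unmasked, and that the CLI is invoked with execFileSync and an argv array, which is what keeps a child_process call from becoming a shell-injection surface if any argument ever comes from config or user input.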

Files

2 total
