OpenClaw Hardener

v0.1.2

Harden OpenClaw (workspace + ~/.openclaw): run openclaw security audit, catch prompt-injection/exfil risks, scan for secrets, and apply safe fixes (chmod/exec-bit cleanup). Includes optional config.patch planning to reduce attack surface.

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)

Purpose & Capability
The name/description match the actual behavior: the script scans the workspace and ~/.openclaw, runs the OpenClaw CLI audit, and can produce/apply config.patch plans. Declared filesystem and subprocess permissions (read/write <repo>/** and ~/.openclaw/**; allow openclaw, git, bash, python3, etc.) are consistent with these tasks. Note: write access to the repo and ~/.openclaw is powerful but is needed to implement fixes and to store/adjust local config.
Instruction Scope
SKILL.md requires running scripts/hardener.py with explicit 'check', 'fix', 'plan-config', and 'apply-config' modes. The script adheres to the stated 'default = check-only' rule and includes redaction logic. However 'plan-config' and especially 'apply-config' call the OpenClaw gateway (config.get / gateway call) and can change runtime policy; those steps are high-impact and must be reviewed by the user before applying. The script reads many repo files (including .env and config) — redaction is implemented but review is advised.
Install Mechanism
There is no installer; it's an instruction-only skill with a bundled Python script. Nothing is downloaded or extracted from remote URLs during install, which minimizes install-time risk.
Credentials
The skill does not request environment variables or external credentials explicitly. It relies on local OpenClaw CLI and repo access, which is proportionate. Be aware that gateway CLI calls will use whatever OpenClaw credentials/config are already present — the skill can therefore affect systems accessible via your CLI auth without requesting new secrets.
Persistence & Privilege
always:false (normal). The skill is allowed to write to <repo>/** and ~/.openclaw/** and can apply gateway patches — these are legitimate for a hardener but are impactful. The skill does not modify other skills' configs, but because it can change gateway configuration and repository files, you should treat apply/fix operations as privileged actions and explicitly review them.
Assessment
This skill appears to be what it claims, but it can modify your repository and gateway config. Before using it:

  1) Run in 'check' mode only first and review all findings.
  2) When it prints a config.patch, manually inspect the patch JSON before running 'apply-config'.
  3) Back up your repo and ~/.openclaw (or use a disposable environment) before running 'fix' or 'apply-config'.
  4) Ensure the OpenClaw CLI on your system is authentic and that you understand which gateway/account the CLI will affect.
  5) Optionally review scripts/hardener.py yourself (it includes redaction logic but no guarantees).

If you do not trust the skill's source, avoid running fix/apply actions and stick to read-only checks.

Like a lobster shell, security has layers — review code before you run it.

Tags: audit, clawhub, devsecops, hardening, latest, openclaw, prompt-injection, secrets, security
2.5k downloads · 1 star · 3 versions · Updated 1mo ago
License: MIT-0

OpenClaw Hardener

This skill provides a user-choice hardening tool that can:

  • Run OpenClaw’s built-in security audit (openclaw security audit --deep / --fix).
  • Run workspace hygiene checks (exec bits, stray .env, unsafe serialization patterns, etc.).
  • Apply safe mechanical fixes only when explicitly requested.
  • Generate (and optionally apply) a Gateway config.patch plan to tighten runtime policy.

Run the tool

Script:

  • skills_live/openclaw-hardener/scripts/hardener.py

Examples:

# Read-only checks (recommended default)
python3 skills_live/openclaw-hardener/scripts/hardener.py check --all

# Only run OpenClaw built-in audit (deep)
python3 skills_live/openclaw-hardener/scripts/hardener.py check --openclaw

# Only run workspace checks
python3 skills_live/openclaw-hardener/scripts/hardener.py check --workspace

# Apply safe fixes (chmod/exec-bit cleanup + optionally openclaw audit --fix)
python3 skills_live/openclaw-hardener/scripts/hardener.py fix --all

# Generate a config.patch plan (prints JSON5 patch)
python3 skills_live/openclaw-hardener/scripts/hardener.py plan-config

# Apply the plan (requires a running gateway; uses `openclaw gateway call`)
python3 skills_live/openclaw-hardener/scripts/hardener.py apply-config

Design rules (do not violate)

  • Default = check-only. No file/config changes unless user runs fix or apply-config.
  • No secrets in output. If a check reads sensitive paths, it must redact likely tokens.
  • Patch plans must be explicit. Always show the patch before applying.

What it checks / fixes

OpenClaw built-in security audit

  • Runs openclaw security audit --deep (and --fix in fix mode).

Workspace hygiene (scope: workspace + ~/.openclaw)

  • Permissions sanity under ~/.openclaw (basic checks).
  • Unexpected executable bits in non-executable filetypes.
  • Stray .env files (warn) and tracked .env (fail).
  • Risky deserialization / unsafe patterns in our scripts (heuristics).
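
As an added illustration (not the skill's own hardener.py, whose heuristics are not shown on this page), here are read-only versions of the exec-bit and .env checks, with redaction applied before anything is reported. The suffix list, the token regex, and the names redact and check_workspace are assumptions; the set of tracked paths is passed in (for example from git ls-files) so the scan runs offline.

```python
import os
import re
import stat
from pathlib import Path

# Assumption: file types that should never carry an executable bit.
NON_EXEC_SUFFIXES = {".md", ".json", ".yaml", ".yml", ".txt", ".toml", ".env"}
# Assumption: heuristic for "likely token" values: KEY=VALUE where the key name
# suggests a credential and the value is 8+ non-space characters.
TOKEN_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD)[A-Z0-9_]*\s*[=:]\s*)(\S{8,})"
)


def redact(text: str) -> str:
    """Replace likely secret values with a fixed marker, keeping the key name."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


def check_workspace(root, tracked=frozenset()):
    """Read-only scan; returns (level, relative_path, message) findings.

    `tracked` is the set of repo-relative paths under version control,
    e.g. collected from `git ls-files` by the caller.
    """
    findings = []
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            mode = path.lstat().st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks, sockets, etc. are out of scope here
            is_env = name == ".env" or name.startswith(".env.")
            if mode & 0o111 and (path.suffix in NON_EXEC_SUFFIXES or is_env):
                findings.append(("warn", rel, f"unexpected exec bit (mode {mode & 0o777:o})"))
            if is_env:
                level = "fail" if rel in tracked else "warn"  # tracked .env is a failure
                first = path.read_text(errors="replace").splitlines()[:1]
                sample = redact(first[0]) if first else ""
                findings.append((level, rel, f".env present; first line: {sample}"))
    return findings
```

The regex only catches KEY=VALUE lines whose key name looks like a credential; secrets embedded in URLs or free text pass through, so output from a scan like this still needs review before it is shared.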

Config hardening (optional plan)

Generates a conservative config.patch template focusing on:

  • Tightening inbound access defaults (pairing/allowlist, mention gating) only if you opt-in.
  • Ensuring sensitive log redaction is enabled.

(Exact keys depend on your config; the plan is best-effort and should be reviewed.)
