OpenClaw Security Hardening
v1.1.0Protect OpenClaw installations from prompt injection, data exfiltration, malicious skills, and workspace tampering
⭐ 5· 2.2k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match delivered artifacts: scripts for scanning skills, auditing outbound patterns, integrity baselines, workspace hardening, and a pre-install guard are all appropriate for a 'security hardening' tool. No unrelated credentials, external services, or strange binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run the provided scripts. The scripts intentionally read many files and directories (workspace files, skill files, config in $HOME, .git, .env, .ssh and common credential locations) so they can detect exposures — this is expected for this tool. Be aware these scans require file-system access and will enumerate/inspect potentially sensitive files; the scripts do not attempt to transmit data externally (they flag outbound patterns instead).
Install Mechanism
Instruction-only + bundled shell scripts; there is no remote download/install step, no package registries, and no URL-based extract operations. Risk from install mechanism is low — the tool writes files into $HOME/.openclaw/security (baseline, whitelist), which is expected for a local security tool.
Credentials
No environment variables or credentials are requested. Scripts reference HOME and common system tools (shasum, realpath, grep, git, python3 optional) and standard paths (~/.openclaw, workspace paths, ~/.ssh, ~/.aws). This is proportionate to the stated purpose, but the user should note the tool will read many sensitive locations to detect issues.
Persistence & Privilege
The skill is not 'always:true' and does not request elevated platform privileges. It does create/modify local state under $HOME/.openclaw/security (hash baseline, whitelist) and may write fixes when run with --fix; that behavior is expected for a hardening tool. Review and consent to these local writes before running.
Scan Findings in Context
[pre-scan:ignore-previous-instructions] expected: The SKILL.md and security rules intentionally include prompt-injection patterns (e.g., 'ignore previous instructions') because the scanner needs to detect such malicious patterns. The static detector flagged these strings in the skill content — this is expected and not a sign of the skill trying to perform prompt-injection itself.
Assessment
This package is a local hardening/audit toolkit and appears to do what it says: it will scan your skills/workspace and create local baselines and whitelists under $HOME/.openclaw/security. Before running: (1) review the scripts yourself (they run shell commands and inspect many files); (2) back up AGENTS.md, MEMORY.md and any important files, since harden-workspace.sh can modify permissions and .gitignore when run with --fix; (3) confirm you’re comfortable with files being written to ~/.openclaw/security (hash files, whitelist); (4) run scan tools in non-privileged/test environment first, then run with --fix only after manual review; (5) check the domain whitelist and incident logging locations (memory/security-incidents.md) so you know what will be recorded. Overall the pieces are coherent for a security tool — there are no unexplained external endpoints or credential requests, but exercising normal caution (review code and run in a controlled environment) is recommended.Like a lobster shell, security has layers — review code before you run it.
latestvk974r63zwxqpf7ssy2kr2j1e6h80cy18
License
MIT-0
Free to use, modify, and redistribute. No attribution required.