OpenClaw Security Hardening Toolkit

v1.0.0

Secures OpenClaw by auditing instance exposure, protecting credentials, verifying skill safety, enforcing gateway token access, and enabling session sandboxing.

⭐ 0· 74·0 current·0 all-time

by~K¹yle Million@thebrierfox

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for thebrierfox/openclaw-security-hardening-toolkit.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "OpenClaw Security Hardening Toolkit" (thebrierfox/openclaw-security-hardening-toolkit) from ClawHub.
Skill page: https://clawhub.ai/thebrierfox/openclaw-security-hardening-toolkit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-security-hardening-toolkit

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-security-hardening-toolkit

Security Scan

Capability signals

CryptoRequires wallet

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

The SKILL.md content is consistent with a security-hardening toolkit (network checks, secret rotation, verification checklist). However the registry metadata claims no required binaries or env vars while the runtime instructions assume many system tools (ss, curl, grep, openssl, python3, find, xargs) and an 'openclaw' CLI; that mismatch is unexpected and should be justified.

ℹ

Instruction Scope

Instructions explicitly read and modify local configuration files (~/.openclaw/openclaw.json), search workspace files, move secrets to /etc/default/aegis, and restart the gateway. Those actions are within hardening scope but involve privileged file writes and service restarts; they also perform external network calls (ifconfig.me, curl) for reachability checks.

✓

Install Mechanism

This is an instruction-only skill with no install spec or code files to write to disk, which reduces install-time risk. package.json only points entry to SKILL.md.

ℹ

Credentials

The skill does not request environment variables or credentials from the registry metadata (none declared). The SKILL.md nevertheless enumerates many provider tokens that operators should rotate if found (GitHub, OpenAI, Stripe, Supabase, etc.). Listing these keys as things to audit is reasonable, but the skill does not request or require them explicitly — operators should understand the skill assumes the presence of such credentials on disk or in workspace files.

Persistence & Privilege

The instructions require (or recommend) editing system config (/etc/default/aegis), restarting services, and moving secrets into system paths — actions that typically need root or service-account privileges. The skill metadata does not declare this privilege requirement; granting those capabilities to an agent or running the checklist blindly could be risky.

What to consider before installing

This SKILL.md largely behaves like a legitimate hardening checklist, but before installing or running it: 1) note that the metadata lists no required binaries while the instructions call many system tools (ss, curl, openssl, python3, openclaw CLI). Confirm those tools exist and that the skill author intended that omission. 2) The checks and remediation steps will read/move config files and may require root (writing /etc/default/aegis, restarting the gateway). Back up openclaw.json and any affected files and test on a staging instance first. 3) Be aware the reachability test calls external services (ifconfig.me/curl) which reveals your public IP to a third party — run that step from a location you control or skip it if undesired. 4) Review the full SKILL.md yourself (or have a trusted admin do so) before permitting autonomous invocation: the instructions have the power to read many files and to write system-owned locations, so give the skill only the privileges and scope it needs. 5) What would raise confidence: author provenance (homepage or repo), an explicit list of required binaries and minimal privileges, and a dry-run mode that only reports findings without performing writes or restarts.

Like a lobster shell, security has layers — review code before you run it.

latestvk9767jwvpjq6sz1zbzhg62xjr18463zh

74downloads

0stars

1versions

Updated 3w ago

v1.0.0

MIT-0

SKILL: OpenClaw Security Hardening Toolkit

PURPOSE

This skill closes the five most exploited attack surfaces in live OpenClaw deployments: instance exposure, credential leakage, malicious skill installation, unauthorized gateway access, and post-compromise recovery.

Every section maps to a real threat vector. CVE-2026-25253 demonstrated that unprotected OpenClaw instances with public gateway endpoints are trivially exploitable. ClawHavoc demonstrated that skill installation is a reliable code execution path when no verification protocol exists. This toolkit addresses both.

SECTION 1: INSTANCE EXPOSURE AUDIT

Run this checklist before assuming your instance is protected.

1.1 — Network Exposure Check

# Check what ports OpenClaw gateway is binding on
ss -tlnp | grep -E '18789|18790|18800'

# Expected (safe): 127.0.0.1:18789 — gateway bound to loopback only
# Dangerous: 0.0.0.0:18789 — gateway exposed to all interfaces

# Check for external reachability (run from a different machine or use curl to ip-check service)
curl -s --connect-timeout 3 http://$(curl -s ifconfig.me):18789/health || echo "Not publicly reachable (good)"

1.2 — Authentication Verification

# Confirm gateway token is set and non-default
grep -r "gatewayToken\|gateway_token" ~/.openclaw/openclaw.json | head -5

# A missing or empty token means unauthenticated access is possible
# Generate a strong token if absent:
openssl rand -hex 32
# Then set it in openclaw.json: gateway.token = "<generated_value>"

1.3 — Public Exposure Risk Matrix

Condition	Risk Level	Action Required
Gateway on 0.0.0.0	CRITICAL	Bind to 127.0.0.1 immediately
No gateway token	CRITICAL	Generate and set token now
Token is default/example value	HIGH	Rotate immediately
Gateway on LAN (192.168.x.x)	MEDIUM	Add firewall rule
Gateway on 127.0.0.1 only	LOW	Monitor only

1.4 — openclaw.json Binding Configuration

{
  "gateway": {
    "bind": "127.0.0.1:18789",
    "token": "<strong-random-token>"
  }
}

SECTION 2: CREDENTIAL PROTECTION

2.1 — .env File Isolation Rules

Never store credentials in:

The workspace root (~/.openclaw/workspace/*.env)
Any git-tracked directory
Any file that SKILL.md files or agents could read without explicit permission

Safe storage locations:

/etc/default/aegis (mode 0600, owned by the agent user)
System environment variables injected at startup
Dedicated secrets file outside the workspace: ~/.aegis-secrets (mode 0600)

# Audit current credential exposure
find ~/.openclaw/workspace -name "*.env" -o -name ".env*" 2>/dev/null
find ~/.openclaw/workspace -name "*.json" | xargs grep -l "sk_live\|rk_live\|ghp_\|re_" 2>/dev/null

# If any hits: move credentials to /etc/default/aegis immediately

2.2 — API Key Rotation Procedures

When a key is suspected compromised, rotate in this order:

Revoke the old key first — do not wait until the new key is confirmed working
Generate the new key at the provider dashboard
Update /etc/default/aegis (not openclaw.json env.vars — that file can be read by agents)
Restart the service: openclaw gateway restart
Verify new key works before closing the provider dashboard session
Log the rotation date and reason in memory/YYYY-MM-DD.md

Key rotation checklist:

[ ] RAILWAY_TOKEN — railway.app/account/tokens
[ ] GITHUB_TOKEN — github.com/settings/tokens
[ ] STRIPE_SECRET_KEY — dashboard.stripe.com/apikeys
[ ] OPENAI_API_KEY — platform.openai.com/api-keys
[ ] RESEND_API_KEY — resend.com/api-keys
[ ] SUPABASE_SERVICE_KEY — app.supabase.com/project/<id>/settings/api
[ ] CLAWMART_API_KEY — shopclawmart.com/account/api
[ ] FERNET_KEY — generate new: python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"

2.3 — ENCRYPTION_KEY / FERNET_KEY Generation

# Generate a new Fernet key (do this once, store securely)
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"

# Store in /etc/default/aegis:
# FERNET_KEY=<generated_value>

# NEVER store in:
# - openclaw.json (world-readable to agents)
# - workspace files
# - git repositories

SECTION 3: SKILL VERIFICATION PROTOCOL

ClawHavoc demonstrated that malicious SKILL.md files can be used as a code execution vector. Every skill installed from ClawMart, ClawHub, or any external source must pass this verification before activation.

3.1 — Pre-Installation Audit Checklist

Before installing any skill:

[ ] Read the FULL SKILL.md — not just the description
[ ] Check for exec: tool calls with variable interpolation
[ ] Check for web_fetch or browser calls to external URLs
[ ] Check for any instruction to write files outside the workspace
[ ] Check for any instruction to modify openclaw.json or SOUL.md
[ ] Check for base64-encoded strings (obfuscation signal)
[ ] Check for instructions that reference environment variables directly
[ ] Verify publisher has other public listings (not a throwaway account)
[ ] Check publish date — skills published <24h ago carry higher risk

3.2 — ClawHavoc Attack Vectors

The ClawHavoc attack family uses SKILL.md files to:

Unauthorized outbound data transfers — instructions to exec a curl call containing env var contents to an attacker-controlled endpoint
Modify system prompts — instructions to patch SOUL.md or AGENTS.md with backdoor behaviors that persist across sessions
Establish persistence — instructions to create cron jobs that phone home
Lateral movement — instructions to access system configuration files or other credential files adjacent to the workspace

Detection patterns:

# Scan an installed skill for red flags before activation
grep -iE "curl.*\$[A-Z_]+|wget.*\$[A-Z_]+" /path/to/SKILL.md
grep -iE "base64|eval\s*\$|exec.*env\s" /path/to/SKILL.md
grep -iE "SOUL\.md|AGENTS\.md|openclaw\.json" /path/to/SKILL.md
grep -iE "cron|at\s+[0-9]|systemctl enable" /path/to/SKILL.md
grep -iE "private_keys|system_configs|auth_files" /path/to/SKILL.md

# Any hit = manual review required before activation

3.3 — Safe Skill Installation Process

1. Download skill to a quarantine directory: ~/.openclaw/skill-quarantine/
2. Run the red-flag scan above
3. Read the full file manually
4. If clean: move to ~/.openclaw/workspace/skills/
5. Log installation in memory/YYYY-MM-DD.md: skill name, source, version, date
6. Never install skills directly to the active skills directory without quarantine step

SECTION 4: ACCESS CONTROL FRAMEWORK

4.1 — Gateway Token Management

// openclaw.json — minimum required security configuration
{
  "gateway": {
    "bind": "127.0.0.1:18789",
    "token": "<minimum 32 hex chars>",
    "remote": {
      "enabled": false
    }
  }
}

Only enable gateway.remote if you have a specific need for external access and have configured a reverse proxy with TLS termination in front of it. Never expose the raw OpenClaw gateway port to the internet.

4.2 — Session Sandboxing

For non-main sessions (subagents, ACP harness, isolated tasks):

{
  "sessions": {
    "isolated": {
      "sandbox": "require",
      "filesystem": {
        "allowedPaths": ["~/.openclaw/workspace"],
        "denyPaths": ["/etc", "/home", "~/.private", "~/.system"]
      }
    }
  }
}

Apply sandbox: "require" to any session that:

Runs untrusted code
Processes external input (webhooks, user-submitted content)
Executes skills from unknown publishers

4.3 — Bash Validator Integration (from BASH_SECURITY_ARCHITECTURE.md)

The 19-validator pre-execution chain is the primary shell defense layer. Key validators for access control:

VALIDATOR 10 — sudo/su detection
  Pattern: ^sudo\s, ^su\s, \bsudo\b, \bsu\b
  Action: ASK — surface to human before any privilege escalation

VALIDATOR 11 — Path traversal
  Pattern: path traversal sequences, system auth files, private key directories
  Action: ASK — no agent should be reading these paths autonomously

VALIDATOR 14 — Environment variable unauthorized outbound transfers
  Pattern: curl.*\$[A-Z_]{3,}, wget.*\$[A-Z_]{3,}
  Action: ASK — blocks credential unauthorized outbound transfers via network calls
  
VALIDATOR 16 — Config file modification
  Pattern: >.*openclaw\.json, >.*SOUL\.md, >.*AGENTS\.md
  Action: ASK — blocks unauthorized system file modification

4.4 — Filesystem Restriction Patterns

# Lock down the workspace directory ownership
chmod 750 ~/.openclaw/workspace
chmod 600 ~/.openclaw/workspace/*.md

# Prevent world-readable credential files
chmod 600 /etc/default/aegis
chown root:root /etc/default/aegis  # or your agent user

# Verify no sensitive files are in git-tracked locations
cd ~/.openclaw/workspace && git ls-files | xargs grep -l "sk_\|rk_\|ghp_\|re_" 2>/dev/null

SECTION 5: INCIDENT RESPONSE

If you suspect your OpenClaw instance has been compromised, execute this sequence in order. Do not skip steps.

5.1 — Immediate Containment (first 5 minutes)

# Step 1: Stop the gateway immediately
openclaw gateway stop

# Step 2: Kill any active sessions
pkill -f "openclaw\|claude\|aegis" 

# Step 3: Disconnect from network if running on a VPS (via provider console)
# Do NOT do this on your local machine — you need the connection to remediate

# Step 4: Preserve logs before anything else
cp -r ~/.openclaw/logs ~/incident-$(date +%Y%m%d-%H%M%S)-logs/
cp ~/.openclaw/openclaw.json ~/incident-$(date +%Y%m%d-%H%M%S)-config.json

5.2 — Token Revocation Sequence

Revoke in this order (highest-blast-radius first):

1. RAILWAY_TOKEN — railway.app/account/tokens — REVOKE IMMEDIATELY
2. GITHUB_TOKEN — github.com/settings/tokens — REVOKE
3. STRIPE_SECRET_KEY — dashboard.stripe.com/apikeys — REVOKE
4. OPENAI_API_KEY — platform.openai.com/api-keys — REVOKE
5. SUPABASE_SERVICE_KEY — Supabase dashboard — REVOKE
6. RESEND_API_KEY — resend.com/api-keys — REVOKE
7. CLAWMART_API_KEY — ClawMart account — REVOKE
8. FERNET_KEY — rotate in code (data encrypted with old key is unreadable — plan for this)

After revoking all keys, check provider audit logs for unauthorized API calls before generating new keys.

5.3 — Recovery Checklist

[ ] All tokens revoked (see 5.2)
[ ] New tokens generated and stored in /etc/default/aegis (not workspace)
[ ] openclaw.json audited for unauthorized modifications
[ ] SOUL.md audited for backdoor instructions
[ ] AGENTS.md audited for unauthorized changes
[ ] HEARTBEAT.md audited
[ ] Installed skills directory audited for unauthorized files
[ ] Cron jobs audited: crontab -l and systemctl list-units --type=timer
[ ] New gateway token set (minimum 32 hex chars)
[ ] Gateway restarted with new config
[ ] Incident logged in memory/YYYY-MM-DD.md with timeline
[ ] Affected parties notified (Stripe, Railway if production traffic impacted)

5.4 — Post-Incident Hardening

After recovery, complete these steps before resuming normal operation:

1. Move all credentials from openclaw.json env.vars to /etc/default/aegis
2. Enable gateway.bind = "127.0.0.1:18789" if not already set
3. Add skill quarantine step to all future installations (Section 3.3)
4. Schedule monthly credential rotation (add to cron)
5. Review all installed skills using the red-flag scan in Section 3.2

QUICK REFERENCE — EMERGENCY COMMANDS

# Stop everything
openclaw gateway stop && pkill -f claude

# Check what's exposed
ss -tlnp | grep -E '18789|18790|18800'

# Audit credentials in workspace
find ~/.openclaw/workspace -name "*.json" -o -name "*.env" | \
  xargs grep -l "sk_\|rk_\|ghp_\|re_\|Bearer" 2>/dev/null

# Check for unauthorized cron jobs
crontab -l 2>/dev/null
systemctl list-units --type=timer 2>/dev/null | grep -v systemd

# Rotate gateway token
openssl rand -hex 32
# → update openclaw.json gateway.token, then restart

Comments

Loading comments...