Trent OpenClaw Security Assessment

Assess your Agent deployment against security risks using Trent.

Audits

Pending

ClawScanReview

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPending

Multi-engine malware detections and file reputation.

Install

openclaw skills install trentclaw

Trent OpenClaw Security Assessment

Audit your OpenClaw deployment for security risks. Identifies misconfigurations, chained attack paths, and provides severity-rated findings with fixes.

Setup

All tools are bundled — no external installer needed.

Set the TRENT_API_KEY environment variable. Get a key at https://trent.ai/openclaw/

Instructions

This audit runs in three phases. Run them in order.

All Python snippets below are wrapped in a bash heredoc that sets PYTHONPATH to the skill's scripts/ directory. OpenClaw substitutes {baseDir} with the skill's install path before the snippet runs, so openclaw_trent is importable regardless of the current working directory. Run each block exactly as shown.

Phase 1 — Configuration Audit

Collect metadata and send to Trent for analysis:

cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
from openclaw_trent.openclaw_config.collector import collect_openclaw_metadata
from openclaw_trent.lib.audit_prompt import build_audit_prompt
from openclaw_trent.lib import trent_client

metadata = collect_openclaw_metadata()
message = build_audit_prompt(metadata)
response = trent_client.chat(message=message)
PY

Save response["thread_id"] for Phase 3.

Present findings grouped by severity (see "Present results" below).

Summarize: "Phase 1 complete. N findings from configuration analysis. Phase 2 will scan your skills for deeper analysis — I'll show you exactly what would be uploaded before anything is sent. Ready to continue?"

Optional: specify a custom config path. Same wrapper as the main Phase 1 block; replace the metadata = … line with:

from pathlib import Path
metadata = collect_openclaw_metadata(openclaw_path=Path("/path/to/openclaw/config"))

Phase 2 — Skill Upload

Scan the workspace first (nothing is uploaded yet):

cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
from openclaw_trent.lib.package_skills import scan_workspace

skills = scan_workspace()
PY

Present what was found and how it will be protected. Example:

I found N skills in your workspace:

Skill Type Size
skill-name installed-skill 12KB

Before upload, each skill is packaged with its source code and metadata (name, version, dependencies). Files like .env, .pem, .key, and .db are excluded, and secrets in standard formats (API keys, tokens, AWS credentials, connection strings) are automatically redacted locally. If you use custom secret formats, keep them in environment variables rather than hard-coded in skill files.

Ready to upload?

Skill	Type	Size
skill-name	installed-skill	12KB

Use the secrets_redacted field — if any skills had secrets redacted, mention which ones in the table or below it.

Wait for the user to confirm before uploading.

After user confirms, upload:

cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
from openclaw_trent.lib.upload_skills import upload_packaged_skills

upload_summary = upload_packaged_skills(skills)
PY

Present the upload summary:

How many skills were uploaded, skipped (unchanged), failed, or too large
List each skill by name and status

If all uploads failed, report the errors and stop. Otherwise proceed.

Summarize: "Phase 2 complete. N skills uploaded. Proceeding to deep skill analysis..."

Phase 3 — Deep Skill Analysis

Analyse each uploaded skill using the thread ID from Phase 1:

cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
from openclaw_trent.lib.prompts import build_per_skill_analysis_prompt
from openclaw_trent.lib import trent_client

thread_id = "<THREAD_ID from Phase 1>"
for skill in upload_summary["skills"]:
    if skill["status"] in ("uploaded", "skipped"):
        prompt = build_per_skill_analysis_prompt(skill)
        result = trent_client.chat(message=prompt, thread_id=thread_id)
PY

Each request uses the Phase 1 thread ID so the advisor has full context from the configuration audit.

Present the deep analysis results alongside the Phase 1 findings.

Inspect system context separately

To view the system analysis data without running a full audit:

cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
import json
from openclaw_trent.lib.system_analyzer import collect_system_analysis
result = collect_system_analysis()
print(json.dumps(result, indent=2))
PY

This returns channel configuration and installed skill names. Useful for debugging or verifying what data is sent.

Present results

Format findings grouped by severity:

CRITICAL: Immediate action required
HIGH: Fix soon
MEDIUM: Recommended improvement
LOW: Minor hardening

For each finding show: the risk, where it was found, and the exact fix.

Highlight chained attack paths — where multiple settings combine to create worse outcomes.

Present recommended config changes as a diff snippet for the user to review and apply manually. Do not modify any system files directly.

When to use

User asks "Is my setup secure?" or "audit my config"
After changes to OpenClaw configuration, new plugins, or new MCP servers