Compliance Audit Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly a local audit-log utility, but its immutability and compliance-proof claims are stronger than the implementation supports.
Install only if you are comfortable with a local hash-chained audit log rather than a truly immutable compliance system. Do not log secrets, protect the ~/.openclaw/audit directory, and treat verification results cautiously unless stronger tamper-resistant storage is added.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may rely on this for compliance or incident response and wrongly believe it proves no tampering occurred.
This wording could cause users to over-trust the audit trail. The included implementation stores normal local JSON files and has no external checkpoint, signature, append-only storage, or deletion protection, so some deletion or full-rewrite scenarios may not be detected.
Immutable, tamper-evident audit logging ... If any entry is modified or deleted, the chain breaks
Describe it as a local hash-chained log, not immutable storage. For compliance use, add append-only permissions, external notarization/checkpoints, signatures, backups, or another tamper-resistant storage mechanism.

A damaged or tampered audit file could lead to incomplete or misleading compliance reports.
If an audit file is corrupted or malformed, the loader silently treats it as empty. Verification, export, and summary operations can then omit entries instead of clearly reporting an integrity failure.
except json.JSONDecodeError:
    return []

Fail closed on parse errors, report the affected file, and make verification return a non-zero status when any audit file cannot be parsed.

Audit logs may accumulate private operational information on the local machine.
The skill intentionally persists operational details such as decisions, data access, and budget changes. This is aligned with the audit purpose, but those records may contain sensitive context if users include it in the details field.
Audit logs are stored in `~/.openclaw/audit/` as daily JSON files (`audit-YYYY-MM-DD.json`).
Avoid logging secrets or unnecessary personal/business details, protect the audit directory, and define a retention/export policy before using it for sensitive workflows.
