v1.0.0

OpenClaw Security Audit

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:44 AM.

Analysis

This appears to be a local defensive audit tool, but it reads, stores, and rewrites OpenClaw credentials while some documentation and metadata understate those effects.

GuidanceReview this skill carefully before installing or running harden.py. It appears intended for local security hardening and no external data transmission is shown, but it directly handles real credentials, creates .env files and setup scripts, and rewrites OpenClaw configuration. Back up existing files, secure generated secret files, and verify the source before use.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

harden.py

with open(env_file, 'w', encoding='utf-8') as f: ... with open(self.config_file, 'w', encoding='utf-8') as f: json.dump(config, f, indent=2, ensure_ascii=False)

The tool writes credential files and rewrites openclaw.json in place when hardening is run.

User impactA normal documented run can change OpenClaw’s configuration and overwrite generated credential files, which may break the instance if environment variables are not set correctly.

RecommendationUse a dry run or test instance first if available, manually back up existing .env and openclaw.json files, and review the generated placeholders before restarting OpenClaw.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Create .env file with credentials ... This tool does NOT: ... Store or log actual credential values

The documentation both says the tool creates a .env file containing credentials and later claims it does not store actual credential values.

User impactUsers may underestimate the sensitivity of the generated files and fail to protect the .env file or backup files appropriately.

RecommendationTreat the generated .env and backups as secret material; the documentation should be corrected to clearly state where real credentials are stored.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The skill handles credentials but has limited provenance information and no formal install specification.

User impactIt is harder to verify who maintains the credential-handling code or whether the package matches a trusted upstream source.

RecommendationInstall only from a trusted repository or reviewed package version, and compare the local files against a known-good source before running hardening.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

harden.py

script_content = f'''#!/bin/bash ... export "$name=$value" ...''' ... os.chmod(script_path, 0o755)

The tool generates executable shell or PowerShell setup scripts that load credentials into environment variables.

User impactThe generated scripts are purpose-aligned, but they persist a convenient way to load secrets and should be reviewed before being sourced or run.

RecommendationOpen and inspect set_env.sh or set_env.ps1 before executing it, and delete it if you do not need it after setting environment variables.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

harden.py

credentials['FEISHU_APP_SECRET'] = feishu_config['appSecret'] ... credentials['OPENCLAW_GATEWAY_TOKEN'] = gateway_config['token'] ... lines.append(f"{key}={value}")

The hardening tool extracts live service credentials from OpenClaw configuration and writes the actual values into a .env file.

User impactRunning the tool gives it access to API secrets and gateway tokens and stores those secrets in a new local file that other processes or users with file access may read.

RecommendationOnly run hardening when you intend to migrate credentials; inspect the generated .env file, restrict its file permissions, and confirm backups before changing production configuration.