Security Audit (Sona)
ReviewAudited by ClawScan on May 10, 2026.
Overview
The main audit workflow is mostly coherent, but one included wrapper runs an unreviewed hard-coded external script and can scan the whole OpenClaw workspace by default.
Use the documented scripts/run_audit_json.sh <path> workflow rather than scripts/security_audit.sh unless the hard-coded external orchestrator path has been reviewed. Pick an explicit target path, and treat generated JSON reports as sensitive because they may include secret-scan results.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this wrapper is used, the audit result may depend on code outside the installed skill, so the user cannot verify from this package alone what will execute.
The included wrapper does not call the packaged scripts/run_audit_json.sh. It changes into a hard-coded external workspace and executes ./scripts/audit/run_audit_json.sh, which is not included in the supplied skill manifest. That creates a provenance gap and could run unreviewed local code.
cd /home/virta/.openclaw/workspace/hybrid_orchestrator REPORT=$(./scripts/audit/run_audit_json.sh "$TARGET")
Change the wrapper to call the bundled script by a path relative to the skill directory, or clearly remove/document the external dependency and include it in the reviewed package.
Running the wrapper without a target can inspect a much larger workspace than intended and may surface secrets or findings from unrelated projects.
The convenience wrapper defaults to scanning the whole OpenClaw workspace rather than requiring the user-specified repository path emphasized in SKILL.md. For a secrets/SAST audit, that is a broader local read scope than the primary documented command.
TARGET="/home/virta/.openclaw/workspace"
Require an explicit target path by default, or prominently warn before scanning the whole workspace and keep the scan within the declared target scope.
A user or automation could mistakenly believe an audit passed because the command exited successfully.
The skill is advertised as fail-closed, but this wrapper always exits successfully even when findings exist. The JSON .ok field preserves the signal, but automated callers that rely on process status could treat a failed audit as passed.
# Note: run_audit_json.sh uses exit code 10 for findings. We intentionally # swallow non-zero exit codes here so callers always get a JSON payload. ... # OpenClaw treats non-zero as tool failure. So we always exit 0. # (Callers should read `.ok` in the JSON.) exit 0
Make the fail-open wrapper behavior very prominent in user-facing docs, prefer the main runner for gating, and ensure any promotion/install workflow checks the JSON .ok field rather than only the exit code.
Audit output files or logs may reveal secrets discovered in the scanned repository.
The audit intentionally includes trufflehog secret-scan output in the JSON report. This is purpose-aligned, but those reports may contain sensitive credential findings from the scanned target.
trufflehog filesystem "$TARGET" --no-update --json --log-level=-1 >"$TRUFFLE_OUT" 2>/dev/null || true ... trufflehog: $truffle
Treat audit reports as sensitive, store them in restricted locations, avoid sharing them broadly, and redact secret values before posting results elsewhere.