Security Audit (Sona)
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: sona-security-audit
Version: 0.1.3
This skill is a security auditing tool designed to detect malicious behavior, including prompt injection, data exfiltration, persistence, and supply chain vulnerabilities. The `hostile_audit.py` script explicitly scans for these patterns using regular expressions. The `openclaw-skill.json` manifest declares highly restrictive permissions, denying network access and sensitive filesystem paths, while allowing only necessary read/write access and execution of specific, legitimate security tools (`trufflehog`, `semgrep`, `jq`, `python3`). There is no evidence of intentional harmful behavior or prompt injection attempts against the agent; instead, the skill is designed to identify such threats in other code.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this wrapper is used, the audit result may depend on code outside the installed skill, so the user cannot verify from this package alone what will execute.
The included wrapper does not call the packaged scripts/run_audit_json.sh. It changes into a hard-coded external workspace and executes ./scripts/audit/run_audit_json.sh, which is not included in the supplied skill manifest. That creates a provenance gap and could run unreviewed local code.
cd /home/virta/.openclaw/workspace/hybrid_orchestrator
REPORT=$(./scripts/audit/run_audit_json.sh "$TARGET")
Change the wrapper to call the bundled script by a path relative to the skill directory, or clearly remove/document the external dependency and include it in the reviewed package.
Running the wrapper without a target can inspect a much larger workspace than intended and may surface secrets or findings from unrelated projects.
The convenience wrapper defaults to scanning the whole OpenClaw workspace rather than requiring the user-specified repository path emphasized in SKILL.md. For a secrets/SAST audit, that is a broader local read scope than the primary documented command.
TARGET="/home/virta/.openclaw/workspace"
Require an explicit target path by default, or prominently warn before scanning the whole workspace and keep the scan within the declared target scope.
A user or automation could mistakenly believe an audit passed because the command exited successfully.
The skill is advertised as fail-closed, but this wrapper always exits successfully even when findings exist. The JSON .ok field preserves the signal, but automated callers that rely on process status could treat a failed audit as passed.
# Note: run_audit_json.sh uses exit code 10 for findings. We intentionally
# swallow non-zero exit codes here so callers always get a JSON payload.
...
# OpenClaw treats non-zero as tool failure. So we always exit 0.
# (Callers should read `.ok` in the JSON.)
exit 0
Make the fail-open wrapper behavior very prominent in user-facing docs, prefer the main runner for gating, and ensure any promotion/install workflow checks the JSON .ok field rather than only the exit code.
Audit output files or logs may reveal secrets discovered in the scanned repository.
The audit intentionally includes trufflehog secret-scan output in the JSON report. This is purpose-aligned, but those reports may contain sensitive credential findings from the scanned target.
trufflehog filesystem "$TARGET" --no-update --json --log-level=-1 >"$TRUFFLE_OUT" 2>/dev/null || true
...
trufflehog: $truffle
Treat audit reports as sensitive, store them in restricted locations, avoid sharing them broadly, and redact secret values before posting results elsewhere.
