Comprehensive security audit tool for OpenClaw instances

Based on the ZAST.AI Security Handbook. 100% deterministic, fully reproducible results.

Disclaimer: This skill is designed solely to help OpenClaw users discover potential security misconfigurations and usage risks. It does not support automatic hardening, and it is strongly discouraged to use an agent to auto-remediate based on the audit results, since doing so may crash your OpenClaw instance!
- 12 Attack Surfaces: Gateway exposure, prompt injection, sandbox escape, supply chain, and more
- 80 Deterministic Checks: every check is scripted, no LLM judgment involved
- 27 Threat ID Mappings: mapped to official ZAST.AI threat identifiers
- Multiple Targets: local instance, Docker container, and remote port scanning
- Multiple Outputs: terminal colored summary, Markdown report, JSON (CI/CD integration)
- Zero Dependencies: Python standard library + CLI commands only
```bash
# Full audit with fix suggestions (default: ~/.openclaw/)
python3 scripts/openclaw_audit.py --fix

# Only critical issues
python3 scripts/openclaw_audit.py --fix --severity critical

# Docker container audit
python3 scripts/openclaw_audit.py --docker-name my-openclaw --fix

# Remote port exposure check
python3 scripts/openclaw_audit.py --remote 192.168.1.100:18789 --fix
```

Claude Code users: run `/openclaw-security-audit` directly; no path needed.

The following is the complete 80-item checklist, organized by 12 attack surfaces and 11 modules.
12 Attack Surfaces
| ID | Attack Surface | Handbook Ref | Check Count |
|---|---|---|---|
| AS-1 | Gateway Exposure | §2 | 22 |
| AS-2 | Message Channels | §3 | 9 |
| AS-3 | Prompt Injection | §5 | 3 |
| AS-4 | Business Document Inject | §3.12 | 1 |
| AS-5 | Skill Supply Chain | §4, §9 | 12 |
| AS-6 | Data Leakage | §5.3, §8.2 | 10 |
| AS-7 | File System & Credentials | §6 | 10 |
| AS-8 | Sandbox Escape | §7, §8.1 | 11 |
| AS-9 | Network/SSRF | §8, §9.6 | 3 |
| AS-10 | Agent Behavior Abuse | §10 | 8 |
| AS-11 | CI/CD Supply Chain | §9.6 | 2 |
| AS-12 | Windows-Specific | §9.4 | 2 |
Complete 80-Item Security Checklist
Module 01: File System & Permissions (FP-001 ~ FP-010) - Attack Surface AS-7

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| FP-001 | OpenClaw Dir Permissions | CRITICAL | §6.1 | ~/.openclaw/ directory permissions must be 700 |
| FP-002 | Credentials Dir Permissions | CRITICAL | §6.1 | credentials/ directory permissions must be 700 |
| FP-003 | .env File Permissions | CRITICAL | §6.1 | .env file permissions must be 600 |
| FP-004 | openclaw.json Permissions | CRITICAL | §6.5 | Config file permissions 600, prevents hot-reload tampering |
| FP-005 | Sessions Dir Permissions | HIGH | §6.1 | sessions/ directory permissions must be 700 |
| FP-006 | Attachment File Permissions | MEDIUM | §3.10 | Media attachments must not be readable by group/other |
| FP-007 | Config Immutable Flag | INFO | §6.5 | Whether openclaw.json has the chattr/uchg immutable flag set |
| FP-008 | Not in Cloud Sync Dir | HIGH | §6.9 | .openclaw/ not inside iCloud/OneDrive/Dropbox/Google Drive |
| FP-009 | Not Tracked by Git | HIGH | §6.9 | .openclaw/ not inside a git repository working tree |
| FP-010 | Running User Groups | HIGH | §1.2 | Running user should not belong to docker/sudo/wheel/admin |
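The permission checks above are the simplest kind of deterministic check: read the mode bits and compare against an expected maximum. The following is an added example, written for this page and not the audit script's own code, that implements FP-001 through FP-005, FP-008 and FP-009 over a directory tree using only the standard library. The `Finding` record, the `check_openclaw_dir` function name and the cloud-sync folder list are assumptions; the demo tree it builds is constructed with deliberately wrong modes so the output is reproducible.

```python
"""Added example: stdlib-only file-permission checks in the spirit of
FP-001..FP-005, FP-008 and FP-009. Illustrative code for this page, not the
audit script's own implementation; Finding and check_* names are assumptions."""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Folder names treated as cloud-sync locations for FP-008 (assumed list).
CLOUD_SYNC_MARKERS = ("iCloud", "OneDrive", "Dropbox", "Google Drive")


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    path: str
    detail: str


def _mode(path: Path) -> int:
    """Permission bits only (e.g. 0o700), without the file-type bits."""
    return stat.S_IMODE(path.lstat().st_mode)


def _expect_mode(check_id: str, severity: str, path: Path, expected: int,
                 findings: list[Finding]) -> None:
    """Fail when any bit is set that the expected mode does not allow.
    A stricter mode than expected (0o600 where 0o700 is allowed) passes."""
    if not path.exists():
        return
    actual = _mode(path)
    if actual & ~expected:
        findings.append(Finding(check_id, severity, str(path),
                                f"mode {actual:04o}, expected at most {expected:04o}"))


def check_openclaw_dir(root: Path) -> list[Finding]:
    """Run the file-system checks against one OpenClaw home directory."""
    findings: list[Finding] = []
    _expect_mode("FP-001", "CRITICAL", root, 0o700, findings)
    _expect_mode("FP-002", "CRITICAL", root / "credentials", 0o700, findings)
    _expect_mode("FP-003", "CRITICAL", root / ".env", 0o600, findings)
    _expect_mode("FP-004", "CRITICAL", root / "openclaw.json", 0o600, findings)
    _expect_mode("FP-005", "HIGH", root / "sessions", 0o700, findings)

    resolved = root.resolve()
    # FP-008: any path component that is a known cloud-sync folder name
    hits = [m for m in CLOUD_SYNC_MARKERS if m in resolved.parts]
    if hits:
        findings.append(Finding("FP-008", "HIGH", str(root),
                                f"inside cloud sync directory '{hits[0]}'"))
    # FP-009: a .git directory in the root or any ancestor means a working tree
    for ancestor in (resolved, *resolved.parents):
        if (ancestor / ".git").is_dir():
            findings.append(Finding("FP-009", "HIGH", str(root),
                                    f"git working tree rooted at {ancestor}"))
            break
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed sample: a fake ~/.openclaw with deliberately wrong modes."""
    root = base / "Dropbox" / ".openclaw"           # FP-008 fails (cloud sync)
    (root / "credentials").mkdir(parents=True)
    (root / "sessions").mkdir()
    (root / ".env").write_text("OPENCLAW_GATEWAY_TOKEN=placeholder\n")
    (root / "openclaw.json").write_text("{}\n")
    os.chmod(root, 0o755)                            # FP-001 fails
    os.chmod(root / "credentials", 0o700)            # FP-002 passes
    os.chmod(root / "sessions", 0o750)               # FP-005 fails
    os.chmod(root / ".env", 0o644)                   # FP-003 fails
    os.chmod(root / "openclaw.json", 0o600)          # FP-004 passes
    (base / ".git").mkdir()                          # FP-009 fails (ancestor repo)
    return root


def demo_finding_ids() -> list[str]:
    """Run the checks on the constructed tree and return the failing check ids."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(Path(tmp))
        return sorted(f.check_id for f in check_openclaw_dir(root))


if __name__ == "__main__":
    for check_id in demo_finding_ids():
        print(check_id)
```

The mask comparison (`actual & ~expected`) is what makes the check deterministic and tolerant of stricter-than-required modes; an equality test against 700 would wrongly flag a 500 directory. Note that the check only inspects the mode bits, so an ACL that widens access would not be caught by it.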
Module 02: Gateway Configuration (GW-001 ~ GW-013) - Attack Surface AS-1

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| GW-001 | auth.mode Not none | CRITICAL | §2.1 | Gateway auth mode must not be "none" |
| GW-002 | auth.mode Recommend token | MEDIUM | §2.1 | Recommended to use "token" mode |
| GW-003 | Token Uses secretRef | HIGH | §2.1 | Token not stored in plaintext, uses env var reference |
| GW-004 | No Hardcoded hex token | HIGH | §2.1 | No 32+ char hardcoded hex tokens in config files |
| GW-005 | bind Is loopback | CRITICAL | §2.2 | Gateway bind address must be "loopback" |
| GW-006 | Env bind Not lan | CRITICAL | §2.2 | OPENCLAW_GATEWAY_BIND is not "lan" |
| GW-007 | trusted-proxy Warning | HIGH | §2.3 | When using trusted-proxy mode, firewall must limit IPs |
| GW-008 | Webhook Token Separate | MEDIUM | §2.6 | Gateway token and Webhook token use different env vars |
| GW-009 | debug/verbose Disabled | MEDIUM | §6.2 | debug/verbose mode disabled in production |
| GW-010 | Telemetry Disabled | INFO | §8.3 | DISABLE_TELEMETRY=1 is set |
| GW-011 | OpenClaw Version Latest | HIGH | §9.1 | Compare against npm registry for latest version |
| GW-012 | Paired Device Count | INFO | §2.5 | Check device count in paired/sessions/devices dirs |
| GW-013 | Token Rotation Period | MEDIUM | §9.3 | .env file modification time not exceeding 90 days |
Module 03: Network Exposure (NE-001 ~ NE-009) - Attack Surfaces AS-1, AS-8, AS-9

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| NE-001 | Gateway Port 18789 | CRITICAL | §2.2 | Port bind address must be 127.0.0.1 |
| NE-002 | CDP Port 9222 | CRITICAL | §7.4 | Chrome DevTools Protocol port not exposed |
| NE-003 | VNC Port 5900 | HIGH | §7.4 | VNC port not exposed to network |
| NE-004 | Extra Ports 18790/6080 | MEDIUM | §2.2 | Extra port bind address check |
| NE-005 | External Reachability | CRITICAL | §2.3 | Remote --remote HOST:PORT HTTP reachability probe |
| NE-006 | docker-compose Binding | CRITICAL | §1.4 | No 0.0.0.0 bindings or bare port mappings in compose |
| NE-007 | SSH Tunnel/Tailscale | INFO | §2.3 | Detect SSH tunnel forwarding 18789 or active Tailscale |
| NE-008 | ACP Port Binding | HIGH | §9.6 | Ports 3000/3001/8080/8443 not exposed |
| NE-009 | HTTP Proxy Env Vars | MEDIUM | §8.4 | Proxy vars inherited by child processes affect sandbox |
Module 04: Message Channel Config (CH-001 ~ CH-009) - Attack Surface AS-2

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| CH-001 | allowFrom Whitelist | CRITICAL | §3.2 | Each channel must have an allowFrom whitelist configured |
| CH-002 | Use Numeric IDs | MEDIUM | §3.4 | allowFrom uses numeric IDs, not usernames (anti-spoof) |
| CH-003 | dmPolicy Is pairing | HIGH | §3.2 | DM policy must be "pairing" mode |
| CH-004 | Email Channel Warning | HIGH | §3.11 | Don't connect a primary email account, so the agent never handles OTP/reset mail |
| CH-005 | Cross-Channel Info Leak | MEDIUM | §3.5 | Info leak risk when multiple channels connect to the same Agent |
| CH-006 | Bot Not in Groups | CRITICAL | §3.3 | Bot should not be in group/channel mode (any member can inject) |
| CH-007 | Discord Message Intent | HIGH | §3.3 | Message Content Intent not enabled / no admin permissions |
| CH-008 | Unofficial Connectors | MEDIUM | §3.7 | WhatsApp/WeChat/Line reverse-protocol connector risks |
| CH-009 | Paired Device Count | INFO | §3.8 | Paired device/session count in channel |
Module 05: Credential Leak Detection (CL-001 ~ CL-008) - Attack Surfaces AS-6, AS-7

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| CL-001 | API Keys in Session Logs | CRITICAL | §6.8 | Search sessions/ for sk-/AKIA/sk-ant- patterns |
| CL-002 | Passwords in Session Logs | HIGH | §6.8 | Search sessions/ for password/secret/private.key |
| CL-003 | Sensitive Data in Debug | HIGH | §6.2 | Search logs/ for sk-/password/token/cookie |
| CL-004 | .env Plaintext Key Format | MEDIUM | §2.1 | Detect plaintext API keys for OpenAI/AWS/GitHub/Slack etc. |
| CL-005 | OAuth Token Rotation | MEDIUM | §6.7 | Files in credentials/ not modified for over 90 days |
| CL-006 | Hardcoded Token in Config | HIGH | §2.1 | Scan all .json/.yaml/.yml/.toml for hardcoded hex tokens |
| CL-007 | Base64 Values in .env | MEDIUM | §9.6 | Base64 encoding can bypass sanitize-env-vars.ts matching |
| CL-008 | Shell History Leak | HIGH | §6.4 | Search .zsh_history/.bash_history for token/key patterns |
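CL-001, CL-004 and CL-006 are plain pattern matches, while CL-007 exists because a secret that is only Base64-wrapped slips past prefix-based matching. The added example below, written for this page and not taken from the audit script, shows the two layers together: a small rule table of secret patterns, a `.env` scanner that decodes Base64-looking values and re-runs the rules on the decoded text, and a redaction step so the report itself never reproduces a full secret. The rule names, the regexes, the `scan_*` function names and the sample log/`.env` lines are all constructed assumptions; real-world tuning per provider is left out.

```python
"""Added example: pattern-based secret detection in the spirit of CL-001,
CL-002, CL-004, CL-006 and CL-007. Illustrative code for this page, not the
audit script's own implementation; rule names, regexes and samples are
assumptions."""
from __future__ import annotations

import base64
import binascii
import re

# Rule table: (check id, label, regex). Deliberately narrow so that a hit is
# actionable; a real deployment would tune the patterns per provider.
RULES = [
    ("CL-001", "openai/anthropic-style key", re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_-]{20,}")),
    ("CL-001", "aws access key id",          re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("CL-006", "hardcoded hex token",        re.compile(r"\b[0-9a-fA-F]{32,}\b")),
    ("CL-002", "password/secret assignment", re.compile(r"(?i)(?:password|secret)\s*[=:]\s*\S+")),
]
# A KEY=VALUE line whose value looks like a Base64 blob (candidate for CL-007).
B64_VALUE = re.compile(r"^[A-Za-z0-9_]+=([A-Za-z0-9+/]{16,}={0,2})$")


def redact(token: str) -> str:
    """Keep a short prefix and the length; the report must not leak the secret."""
    return f"{token[:6]}...({len(token)} chars)"


def scan_line(line: str, lineno: int, source: str) -> list[dict]:
    hits = []
    for check_id, label, rx in RULES:
        for m in rx.finditer(line):
            hits.append({"check": check_id, "label": label, "source": source,
                         "line": lineno, "match": redact(m.group(0))})
    return hits


def scan_text(text: str, source: str) -> list[dict]:
    """Plain pattern scan, as used over session logs (CL-001/CL-002)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits.extend(scan_line(line, lineno, source))
    return hits


def scan_env(text: str, source: str = ".env") -> list[dict]:
    """Scan a .env file: plain patterns plus Base64-decoded values (CL-007)."""
    hits = scan_text(text, source)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = B64_VALUE.match(line.strip())
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64, or binary payload: nothing readable to match
        # A value whose decoded form matches a rule was hidden, not protected.
        for inner in scan_line(decoded, lineno, source):
            inner.update(check="CL-007", label="base64-wrapped " + inner["label"])
            hits.append(inner)
    return hits


# Constructed sample inputs (fake key shapes, not real credentials).
SAMPLE_SESSION_LOG = "\n".join([
    '{"role":"user","content":"my aws key is AKIAEXAMPLEKEY000000 please use it"}',
    '{"role":"assistant","content":"Sure, I will keep that in mind."}',
    '{"role":"tool","content":"Authorization: Bearer sk-ant-exampleexampleexample0001"}',
])
SAMPLE_ENV = "\n".join([
    "OPENCLAW_GATEWAY_TOKEN=" + "ab12" * 8,                                  # CL-006
    "WEBHOOK_KEY_B64=" + base64.b64encode(b"sk-" + b"hidden0" * 4).decode(),  # CL-007
    "DISABLE_TELEMETRY=1",
])

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_SESSION_LOG, "sessions/demo.jsonl") + scan_env(SAMPLE_ENV):
        print(hit)
```

The `validate=True` argument makes `b64decode` reject anything outside the Base64 alphabet instead of silently discarding characters, and the UTF-8 decode failure on the hex token line shows why the decode step must be guarded: many legitimate values happen to be valid Base64 of binary data.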
Module 06: Skill Supply Chain Audit (SK-001 ~ SK-012) - Attack Surface AS-5

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| SK-001 | Skill Inventory & Dates | INFO | §4.1 | List all installed Skills with modification times, flag any new within 7 days |
| SK-002 | Dangerous Function Patterns | HIGH | §4.2 | Search for exec/eval/spawn/child_process/new Function |
| SK-003 | Credential Theft Patterns | CRITICAL | §4.2 | Detect env read + network send combo (process.env + fetch) |
| SK-004 | Cryptomining Signatures | CRITICAL | §4.2 | Search for xmrig/coinhive/cryptonight/stratum+tcp etc. |
| SK-005 | Covert Comm Channels | MEDIUM | §4.2 | Detect WebSocket (ws:// or wss://) C2 channel patterns |
| SK-006 | Code Obfuscation Detect | HIGH | §4.2 | Shannon entropy > 5.5 + Unicode homoglyphs (Cyrillic spoof) |
| SK-007 | Auto-Start Events | MEDIUM | §4.3 | Detect onStartup/activationEvents/autostart registration |
| SK-008 | Network Request Patterns | HIGH | §4.4 | Detect fetch/axios/urllib/requests/curl (staged payloads) |
| SK-009 | Version Lock/Auto-Update | MEDIUM | §4.5 | Whether a version lock file exists and auto-update is enabled |
| SK-010 | curl\|bash Install History | HIGH | §9.5 | Search shell history for curl\|bash / wget\|sh unsafe installs |
| SK-011 | npm audit CVE | HIGH | §9.1 | Run npm audit on Skill npm deps, detect known vulns |
| SK-012 | Unused Skills | INFO | §9.3 | Skills not accessed for 90+ days, reduce attack surface |
Module 07: Sandbox & Docker (SB-001 ~ SB-011) - Attack Surface AS-8

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| SB-001 | Docker Socket Mount | CRITICAL | §7.1 | Sandbox container must not mount docker.sock (equivalent to host root) |
| SB-002 | Network Mode | CRITICAL | §7.2 | Must not use "host" network mode |
| SB-003 | Outbound Network Restrict | HIGH | §8.1 | Container network marked internal, limit outbound traffic |
| SB-004 | Dangerous Linux Caps | CRITICAL | §7.2 | No ALL/SYS_ADMIN/NET_ADMIN capabilities |
| SB-005 | seccomp Configuration | HIGH | §7.2 | Not "unconfined" (allows all syscalls) |
| SB-006 | Dangerous Path Mounts | CRITICAL | §7.2 | Must not mount /etc, /proc, /sys, /dev, /root |
| SB-007 | no-new-privileges | HIGH | §1.4 | Set no-new-privileges to prevent setuid escalation |
| SB-008 | Sandbox Image Compilers | INFO | §7.3 | Whether image contains go/gcc/rustc/node/python3 |
| SB-009 | compose Comprehensive Check | HIGH | §1.4 | Compose file: no docker.sock + cap_drop ALL + loopback bind |
| SB-010 | cap_drop ALL | MEDIUM | §1.4 | Container drops all capabilities, then adds back only as needed |
| SB-011 | Docker Image SLSA Provenance | INFO | §9.6 | Whether image has SLSA provenance tag (supply chain verify) |
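NE-006 (Module 03) and SB-009 here both read the same artifact, the docker-compose file, and SB-001 through SB-007 and SB-010 are individual properties of it. The added example below, written for this page and not taken from the audit script, is a dependency-free line scanner for a compose file that reports all of those in one pass: bare or 0.0.0.0 port mappings, a docker.sock or dangerous host-path mount, host networking, dangerous capabilities, an unconfined seccomp profile, and the absence of `cap_drop: ALL`, `no-new-privileges` and an `internal` network. The two sample compose files are constructed (the image name is a placeholder); the parser is a deliberate simplification that handles the common block-list and inline-list YAML shapes per file rather than per service, which is labelled as an assumption.

```python
"""Added example: dependency-free docker-compose scanner covering NE-006,
SB-001..SB-007 and SB-010 (the SB-009 composite check). Illustrative code for
this page, not the audit script's own implementation; the per-file (not
per-service) state and the simplified YAML handling are assumptions."""
from __future__ import annotations

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN"}
DANGEROUS_MOUNTS = ("/etc", "/proc", "/sys", "/dev", "/root")
LIST_KEYS = {"ports", "volumes", "cap_add", "cap_drop", "security_opt"}


def _check_item(key: str, item: str, lineno: int, state: dict, out: list) -> None:
    """Evaluate one list entry under a known compose key."""
    if key == "ports":
        parts = item.split("/")[0].split(":")           # drop "/tcp" or "/udp"
        if len(parts) <= 2:                              # "18789:18789" or "18789"
            out.append(("NE-006", lineno, f"bare port mapping {item} binds all interfaces"))
        elif parts[0] in ("0.0.0.0", "::", "[::]"):
            out.append(("NE-006", lineno, f"port mapping {item} binds all interfaces"))
    elif key == "volumes":
        source = item.split(":")[0]
        if source.endswith("docker.sock"):
            out.append(("SB-001", lineno, "docker.sock mounted into container"))
        elif any(source == d or source.startswith(d + "/") for d in DANGEROUS_MOUNTS):
            out.append(("SB-006", lineno, f"dangerous host path {source} mounted"))
    elif key == "cap_add":
        if item.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            out.append(("SB-004", lineno, f"dangerous capability {item} added"))
    elif key == "cap_drop":
        if item.upper() == "ALL":
            state["cap_drop_all"] = True
    elif key == "security_opt":
        norm = item.replace(" ", "").replace("=", ":")
        if norm == "seccomp:unconfined":
            out.append(("SB-005", lineno, "seccomp profile is unconfined"))
        elif norm == "no-new-privileges:true":
            state["no_new_privs"] = True


def scan_compose(text: str) -> list[tuple[str, int, str]]:
    """Return (check id, line number, detail); line 0 means 'missing from file'."""
    out: list[tuple[str, int, str]] = []
    state = {"cap_drop_all": False, "no_new_privs": False, "internal": False}
    current_key = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()              # simplification: strip comments
        if not line:
            continue
        if line.startswith("- "):                        # block-style list entry
            _check_item(current_key, line[2:].strip().strip("'\""), lineno, state, out)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "network_mode" and value.strip("'\"") == "host":
            out.append(("SB-002", lineno, "host network mode"))
        elif key == "internal" and value == "true":
            state["internal"] = True
        if key in LIST_KEYS:
            current_key = key
            if value.startswith("[") and value.endswith("]"):   # inline list
                for item in value[1:-1].split(","):
                    _check_item(key, item.strip().strip("'\""), lineno, state, out)
        else:
            current_key = key
    if not state["internal"]:
        out.append(("SB-003", 0, "no network marked internal: true"))
    if not state["no_new_privs"]:
        out.append(("SB-007", 0, "no-new-privileges:true not set"))
    if not state["cap_drop_all"]:
        out.append(("SB-010", 0, "cap_drop ALL not set"))
    return out


# Constructed sample compose files; image name is a placeholder.
SAMPLE_COMPOSE_WEAK = """\
services:
  openclaw:
    image: example/openclaw:latest
    network_mode: host
    ports:
      - "18789:18789"
      - "0.0.0.0:9222:9222"
      - "127.0.0.1:18790:18790"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc:/host-etc:ro
      - ./workspace:/workspace
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp=unconfined
"""
SAMPLE_COMPOSE_HARDENED = """\
services:
  openclaw:
    image: example/openclaw:latest
    ports:
      - "127.0.0.1:18789:18789"
    volumes:
      - ./workspace:/workspace
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    networks:
      - sandbox
networks:
  sandbox:
    internal: true
"""

if __name__ == "__main__":
    for finding in scan_compose(SAMPLE_COMPOSE_WEAK):
        print(finding)
    print("hardened:", scan_compose(SAMPLE_COMPOSE_HARDENED))
```

Keeping the expected configuration as positive state (`cap_drop_all`, `no_new_privs`, `internal`) and reporting its absence at the end is what lets the scanner produce the same result whether the hardening lines are present, absent, or written in inline-list form.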
Module 08: Session & Memory (SM-001 ~ SM-005) - Attack Surfaces AS-3, AS-7

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| SM-001 | MEMORY.md Injection Patterns | HIGH | §5.7 | Detect "ignore instruction", script tags, eval injection patterns |
| SM-002 | memory/ Anomalous Files | MEDIUM | §5.7 | Memory files modified in the last 7 days need manual review |
| SM-003 | Old Session Log Cleanup | INFO | §6.8 | .jsonl/.json/.log files in sessions/ older than 30 days |
| SM-004 | Session Log Total Size | INFO | §6.8 | sessions/ directory over 100MB needs cleanup |
| SM-005 | Workspace Isolation | INFO | §1.3 | Multi-workspace scenarios should use independent configs |
Module 09: Agent Behavior Config (AB-001 ~ AB-008) - Attack Surfaces AS-4, AS-6, AS-10

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| AB-001 | exec.mode Is ask | CRITICAL | §5.5 | Agent must confirm with the user before executing, not "allow" |
| AB-002 | sandbox.mode Config | HIGH | §7.1 | Sandbox mode should be docker/sandbox/container |
| AB-003 | Message Send Limit | MEDIUM | §10.4 | Configure a message rate limit to prevent infinite messaging |
| AB-004 | API Spend Limit Alert | INFO | §10.3 | Detect OpenAI/Anthropic API keys, remind to set a monthly cap |
| AB-005 | MCP Server Audit | HIGH/MEDIUM | §5.3 | List configured MCP server count; each is an exec surface |
| AB-006 | Document Processing Config | HIGH | §3.12 | Whether format stripping is enabled (anti white-text/OCR injection) |
| AB-007 | Outbound URL Whitelist | HIGH | §8.2 | web_fetch has a URL whitelist configured (anti data exfil) |
| AB-008 | Financial API Key Alert | CRITICAL | §10.1 | Detect Stripe/PayPal/Crypto keys, require dual-sign approval |
Module 10: System Persistence (SP-001 ~ SP-004) - Attack Surface AS-5

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| SP-001 | Crontab Entries | HIGH | §11.4 | Check crontab for openclaw-related scheduled tasks |
| SP-002 | macOS launchd Services | HIGH | §11.4 | Suspicious services in LaunchAgents/LaunchDaemons |
| SP-003 | Linux systemd Services | HIGH | §11.4 | Suspicious openclaw services in systemd user/system |
| SP-004 | Shell Startup Files | MEDIUM | §11.4 | openclaw-related entries in .bashrc/.zshrc etc. |
Module 11: Windows-Specific (WIN-001 ~ WIN-002) - Attack Surface AS-12

| Check ID | Name | Severity | Handbook Ref | Check Description |
|---|---|---|---|---|
| WIN-001 | Node.js Version | CRITICAL | §9.4 | >= 20.11.1 (fixes CVE-2024-27980 command injection) |
| WIN-002 | Suspicious .bat/.cmd | MEDIUM | §9.4 | .bat/.cmd files in non-system PATH dirs (CVE-2024-27980) |
27 Threat ID Mappings
| Threat ID | Name | Associated Checks |
|---|---|---|
| T-RECON-001 | Public API Reconnaissance | NE-005, GW-005, GW-006 |
| T-RECON-002 | Channel Enumeration | CH-006, CH-007 |
| T-RECON-003 | Message Metadata Analysis | CH-005 |
| T-ACCESS-001 | Gateway Auth Bypass (none mode) | GW-001, GW-002 |
| T-ACCESS-002 | Config Exposure Token Theft | GW-003, GW-004, CL-006 |
| T-ACCESS-003 | trusted-proxy Bypass | GW-007 |
| T-ACCESS-004 | Malicious Skill Installation | SK-002, SK-003, SK-004, SK-010 |
| T-ACCESS-005 | Skill Auto-Update Hijack | SK-009 |
| T-ACCESS-006 | DM Policy Bypass | CH-003 |
| T-EXEC-001 | Channel Message Prompt Injection | CH-001, CH-002, AB-001 |
| T-EXEC-002 | Cross-Channel Info Leak Exploitation | CH-005 |
| T-EXEC-003 | Docker Socket Sandbox Escape | SB-001, SB-006 |
| T-EXEC-004 | Linux Capabilities Sandbox Escape | SB-004, SB-005 |
| T-EXEC-005 | Skill Code Execution (eval/exec/spawn) | SK-002, SK-003 |
| T-EXEC-006 | Agent Unrestricted Command Execution | AB-001, AB-002 |
| T-EVADE-001 | Obfuscated Skill Code | SK-006 |
| T-EVADE-002 | Config Hot-Reload Tampering | FP-004, FP-007 |
| T-EVADE-003 | Telemetry/Debug Info Leakage | GW-009, GW-010 |
| T-EVADE-004 | Staged Payload Delivery | SK-008 |
| T-PERSIST-001 | cron/launchd/systemd/shell Persistence | SP-001, SP-002, SP-003, SP-004 |
| T-DISC-001 | Permission-Based Dir Traversal | FP-001, FP-002, FP-003, FP-005 |
| T-DISC-002 | Cloud Sync Credential Leak | FP-008 |
| T-DISC-003 | Git Repo Credential Leak | FP-009 |
| T-DISC-004 | Shell History Credential Leak | CL-008 |
| T-EXFIL-001 | web_fetch Outbound Data Exfiltration | AB-007, SB-003 |
| T-EXFIL-002 | Session Log Data Exposure | CL-001, CL-002, CL-003, SM-003, SM-004 |
| T-EXFIL-003 | Skill Credential Theft | SK-003, SK-005 |
| T-IMPACT-001 | Financial API Unauthorized Access | AB-008 |
| T-IMPACT-002 | Agent Message Spam/Abuse | AB-003 |
| T-IMPACT-003 | API Over-Consumption | AB-004 |
β T-IMPACT-004 β Memory Poisoning Persistence β SM-001, SM-002 β
βββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββ€
β T-IMPACT-005 β MCP Server Abuse β AB-005 β
βββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββ
Severity Distribution Statistics
| Level | Count | % |
|---|---|---|
| CRITICAL | 20 | 25% |
| HIGH | 34 | 42.5% |
| MEDIUM | 16 | 20% |
| INFO | 10 | 12.5% |
| Total | 80 | 100% |
| Parameter | Description | Default |
|---|---|---|
| (no parameters) | Audit the local default instance at ~/.openclaw/, run all modules | (none) |
| `--openclaw-dir PATH` | Custom OpenClaw directory path | ~/.openclaw/ |
| `--remote HOST[:PORT]` | Additionally check remote instance port exposure (can be specified multiple times) | (none) |
| `--docker-name NAME` | Specify Docker container name | openclaw-sandbox |
| `--compose-file PATH` | Specify docker-compose.yml path | Auto-search |
| `--modules 01,03,07` | Only run specified modules (comma-separated) | All modules |
| `--skip 07,11` | Skip specified modules (comma-separated) | (none) |
| `--severity critical` | Minimum display level: critical \| high \| medium \| info | info |
| `--format terminal\|md\|both` | Output format | both |
| `--fix` | Include fix command suggestions in the report | Off |
| `--checklist` | Output §9.3 periodic checklist table | Off |
| `--json` | Additionally output JSON format (CI/CD integration) | Off |
| `--output-dir PATH` | Report output directory | ./openclaw-audit-report/ |
| `--whitelist SKILL1,SKILL2` | Skill whitelist, excluded from supply chain scan | openclaw-security-audit |
Simply run /openclaw-security-audit
No parameters are needed: it audits the ~/.openclaw/ directory by default and runs all 11 modules:
| Module | Check Content |
|---|---|
| 01 | File System Permissions |
| 02 | Gateway Configuration |
| 03 | Network Port Exposure (local bind check) |
| 04 | Channel Configuration |
| 05 | Credential Leak Detection |
| 06 | Skill Supply Chain Audit |
| 07 | Sandbox & Docker Security |
| 08 | Session & Memory |
| 09 | Agent Behavior Configuration |
| 10 | System Persistence Check |
| 11 | Windows-Specific (auto-skipped on macOS) |
Common Combinations
# Full audit + fix suggestions
/openclaw-security-audit --fix
# Only show critical issues
/openclaw-security-audit --fix --severity critical
# Specify OpenClaw directory (when not using default path)
/openclaw-security-audit --openclaw-dir /path/to/openclaw --fix
# Include Docker container checks
/openclaw-security-audit --fix --docker-name my-openclaw-container
# Only run specific modules (e.g., permissions + network + credentials)
/openclaw-security-audit --modules 01,03,05 --fix
# Skip Docker and Windows modules
/openclaw-security-audit --skip 07,11 --fix
# Terminal summary only (no Markdown report)
/openclaw-security-audit --fix --format terminal
# Specify report output directory
/openclaw-security-audit --fix --output-dir /tmp/my-audit-report
# Full audit + JSON output + periodic checklist
/openclaw-security-audit --fix --json --checklist

Docker checks use --docker-name to specify the container name:
/openclaw-security-audit --docker-name openclaw-sandbox --fix
The default container name is openclaw-sandbox. If your container name differs, you must specify it explicitly.
Common Combinations
# Basic Docker audit
/openclaw-security-audit --docker-name my-openclaw --fix
# Also specify docker-compose file (check port binding config)
/openclaw-security-audit --docker-name my-openclaw --compose-file ./docker-compose.yml --fix
# Only run Docker-related modules (Sandbox + Network + compose config)
/openclaw-security-audit --docker-name my-openclaw --modules 03,07 --fix
# Full audit: Docker + Remote port + JSON
/openclaw-security-audit --docker-name my-openclaw --remote 10.0.0.5:18789 --fix --json
Docker-Related Check Items
Primarily involves two modules:
Module 03 (Network Exposure), check NE-006:
- Scans docker-compose.yml for port bindings
- Detects 0.0.0.0:PORT:PORT exposure (should be 127.0.0.1:PORT:PORT)
- Detects bare port mappings like 18789:18789 (Docker defaults to 0.0.0.0)
- Detects LAN-related network_mode configuration
Module 07 (Sandbox & Docker) checks:
- Container isolation configuration
- Sandbox security policies
- Container runtime permissions
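The NE-006 port-binding rules above, as an added example that is not the skill's own code: a stdlib-only, line-based scan (no PyYAML, matching the tool's zero-dependency constraint) over a constructed docker-compose.yml that flags explicit 0.0.0.0 bindings, bare PORT:PORT mappings and network_mode: host, and reports loopback bindings as PASS. The sample file and the message wording are this example's own.

```python
import re
from typing import List, Tuple
# Constructed sample compose file (not from the project): a safe binding,
# an explicit 0.0.0.0 binding, a bare mapping and a host-network service.
SAMPLE_COMPOSE = """\
services:
  openclaw:
    ports:
      - "127.0.0.1:18789:18789"
      - "0.0.0.0:9222:9222"
      - 5900:5900/tcp
  helper:
    network_mode: host
"""
PORTS_LINE = re.compile(r"^(\s*)ports:\s*$")
ITEM_LINE = re.compile(r"^\s*-\s*[\"']?([^\"'\s#]+)")
HOST_NET_LINE = re.compile(r"^\s*network_mode:\s*[\"']?host\b")

def scan_compose_ports(text: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings for port bindings in compose text.
    Deliberately line-based: the audit tool is stdlib-only, so no PyYAML."""
    findings: List[Tuple[str, str]] = []
    ports_indent = None  # indent of the ports: key while inside its block
    for line in text.splitlines():
        if not line.strip():
            continue
        if HOST_NET_LINE.match(line):
            findings.append(("CRITICAL", "network_mode: host shares the host network stack"))
        m = PORTS_LINE.match(line)
        if m:
            ports_indent = len(m.group(1))
            continue
        if ports_indent is None:
            continue
        if len(line) - len(line.lstrip()) <= ports_indent:
            ports_indent = None  # dedented: the ports: block has ended
            continue
        m = ITEM_LINE.match(line)
        if not m:
            continue
        spec = re.sub(r"/(tcp|udp)$", "", m.group(1))  # drop protocol suffix
        parts = spec.split(":")
        if len(parts) == 3 and parts[0] not in ("0.0.0.0", ""):
            findings.append(("PASS", f"{spec} bound to {parts[0]}"))
        elif len(parts) == 3:
            findings.append(("CRITICAL", f"{spec} listens on all interfaces; use 127.0.0.1:{parts[1]}:{parts[2]}"))
        elif len(parts) == 2:
            findings.append(("CRITICAL", f"{spec} is a bare mapping (Docker defaults to 0.0.0.0); use 127.0.0.1:{spec}"))
    return findings
```

Running `scan_compose_ports(SAMPLE_COMPOSE)` yields one PASS for the loopback binding and three CRITICAL findings (0.0.0.0 binding, bare mapping, host networking).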
Compose File Search Paths
If --compose-file is not specified, the script searches in order:
1. ~/.openclaw/docker-compose.yml
2. ~/.openclaw/docker-compose.yaml
3. ~/docker-compose.yml
4. ./docker-compose.yml

Use /openclaw-security-audit to check remote OpenClaw security
Basic Usage
/openclaw-security-audit --remote HOST:PORT
Example:
/openclaw-security-audit --remote 192.168.1.100:18789
What Remote Checks Can Do
The --remote parameter triggers the NE-005 external reachability test, which:
1. Sends a curl request to http://HOST:PORT/health (3-second timeout)
2. If a valid HTTP status code is returned: CRITICAL FAIL (port exposed on the network)
3. If the connection fails: PASS (port unreachable, as expected)
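The NE-005 verdict logic above, as an added example that is not the skill's own code: the tool shells out to curl, while this example uses http.client so it runs without an external binary, keeps the 3-second timeout, and maps any HTTP status to CRITICAL FAIL and a connection error to PASS. The default port list is the one given in the Important Notes below; the local 501-answering stub is a constructed stand-in for an exposed gateway, and treating an open but non-HTTP port as a finding is this example's own assumption.

```python
import http.client
import http.server
import socket
import threading
from typing import Dict, List, Tuple

# Ports the skill probes by default (listed in its Important Notes).
DEFAULT_PORTS: List[int] = [18789, 9222, 5900, 18790, 6080, 3000, 3001, 8080, 8443]

def probe_health(host: str, port: int, timeout: float = 3.0) -> Tuple[str, str]:
    """NE-005 verdict: any HTTP status from /health means the port answers from
    this vantage point (CRITICAL FAIL); a connection error means it is
    unreachable (PASS). Added example using http.client instead of curl."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/health")
        status = conn.getresponse().status
        return "CRITICAL FAIL", f"{host}:{port} answered HTTP {status} on /health"
    except http.client.HTTPException as exc:
        # Assumption of this example: a port that is open but does not speak
        # HTTP is still reported, because the service is reachable remotely.
        return "CRITICAL FAIL", f"{host}:{port} open but not HTTP ({type(exc).__name__})"
    except OSError as exc:  # refused, timed out, unroutable
        return "PASS", f"{host}:{port} unreachable ({type(exc).__name__})"
    finally:
        conn.close()

def probe_host(host: str, ports: List[int] = DEFAULT_PORTS) -> Dict[int, str]:
    """Verdict per port, for a --remote HOST given without an explicit port."""
    return {p: probe_health(host, p)[0] for p in ports}

def start_local_stub(host: str = "127.0.0.1") -> http.server.HTTPServer:
    """Constructed stand-in for an exposed gateway: answers 501 to every
    request, which is a valid HTTP status and therefore counts as exposed."""
    srv = http.server.HTTPServer((host, 0), http.server.BaseHTTPRequestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on, to exercise the PASS branch."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    stub = start_local_stub()
    print(probe_health("127.0.0.1", stub.server_port))  # CRITICAL FAIL
    print(probe_health("127.0.0.1", free_port()))        # PASS
    stub.shutdown()
```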
Check multiple remote hosts simultaneously
/openclaw-security-audit --remote 10.0.0.5:18789 --remote 10.0.0.5:9222 --remote 10.0.0.5:5900
Full command example (with all common options)
/openclaw-security-audit --remote 192.168.1.100:18789 --fix --json --severity critical
- --fix: include fix command suggestions
- --json: additionally output JSON (for CI/CD)
- --severity critical: only show CRITICAL level
Important Notes
1. Remote check scope is limited: --remote only performs a port reachability test (an HTTP probe); it does not SSH into the remote machine to run the local checks there
2. Local checks still run: in addition to the remote probe, the script also checks the local ~/.openclaw/ directory, port bindings, Docker config, and all 11 modules
3. To run only the remote check, use --modules 03 so that just the network exposure module runs:
/openclaw-security-audit --remote 192.168.1.100:18789 --modules 03 --fix
4. Checked ports include: 18789 (Gateway), 9222 (CDP), 5900 (VNC), 18790/6080 (extension ports), 3000/3001/8080/8443 (ACP ports)
Report Output
After audit completion, reports are generated in ./openclaw-audit-report/ (customizable with --output-dir):
- Terminal colored summary
- Markdown report (when --format is md or both)
- JSON report (when --json is used)