🎁 Get the FREE AI Skills Starter GuideSubscribe →
BytesAgainBytesAgain
🦀 ClawHub

AI Shield — OpenClaw Security Audit

by @laurentaia

Security audit engine for OpenClaw configurations. Detects vulnerabilities, misconfigurations, secret leaks, and over-privileged agents. Use when the user as...

Versionv1.0.0
Downloads1,454
Installs3
TERMINAL
clawhub install ai-shield-audit

📖 About This Skill


name: openclaw-shield description: Security audit engine for OpenClaw configurations. Detects vulnerabilities, misconfigurations, secret leaks, and over-privileged agents. Use when the user asks about security, hardening, config review, or audit of their OpenClaw setup. metadata: {"openclaw":{"emoji":"🛡️","homepage":"https://github.com/autonomous-intelligence/openclaw-shield"}}

OpenClaw Shield — Security Audit

Audit any OpenClaw config for security vulnerabilities, misconfigurations, and best-practice violations. Produces a structured JSON report with risk scores, findings, and remediation steps.

When to Use

  • User asks to check/audit/review their OpenClaw security
  • User wants to harden their config before deploying
  • User is setting up a new OpenClaw instance
  • User asks about secret leakage or API key exposure in their config
  • Before publishing or sharing any config file
  • Quick Audit (live config)

    node scripts/shield-audit.sh
    

    Or directly:

    node SKILL_DIR/bin/shield.js audit ~/.openclaw/openclaw.json --summary
    

    What It Checks (11 categories)

    1. Gateway Auth — missing/weak auth, insecure UI settings 2. Network Exposure — bind address, Tailscale funnel, wildcard proxies 3. Channel Security — wildcard allowFrom, missing allowlists 4. DM Policy — open DM policy without pairing 5. Subagent Permissions — wildcard allowAgents, circular delegation chains, self-delegation 6. Tool Permissions — over-privileged agents with tools.profile: "full" 7. Secret Leakage — API keys, tokens, private keys in plaintext config 8. Sandbox/Execution — missing workspace isolation, no execution policies 9. Plugin Config — enabled plugins without channel config 10. Heartbeat Exposure — sensitive data in heartbeat prompts 11. Remote Config — unencrypted WebSocket, exposed remote URLs/tokens

    Usage

    Audit a config file

    node SKILL_DIR/bin/shield.js audit 
    node SKILL_DIR/bin/shield.js audit  --summary   # human-readable
    

    Audit from stdin

    cat config.json | node SKILL_DIR/bin/shield.js audit --stdin
    

    Sanitize a config (strip secrets)

    node SKILL_DIR/bin/shield.js sanitize 
    

    Programmatic use

    const { auditConfig } = require('SKILL_DIR/src/audit');
    const config = require('./openclaw.json');
    const report = auditConfig(config);
    console.log(report.risk_level);      // "CRITICAL" | "HIGH" | "MEDIUM" | "LOW"
    console.log(report.overall_score);   // 0-100
    console.log(report.vulnerabilities); // detailed findings
    

    Output

    Returns JSON with: risk_level, overall_score (0-100), vulnerabilities[], vulnerability_count, best_practices_compliance, action_recommended, safe_to_deploy, audit_timestamp.

    Workflow for Agent

    1. Load the user's config: cat ~/.openclaw/openclaw.json 2. Run: node SKILL_DIR/bin/shield.js audit ~/.openclaw/openclaw.json --summary 3. Present findings to user with prioritized recommendations 4. Offer to sanitize before sharing: node SKILL_DIR/bin/shield.js sanitize

    ⚡ When to Use

    TriggerAction
    - User wants to harden their config before deploying
    - User is setting up a new OpenClaw instance
    - User asks about secret leakage or API key exposure in their config
    - Before publishing or sharing any config file

    💡 Examples

    Audit a config file

    node SKILL_DIR/bin/shield.js audit 
    node SKILL_DIR/bin/shield.js audit  --summary   # human-readable
    

    Audit from stdin

    cat config.json | node SKILL_DIR/bin/shield.js audit --stdin
    

    Sanitize a config (strip secrets)

    node SKILL_DIR/bin/shield.js sanitize 
    

    Programmatic use

    const { auditConfig } = require('SKILL_DIR/src/audit');
    const config = require('./openclaw.json');
    const report = auditConfig(config);
    console.log(report.risk_level);      // "CRITICAL" | "HIGH" | "MEDIUM" | "LOW"
    console.log(report.overall_score);   // 0-100
    console.log(report.vulnerabilities); // detailed findings