Audit OpenClaw Security
by @tristanmanchester
Audit and harden OpenClaw deployments and interpret `openclaw security audit` findings. Use when the user wants to secure OpenClaw, review gateway exposure/a...
clawhub install audit-openclaw-security📖 About This Skill
name: audit-openclaw-security description: Audit and harden OpenClaw deployments and interpret
openclaw security audit findings. Use when the user wants to secure OpenClaw, review gateway exposure/auth/reverse proxies/Tailscale Serve or Funnel, check DM/group access (pairing, allowlists, mention gating, session.dmScope), minimise tool permissions and sandboxing, review plugins/skills/secrets/transcripts/log retention, or lock down Docker/macOS/laptop/EC2 installs. Not for generic OS, Docker, or cloud hardening unrelated to OpenClaw.
license: MIT
compatibility: Best with local shell access (Claude Code, OpenClaw desktop/CLI, or a similar agent runtime). In chat-only environments, ask the user to run the bundled commands locally and share redacted outputs.
metadata: {"author":"community","version":"2.1.0","validated_for":"2026.3.8","upstream":"OpenClaw docs + Agent Skills guidance (validated 2026-03-11)"}
audit-openclaw-security
Run a defensive, permissioned security audit of an OpenClaw deployment and turn the results into a practical remediation plan.
This revision is tuned for OpenClaw 2026.3.8 and uses {baseDir} when referencing bundled scripts from commands.
Guardrails
1. Only audit systems the user owns or has explicit permission to assess.
2. Never ask for raw secrets. Do not request gateway tokens/passwords, model API keys, session cookies, OAuth creds, or raw credential files.
3. Prefer outputs that are designed to be shareable or redacted:
- openclaw status --all
- openclaw status --deep
- openclaw gateway probe --json
- openclaw security audit --json
- openclaw security audit --deep --json
4. Treat the Gateway, Control UI, browser control, paired nodes, and automation surfaces as operator-level access.
5. Default to audit-only. Before any config edits, --fix operations, firewall changes, or restarts, create a backup first and get explicit user approval.
6. When the user wants remediation, make the backup step explicit:
- openclaw backup create --verify
- use --no-include-workspace if the config is invalid but you still need state + creds
- use --only-config if the user only wants a minimal safety copy before edits
What “good” looks like
session.dmScope is isolated appropriately:per-channel-peer for most multi-user setups
- per-account-channel-peer when the same provider runs multiple accounts
tools.profile: "messaging" or stricter for inbox-facing agents
- deny group:runtime, group:fs, group:automation on untrusted surfaces
- tools.fs.workspaceOnly: true
- tools.exec.security: "deny" or at least approval-gated
- tools.elevated.enabled: false unless there is a narrow, intentional need
Use the bundled files progressively
Only open the extra files you need for the task:
references/command-cheatsheet.md — exact command laddersreferences/openclaw-audit-checks.md — current high-signal checkId glossaryreferences/openclaw-baseline-config.md — secure baseline snippetsreferences/platform-mac-mini.mdreferences/platform-personal-laptop.mdreferences/platform-docker.mdreferences/platform-aws-ec2.mdassets/report-template.md — report structureStep 0 — Establish context quickly
Collect just enough context to choose the audit path:
Mode A — Assisted self-audit (chat-only)
Ask the user to run the following on the OpenClaw host and share the outputs.
Minimum audit set
openclaw --version
openclaw status --all
openclaw status --deep
openclaw gateway status
openclaw gateway probe --json
openclaw channels status --probe
openclaw doctor
openclaw security audit --json
openclaw security audit --deep --json
Helpful extras
openclaw health --json
openclaw backup create --dry-run --json
openclaw backup create --only-config --dry-run --json
openclaw skills list --eligible --json
openclaw plugins list --json
Safe targeted config reads
Prefer targeted reads over a full config dump:
openclaw config get gateway.bind
openclaw config get gateway.auth.mode
openclaw config get gateway.auth.allowTailscale
openclaw config get gateway.controlUi.allowedOrigins
openclaw config get gateway.trustedProxies
openclaw config get gateway.allowRealIpFallback
openclaw config get discovery.mdns.mode
openclaw config get session.dmScope
openclaw config get tools.profile
openclaw config get tools.fs.workspaceOnly
openclaw config get tools.exec.security
openclaw config get tools.elevated.enabled
openclaw config get channels.defaults.dmPolicy
openclaw config get channels.defaults.groupPolicy
openclaw config get logging.redactSensitive
DM / group follow-up checks
If the issue is “the bot is online but DMs or groups behave strangely”, check pairing and mention gating:
openclaw pairing list
Examples of include discord, slack, signal, telegram, whatsapp, matrix, imessage, and bluebubbles.
If the user must share the config
OpenClaw config is often JSON5-like. Redact it before sharing:
python3 "{baseDir}/scripts/redact_openclaw_config.py" ~/.openclaw/openclaw.json > openclaw.json.redacted
Host / network snapshots
macOS
whoami
sw_vers
uname -a
lsof -nP -iTCP -sTCP:LISTEN
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
fdesetup status || true
Linux / cloud VM
whoami
cat /etc/os-release
uname -a
ss -ltnp
sudo ufw status verbose || true
sudo nft list ruleset || true
sudo iptables -S || true
Docker / Compose
docker ps --format 'table {{.Names}} {{.Image}} {{.Ports}}'
docker compose ps || true
docker port openclaw-gateway 18789 || true
Mode B — Automated local audit (shell access)
Run the bundled collector and report renderer:
bash "{baseDir}/scripts/collect_openclaw_audit.sh" --out ./openclaw-audit
python3 "{baseDir}/scripts/render_report.py" --input ./openclaw-audit --output ./openclaw-security-report.md
Then review openclaw-security-report.md, refine wording where needed, and present the final report to the user.
Notes on the collector
openclaw security audit --fix.openclaw status --deep
- openclaw gateway probe --json
- openclaw channels status --probe
- targeted safe config get values
- backup dry-run metadataHow to interpret the audit
Use OpenClaw’s own security audit output as the primary source of truth, then translate it into a clear threat narrative.
Triage order
Prioritise in this order:
1. Anything open + tools enabled Lock down DMs/groups first, then tighten tool policy and sandboxing. 2. Public network exposure LAN bind, Funnel, missing auth, weak reverse-proxy handling. 3. Browser / node / Control UI exposure Treat these as operator access, not “just another feature”. 4. Filesystem permissions State dir, config file, auth profiles, logs, and transcript locations. 5. Plugin / skill supply chain Trust only what is intentionally installed and writable by the right user. 6. Model and prompt-injection resilience Important, but not a substitute for access control.
Findings that are easy to miss in newer OpenClaw builds
Pay extra attention to these newer or high-signal check IDs:
gateway.control_ui.allowed_origins_requiredgateway.control_ui.host_header_origin_fallbackgateway.real_ip_fallback_enabledconfig.insecure_or_dangerous_flagssandbox.dangerous_network_modetools.exec.host_sandbox_no_sandbox_defaultstools.exec.host_sandbox_no_sandbox_agentstools.exec.safe_bins_interpreter_unprofiledskills.workspace.symlink_escapesecurity.exposure.open_groups_with_elevatedsecurity.exposure.open_groups_with_runtime_or_fssecurity.trust_model.multi_user_heuristicUse references/openclaw-audit-checks.md and assets/openclaw_checkid_map.json to map each finding to likely config paths and remediation areas.
Core remediation patterns
1) Gateway exposure and auth
gateway.bind: "loopback".gateway.remote.* values as protection for local WS access; actual protection comes from gateway.auth.*.openclaw doctor --generate-gateway-token is the safe boring path.2) Reverse proxies and browser-origin policy
If there is a reverse proxy in front of the Gateway:
gateway.trustedProxiesgateway.allowRealIpFallback: false unless there is a very specific needgateway.controlUi.allowedOrigins3) Tailscale Serve vs Funnel
tailscale.mode: "serve" keeps the Gateway tailnet-only.tailscale.mode: "funnel" is public and should be treated as urgent/high risk.gateway.auth.allowTailscale can allow tokenless Control UI/WebSocket auth via Tailscale identity headers. That assumes the gateway host itself is trusted.gateway.auth.allowTailscale and require token/password or trusted-proxy auth.4) DM and group isolation
dmPolicy: "pairing" or allowlist for inbox-facing bots.session.dmScope: "per-channel-peer".per-account-channel-peer.groupPolicy: "open" unless the tool surface is extremely limited.agents.list[].groupChat.mentionPatterns where native mentions are unreliable.5) Tool surface reduction
Start from the conservative baseline in references/openclaw-baseline-config.md.
Good defaults for user-facing agents:
tools.profile: "messaging"group:automationgroup:runtimegroup:fstools.fs.workspaceOnly: truetools.exec.security: "deny" and ask: "always"tools.exec.applyPatch.workspaceOnly: truetools.elevated.enabled: false6) Node / browser / automation trust
gateway / cron tools create persistence and should not be reachable from untrusted chat surfaces.7) Secrets, logs, transcripts, and writable paths
Audit and discuss these paths carefully without asking for raw contents:
~/.openclaw/openclaw.json~/.openclaw/secrets.json~/.openclaw/agents//agent/auth-profiles.json ~/.openclaw/agents//sessions/*.jsonl /tmp/openclaw/openclaw-YYYY-MM-DD.log~/.openclaw/credentials/Platform-specific guidance
Load the matching playbook when the environment is clear:
references/platform-mac-mini.mdreferences/platform-personal-laptop.mdreferences/platform-docker.mdreferences/platform-aws-ec2.mdDeliverable format
Use assets/report-template.md or the rendered report from {baseDir}/scripts/render_report.py.
The final deliverable should include:
Troubleshooting notes
“openclaw: command not found”
PATH.openclaw --version.“Gateway won’t start — configuration invalid”
OpenClaw now fails closed on invalid config keys, invalid values, or invalid types. That is intentional and security-relevant.
Use:
openclaw doctor
openclaw doctor --fix
Even when the config is invalid, diagnostic commands such as openclaw status, openclaw gateway status, openclaw gateway probe, and openclaw health are still useful.
“Runtime: running” but “RPC probe: failed”
Trust the probe details, not just the supervisor status:
Probe targetListeningLast gateway errorThis often means service/config drift, auth mismatch, or a listener that is not actually reachable by the CLI.
“Bot is online but DMs fail”
Check:
openclaw channels status --probe
openclaw pairing list
Common root causes:
dmPolicy too strict for the expected sender“Groups are silent”
Check:
groupPolicyrequireMentionmentionPatternsTrigger tests (skill author sanity check)
Should trigger:
openclaw security audit --deep --json findings.”Should not trigger: