🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Security Hardener

by @mariusfit

Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permiss...

Versionv1.0.0
Downloads2,420
Installs17
Stars⭐ 1
TERMINAL
clawhub install oc-security-hardener

πŸ“– About This Skill


name: security-hardener description: Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permissive exec rules, and missing security best practices. Use when asked to audit security, harden configuration, check for vulnerabilities, or secure an OpenClaw deployment.

Security Hardener

Audit your OpenClaw configuration and apply security best practices automatically.

Quick Start

# Full security audit (read-only, no changes)
python scripts/hardener.py audit

Audit a specific config file

python scripts/hardener.py audit --config /path/to/openclaw.json

Audit with JSON output

python scripts/hardener.py audit -f json

Auto-fix issues (creates backup first)

python scripts/hardener.py fix

Fix specific issues only

python scripts/hardener.py fix --only gateway,permissions

Scan for exposed credentials in config

python scripts/hardener.py scan-secrets

Generate a security report

python scripts/hardener.py report -o security-report.md

Check file permissions

python scripts/hardener.py check-perms

Commands

| Command | Args | Description | |---------|------|-------------| | audit | [--config PATH] [-f FORMAT] | Full security audit (read-only) | | fix | [--config PATH] [--only CHECKS] | Auto-fix issues (with backup) | | scan-secrets | [--config PATH] | Scan for exposed API keys/tokens | | report | [-o FILE] | Generate detailed security report | | check-perms | [--config-dir PATH] | Check file permissions |

Security Checks

| Check | Severity | Description | |-------|----------|-------------| | gateway-bind | CRITICAL | Gateway not bound to loopback | | exposed-keys | CRITICAL | API keys in config instead of .env | | insecure-auth | HIGH | allowInsecureAuth or dangerouslyDisableDeviceAuth enabled | | exec-sandbox | HIGH | exec sandbox mode not set to restricted | | file-perms | HIGH | Config files readable by others (not 600) | | agent-allow-all | MEDIUM | agentToAgent.allow: ["*"] is overly permissive | | no-heartbeat | MEDIUM | No heartbeat configured (can't detect outages) | | no-session-reset | MEDIUM | No session reset policy (memory leak risk) | | no-pruning | LOW | No context pruning (cost and performance impact) | | no-memory-flush | LOW | Memory flush disabled (context loss on pruning) |

Scoring

The audit produces a security score from 0-100:

  • 90-100: Excellent β€” production-ready
  • 70-89: Good β€” minor improvements recommended
  • 50-69: Fair β€” several issues to address
  • 0-49: Poor β€” critical issues require immediate attention
  • Example Output

    ╔══════════════════════════════════════════════════╗
    β•‘  OPENCLAW SECURITY AUDIT                         β•‘
    ╠══════════════════════════════════════════════════╣
    β•‘  Score: 75/100 (Good)                            β•‘
    β•‘                                                  β•‘
    β•‘  βœ… Gateway bound to loopback                    β•‘
    β•‘  βœ… No exposed API keys in config                β•‘
    β•‘  ⚠️  exec sandbox mode: unrestricted             β•‘
    β•‘  ⚠️  agentToAgent allow: * (too permissive)      β•‘
    β•‘  ❌ File permissions too open (644 β†’ should be 600) β•‘
    β•‘  βœ… Heartbeat configured                         β•‘
    β•‘  βœ… Session reset policy active                   β•‘
    β•‘  ⚠️  No context pruning configured               β•‘
    β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
    

    πŸ’‘ Examples

    # Full security audit (read-only, no changes)
    python scripts/hardener.py audit

    Audit a specific config file

    python scripts/hardener.py audit --config /path/to/openclaw.json

    Audit with JSON output

    python scripts/hardener.py audit -f json

    Auto-fix issues (creates backup first)

    python scripts/hardener.py fix

    Fix specific issues only

    python scripts/hardener.py fix --only gateway,permissions

    Scan for exposed credentials in config

    python scripts/hardener.py scan-secrets

    Generate a security report

    python scripts/hardener.py report -o security-report.md

    Check file permissions

    python scripts/hardener.py check-perms