Security Hardener
by @mariusfit
Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permiss...
clawhub install oc-security-hardenerπ About This Skill
name: security-hardener description: Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permissive exec rules, and missing security best practices. Use when asked to audit security, harden configuration, check for vulnerabilities, or secure an OpenClaw deployment.
Security Hardener
Audit your OpenClaw configuration and apply security best practices automatically.
Quick Start
# Full security audit (read-only, no changes)
python scripts/hardener.py auditAudit a specific config file
python scripts/hardener.py audit --config /path/to/openclaw.jsonAudit with JSON output
python scripts/hardener.py audit -f jsonAuto-fix issues (creates backup first)
python scripts/hardener.py fixFix specific issues only
python scripts/hardener.py fix --only gateway,permissionsScan for exposed credentials in config
python scripts/hardener.py scan-secretsGenerate a security report
python scripts/hardener.py report -o security-report.mdCheck file permissions
python scripts/hardener.py check-perms
Commands
| Command | Args | Description |
|---------|------|-------------|
| audit | [--config PATH] [-f FORMAT] | Full security audit (read-only) |
| fix | [--config PATH] [--only CHECKS] | Auto-fix issues (with backup) |
| scan-secrets | [--config PATH] | Scan for exposed API keys/tokens |
| report | [-o FILE] | Generate detailed security report |
| check-perms | [--config-dir PATH] | Check file permissions |
Security Checks
| Check | Severity | Description |
|-------|----------|-------------|
| gateway-bind | CRITICAL | Gateway not bound to loopback |
| exposed-keys | CRITICAL | API keys in config instead of .env |
| insecure-auth | HIGH | allowInsecureAuth or dangerouslyDisableDeviceAuth enabled |
| exec-sandbox | HIGH | exec sandbox mode not set to restricted |
| file-perms | HIGH | Config files readable by others (not 600) |
| agent-allow-all | MEDIUM | agentToAgent.allow: ["*"] is overly permissive |
| no-heartbeat | MEDIUM | No heartbeat configured (can't detect outages) |
| no-session-reset | MEDIUM | No session reset policy (memory leak risk) |
| no-pruning | LOW | No context pruning (cost and performance impact) |
| no-memory-flush | LOW | Memory flush disabled (context loss on pruning) |
Scoring
The audit produces a security score from 0-100:
Example Output
ββββββββββββββββββββββββββββββββββββββββββββββββββββ
β OPENCLAW SECURITY AUDIT β
β βββββββββββββββββββββββββββββββββββββββββββββββββββ£
β Score: 75/100 (Good) β
β β
β β
Gateway bound to loopback β
β β
No exposed API keys in config β
β β οΈ exec sandbox mode: unrestricted β
β β οΈ agentToAgent allow: * (too permissive) β
β β File permissions too open (644 β should be 600) β
β β
Heartbeat configured β
β β
Session reset policy active β
β β οΈ No context pruning configured β
ββββββββββββββββββββββββββββββββββββββββββββββββββββ
π‘ Examples
# Full security audit (read-only, no changes)
python scripts/hardener.py auditAudit a specific config file
python scripts/hardener.py audit --config /path/to/openclaw.jsonAudit with JSON output
python scripts/hardener.py audit -f jsonAuto-fix issues (creates backup first)
python scripts/hardener.py fixFix specific issues only
python scripts/hardener.py fix --only gateway,permissionsScan for exposed credentials in config
python scripts/hardener.py scan-secretsGenerate a security report
python scripts/hardener.py report -o security-report.mdCheck file permissions
python scripts/hardener.py check-perms