OpenClaw Security Auditor
by @muhammad-waleed381
Audit OpenClaw configuration for security risks and generate a remediation report using the user's configured LLM.
clawhub install openclaw-security-auditorπ About This Skill
name: openclaw-security-audit description: Audit OpenClaw configuration for security risks and generate a remediation report using the user's configured LLM. metadata: openclaw: requires: bins: ["cat", "jq"] os: ["darwin", "linux", "windows"]
OpenClaw Security Audit Skill
Local-only skill that audits ~/.openclaw/openclaw.json, runs 15+ security
checks, and generates a detailed report using the user's existing LLM
configuration. No external APIs or keys required.
When to Use This Skill
How It Works
1. Read config with standard tools (cat, jq).
2. Extract security-relevant settings (NEVER actual secrets).
3. Build a structured findings object with metadata only.
4. Pass findings to the user's LLM via OpenClaw's normal agent flow.
5. Generate a markdown report with severity ratings and fixes.
Inputs
Outputs
Security Checks (15+)
1. API keys hardcoded in config (vs environment variables) 2. Weak or missing gateway authentication tokens 3. Unsafe gateway.bind settings (0.0.0.0 without proper auth) 4. Missing channel access controls (allowFrom not set) 5. Unsafe tool policies (elevated tools without restrictions) 6. Sandbox disabled when it should be enabled 7. Missing rate limits on channels 8. Secrets potentially exposed in logs 9. Outdated OpenClaw version 10. Insecure WhatsApp configuration 11. Insecure Telegram configuration 12. Insecure Discord configuration 13. Missing audit logging for privileged actions 14. Overly permissive file system access scopes 15. Unrestricted webhook endpoints 16. Insecure default admin credentials
Data Handling Rules
Example Findings Object (Redacted)
{
"config_path": "~/.openclaw/openclaw.json",
"openclaw_version": "present",
"gateway": {
"bind": "0.0.0.0",
"auth_token": "missing"
},
"channels": {
"allowFrom": "missing",
"rate_limits": "missing"
},
"secrets": {
"hardcoded": "detected"
},
"tool_policies": {
"elevated": "unrestricted"
}
}
Report Format
The report must include:
Skill Flow (Pseudo)
read_config_path = input.target_config_path || ~/.openclaw/openclaw.json
raw_config = cat(read_config_path)
json = jq parse raw_config
metadata = extract_security_metadata(json)
findings = build_findings(metadata)
report = openclaw.agent.analyze(findings, format=markdown)
return report