When to Use
- User asks to "audit security", "check for vulnerabilities", or "harden" an OpenClaw deployment
- After installing or updating OpenClaw or any skill
- Before deploying to production
- During security reviews or incident response
- When investigating suspicious skill behavior
Installation
Method 1: npx (no install)
npx clawpinch
Method 2: Global install
npm install -g clawpinch
clawpinch
Method 3: From source
git clone https://github.com/MikeeBuilds/clawpinch.git
cd clawpinch
bash clawpinch.sh
CLI Commands
# Standard interactive scan
clawpinch
# Deep scan (supply-chain hash verification, full skill decompilation)
clawpinch --deep
# JSON output for programmatic consumption
clawpinch --json
# Quiet mode — summary line only
clawpinch --quiet
# Show auto-fix commands in report
clawpinch --fix
# Skip interactive menu
clawpinch --no-interactive
# AI-powered remediation — scan then pipe to Claude for automated fixing
clawpinch --remediate
# Target specific config directory
clawpinch --config-dir /path/to/openclaw/config
# Version info
clawpinch --version
Output Schema
Each finding is a JSON object:
{
"id": "CHK-CFG-001",
"severity": "critical | warn | info | ok",
"title": "Short description",
"description": "Detailed explanation",
"evidence": "Relevant snippet or value",
"remediation": "How to fix",
"auto_fix": "Shell command to fix (may be empty)"
}
Check Categories
| Category | ID Range | Count | Description |
|---|
| Configuration | CHK-CFG-001..010 | 10 | Gateway, TLS, auth, CORS, rate limiting |
| Secrets | CHK-SEC-001..008 | 8 | API keys, passwords, tokens, .env files |
| Network | CHK-NET-001..008 | 8 | Port exposure, WebSocket auth, DNS rebinding |
| Skills | CHK-SKL-001..010 | 10 | Permissions, signatures, eval patterns |
| Permissions | CHK-PRM-001..008 | 8 | Least-privilege, wildcards, cross-tenant |
| Cron | CHK-CRN-001..006 | 6 | Sandbox, timeouts, privilege escalation |
| CVE | CHK-CVE-001..005 | 5 | Known vulnerabilities, outdated deps |
| Supply Chain | CHK-SUP-001..008 | 8 | Registry trust, hash verification, lockfiles |
Integration Patterns
OpenClaw Skill
npx skills add https://github.com/MikeeBuilds/clawpinch --skill clawpinch
Claude Code
# Slash commands (when repo is open in Claude Code)
/clawpinch-scan # Run security audit
/clawpinch-fix # Scan and fix all findings
# Direct remediation
clawpinch --remediate
CI/CD
npx clawpinch --json --no-interactive | jq '[.[] | select(.severity == "critical")] | length'
# Exit code 1 if any critical findings
npx clawpinch --quiet --no-interactive
Dependencies
- Required:
bash >= 4.0, jq
- Optional:
openssl (TLS checks), nmap / ss (network checks), sha256sum / shasum (supply-chain hash verification), claude CLI (for --remediate)
Safety Rules
- No remote execution. Runs entirely local. No outbound connections except version metadata checks.
- No system modifications without consent. Scanners are read-only by default.
- Always redact secrets. Secrets truncated to first 4 chars +
**** in all output.
- Treat all skills as untrusted. Deny-by-default permission policy.
- No privilege escalation. Never requests
sudo.
- Findings are advisory. Output is informational — operator decides whether to act.
Exit Codes
| Code | Meaning |
|---|
| 0 | No critical findings |
| 1 | One or more critical findings detected |