OpenClaw Security Check
Fast 10-point security audit for OpenClaw config + host. Read-only by default, optional auto-fix.
Quick Start
Run the bundled script for a non-interactive report:
scripts/security-check.sh # human-readable
scripts/security-check.sh --json # structured output
Or tell the agent: "run a security check" / "audit my OpenClaw config".
What It Checks
| # | Check | Severity if failed | What it looks at |
|---|---|---|---|
| 1 | Gateway Bind | CRITICAL | gateway.bind — must be loopback, not 0.0.0.0 |
| 2 | Gateway Auth | CRITICAL | gateway.auth.mode — must not be off/none |
| 3 | Token Strength | HIGH | gateway.auth.token — must be ≥32 chars |
| 4 | DM Policy | HIGH | Per-channel dmPolicy — open without allowFrom is dangerous |
| 5 | Group Policy | HIGH | Per-channel groupPolicy — open/any allows strangers to trigger the agent |
| 6 | Config Permissions | MEDIUM | File mode of openclaw.json — should be 600 or 400 |
| 7 | Plaintext Secrets | MEDIUM | Scans config values for keys matching password/secret/apiKey/privateKey |
| 8 | Host Firewall | HIGH | UFW or firewalld must be installed and active |
| 9 | SSH Hardening | MEDIUM | PasswordAuthentication and PermitRootLogin in sshd_config |
| 10 | Exposed Ports | MEDIUM | Count of non-loopback listening ports (>8 = FAIL) |
Auto-Fix Flow
If any item is FAIL or WARN, offer fixes. Always confirm with the user first.
Fix Recipes
#1 Gateway Bind → FAIL:
Set gateway.bind to "loopback". Use openclaw CLI if available, otherwise edit openclaw.json.
#2 Gateway Auth → FAIL:
Set gateway.auth.mode to "token". Generate a strong token if missing:
openssl rand -hex 24
#3 Token Strength → FAIL/WARN:
Replace with a new 48-char hex token: openssl rand -hex 24.
Warn user that paired clients will need the new token.
#4 DM Policy → FAIL:
Set affected channels to "dmPolicy": "pairing", or add specific IDs to allowFrom.
#5 Group Policy → FAIL:
Set affected channels to "groupPolicy": "allowlist".
#6 Config Permissions → FAIL/WARN:
chmod 600 ~/.openclaw/openclaw.json
#7 Plaintext Secrets → WARN:
Cannot auto-fix safely. Advise moving secrets to environment variables or .env.local.
#8 Host Firewall → FAIL:
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
# IMPORTANT: Allow SSH before enabling!
sudo ufw allow from <trusted_ip_or_subnet> to any port 22 proto tcp
sudo ufw enable
#9 SSH Hardening → WARN:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl reload ssh
CRITICAL: Ensure key-based SSH access works in a separate session before closing current one.
#10 Exposed Ports → WARN/FAIL:
Review with ss -ltnp, close unnecessary services, or restrict with firewall rules.
Fix Rules
- Backup first:
cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak - Merge, don't overwrite: Modify only the specific keys, preserve everything else.
- SSH changes need special care: Always test access in a second session before closing the first.
- Firewall: allow SSH first, enable second. Getting this backwards locks you out.
- After config changes:
openclaw gateway restartto apply. - Re-run the check after fixes to confirm everything passes.
Integration
Heartbeat
Add to HEARTBEAT.md for periodic checks:
- Every heartbeat: Run scripts/security-check.sh, alert on any FAIL
Cron
Schedule via OpenClaw cron for standalone audits:
openclaw cron add --name "security-check" --schedule "0 8 * * *" --task "Run scripts/security-check.sh and report results"
Combining with healthcheck skill
This skill focuses on fast config + host audit (10 checks, <5 seconds).
The built-in healthcheck skill provides a full hardening workflow (risk profiling, remediation planning, guided execution).
Use this skill for quick checks; escalate to healthcheck for comprehensive hardening.