OpenClaw Security Audit
Comprehensive security auditing for OpenClaw deployments. This skill performs automated security checks and generates reports.
⚠️ Security Notice: This skill requires elevated system access for legitimate security auditing purposes. See SECURITY.md for detailed security declarations and data handling policies.
Quick Start
Run the security audit script:
python3 scripts/openclaw_security_audit.py
This generates:
- Brief summary printed to stdout
- Detailed report saved to
/tmp/openclaw-security-reports/report-{DATE}.txt
What It Checks
| Check | Description |
|---|---|
| Environment Isolation | Detects Docker/container/VM environments |
| Privilege Check | Verifies OpenClaw isn't running as root |
| Port Exposure | Checks if Gateway port 18789 is exposed |
| Skill Trust | Lists installed skills and their sources |
| Version Check | Compares current vs latest OpenClaw version |
| Process & Network | Captures listening ports and top processes |
| Sensitive Directories | Counts file changes in /etc, ~/.ssh, etc. |
| System Cron | Lists system timers and cron jobs |
| OpenClaw Cron | Retrieves internal OpenClaw scheduled tasks |
| SSH Audit | Recent logins and failed SSH attempts |
| File Integrity | SHA256 hash and permission checks |
| Yellow Line Audit | Compares sudo logs with memory records |
| Disk Usage | Root partition usage and large files |
| Environment Variables | Scans Gateway process for sensitive vars |
| DLP Scan | Detects plaintext private keys/mnemonics (read-only) |
| Skill/MCP Integrity | Tracks file hash changes over time |
| Disaster Recovery | Auto-commits OpenClaw state to Git (opt-in) |
Security & Privacy
Data Handling
- All scans are local-only - No data leaves your machine
- Read-only operations - No system modifications (except opt-in features)
- Opt-in external features - Git backup and Telegram notifications are disabled by default
Sensitive Operations
See SECURITY.md for detailed explanations of:
- DLP scanning (private key/mnemonic detection)
- Environment variable auditing
- Git disaster recovery
Required Permissions
This skill requires system access for:
- Running system commands (
ss,top,systemctl, etc.) - Reading OpenClaw configuration files
- Inspecting Gateway process environment
- Scanning workspace files for credential leaks
Output Format
Brief Format (stdout)
OpenClaw Daily Security Brief (2026-03-11)
[OK] Environment Isolation: Running in isolated environment
[OK] Privilege Check: Complies with least privilege principle
[WARNING] Port Exposure: Port 18789 listening on all interfaces, recommend binding to 127.0.0.1
...
Warning Items:
[WARNING] Port Exposure: Port 18789 listening on all interfaces, recommend binding to 127.0.0.1
Detailed Report
Full report saved to /tmp/openclaw-security-reports/report-{DATE}.txt
Configuration
Optional Features (Disabled by Default)
To enable external operations, set the following environment variables:
Git Disaster Recovery
export SECURITY_AUDIT_ENABLE_GIT=1
Enables automatic Git commit and push of OpenClaw state to your configured remote.
Telegram Notifications
export SECURITY_AUDIT_ENABLE_TELEGRAM=1
export TELEGRAM_BOT_TOKEN="your-bot-token"
export TELEGRAM_CHAT_ID="your-chat-id"
Sends audit summary to Telegram after each run.
Scheduling
To run daily via OpenClaw cron:
openclaw cron add --name "daily-security-audit" --schedule "0 9 * * *" --command "python3 ~/.openclaw/workspace/skills/openclaw-security/scripts/openclaw_security_audit.py"
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0.2 | 2026-03-16 | Made Git backup and Telegram opt-in features (disabled by default) |
| 1.0.1 | 2026-03-16 | Added SECURITY.md, enhanced documentation |
| 1.0.0 | 2026-03-13 | Initial release |