openclaw-shield

Security audit engine for OpenClaw configurations. Detects vulnerabilities, misconfigurations, secret leaks, and over-privileged agents. Use when the user asks about security, hardening, config review, or audit of their OpenClaw setup.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "openclaw-shield" with this command: npx skills add laurentaia/ai-shield-audit

OpenClaw Shield — Security Audit

Audit any OpenClaw config for security vulnerabilities, misconfigurations, and best-practice violations. Produces a structured JSON report with risk scores, findings, and remediation steps.

When to Use

  • User asks to check/audit/review their OpenClaw security
  • User wants to harden their config before deploying
  • User is setting up a new OpenClaw instance
  • User asks about secret leakage or API key exposure in their config
  • Before publishing or sharing any config file

Quick Audit (live config)

node scripts/shield-audit.sh

Or directly:

node SKILL_DIR/bin/shield.js audit ~/.openclaw/openclaw.json --summary

What It Checks (11 categories)

  1. Gateway Auth — missing/weak auth, insecure UI settings
  2. Network Exposure — bind address, Tailscale funnel, wildcard proxies
  3. Channel Security — wildcard allowFrom, missing allowlists
  4. DM Policy — open DM policy without pairing
  5. Subagent Permissions — wildcard allowAgents, circular delegation chains, self-delegation
  6. Tool Permissions — over-privileged agents with tools.profile: "full"
  7. Secret Leakage — API keys, tokens, private keys in plaintext config
  8. Sandbox/Execution — missing workspace isolation, no execution policies
  9. Plugin Config — enabled plugins without channel config
  10. Heartbeat Exposure — sensitive data in heartbeat prompts
  11. Remote Config — unencrypted WebSocket, exposed remote URLs/tokens

Usage

Audit a config file

node SKILL_DIR/bin/shield.js audit <config.json>
node SKILL_DIR/bin/shield.js audit <config.json> --summary   # human-readable

Audit from stdin

cat config.json | node SKILL_DIR/bin/shield.js audit --stdin

Sanitize a config (strip secrets)

node SKILL_DIR/bin/shield.js sanitize <config.json>

Programmatic use

const { auditConfig } = require('SKILL_DIR/src/audit');
const config = require('./openclaw.json');
const report = auditConfig(config);
console.log(report.risk_level);      // "CRITICAL" | "HIGH" | "MEDIUM" | "LOW"
console.log(report.overall_score);   // 0-100
console.log(report.vulnerabilities); // detailed findings

Output

Returns JSON with: risk_level, overall_score (0-100), vulnerabilities[], vulnerability_count, best_practices_compliance, action_recommended, safe_to_deploy, audit_timestamp.

Workflow for Agent

  1. Load the user's config: cat ~/.openclaw/openclaw.json
  2. Run: node SKILL_DIR/bin/shield.js audit ~/.openclaw/openclaw.json --summary
  3. Present findings to user with prioritized recommendations
  4. Offer to sanitize before sharing: node SKILL_DIR/bin/shield.js sanitize <file>

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Production Code Audit

Deep-scan a codebase, understand its architecture and patterns, then produce a comprehensive audit report with prioritized fixes. Optionally apply changes on...

Registry SourceRecently Updated
1520Profile unavailable
Security

Soc Deploy Misp

Deploy MISP threat intelligence platform on any Docker-ready Linux host. Official misp-docker project with automatic MariaDB memory tuning (prevents OOM on s...

Registry SourceRecently Updated
1760Profile unavailable
Security

SEO Intel

Local SEO competitive intelligence tool. Use when the user asks about SEO analysis, competitor research, keyword gaps, content strategy, site audits, AI cita...

Registry SourceRecently Updated
2230Profile unavailable
Security

MAL-Updater

Multi-provider anime → MyAnimeList sync and recommendations skill with guarded auth, review-queue triage, health checks, bootstrap auditing, and user-systemd...

Registry SourceRecently Updated
2190Profile unavailable