Security Monitor
Real-time security monitoring with threat intelligence from ClawHavoc research, the April 2026 OpenClaw advisory rollups, daily automated scans, web dashboard, and Telegram alerting for OpenClaw.
Commands
Note: Replace <skill-dir> with the actual folder name where this skill is installed (commonly openclaw-security-monitor or security-monitor).
/security-scan
Run a comprehensive 41-point security scan:
- Known C2 IPs (ClawHavoc: 91.92.242.x, 95.92.242.x, 54.91.154.110)
- Malware signatures & obfuscation (AMOS stealer, base64 payloads, binary downloads)
- Reverse shells & backdoors (bash, python, perl, ruby, php, lua)
- Credential exfiltration endpoints (webhook.site, pipedream, ngrok, etc.)
- Crypto wallet targeting (seed phrases, private keys, exchange APIs)
- Curl-pipe / download attacks
- File & credential permission audit (config files, credentials dir, sessions)
- Skill integrity hash verification
- AI prompt injection & instruction manipulation (SKILL.md injection, memory poisoning, MCP tool poisoning, rules file backdoor, trusted prompt-channel downgrade fixes)
- Gateway security configuration audit
- WebSocket security (CVE-2026-25253, ClawJacked, device identity skip, CSWSH)
- Known malicious publisher detection
- Credential leakage & plaintext secrets (env access, hardcoded API keys, config.get redaction bypass GHSA-8372)
- DM, tool & sandbox policies (open DM, elevated tools, disabled sandbox, Matrix room-control bypass GHSA-2gvc, wildcard owner command and bundled MCP/LSP tool-policy bypasses)
- mDNS/Bonjour exposure detection
- Persistence mechanism scan (LaunchAgents, crontabs, systemd)
- Log security & poisoning (redaction, ANSI injection, header injection)
- Plugin/extension security audit (including setup-api.js cwd/plugin hijack GHSA-r39h)
- Docker container security (root, socket mount, privileged mode)
- Authentication & route security (proxy bypass, CDP auth, browser bridge, /agent/act, webchat local-root bypass GHSA-mr34, SecretRef stale auth GHSA-xmxx, webhook SecretRef replay GHSA-q8ff, gateway config mutation guard GHSA-cwj3)
- Exec guardrails & approval security (safeBins bypass CVE-2026-28363, shell expansion CVE-2026-28463, approval injection CVE-2026-28466, heredoc/env-argv/applet/pipeline approval gaps, replay)
- Node.js version / CVE-2026-21636 permission model bypass
- VS Code extension trojan detection
- Internet exposure detection
- MCP server security audit (tool poisoning, stdio env filtering, loopback owner context, bundled MCP/LSP policy)
- PATH hijacking & command resolution (GHSA-jqpq, CVE-2026-29610)
- SSRF protection (CVE-2026-26322, CVE-2026-27488, QQBot/Zalo/browser media SSRF hardening)
- Path traversal & file handling (deep link CVE-2026-26320, browser control CVE-2026-28462, TAR CVE-2026-28453, OpenShell FS bridge read/write pinning)
- DoS protection (webhook CVE-2026-28478, fetchWithGuard CVE-2026-29609)
- ACP permission auto-approval (GHSA-7jx5)
- Skill env override host injection (GHSA-82g8, workspace dotenv connector/runtime host overrides)
- Privilege escalation & scope abuse (pairing creds GHSA-7h7g, operator GHSA-vmhq, shared-auth GHSA-rqpp, paired-device and ACP child-session scope fixes)
- SHA-1 sandbox cache key poisoning (CVE-2026-28479, CVSS 8.7)
- Google Chat webhook cross-account bypass (CVE-2026-28469, CVSS 9.8)
- SANDWORM_MODE MCP worm detection
- Workspace plugin auto-discovery (GHSA-99qw)
- Symlink traversal (CVE-2026-32013, CVE-2026-32055)
- Sandbox escape & session inheritance (CVE-2026-32048, CVE-2026-32051)
- Shell environment RCE (CVE-2026-32056, CVE-2026-27566)
- VNC & observer authentication (CVE-2026-32064)
- Device identity & metadata spoofing (CVE-2026-32014, CVE-2026-32042, CVE-2026-32025)
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/scan.sh
Exit codes: 0=SECURE, 1=WARNINGS, 2=COMPROMISED
/security-dashboard
Display a security overview with process trees via witr.
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/dashboard.sh
/security-network
Monitor network connections and check against IOC database.
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/network-check.sh
/security-remediate
Scan-driven remediation: runs scan.sh, skips CLEAN checks, and executes per-check remediation scripts for each WARNING/CRITICAL finding. Includes 41 individual scripts covering file permissions, exfiltration domain blocking, tool deny lists, gateway hardening, sandbox configuration, credential auditing, ClawJacked protection, SSRF hardening, PATH hijacking cleanup, log poisoning remediation, /agent/act hardening, SHA-1 cache key migration, Google Chat webhook hardening, WebSocket identity enforcement, MCP tool poisoning quarantine, SANDWORM_MODE worm cleanup, rules file Unicode sanitization, workspace plugin auto-loading, shared-auth scope abuse, and exec approval replay.
# Full scan + remediate (interactive)
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh
# Auto-approve all fixes (explicit opt-in)
OPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1 \
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --yes
# Dry run (preview)
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --dry-run
# Remediate a single check
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --check 7 --dry-run
# Run all 41 remediation scripts (skip scan)
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --all
Flags:
--yes/-y— Skip confirmation prompts only whenOPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1--dry-run— Show what would be fixed without making changes--check N— Run remediation for check N only (skip scan)--all— Run all 41 remediation scripts without scanning first
Exit codes: 0=fixes applied, 1=some fixes failed, 2=nothing to fix
/clawhub-scan
Scan all locally installed ClawHub skills for security issues. Checks each skill against:
- Known malicious publishers (
ioc/malicious-publishers.txt) - Malicious skill name patterns (
ioc/malicious-skill-patterns.txt) - Suspicious script patterns: curl/wget pipe-to-shell, base64 decode/eval, reverse shells, credential file access, environment variable exfiltration
- Known C2 IP references (
ioc/c2-ips.txt) - Malicious domain references (
ioc/malicious-domains.txt) - SKILL.md integrity (shell injection in Prerequisites)
- Known malicious file hashes (
ioc/file-hashes.txt) - April 2026 plugin/dotenv/MCP artifacts (
setup-api.js, OpenClaw runtime env overrides, high-risk startup env)
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/clawhub-scan.sh
Exit codes: 0=all clean, 1=warnings found, 2=critical findings
/security-setup-telegram
Register a Telegram chat for daily security alerts.
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/telegram-setup.sh [chat_id]
Web Dashboard
URL: http://<vm-ip>:18800
Read-only dark-themed browser dashboard that displays scan results from log files, IOC stats, installed skills list, and scan history. Does not execute any shell commands or child processes — all scans and remediation are triggered via CLI scripts.
Service Management
launchctl list | grep security-dashboard
launchctl unload ~/Library/LaunchAgents/com.openclaw.security-dashboard.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.security-dashboard.plist
IOC Database
Threat intelligence files in ioc/:
c2-ips.txt- Known command & control IP addressesmalicious-domains.txt- Payload hosting and exfiltration domainsfile-hashes.txt- Known malicious file SHA-256 hashesmalicious-publishers.txt- Known malicious ClawHub publishersmalicious-skill-patterns.txt- Malicious skill naming patterns
Daily Automated Scan (Optional)
Optional cron job at 06:00 UTC with Telegram alerts. Not auto-installed — requires explicit user action:
crontab -l | { cat; echo "0 6 * * * $HOME/.openclaw/workspace/skills/<skill-dir>/scripts/daily-scan-cron.sh"; } | crontab -
Threat Coverage
Based on research from 40+ security sources including:
- ClawHavoc: 341 Malicious Skills (Koi Security)
- CVE-2026-25253: 1-Click RCE
- From SKILL.md to Shell Access (Snyk)
- VirusTotal: From Automation to Infection
- OpenClaw Official Security Docs
- DefectDojo Hardening Checklist
- Vectra: Automation as Backdoor
- Cisco: AI Agents Security Nightmare
- Bloom Security/JFrog: 37 Malicious Skills
- OpenSourceMalware: Skills Ganked Your Crypto
- Snyk: clawdhub Campaign Deep-Dive
- OWASP Top 10 for Agentic Applications 2026
- CrowdStrike: OpenClaw AI Super Agent
- Argus Security Audit (512 findings)
- ToxSec: OpenClaw Security Checklist
- Aikido.dev: Fake ClawdBot VS Code Extension
- Prompt Security: Top 10 MCP Risks
- Oasis Security: ClawJacked (Feb 26)
- CVE-2026-28363: safeBins Bypass (CVSS 9.9)
- CVE-2026-28479: SHA-1 Cache Poisoning (CVSS 8.7)
- CVE-2026-28485: /agent/act No Auth
- CVE-2026-29610: Command Hijacking via PATH
- Flare: Widespread Exploitation (Feb 25)
- CVE-2026-28469: Google Chat Webhook Cross-Account Bypass (CVSS 9.8)
- CVE-2026-28472: Gateway WebSocket Device Identity Skip
- CVE-2026-32302: Cross-Site WebSocket Hijacking
- GHSA-7h7g: Device Pairing Credential Exposure
- GHSA-vmhq: Operator Privilege Escalation
- Socket: SANDWORM_MODE npm Worm (Feb 20)
- Pillar Security: Rules File Backdoor
- OWASP MCP Top 10
- CyberArk: MCP Output Poisoning
- Semgrep: First Malicious MCP Server on npm
- OpenClaw GitHub Security Advisories — current upstream advisory source for patched-version baselines
- GHSA-r39h-4c2p-3jxp: setup-api.js cwd execution
- GHSA-q8ff-7ffm-m3r9: webhook SecretRef route secret replay
- GHSA-cwj3-vqpp-pmxr: gateway config mutation guard bypass
Security & Transparency
Source repository: github.com/adibirzu/openclaw-security-monitor — all source code is publicly auditable.
Detection signatures in repository: This project contains threat-signature patterns (IP addresses, domain names, hash values) because it scans skills for risky content. These strings are used for grep/regex matching only and are not executable instructions.
Required binaries: bash, curl, node (for dashboard), lsof (for network checks). Optional: witr (process trees), docker (container audits), openclaw CLI (config checks).
Environment variables: OPENCLAW_TELEGRAM_TOKEN (optional, for daily scan alerts), OPENCLAW_HOME (optional, overrides default ~/.openclaw directory). Both are declared in the frontmatter metadata above.
What the scanner reads: scan.sh reads files within ~/.openclaw/ (configs, skills, credentials, logs) to detect threats. It pattern-matches against .env, .ssh, and keychain paths for detection only — it never exfiltrates, transmits, or modifies data. The scanner is read-only.
What remediation does: remediate.sh can modify file permissions, block domains in /etc/hosts, adjust OpenClaw gateway config, quarantine MCP configs, and remove malicious skills. Always run --dry-run first to preview changes. Unattended mode (--yes) requires explicit OPENCLAW_ALLOW_UNATTENDED_REMEDIATE=1 — without this env var, --yes is silently ignored.
IOC updates: update-ioc.sh fetches threat intelligence from this project's GitHub repository. In interactive mode it shows pending changes and asks for confirmation before writing. --auto mode (for cron) writes without prompting. Validates incoming IOC file format (field counts). Untrusted upstream repos require explicit OPENCLAW_ALLOW_UNTRUSTED_IOC_SOURCE=1.
No auto-installed persistence: The installer does NOT create cron jobs, LaunchAgents, symlinks, or background services. Cron and LaunchAgent setup are documented as optional manual steps that the user must explicitly run themselves.
Dashboard binding: The web dashboard is read-only (no shell commands, no child processes) and defaults to 127.0.0.1:18800 (localhost only). It reads log files and IOC stats only.
Installation
# From GitHub
git clone https://github.com/adibirzu/openclaw-security-monitor.git \
~/.openclaw/workspace/skills/<skill-dir>
chmod +x ~/.openclaw/workspace/skills/<skill-dir>/scripts/*.sh
The OpenClaw agent auto-discovers skills from ~/.openclaw/workspace/skills/ via SKILL.md frontmatter. After cloning, the /security-scan, /security-remediate, /security-dashboard, /security-network, and /security-setup-telegram commands will be available in the agent.