trent-openclaw-security

Assess your Agent deployment against security risks using Trent.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.


Install skill "trent-openclaw-security" with this command: npx skills add trent-ai-release/trentclaw

Trent OpenClaw Security Assessment

Audit your OpenClaw deployment for security risks. Identifies misconfigurations, chained attack paths, and provides severity-rated findings with fixes.

Setup

All tools are bundled — no external installer needed.

Set the TRENT_API_KEY environment variable. Get a key at https://trent.ai/openclaw/

Instructions

This audit runs in three phases. Run them in order.

Phase 1 — Configuration Audit

Collect metadata and send to Trent for analysis:

from openclaw_trent.openclaw_config.collector import collect_openclaw_metadata
from openclaw_trent.lib.audit_prompt import build_audit_prompt
from openclaw_trent.lib import trent_client

metadata = collect_openclaw_metadata()
message = build_audit_prompt(metadata)
response = trent_client.chat(message=message)

Save response["thread_id"] for Phase 3.

Present findings grouped by severity (see "Present results" below).

Summarize: "Phase 1 complete. N findings from configuration analysis. Phase 2 will scan your skills for deeper analysis — I'll show you exactly what would be uploaded before anything is sent. Ready to continue?"

Optional: specify a custom config path:

from pathlib import Path
metadata = collect_openclaw_metadata(openclaw_path=Path("/path/to/openclaw/config"))

Phase 2 — Skill Upload

Scan the workspace first (nothing is uploaded yet):

from openclaw_trent.lib.package_skills import scan_workspace

skills = scan_workspace()

Present what was found and how it will be protected. Example:

I found N skills in your workspace:

| Skill | Type | Size |
|-------|------|------|
| skill-name | installed-skill | 12KB |

Before upload, each skill is packaged with its source code and metadata (name, version, dependencies). Files like .env, .pem, .key, and .db are excluded, and secrets in standard formats (API keys, tokens, AWS credentials, connection strings) are automatically redacted locally. If you use custom secret formats, keep them in environment variables rather than hard-coded in skill files.

Ready to upload?

Use the secrets_redacted field — if any skills had secrets redacted, mention which ones in the table or below it.

Wait for the user to confirm before uploading.

After user confirms, upload:

from openclaw_trent.lib.upload_skills import upload_packaged_skills

upload_summary = upload_packaged_skills(skills)

Present the upload summary:

  • How many skills were uploaded, skipped (unchanged), failed, or too large
  • List each skill by name and status

If all uploads failed, report the errors and stop. Otherwise proceed.

Summarize: "Phase 2 complete. N skills uploaded. Proceeding to deep skill analysis..."
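The exclusion and local redaction described in the Phase 2 prompt, as an added sketch that is not the skill's own code: the suffix list comes from the text above, while the regex patterns, function names and report shape are assumptions. It shows a custom-format secret passing through unredacted, which is why such values belong in environment variables.

```python
import re
from pathlib import PurePosixPath

# Assumed rules for illustration only; the skill's real list and patterns may differ.
EXCLUDED = {".env", ".pem", ".key", ".db"}
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connection_string": re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@[^\s\"']+"),
    "assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret|password)\s*[:=]\s*[\"']?[^\s\"']{8,}"),
}

def is_excluded(path):
    p = PurePosixPath(path)
    # ".env" is a bare dotfile (no suffix for pathlib), so test the name too.
    return p.suffix.lower() in EXCLUDED or p.name.lower() in EXCLUDED

def redact(text):
    """Replace each standard-format match; return (clean_text, labels_hit)."""
    hits = []
    for label, pattern in SECRET_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{label}]", text)
        if count:
            hits.append(label)
    return text, hits

def preflight(files):
    """files maps relative path -> text; returns what would leave the machine."""
    report = {}
    for path, text in files.items():
        if is_excluded(path):
            report[path] = {"action": "excluded", "secrets_redacted": []}
        else:
            clean, hits = redact(text)
            report[path] = {"action": "packaged", "secrets_redacted": hits,
                            "content": clean}
    return report

# Constructed sample skill; every value below is fake.
SAMPLE_SKILL = {
    ".env": "TRENT_API_KEY=constructed-not-a-real-key\n",
    "certs/server.pem": "constructed placeholder, not a real key\n",
    "main.py": 'AWS_ID = "AKIAABCDEFGHIJKLMNOP"\n'
               'DB = "postgres://app:s3cretpw@db.internal:5432/app"\n',
    "legacy.py": 'auth_blob = "corp$$7f3a-91bc-internal"\n',  # custom format
}

if __name__ == "__main__":
    for path, entry in preflight(SAMPLE_SKILL).items():
        print(path, entry["action"], entry["secrets_redacted"])
```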

Phase 3 — Deep Skill Analysis

Analyse each uploaded skill using the thread ID from Phase 1:

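from openclaw_trent.lib.prompts import build_per_skill_analysis_prompt
from openclaw_trent.lib import trent_client

thread_id = "<THREAD_ID from Phase 1>"  # response["thread_id"] saved in Phase 1
skill_results = []  # keep every response; a single `result` variable would hold only the last one
for skill in upload_summary["skills"]:
    # Analyse skills that were uploaded now or skipped as unchanged; ignore failed ones.
    if skill["status"] in ("uploaded", "skipped"):
        prompt = build_per_skill_analysis_prompt(skill)
        result = trent_client.chat(message=prompt, thread_id=thread_id)
        skill_results.append((skill, result))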

Each request uses the Phase 1 thread ID so the advisor has full context from the configuration audit.

Present the deep analysis results alongside the Phase 1 findings.

Inspect system context separately

To view the system analysis data without running a full audit:

from openclaw_trent.lib.system_analyzer import collect_system_analysis
import json
result = collect_system_analysis()
print(json.dumps(result, indent=2))

This returns channel configuration and installed skill names. Useful for debugging or verifying what data is sent.

Present results

Format findings grouped by severity:

  • CRITICAL: Immediate action required
  • HIGH: Fix soon
  • MEDIUM: Recommended improvement
  • LOW: Minor hardening

For each finding show: the risk, where it was found, and the exact fix.

Highlight chained attack paths — where multiple settings combine to create worse outcomes.

Present recommended config changes as a diff snippet for the user to review and apply manually. Do not modify any system files directly.

When to use

  • User asks "Is my setup secure?" or "audit my config"
  • After changes to OpenClaw configuration, new plugins, or new MCP servers

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
