{
  "schemaVersion": "1.0",
  "item": {
    "slug": "audit-openclaw-security",
    "name": "Audit OpenClaw Security",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/tristanmanchester/audit-openclaw-security",
    "canonicalUrl": "https://clawhub.ai/tristanmanchester/audit-openclaw-security",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/audit-openclaw-security",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=audit-openclaw-security",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "CHANGELOG.md",
      "references/command-cheatsheet.md",
      "references/openclaw-baseline-config.md",
      "references/platform-personal-laptop.md",
      "references/openclaw-audit-checks.md",
      "references/platform-docker.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
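          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Before running any bundled script or changing configuration, list what you intend to run and wait for my approval. Tell me what you changed and call out any manual steps you could not complete."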
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Before running any bundled script or overwriting existing files, list what you intend to do and wait for my approval. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
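      "detail": "Yavira can redirect you to the upstream package for this source. The recorded probe (finalUrl, probeUrl, contentDisposition) is for slug 4claw-imageboard, not audit-openclaw-security, so it does not confirm this package's archive; check that the downloaded file is the audit-openclaw-security package.",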
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/audit-openclaw-security"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
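        "Confirm the extracted package contains the expected setup assets, including the scripts/ and assets/ files that SKILL.md references but includedAssets does not list."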
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/audit-openclaw-security",
    "agentPageUrl": "https://openagent3.xyz/skills/audit-openclaw-security/agent",
    "manifestUrl": "https://openagent3.xyz/skills/audit-openclaw-security/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/audit-openclaw-security/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
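        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Before running any bundled script or changing configuration, list what you intend to run and wait for my approval. Tell me what you changed and call out any manual steps you could not complete."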
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Before running any bundled script or overwriting existing files, list what you intend to do and wait for my approval. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "audit-openclaw-security",
        "body": "Run a defensive, permissioned security audit of an OpenClaw deployment and turn the results into a practical remediation plan.\n\nThis revision is tuned for OpenClaw 2026.3.8 and uses {baseDir} when referencing bundled scripts from commands."
      },
      {
        "title": "Guardrails",
        "body": "Only audit systems the user owns or has explicit permission to assess.\nNever ask for raw secrets. Do not request gateway tokens/passwords, model API keys, session cookies, OAuth creds, or raw credential files.\nPrefer outputs that are designed to be shareable or redacted:\n\nopenclaw status --all\nopenclaw status --deep\nopenclaw gateway probe --json\nopenclaw security audit --json\nopenclaw security audit --deep --json\n\n\nTreat the Gateway, Control UI, browser control, paired nodes, and automation surfaces as operator-level access.\nDefault to audit-only. Before any config edits, --fix operations, firewall changes, or restarts, create a backup first and get explicit user approval.\nWhen the user wants remediation, make the backup step explicit:\n\nopenclaw backup create --verify\nuse --no-include-workspace if the config is invalid but you still need state + creds\nuse --only-config if the user only wants a minimal safety copy before edits"
      },
      {
        "title": "What “good” looks like",
        "body": "Gateway is bound to loopback unless there is a deliberate, defended reason not to.\nStrong Gateway auth is enabled.\nNo accidental public exposure (LAN bind, port-forward, permissive reverse proxy, Tailscale Funnel).\nControl UI is either localhost/Serve or explicitly origin-restricted behind a trusted proxy.\nDMs require pairing or strict allowlists.\nGroups require mention gating and are not open if broad tools are enabled.\nsession.dmScope is isolated appropriately:\n\nper-channel-peer for most multi-user setups\nper-account-channel-peer when the same provider runs multiple accounts\n\n\nTooling is least privilege:\n\ntools.profile: \"messaging\" or stricter for inbox-facing agents\ndeny group:runtime, group:fs, group:automation on untrusted surfaces\ntools.fs.workspaceOnly: true\ntools.exec.security: \"deny\" or at least approval-gated\ntools.elevated.enabled: false unless there is a narrow, intentional need\n\n\nPlugins and skills are explicitly trusted, minimally writable, and not used as an easy persistence path.\nSecrets, transcripts, and logs have tight permissions and an intentional retention plan."
      },
      {
        "title": "Use the bundled files progressively",
        "body": "Only open the extra files you need for the task:\n\nreferences/command-cheatsheet.md — exact command ladders\nreferences/openclaw-audit-checks.md — current high-signal checkId glossary\nreferences/openclaw-baseline-config.md — secure baseline snippets\nreferences/platform-mac-mini.md\nreferences/platform-personal-laptop.md\nreferences/platform-docker.md\nreferences/platform-aws-ec2.md\nassets/report-template.md — report structure"
      },
      {
        "title": "Step 0 — Establish context quickly",
        "body": "Collect just enough context to choose the audit path:\n\nWhere is OpenClaw running?\n\nmacOS host / Mac mini\npersonal laptop\nDocker host\nEC2 / VPS / other cloud VM\n\n\nInstall style?\n\nnative install\nDocker / Compose\nsource checkout\n\n\nDo we have local shell access?\n\nMode A: chat-only / user runs commands\nMode B: agent can run shell commands directly"
      },
      {
        "title": "Mode A — Assisted self-audit (chat-only)",
        "body": "Ask the user to run the following on the OpenClaw host and share the outputs."
      },
      {
        "title": "Minimum audit set",
        "body": "openclaw --version\nopenclaw status --all\nopenclaw status --deep\nopenclaw gateway status\nopenclaw gateway probe --json\nopenclaw channels status --probe\nopenclaw doctor\nopenclaw security audit --json\nopenclaw security audit --deep --json"
      },
      {
        "title": "Helpful extras",
        "body": "openclaw health --json\nopenclaw backup create --dry-run --json\nopenclaw backup create --only-config --dry-run --json\nopenclaw skills list --eligible --json\nopenclaw plugins list --json"
      },
      {
        "title": "Safe targeted config reads",
        "body": "Prefer targeted reads over a full config dump:\n\nopenclaw config get gateway.bind\nopenclaw config get gateway.auth.mode\nopenclaw config get gateway.auth.allowTailscale\nopenclaw config get gateway.controlUi.allowedOrigins\nopenclaw config get gateway.trustedProxies\nopenclaw config get gateway.allowRealIpFallback\nopenclaw config get discovery.mdns.mode\nopenclaw config get session.dmScope\nopenclaw config get tools.profile\nopenclaw config get tools.fs.workspaceOnly\nopenclaw config get tools.exec.security\nopenclaw config get tools.elevated.enabled\nopenclaw config get channels.defaults.dmPolicy\nopenclaw config get channels.defaults.groupPolicy\nopenclaw config get logging.redactSensitive"
      },
      {
        "title": "DM / group follow-up checks",
        "body": "If the issue is “the bot is online but DMs or groups behave strangely”, check pairing and mention gating:\n\nopenclaw pairing list <channel>\n\nExamples of <channel> include discord, slack, signal, telegram, whatsapp, matrix, imessage, and bluebubbles."
      },
      {
        "title": "If the user must share the config",
        "body": "OpenClaw config is often JSON5-like. Redact it before sharing:\n\npython3 \"{baseDir}/scripts/redact_openclaw_config.py\" ~/.openclaw/openclaw.json > openclaw.json.redacted"
      },
      {
        "title": "Host / network snapshots",
        "body": "macOS\n\nwhoami\nsw_vers\nuname -a\nlsof -nP -iTCP -sTCP:LISTEN\n/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate\n/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode\nfdesetup status || true\n\nLinux / cloud VM\n\nwhoami\ncat /etc/os-release\nuname -a\nss -ltnp\nsudo ufw status verbose || true\nsudo nft list ruleset || true\nsudo iptables -S || true\n\nDocker / Compose\n\ndocker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Ports}}'\ndocker compose ps || true\ndocker port openclaw-gateway 18789 || true"
      },
      {
        "title": "Mode B — Automated local audit (shell access)",
        "body": "Run the bundled collector and report renderer:\n\nbash \"{baseDir}/scripts/collect_openclaw_audit.sh\" --out ./openclaw-audit\npython3 \"{baseDir}/scripts/render_report.py\" --input ./openclaw-audit --output ./openclaw-security-report.md\n\nThen review openclaw-security-report.md, refine wording where needed, and present the final report to the user."
      },
      {
        "title": "Notes on the collector",
        "body": "It is read-only by default.\nIt does not run openclaw security audit --fix.\nIt collects shareable CLI diagnostics plus basic host/network context.\nIt now captures current high-value signals such as:\n\nopenclaw status --deep\nopenclaw gateway probe --json\nopenclaw channels status --probe\ntargeted safe config get values\nbackup dry-run metadata"
      },
      {
        "title": "How to interpret the audit",
        "body": "Use OpenClaw’s own security audit output as the primary source of truth, then translate it into a clear threat narrative."
      },
      {
        "title": "Triage order",
        "body": "Prioritise in this order:\n\nAnything open + tools enabled\nLock down DMs/groups first, then tighten tool policy and sandboxing.\nPublic network exposure\nLAN bind, Funnel, missing auth, weak reverse-proxy handling.\nBrowser / node / Control UI exposure\nTreat these as operator access, not “just another feature”.\nFilesystem permissions\nState dir, config file, auth profiles, logs, and transcript locations.\nPlugin / skill supply chain\nTrust only what is intentionally installed and writable by the right user.\nModel and prompt-injection resilience\nImportant, but not a substitute for access control."
      },
      {
        "title": "Findings that are easy to miss in newer OpenClaw builds",
        "body": "Pay extra attention to these newer or high-signal check IDs:\n\ngateway.control_ui.allowed_origins_required\ngateway.control_ui.host_header_origin_fallback\ngateway.real_ip_fallback_enabled\nconfig.insecure_or_dangerous_flags\nsandbox.dangerous_network_mode\ntools.exec.host_sandbox_no_sandbox_defaults\ntools.exec.host_sandbox_no_sandbox_agents\ntools.exec.safe_bins_interpreter_unprofiled\nskills.workspace.symlink_escape\nsecurity.exposure.open_groups_with_elevated\nsecurity.exposure.open_groups_with_runtime_or_fs\nsecurity.trust_model.multi_user_heuristic\n\nUse references/openclaw-audit-checks.md and assets/openclaw_checkid_map.json to map each finding to likely config paths and remediation areas."
      },
      {
        "title": "1) Gateway exposure and auth",
        "body": "Prefer gateway.bind: \"loopback\".\nRequire token or password auth for anything beyond strictly local use.\nDo not treat gateway.remote.* values as protection for local WS access; actual protection comes from gateway.auth.*.\nIf the user needs a new shared secret, openclaw doctor --generate-gateway-token is the safe boring path."
      },
      {
        "title": "2) Reverse proxies and browser-origin policy",
        "body": "If there is a reverse proxy in front of the Gateway:\n\nconfigure gateway.trustedProxies\nkeep gateway.allowRealIpFallback: false unless there is a very specific need\nfor non-loopback Control UI use, set gateway.controlUi.allowedOrigins\ndo not enable Host-header origin fallback unless the user knowingly accepts the downgrade"
      },
      {
        "title": "3) Tailscale Serve vs Funnel",
        "body": "tailscale.mode: \"serve\" keeps the Gateway tailnet-only.\ntailscale.mode: \"funnel\" is public and should be treated as urgent/high risk.\ngateway.auth.allowTailscale can allow tokenless Control UI/WebSocket auth via Tailscale identity headers. That assumes the gateway host itself is trusted.\nIf untrusted code can run on the host, or if any reverse proxy sits in front of the gateway, disable gateway.auth.allowTailscale and require token/password or trusted-proxy auth."
      },
      {
        "title": "4) DM and group isolation",
        "body": "Use dmPolicy: \"pairing\" or allowlist for inbox-facing bots.\nFor shared or support-style inboxes, set session.dmScope: \"per-channel-peer\".\nFor multi-account channel setups, prefer per-account-channel-peer.\nAvoid groupPolicy: \"open\" unless the tool surface is extremely limited.\nRequire mentions in groups and use agents.list[].groupChat.mentionPatterns where native mentions are unreliable."
      },
      {
        "title": "5) Tool surface reduction",
        "body": "Start from the conservative baseline in references/openclaw-baseline-config.md.\n\nGood defaults for user-facing agents:\n\ntools.profile: \"messaging\"\ndeny group:automation\ndeny group:runtime\ndeny group:fs\ntools.fs.workspaceOnly: true\ntools.exec.security: \"deny\" and ask: \"always\"\ntools.exec.applyPatch.workspaceOnly: true\ntools.elevated.enabled: false"
      },
      {
        "title": "6) Node / browser / automation trust",
        "body": "Paired nodes are remote execution surfaces. Audit them like you would audit operator access.\nBrowser control is not “just viewing pages”; it is effectively remote operator capability.\ngateway / cron tools create persistence and should not be reachable from untrusted chat surfaces."
      },
      {
        "title": "7) Secrets, logs, transcripts, and writable paths",
        "body": "Audit and discuss these paths carefully without asking for raw contents:\n\n~/.openclaw/openclaw.json\n~/.openclaw/secrets.json\n~/.openclaw/agents/<agentId>/agent/auth-profiles.json\n~/.openclaw/agents/<agentId>/sessions/*.jsonl\n/tmp/openclaw/openclaw-YYYY-MM-DD.log\npairing stores under ~/.openclaw/credentials/"
      },
      {
        "title": "Platform-specific guidance",
        "body": "Load the matching playbook when the environment is clear:\n\nmacOS host / Mac mini -> references/platform-mac-mini.md\npersonal laptop -> references/platform-personal-laptop.md\nDocker / Compose -> references/platform-docker.md\nEC2 / VPS -> references/platform-aws-ec2.md"
      },
      {
        "title": "Deliverable format",
        "body": "Use assets/report-template.md or the rendered report from {baseDir}/scripts/render_report.py.\n\nThe final deliverable should include:\n\nexecutive summary\nenvironment overview\nfindings table with redacted evidence\nsequenced remediation plan\nverification commands\nresidual risk / operational practices"
      },
      {
        "title": "“openclaw: command not found”",
        "body": "Confirm the CLI is installed and on PATH.\nOn Windows, prefer WSL2 for shell-driven audit flows.\nRe-run the official install / update path, then retry openclaw --version."
      },
      {
        "title": "“Gateway won’t start — configuration invalid”",
        "body": "OpenClaw now fails closed on invalid config keys, invalid values, or invalid types. That is intentional and security-relevant.\n\nUse:\n\nopenclaw doctor\nopenclaw doctor --fix\n\nTreat openclaw doctor --fix like any other --fix operation: create a backup first and get explicit user approval before running it.\n\nEven when the config is invalid, diagnostic commands such as openclaw status, openclaw gateway status, openclaw gateway probe, and openclaw health are still useful."
      },
      {
        "title": "“Runtime: running” but “RPC probe: failed”",
        "body": "Trust the probe details, not just the supervisor status:\n\nProbe target\nListening\nLast gateway error\n\nThis often means service/config drift, auth mismatch, or a listener that is not actually reachable by the CLI."
      },
      {
        "title": "“Bot is online but DMs fail”",
        "body": "Check:\n\nopenclaw channels status --probe\nopenclaw pairing list <channel>\n\nCommon root causes:\n\npending pairing approval\ndmPolicy too strict for the expected sender\nprovider-side permission or token drift"
      },
      {
        "title": "“Groups are silent”",
        "body": "Check:\n\ngroupPolicy\nrequireMention\nmentionPatterns\naudit findings about open groups combined with runtime/fs/elevated tools"
      },
      {
        "title": "Trigger tests (skill author sanity check)",
        "body": "Should trigger:\n\n“Can you audit my OpenClaw setup for security?”\n“My OpenClaw gateway is exposed through Tailscale Serve — is that okay?”\n“Interpret my openclaw security audit --deep --json findings.”\n“I’m running OpenClaw in Docker on a VPS; help me harden it.”\n“Why is my OpenClaw Control UI complaining about origins and trusted proxies?”\n“My bot is online but DMs don’t reply; can you audit pairing and access policy?”\n\nShould not trigger:\n\ngeneric macOS hardening unrelated to OpenClaw\ngeneric Docker security unrelated to OpenClaw\ngeneral AWS or VPS hardening unrelated to OpenClaw\nunrelated software audits"
      }
    ],
    "body": "audit-openclaw-security\n\nRun a defensive, permissioned security audit of an OpenClaw deployment and turn the results into a practical remediation plan.\n\nThis revision is tuned for OpenClaw 2026.3.8 and uses {baseDir} when referencing bundled scripts from commands.\n\nGuardrails\nOnly audit systems the user owns or has explicit permission to assess.\nNever ask for raw secrets. Do not request gateway tokens/passwords, model API keys, session cookies, OAuth creds, or raw credential files.\nPrefer outputs that are designed to be shareable or redacted:\nopenclaw status --all\nopenclaw status --deep\nopenclaw gateway probe --json\nopenclaw security audit --json\nopenclaw security audit --deep --json\nTreat the Gateway, Control UI, browser control, paired nodes, and automation surfaces as operator-level access.\nDefault to audit-only. Before any config edits, --fix operations, firewall changes, or restarts, create a backup first and get explicit user approval.\nWhen the user wants remediation, make the backup step explicit:\nopenclaw backup create --verify\nuse --no-include-workspace if the config is invalid but you still need state + creds\nuse --only-config if the user only wants a minimal safety copy before edits\nWhat “good” looks like\nGateway is bound to loopback unless there is a deliberate, defended reason not to.\nStrong Gateway auth is enabled.\nNo accidental public exposure (LAN bind, port-forward, permissive reverse proxy, Tailscale Funnel).\nControl UI is either localhost/Serve or explicitly origin-restricted behind a trusted proxy.\nDMs require pairing or strict allowlists.\nGroups require mention gating and are not open if broad tools are enabled.\nsession.dmScope is isolated appropriately:\nper-channel-peer for most multi-user setups\nper-account-channel-peer when the same provider runs multiple accounts\nTooling is least privilege:\ntools.profile: \"messaging\" or stricter for inbox-facing agents\ndeny group:runtime, group:fs, 
group:automation on untrusted surfaces\ntools.fs.workspaceOnly: true\ntools.exec.security: \"deny\" or at least approval-gated\ntools.elevated.enabled: false unless there is a narrow, intentional need\nPlugins and skills are explicitly trusted, minimally writable, and not used as an easy persistence path.\nSecrets, transcripts, and logs have tight permissions and an intentional retention plan.\nUse the bundled files progressively\n\nOnly open the extra files you need for the task:\n\nreferences/command-cheatsheet.md — exact command ladders\nreferences/openclaw-audit-checks.md — current high-signal checkId glossary\nreferences/openclaw-baseline-config.md — secure baseline snippets\nreferences/platform-mac-mini.md\nreferences/platform-personal-laptop.md\nreferences/platform-docker.md\nreferences/platform-aws-ec2.md\nassets/report-template.md — report structure\nStep 0 — Establish context quickly\n\nCollect just enough context to choose the audit path:\n\nWhere is OpenClaw running?\nmacOS host / Mac mini\npersonal laptop\nDocker host\nEC2 / VPS / other cloud VM\nInstall style?\nnative install\nDocker / Compose\nsource checkout\nDo we have local shell access?\nMode A: chat-only / user runs commands\nMode B: agent can run shell commands directly\nMode A — Assisted self-audit (chat-only)\n\nAsk the user to run the following on the OpenClaw host and share the outputs.\n\nMinimum audit set\nopenclaw --version\nopenclaw status --all\nopenclaw status --deep\nopenclaw gateway status\nopenclaw gateway probe --json\nopenclaw channels status --probe\nopenclaw doctor\nopenclaw security audit --json\nopenclaw security audit --deep --json\n\nHelpful extras\nopenclaw health --json\nopenclaw backup create --dry-run --json\nopenclaw backup create --only-config --dry-run --json\nopenclaw skills list --eligible --json\nopenclaw plugins list --json\n\nSafe targeted config reads\n\nPrefer targeted reads over a full config dump:\n\nopenclaw config get gateway.bind\nopenclaw config get 
gateway.auth.mode\nopenclaw config get gateway.auth.allowTailscale\nopenclaw config get gateway.controlUi.allowedOrigins\nopenclaw config get gateway.trustedProxies\nopenclaw config get gateway.allowRealIpFallback\nopenclaw config get discovery.mdns.mode\nopenclaw config get session.dmScope\nopenclaw config get tools.profile\nopenclaw config get tools.fs.workspaceOnly\nopenclaw config get tools.exec.security\nopenclaw config get tools.elevated.enabled\nopenclaw config get channels.defaults.dmPolicy\nopenclaw config get channels.defaults.groupPolicy\nopenclaw config get logging.redactSensitive\n\nDM / group follow-up checks\n\nIf the issue is “the bot is online but DMs or groups behave strangely”, check pairing and mention gating:\n\nopenclaw pairing list <channel>\n\n\nExamples of <channel> include discord, slack, signal, telegram, whatsapp, matrix, imessage, and bluebubbles.\n\nIf the user must share the config\n\nOpenClaw config is often JSON5-like. Redact it before sharing:\n\npython3 \"{baseDir}/scripts/redact_openclaw_config.py\" ~/.openclaw/openclaw.json > openclaw.json.redacted\n\nHost / network snapshots\n\nmacOS\n\nwhoami\nsw_vers\nuname -a\nlsof -nP -iTCP -sTCP:LISTEN\n/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate\n/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode\nfdesetup status || true\n\n\nLinux / cloud VM\n\nwhoami\ncat /etc/os-release\nuname -a\nss -ltnp\nsudo ufw status verbose || true\nsudo nft list ruleset || true\nsudo iptables -S || true\n\n\nDocker / Compose\n\ndocker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Ports}}'\ndocker compose ps || true\ndocker port openclaw-gateway 18789 || true\n\nMode B — Automated local audit (shell access)\n\nRun the bundled collector and report renderer:\n\nbash \"{baseDir}/scripts/collect_openclaw_audit.sh\" --out ./openclaw-audit\npython3 \"{baseDir}/scripts/render_report.py\" --input ./openclaw-audit --output ./openclaw-security-report.md\n\n\nThen review 
openclaw-security-report.md, refine wording where needed, and present the final report to the user.\n\nNotes on the collector\nIt is read-only by default.\nIt does not run openclaw security audit --fix.\nIt collects shareable CLI diagnostics plus basic host/network context.\nIt now captures current high-value signals such as:\nopenclaw status --deep\nopenclaw gateway probe --json\nopenclaw channels status --probe\ntargeted safe config get values\nbackup dry-run metadata\nHow to interpret the audit\n\nUse OpenClaw’s own security audit output as the primary source of truth, then translate it into a clear threat narrative.\n\nTriage order\n\nPrioritise in this order:\n\nAnything open + tools enabled\nLock down DMs/groups first, then tighten tool policy and sandboxing.\nPublic network exposure\nLAN bind, Funnel, missing auth, weak reverse-proxy handling.\nBrowser / node / Control UI exposure\nTreat these as operator access, not “just another feature”.\nFilesystem permissions\nState dir, config file, auth profiles, logs, and transcript locations.\nPlugin / skill supply chain\nTrust only what is intentionally installed and writable by the right user.\nModel and prompt-injection resilience\nImportant, but not a substitute for access control.\nFindings that are easy to miss in newer OpenClaw builds\n\nPay extra attention to these newer or high-signal check IDs:\n\ngateway.control_ui.allowed_origins_required\ngateway.control_ui.host_header_origin_fallback\ngateway.real_ip_fallback_enabled\nconfig.insecure_or_dangerous_flags\nsandbox.dangerous_network_mode\ntools.exec.host_sandbox_no_sandbox_defaults\ntools.exec.host_sandbox_no_sandbox_agents\ntools.exec.safe_bins_interpreter_unprofiled\nskills.workspace.symlink_escape\nsecurity.exposure.open_groups_with_elevated\nsecurity.exposure.open_groups_with_runtime_or_fs\nsecurity.trust_model.multi_user_heuristic\n\nUse references/openclaw-audit-checks.md and assets/openclaw_checkid_map.json to map each finding to likely config paths 
and remediation areas.\n\nCore remediation patterns\n1) Gateway exposure and auth\nPrefer gateway.bind: \"loopback\".\nRequire token or password auth for anything beyond strictly local use.\nDo not treat gateway.remote.* values as protection for local WS access; actual protection comes from gateway.auth.*.\nIf the user needs a new shared secret, openclaw doctor --generate-gateway-token is the safe boring path.\n2) Reverse proxies and browser-origin policy\n\nIf there is a reverse proxy in front of the Gateway:\n\nconfigure gateway.trustedProxies\nkeep gateway.allowRealIpFallback: false unless there is a very specific need\nfor non-loopback Control UI use, set gateway.controlUi.allowedOrigins\ndo not enable Host-header origin fallback unless the user knowingly accepts the downgrade\n3) Tailscale Serve vs Funnel\ntailscale.mode: \"serve\" keeps the Gateway tailnet-only.\ntailscale.mode: \"funnel\" is public and should be treated as urgent/high risk.\ngateway.auth.allowTailscale can allow tokenless Control UI/WebSocket auth via Tailscale identity headers. 
That assumes the gateway host itself is trusted.\nIf untrusted code can run on the host, or if any reverse proxy sits in front of the gateway, disable gateway.auth.allowTailscale and require token/password or trusted-proxy auth.\n4) DM and group isolation\nUse dmPolicy: \"pairing\" or allowlist for inbox-facing bots.\nFor shared or support-style inboxes, set session.dmScope: \"per-channel-peer\".\nFor multi-account channel setups, prefer per-account-channel-peer.\nAvoid groupPolicy: \"open\" unless the tool surface is extremely limited.\nRequire mentions in groups and use agents.list[].groupChat.mentionPatterns where native mentions are unreliable.\n5) Tool surface reduction\n\nStart from the conservative baseline in references/openclaw-baseline-config.md.\n\nGood defaults for user-facing agents:\n\ntools.profile: \"messaging\"\ndeny group:automation\ndeny group:runtime\ndeny group:fs\ntools.fs.workspaceOnly: true\ntools.exec.security: \"deny\" and ask: \"always\"\ntools.exec.applyPatch.workspaceOnly: true\ntools.elevated.enabled: false\n6) Node / browser / automation trust\nPaired nodes are remote execution surfaces. 
Audit them like you would audit operator access.\nBrowser control is not “just viewing pages”; it is effectively remote operator capability.\ngateway / cron tools create persistence and should not be reachable from untrusted chat surfaces.\n7) Secrets, logs, transcripts, and writable paths\n\nAudit and discuss these paths carefully without asking for raw contents:\n\n~/.openclaw/openclaw.json\n~/.openclaw/secrets.json\n~/.openclaw/agents/<agentId>/agent/auth-profiles.json\n~/.openclaw/agents/<agentId>/sessions/*.jsonl\n/tmp/openclaw/openclaw-YYYY-MM-DD.log\npairing stores under ~/.openclaw/credentials/\nPlatform-specific guidance\n\nLoad the matching playbook when the environment is clear:\n\nmacOS host / Mac mini -> references/platform-mac-mini.md\npersonal laptop -> references/platform-personal-laptop.md\nDocker / Compose -> references/platform-docker.md\nEC2 / VPS -> references/platform-aws-ec2.md\nDeliverable format\n\nUse assets/report-template.md or the rendered report from {baseDir}/scripts/render_report.py.\n\nThe final deliverable should include:\n\nexecutive summary\nenvironment overview\nfindings table with redacted evidence\nsequenced remediation plan\nverification commands\nresidual risk / operational practices\nTroubleshooting notes\n“openclaw: command not found”\nConfirm the CLI is installed and on PATH.\nOn Windows, prefer WSL2 for shell-driven audit flows.\nRe-run the official install / update path, then retry openclaw --version.\n“Gateway won’t start — configuration invalid”\n\nOpenClaw now fails closed on invalid config keys, invalid values, or invalid types. 
That is intentional and security-relevant.\n\nUse:\n\nopenclaw doctor\nopenclaw doctor --fix\n\n\nTreat openclaw doctor --fix like any other --fix operation: create a backup first and get explicit user approval before running it.\n\nEven when the config is invalid, diagnostic commands such as openclaw status, openclaw gateway status, openclaw gateway probe, and openclaw health are still useful.\n\n“Runtime: running” but “RPC probe: failed”\n\nTrust the probe details, not just the supervisor status:\n\nProbe target\nListening\nLast gateway error\n\nThis often means service/config drift, auth mismatch, or a listener that is not actually reachable by the CLI.\n\n“Bot is online but DMs fail”\n\nCheck:\n\nopenclaw channels status --probe\nopenclaw pairing list <channel>\n\n\nCommon root causes:\n\npending pairing approval\ndmPolicy too strict for the expected sender\nprovider-side permission or token drift\n“Groups are silent”\n\nCheck:\n\ngroupPolicy\nrequireMention\nmentionPatterns\naudit findings about open groups combined with runtime/fs/elevated tools\nTrigger tests (skill author sanity check)\n\nShould trigger:\n\n“Can you audit my OpenClaw setup for security?”\n“My OpenClaw gateway is exposed through Tailscale Serve — is that okay?”\n“Interpret my openclaw security audit --deep --json findings.”\n“I’m running OpenClaw in Docker on a VPS; help me harden it.”\n“Why is my OpenClaw Control UI complaining about origins and trusted proxies?”\n“My bot is online but DMs don’t reply; can you audit pairing and access policy?”\n\nShould not trigger:\n\ngeneric macOS hardening unrelated to OpenClaw\ngeneric Docker security unrelated to OpenClaw\ngeneral AWS or VPS hardening unrelated to OpenClaw\nunrelated software audits"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/tristanmanchester/audit-openclaw-security",
    "publisherUrl": "https://clawhub.ai/tristanmanchester/audit-openclaw-security",
    "owner": "tristanmanchester",
    "version": "2.0.1",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/audit-openclaw-security",
    "downloadUrl": "https://openagent3.xyz/downloads/audit-openclaw-security",
    "agentUrl": "https://openagent3.xyz/skills/audit-openclaw-security/agent",
    "manifestUrl": "https://openagent3.xyz/skills/audit-openclaw-security/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/audit-openclaw-security/agent.md"
  }
}