OpenClaw Shield — Security Audit

Audit any OpenClaw config for security vulnerabilities, misconfigurations, and best-practice violations. Produces a structured JSON report with risk scores, findings, and remediation steps.

When to Use

• User asks to check/audit/review their OpenClaw security
• User wants to harden their config before deploying
• User is setting up a new OpenClaw instance
• User asks about secret leakage or API key exposure in their config
• Before publishing or sharing any config file

Quick Audit (live config)

node scripts/shield-audit.sh

Or directly:

node SKILL_DIR/bin/shield.js audit ~/.openclaw/openclaw.json --summary

What It Checks (11 categories)

1. Gateway Auth — missing/weak auth, insecure UI settings
2. Network Exposure — bind address, Tailscale funnel, wildcard proxies
3. Channel Security — wildcard allowFrom, missing allowlists
4. DM Policy — open DM policy without pairing
5. Subagent Permissions — wildcard allowAgents, circular delegation chains, self-delegation
6. Tool Permissions — over-privileged agents with tools.profile: "full"
7. Secret Leakage — API keys, tokens, private keys in plaintext config
8. Sandbox/Execution — missing workspace isolation, no execution policies
9. Plugin Config — enabled plugins without channel config
10. Heartbeat Exposure — sensitive data in heartbeat prompts
11. Remote Config — unencrypted WebSocket, exposed remote URLs/tokens

Usage

Audit a config file

node SKILL_DIR/bin/shield.js audit <config.json>
node SKILL_DIR/bin/shield.js audit <config.json> --summary   # human-readable

Audit from stdin

cat config.json | node SKILL_DIR/bin/shield.js audit --stdin

Sanitize a config (strip secrets)

node SKILL_DIR/bin/shield.js sanitize <config.json>

Programmatic use

const { auditConfig } = require('SKILL_DIR/src/audit');
const config = require('./openclaw.json');
const report = auditConfig(config);
console.log(report.risk_level);      // "CRITICAL" | "HIGH" | "MEDIUM" | "LOW"
console.log(report.overall_score);   // 0-100
console.log(report.vulnerabilities); // detailed findings

Output

Returns JSON with: risk_level, overall_score (0-100), vulnerabilities[], vulnerability_count, best_practices_compliance, action_recommended, safe_to_deploy, audit_timestamp.

Workflow for Agent

1. Load the user's config: cat ~/.openclaw/openclaw.json
2. Run: node SKILL_DIR/bin/shield.js audit ~/.openclaw/openclaw.json --summary
3. Present findings to user with prioritized recommendations
4. Offer to sanitize before sharing: node SKILL_DIR/bin/shield.js sanitize