Audit your OpenClaw configuration and apply security best practices automatically.
```bash
# Full security audit (read-only, no changes)
python scripts/hardener.py audit

# Audit a specific config file
python scripts/hardener.py audit --config /path/to/openclaw.json

# Audit with JSON output
python scripts/hardener.py audit -f json

# Auto-fix issues (creates backup first)
python scripts/hardener.py fix

# Fix specific issues only
python scripts/hardener.py fix --only gateway,permissions

# Scan for exposed credentials in config
python scripts/hardener.py scan-secrets

# Generate a security report
python scripts/hardener.py report -o security-report.md

# Check file permissions
python scripts/hardener.py check-perms
```
| Command | Args | Description |
|---|---|---|
| audit | [--config PATH] [-f FORMAT] | Full security audit (read-only) |
| fix | [--config PATH] [--only CHECKS] | Auto-fix issues (with backup) |
| scan-secrets | [--config PATH] | Scan for exposed API keys/tokens |
| report | [-o FILE] | Generate detailed security report |
| check-perms | [--config-dir PATH] | Check file permissions |
| Check | Severity | Description |
|---|---|---|
| gateway-bind | CRITICAL | Gateway not bound to loopback |
| exposed-keys | CRITICAL | API keys in config instead of .env |
| insecure-auth | HIGH | allowInsecureAuth or dangerouslyDisableDeviceAuth enabled |
| exec-sandbox | HIGH | exec sandbox mode not set to restricted |
| file-perms | HIGH | Config files readable by others (not 600) |
| agent-allow-all | MEDIUM | agentToAgent.allow: ["*"] is overly permissive |
| no-heartbeat | MEDIUM | No heartbeat configured (can't detect outages) |
| no-session-reset | MEDIUM | No session reset policy (memory leak risk) |
| no-pruning | LOW | No context pruning (cost and performance impact) |
| no-memory-flush | LOW | Memory flush disabled (context loss on pruning) |
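As an added illustration (not the hardener's own code), here is a minimal Python auditor that applies several of the checks above to a config dict and derives a score. The config key paths (gateway.bind, exec.sandbox, agentToAgent.allow, heartbeat, providers.*.apiKey), the key-like token pattern and the penalty weights are assumptions, not the tool's real schema or scoring.

```python
import re
# Hypothetical penalty weights (assumption, not the hardener's own scoring)
SEVERITY_PENALTY = {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 8, "LOW": 3}
# Loose pattern for opaque tokens that look like API keys (constructed)
KEY_RE = re.compile(r"^(sk-|ghp_|AKIA)[A-Za-z0-9_\-]{12,}$")

def get(cfg, path, default=None):
    """Walk a dotted path such as "gateway.bind" through nested dicts."""
    for part in path.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return default
        cfg = cfg[part]
    return cfg

def find_secret_values(node, prefix=""):
    """Collect dotted paths whose string value looks like an API key."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            hits += find_secret_values(v, f"{prefix}{k}.")
    elif isinstance(node, str) and KEY_RE.match(node):
        hits.append(prefix.rstrip("."))
    return hits

def audit(cfg):
    """Return (score, findings) with (check, severity) tuples; key paths are assumed."""
    findings = []
    if get(cfg, "gateway.bind") not in ("127.0.0.1", "localhost", "::1"):
        findings.append(("gateway-bind", "CRITICAL"))
    if find_secret_values(cfg):
        findings.append(("exposed-keys", "CRITICAL"))
    if get(cfg, "gateway.allowInsecureAuth") or get(cfg, "gateway.dangerouslyDisableDeviceAuth"):
        findings.append(("insecure-auth", "HIGH"))
    if get(cfg, "exec.sandbox") != "restricted":
        findings.append(("exec-sandbox", "HIGH"))
    if "*" in (get(cfg, "agentToAgent.allow") or []):
        findings.append(("agent-allow-all", "MEDIUM"))
    if not get(cfg, "heartbeat"):
        findings.append(("no-heartbeat", "MEDIUM"))
    score = max(0, 100 - sum(SEVERITY_PENALTY[s] for _, s in findings))
    return score, findings

# Constructed sample config containing several of the weaknesses above
SAMPLE = {
    "gateway": {"bind": "0.0.0.0", "allowInsecureAuth": False},
    "exec": {"sandbox": "unrestricted"},
    "agentToAgent": {"allow": ["*"]},
    "heartbeat": {"intervalSeconds": 60},
    "providers": {"openai": {"apiKey": "sk-CONSTRUCTED_EXAMPLE_KEY_0000"}},
}
```

Running `audit(SAMPLE)` flags the open bind, the inline key, the unrestricted sandbox and the wildcard allow list, and `find_secret_values` reports the exact path to move into `.env`.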
The audit produces a security score from 0-100:
```text
╔══════════════════════════════════════════════════════╗
║               OPENCLAW SECURITY AUDIT                ║
╠══════════════════════════════════════════════════════╣
║  Score: 75/100 (Good)                                ║
║                                                      ║
║  ✅ Gateway bound to loopback                        ║
║  ✅ No exposed API keys in config                    ║
║  ⚠️ exec sandbox mode: unrestricted                  ║
║  ⚠️ agentToAgent allow: * (too permissive)           ║
║  ❌ File permissions too open (644 → should be 600)  ║
║  ✅ Heartbeat configured                             ║
║  ✅ Session reset policy active                      ║
║  ⚠️ No context pruning configured                    ║
╚══════════════════════════════════════════════════════╝
```