OpenClaw Security Audit
A comprehensive security toolkit for OpenClaw instances. Protect your credentials, audit your configuration, and maintain best security practices.
Features
- Sensitive File Scanning - Detect .env, .key, .pem files and other sensitive artifacts
- Credential Exposure Detection - Find API keys, secrets, tokens, and passwords in config files
- Gateway Security Check - Verify gateway bind mode and authentication settings
- Credential Hardening - Automatically migrate credentials from config files to environment variables
- JSON Reports - Generate detailed audit reports for review
Installation
# Clone to your OpenClaw skills directory
cd ~/.openclaw/skills
git clone <repository> openclaw-security-audit
# Or manually copy the skill files
Usage
Security Audit
Run a comprehensive security audit:
python ~/.openclaw/skills/openclaw-security-audit/audit.py
This will:
- Scan for sensitive files
- Check for credential exposure in openclaw.json
- Verify gateway security configuration
- Generate a JSON report with findings
Credential Hardening
Migrate credentials to environment variables:
python ~/.openclaw/skills/openclaw-security-audit/harden.py
This will:
- Backup your current configuration
- Extract credentials from openclaw.json
- Create .env file with credentials
- Sanitize openclaw.json (replace with placeholders)
- Generate setup scripts for Windows/macOS/Linux
IMPORTANT: After running harden.py, you must set environment variables before OpenClaw can access credentials.
Custom Configuration
Edit config.json to customize scanning behavior:
{
"exclude_dirs": ["node_modules", ".git", "__pycache__"],
"whitelist": ["secret-input.ts"],
"sensitive_extensions": [".env", ".key", ".pem"],
"sensitive_keywords": ["password", "secret", "credentials"]
}
Security Checks
What We Check
| Check | Description | Risk Level |
|---|
| ------- | ------------- | ------------ |
| Sensitive files | .env, .key, .pem files | MEDIUM |
| Credential exposure | API keys, secrets in config | HIGH/CRITICAL |
| Gateway bind mode | 0.0.0.0 exposure | CRITICAL |
| Gateway auth | Missing authentication | HIGH |
| File permissions | Config file permissions | INFO |
Risk Levels
- CRITICAL: Immediate action required
- HIGH: Fix within 24 hours
- MEDIUM: Fix within a week
- LOW: Monitor and review
- INFO: For awareness
Best Practices
- Run audit weekly - Schedule regular security checks
- Harden immediately - Migrate credentials to env vars on first run
- Backup before hardening - Always backup configs before changes
- Secure .env files - Never commit .env to version control
- Rotate credentials - Regularly update API keys and tokens
Report Location
Audit reports are saved to:
~/.openclaw/security-tools/security_report_YYYYMMDD_HHMMSS.json
Supported Platforms
- Windows (PowerShell scripts)
- macOS (Bash scripts)
- Linux (Bash scripts)
Privacy & Safety
This tool:
- ✅ Only reads your OpenClaw configuration
- ✅ Does not transmit data externally
- ✅ Masks credential values in reports
- ✅ Creates backups before modifications
- ✅ Respects file permissions
This tool does NOT:
- ❌ Send data to external servers
- ❌ Modify system files outside ~/.openclaw
- ❌ Store or log actual credential values
- ❌ Require elevated permissions
Requirements
- Python 3.7+
- OpenClaw installed
- Read access to ~/.openclaw directory
License
MIT License - Feel free to use, modify, and distribute.
Contributing
Contributions welcome! Please ensure:
- Code follows Python PEP 8
- No hardcoded credentials or paths
- Privacy-respecting practices
- Clear documentation
Disclaimer
This tool is for security auditing your own OpenClaw instance. Always review changes before applying them. The authors are not responsible for misconfiguration or data loss.