Trent OpenClaw Security Assessment

Assess your Agent deployment against security risks using Trent.
Publisher: trent-ai-release (source: clawhub)
Category: Uncategorized · Version: v1.3.0 (2 versions) · API key: required
Stars: 10 · Downloads: 934 · Installs: 0
Tags: assessment, latest, security, threat-modeling, trent, trentai, trentclaw

Overview

Audit your OpenClaw deployment for security risks. It identifies misconfigurations and chained attack paths, and provides severity-rated findings with fixes.

Setup

All tools are bundled — no external installer needed.

Set the TRENT_API_KEY environment variable. Get a key at https://trent.ai/openclaw/

Instructions

This audit runs in three phases. Run them in order.

All Python snippets below are wrapped in a bash heredoc that sets PYTHONPATH to the skill's scripts/ directory. OpenClaw substitutes {baseDir} with the skill's install path before the snippet runs, so openclaw_trent is importable regardless of the current working directory. Run each block exactly as shown.

Phase 1 — Configuration Audit

Collect metadata and send to Trent for analysis:

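cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
import json
from openclaw_trent.openclaw_config.collector import collect_openclaw_metadata
from openclaw_trent.lib.audit_prompt import build_audit_prompt
from openclaw_trent.lib import trent_client

# Collect local OpenClaw metadata, build the audit prompt, send it to Trent.
metadata = collect_openclaw_metadata()
message = build_audit_prompt(metadata)
response = trent_client.chat(message=message)
# Print the reply so the findings and response["thread_id"] outlive this interpreter.
print(json.dumps(response, indent=2, default=str))
PY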

Save response["thread_id"] for Phase 3.

Present findings grouped by severity (see "Present results" below).

Summarize: "Phase 1 complete. N findings from configuration analysis. Phase 2 will scan your skills for deeper analysis — I'll show you exactly what would be uploaded before anything is sent. Ready to continue?"

Optional: specify a custom config path. Same wrapper as the main Phase 1 block; replace the metadata = … line with:

from pathlib import Path
metadata = collect_openclaw_metadata(openclaw_path=Path("/path/to/openclaw/config"))

Phase 2 — Skill Upload

Scan the workspace first (nothing is uploaded yet):

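cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
import json
from openclaw_trent.lib.package_skills import scan_workspace

# Local scan only; print the result so it can be shown to the user.
skills = scan_workspace()
print(json.dumps(skills, indent=2, default=str))
PY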

Present what was found and how it will be protected. Example:

> I found N skills in your workspace:
>
> | Skill | Type | Size |
> |---|---|---|
> | skill-name | installed-skill | 12KB |
>
> Before upload, each skill is packaged with its source code and metadata
> (name, version, dependencies). Files like .env, .pem, .key, and .db are
> excluded, and secrets in standard formats (API keys, tokens, AWS credentials,
> connection strings) are automatically redacted locally. If you use custom
> secret formats, keep them in environment variables rather than hard-coded
> in skill files.
>
> Ready to upload?

Use the secrets_redacted field: if any skills had secrets redacted, mention which ones in the table or below it.

Wait for the user to confirm before uploading.
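
A local pre-upload check in the spirit of the consent message above, added here as an example and not Trent's packaging or redaction code: it lists files whose names end in the excluded suffixes and flags hard-coded assignments in a custom format that a standard-format redactor could miss. The function names, the regex heuristic and the sample directory are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Suffixes the consent message lists as excluded from packaging.
EXCLUDED_SUFFIXES = (".env", ".pem", ".key", ".db")
# Assumed heuristic: a secret-looking name assigned a quoted literal.
HARDCODED = re.compile(
    r"""(?i)\b(\w*(?:secret|token|passw(?:or)?d|api_?key)\w*)\s*[:=]\s*["']([^"']{8,})["']"""
)

def review_skill_dir(root):
    """Return (excluded_files, suspect_lines) for one skill directory."""
    excluded, suspects = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Path(".env").suffix is "", so compare against the whole file name.
        if path.name.lower().endswith(EXCLUDED_SUFFIXES):
            excluded.append(rel)
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file: nothing to match
        for lineno, line in enumerate(text.splitlines(), 1):
            match = HARDCODED.search(line)
            if match:
                # Record the variable name only, never the value itself.
                suspects.append((rel, lineno, match.group(1)))
    return excluded, suspects

def demo():
    """Review a constructed skill directory (sample data, not a real skill)."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "example-skill"
        (skill / "certs").mkdir(parents=True)
        (skill / ".env").write_text("TRENT_API_KEY=constructed-value\n")
        (skill / "certs" / "dev.pem").write_text("constructed\n")
        (skill / "main.py").write_text(
            'import os\nkey = os.environ["TRENT_API_KEY"]\n'
            'INTERNAL_TOKEN = "corp:v2:constructed-example"\n'
        )
        return review_skill_dir(skill)

if __name__ == "__main__":
    print(demo())
```

Reading the key from the environment in main.py is not flagged; only the literal assigned to INTERNAL_TOKEN is, which is the case the consent message asks users to move into environment variables.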

After user confirms, upload:

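cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
import json
from openclaw_trent.lib.package_skills import scan_workspace
from openclaw_trent.lib.upload_skills import upload_packaged_skills

# Each heredoc starts a new interpreter, so the earlier scan result is gone; scan again.
skills = scan_workspace()
upload_summary = upload_packaged_skills(skills)
print(json.dumps(upload_summary, indent=2, default=str))
PY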

Present the upload summary:

  • How many skills were uploaded, skipped (unchanged), failed, or too large
  • List each skill by name and status

If all uploads failed, report the errors and stop. Otherwise proceed.

Summarize: "Phase 2 complete. N skills uploaded. Proceeding to deep skill analysis..."

Phase 3 — Deep Skill Analysis

Analyse each uploaded skill using the thread ID from Phase 1:

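cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
import json
from openclaw_trent.lib.package_skills import scan_workspace
from openclaw_trent.lib.prompts import build_per_skill_analysis_prompt
from openclaw_trent.lib.upload_skills import upload_packaged_skills
from openclaw_trent.lib import trent_client

thread_id = "<THREAD_ID from Phase 1>"
# New interpreter: rebuild upload_summary; unchanged skills come back as "skipped".
upload_summary = upload_packaged_skills(scan_workspace())
for skill in upload_summary["skills"]:
    if skill["status"] in ("uploaded", "skipped"):
        prompt = build_per_skill_analysis_prompt(skill)
        result = trent_client.chat(message=prompt, thread_id=thread_id)
        print(json.dumps(result, indent=2, default=str))
PY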

Each request uses the Phase 1 thread ID so the advisor has full context from the configuration audit.

Present the deep analysis results alongside the Phase 1 findings.

Inspect system context separately

To view the system analysis data without running a full audit:

cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
import json
from openclaw_trent.lib.system_analyzer import collect_system_analysis
result = collect_system_analysis()
print(json.dumps(result, indent=2))
PY

This returns channel configuration and installed skill names.

Useful for debugging or verifying what data is sent.

Present results

Format findings grouped by severity:

  • CRITICAL: Immediate action required
  • HIGH: Fix soon
  • MEDIUM: Recommended improvement
  • LOW: Minor hardening

For each finding show: the risk, where it was found, and the exact fix.

Highlight chained attack paths — where multiple settings combine to create worse outcomes.

Present recommended config changes as a diff snippet for the user to review and apply manually. Do not modify any system files directly.

When to use

  • User asks "Is my setup secure?" or "audit my config"
  • After changes to OpenClaw configuration, new plugins, or new MCP servers

Version history

2 versions in total

  • v1.3.0 (current)
    2026-05-21 12:30 · Safe · Safe
  • v1.2.0
    2026-05-01 07:20 · Safe · Safe

Security scan

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
