extension
Category: Security & Compliance. No API Key required.

OpenClaw Security Audit

⚠️ High-privilege security audit skill. Performs a comprehensive security audit of an OpenClaw deployment; requires system-level access to carry out legitimate security checks.

Author: iaadoahubclawhub


Comprehensive security auditing for OpenClaw deployments. This skill performs automated security checks and generates reports.

⚠️ Security Notice: This skill requires elevated system access for legitimate security auditing purposes. See SECURITY.md for detailed security declarations and data handling policies.

Quick Start

Run the security audit script:

python3 scripts/openclaw_security_audit.py

This generates:

  • Brief summary printed to stdout
  • Detailed report saved to /tmp/openclaw-security-reports/report-{DATE}.txt

What It Checks

| Check | Description |
|-------|-------------|
| Environment Isolation | Detects Docker/container/VM environments |
| Privilege Check | Verifies OpenClaw isn't running as root |
| Port Exposure | Checks if Gateway port 18789 is exposed |
| Skill Trust | Lists installed skills and their sources |
| Version Check | Compares current vs latest OpenClaw version |
| Process & Network | Captures listening ports and top processes |
| Sensitive Directories | Counts file changes in /etc, ~/.ssh, etc. |
| System Cron | Lists system timers and cron jobs |
| OpenClaw Cron | Retrieves internal OpenClaw scheduled tasks |
| SSH Audit | Recent logins and failed SSH attempts |
| File Integrity | SHA256 hash and permission checks |
| Yellow Line Audit | Compares sudo logs with memory records |
| Disk Usage | Root partition usage and large files |
| Environment Variables | Scans Gateway process for sensitive vars |
| DLP Scan | Detects plaintext private keys/mnemonics (read-only) |
| Skill/MCP Integrity | Tracks file hash changes over time |
| Disaster Recovery | Auto-commits OpenClaw state to Git (opt-in) |
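To make two of the checks in the table concrete, here is an added example (written for this page, not the skill's own script) that implements the Port Exposure and DLP Scan checks over constructed sample input and renders the result in the brief format the report uses. The `ss -ltnH` output and the workspace files are constructed inline; `GATEWAY_PORT`, the `Finding` class, the regexes and the helper names are this example's own choices, and the mnemonic pattern is a coarse heuristic rather than a BIP39 wordlist check.

```python
"""Added example: Port Exposure + DLP Scan checks rendered as a security brief.
Not the skill's own code; names and sample data below are assumptions."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

GATEWAY_PORT = 18789  # Gateway port named in the check table


@dataclass
class Finding:
    status: str  # "OK" or "WARNING"
    name: str
    detail: str

    def line(self) -> str:
        return f"[{self.status}] {self.name}: {self.detail}"


# --- Port Exposure ----------------------------------------------------------
# Constructed `ss -ltnH` output (no header line). Columns:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
SS_SAMPLE = """\
LISTEN 0 4096 0.0.0.0:18789 0.0.0.0:* users:(("openclaw",pid=4242,fd=7))
LISTEN 0 128  127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511  [::]:22        [::]:*
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}


def live_ss_output() -> str:
    """Read the real socket table; only used when run on a host, never in tests."""
    return subprocess.run(["ss", "-ltnH"], capture_output=True, text=True, check=True).stdout


def parse_listening(ss_output: str) -> list[tuple[str, int]]:
    """Return (bind_address, port) for every LISTEN row."""
    found = []
    for row in ss_output.splitlines():
        cols = row.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        found.append((addr, int(port)))
    return found


def check_port_exposure(ss_output: str, port: int = GATEWAY_PORT) -> Finding:
    binds = [addr for addr, p in parse_listening(ss_output) if p == port]
    if not binds:
        return Finding("OK", "Port Exposure", f"Port {port} is not listening")
    if any(addr in WILDCARD_BINDS for addr in binds):
        return Finding("WARNING", "Port Exposure",
                       f"Port {port} listening on all interfaces, recommend binding to 127.0.0.1")
    return Finding("OK", "Port Exposure", f"Port {port} bound to {', '.join(binds)}")


# --- DLP Scan (read-only) ---------------------------------------------------
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")  # PEM/OpenSSH headers
# Heuristic: twelve consecutive lowercase words of 3-8 letters. A real check should
# validate against the BIP39 wordlist and checksum; this only flags candidates.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8} ){11}[a-z]{3,8}\b")

# Constructed workspace files: one clean, one leaked key, one seed phrase.
SAMPLE_FILES = {
    "workspace/notes.md": "Meeting notes: rotate the gateway token next week.",
    "workspace/.env.bak": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNz...\n-----END OPENSSH PRIVATE KEY-----",
    "workspace/wallet.txt": "abandon abandon abandon abandon abandon abandon "
                            "abandon abandon abandon abandon abandon about",
}


def dlp_scan(files: dict[str, str]) -> Finding:
    """files maps path -> content. Reports paths and kinds only, never the secret itself."""
    hits = []
    for path, text in files.items():
        if PRIVATE_KEY_RE.search(text):
            hits.append(f"{path} (private key)")
        elif MNEMONIC_RE.search(text):
            hits.append(f"{path} (possible mnemonic)")
    if hits:
        return Finding("WARNING", "DLP Scan", "plaintext secrets in: " + ", ".join(hits))
    return Finding("OK", "DLP Scan", "no plaintext private keys or mnemonics found")


# --- Brief output -----------------------------------------------------------
def render_brief(date: str, findings: list[Finding]) -> str:
    lines = [f"OpenClaw Daily Security Brief ({date})", ""] + [f.line() for f in findings]
    warnings = [f for f in findings if f.status == "WARNING"]
    if warnings:
        lines += ["", "Warning Items:"] + [f.line() for f in warnings]
    return "\n".join(lines)


def run_sample() -> list[Finding]:
    """Run both checks over the constructed sample data."""
    return [check_port_exposure(SS_SAMPLE), dlp_scan(SAMPLE_FILES)]


if __name__ == "__main__":
    print(render_brief("2026-03-11", run_sample()))
```

On the sample data the port check raises the same warning the brief below shows, and the DLP check reports the two offending paths without echoing the key or the seed phrase, which is the property you want from any scanner whose report lands in a shared location such as /tmp.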

Security & Privacy

Data Handling

  • All scans are local-only - No data leaves your machine
  • Read-only operations - No system modifications (except opt-in features)
  • Opt-in external features - Git backup and Telegram notifications are disabled by default

Sensitive Operations

See SECURITY.md for detailed explanations of:

  • DLP scanning (private key/mnemonic detection)
  • Environment variable auditing
  • Git disaster recovery

Required Permissions

This skill requires system access for:

  • Running system commands (ss, top, systemctl, etc.)
  • Reading OpenClaw configuration files
  • Inspecting Gateway process environment
  • Scanning workspace files for credential leaks

Output Format

Brief Format (stdout)

OpenClaw Daily Security Brief (2026-03-11)

[OK] Environment Isolation: Running in isolated environment
[OK] Privilege Check: Complies with least privilege principle
[WARNING] Port Exposure: Port 18789 listening on all interfaces, recommend binding to 127.0.0.1
...

Warning Items:
[WARNING] Port Exposure: Port 18789 listening on all interfaces, recommend binding to 127.0.0.1

Detailed Report

Full report saved to /tmp/openclaw-security-reports/report-{DATE}.txt

Configuration

Optional Features (Disabled by Default)

To enable external operations, set the following environment variables:

Git Disaster Recovery

export SECURITY_AUDIT_ENABLE_GIT=1

Enables automatic Git commit and push of OpenClaw state to your configured remote. Because that state includes configuration and workspace files, use a private remote and resolve any DLP Scan warnings before turning this on.

Telegram Notifications

export SECURITY_AUDIT_ENABLE_TELEGRAM=1
export TELEGRAM_BOT_TOKEN="your-bot-token"
export TELEGRAM_CHAT_ID="your-chat-id"

Sends audit summary to Telegram after each run.

Scheduling

To run daily via OpenClaw cron:

openclaw cron add --name "daily-security-audit" --schedule "0 9 * * *" --command "python3 ~/.openclaw/workspace/skills/openclaw-security/scripts/openclaw_security_audit.py"

Version History

| Version | Date | Changes |
|---------|------|---------|
| 1.0.2 | 2026-03-16 | Made Git backup and Telegram opt-in features (disabled by default) |
| 1.0.1 | 2026-03-16 | Added SECURITY.md, enhanced documentation |
| 1.0.0 | 2026-03-13 | Initial release |