openclaw-audit

A deployment auditing utility focused on practical OpenClaw security posture checks.

Why this project

• Impact: Surfaces critical misconfiguration and exposure issues before they become incidents.
• Scale: Supports host-by-host auditing and pipeline integration through JSON output.
• Use case: Security baselining for OpenClaw deployments in production and lab environments.

Demo media

• Screenshot:

Capability snapshot

• Version and CVE exposure checks
• Secret handling quality checks (weak vs strong plaintext detection)
• Gateway and Control UI policy checks (bind, allowedOrigins, trustedProxies)
• Filesystem permissions audit for OpenClaw paths and config
• Skill permission heatmap and policy-focused findings
• Regression snapshot baseline and delta detection between runs
• Structured findings with severity, confidence, data_source, remediation, rollback, and impact

Project overview

openclaw-audit is a lightweight host-side auditing tool for engineering teams running OpenClaw in production or lab environments. It focuses on high-value checks that map directly to known operational risks and selected CVEs.

The project follows a barbell strategy.

• The core script is intentionally simple, deterministic, and dependency-light.
• The threat model and remediation guidance are detailed, explicit, and suitable for governance and security review.

Scope of checks

The current audit.py release evaluates:

1. Version exposure check
   • Flags OpenClaw versions below 2026.1.29 as vulnerable to CVE-2026-25253.
2. Secret handling check
   • Scans discovered OpenClaw config files (~/.openclaw/config.json, ~/.openclaw/openclaw.json, and root equivalents) for likely plaintext API keys and secrets.
3. Gateway and Control UI policy checks
   • Detects risky bind settings such as 0.0.0.0.
   • Validates gateway.controlUi.allowedOrigins and flags wildcard trust.
   • Validates gateway.trustedProxies configuration posture.
4. Environment and permissions check
   • Evaluates ~/.openclaw directory and key OpenClaw paths (logs, sessions, config file) for restrictive permissions.
5. Feishu extension check
   • Detects Feishu extension indicators linked to CVE-2026-26321 review requirements.
6. Skill permission heatmap
   • Performs static analysis of installed OpenClaw skills under ~/.openclaw/skills/ and categorises risk indicators.

Architecture

flowchart TD
    A[audit.py] --> B[Version probe via openclaw --version]
    A --> C[Config discovery and parser]
    C --> D[Secret pattern scan]
    C --> E[Gateway bind assessment]
    A --> P[Directory permission check ~/.openclaw mode]
    C --> F[Plugin and Feishu checks]
    A --> S[Skill Permission Heatmap analysis]
    S --> T[Skill risk table: critical or moderate or low]
    A --> G[Terminal output mode]
    A --> J[JSON output mode]
    G --> H[Critical, warning, pass summary]
    J --> K[Structured findings + summary + exit code]

Loading

Skill Permission Heatmap

The auditor now includes a Skill Permission Heatmap for agent skill manifests.

It inspects SKILL.md files under ~/.openclaw/skills/ and performs static keyword analysis to identify risky capability patterns before runtime. This helps reduce supply-chain risk and lowers the chance of Agentic Cascade Failures caused by unsafe skill composition.

Risk categorisation:

• 🔴 CRITICAL: sudo, exec: true, chmod, base64, /bin/bash, ssh-add
• 🟡 MODERATE: curl, wget, http, api_key, token, requests
• 🟢 LOW: no matching high-risk indicators

Sample output:

Skill Name	Risk Level	Indicators Found
infra-deploy	CRITICAL	sudo, /bin/bash, chmod
threat-feed-sync	MODERATE	curl, token
weather-helper	LOW	none

This feature is intended to support Agentic Posture Management by making privilege and execution intent visible during audit time.

Threat model

Assets

• OpenClaw control plane exposure posture
• API credentials and secrets in local configuration
• Plugin and extension trust boundary
• Version hygiene and vulnerability exposure

Adversaries

• External attackers scanning public control interfaces
• Opportunistic actors abusing exposed API keys
• Supply chain or plugin abuse paths
• Internal misuse due to insecure defaults and poor segregation

Trust boundaries

• Local host to OpenClaw gateway
• Configuration file to runtime process
• Plugin ecosystem to core agent execution
• Human operators to automation pipelines

Primary attack paths

1. Public gateway binding exposes control endpoints.
2. Plaintext keys are exfiltrated from local config.
3. Outdated versions remain unpatched against known CVEs.
4. Risky or unreviewed extensions increase attack surface.

Security assumptions

• Audit runs with local read access to user OpenClaw config.
• Findings are advisory and should be paired with change control.
• CVE mapping is point-in-time and must be maintained over time.

Installation

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Usage

# Default coloured terminal output
python3 audit.py

# Force a specific config path
python3 audit.py --config /root/.openclaw/openclaw.json

# JSON output for CI, pipelines, and automation
python3 audit.py --output json

# Markdown output for sharing in tickets, PRs, or chat
python3 audit.py --output markdown

# Store and compare against a specific baseline snapshot
python3 audit.py --baseline ~/.openclaw/audit-baseline.json

Identity and memory file integrity baseline

To enable tamper checks for AGENTS.md, SOUL.md, and MEMORY.md, generate the baseline hash file once from a known-good state:

./scripts/generate-identity-integrity-baseline.sh

This writes:

• ~/.openclaw/identity-integrity.json

After generating it, run the audit normally and it will report:

• PASS when file hashes match baseline
• WARN when baseline entries are missing
• CRITICAL when file content has changed unexpectedly

Output formats:

• --output terminal (default): colourised severity-first terminal report
• --output json: structured machine-readable output
• --output markdown: shareable report format with findings and remediation sections
• --json: legacy alias for --output json

JSON output includes:

• timestamp
• config_path_used
• config_paths_attempted
• findings
• summary
• exit_code

Exit code behaviour:

• 0: no critical findings
• 1: one or more critical findings

Remediation matrix

Finding	Risk level	Fix
OpenClaw version below 2026.1.29	Critical	Upgrade OpenClaw to a patched release and validate runtime version post-deploy
Potential plaintext API keys in config	Critical	Move secrets to environment or secret manager, rotate exposed keys, remove plaintext values
Gateway bound to 0.0.0.0	Critical	Bind to loopback (127.0.0.1 or loopback) and expose only through controlled proxy or private network
~/.openclaw permissions not 700	Warning/Critical	Restrict directory permissions to owner-only with chmod 700 ~/.openclaw and verify ownership
Feishu extension detected	Warning/Critical	Disable or remove Feishu integration unless explicitly required and patched; review extension source and access scope

Engineering notes

• No heavy third-party libraries are required.
• Script is designed for predictable behaviour in CI and server shells.
• Extend checks by adding pure functions that return structured findings.

Quick Demo

# 1) Run a core check
# 2) Request JSON output
# 3) Pipe into jq for analyst workflows

Licence

Apache 2.0