← Back to Skills Marketplace
1924
Downloads
1
Stars
15
Active Installs
1
Versions
Install in OpenClaw
/install oc-security-hardener
Description
Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permiss...
README (SKILL.md)
Security Hardener
Audit your OpenClaw configuration and apply security best practices automatically.
Quick Start
# Full security audit (read-only, no changes)
python scripts/hardener.py audit
# Audit a specific config file
python scripts/hardener.py audit --config /path/to/openclaw.json
# Audit with JSON output
python scripts/hardener.py audit -f json
# Auto-fix issues (creates backup first)
python scripts/hardener.py fix
# Fix specific issues only
python scripts/hardener.py fix --only gateway,permissions
# Scan for exposed credentials in config
python scripts/hardener.py scan-secrets
# Generate a security report
python scripts/hardener.py report -o security-report.md
# Check file permissions
python scripts/hardener.py check-perms
Commands
| Command | Args | Description |
|---|---|---|
audit |
[--config PATH] [-f FORMAT] |
Full security audit (read-only) |
fix |
[--config PATH] [--only CHECKS] |
Auto-fix issues (with backup) |
scan-secrets |
[--config PATH] |
Scan for exposed API keys/tokens |
report |
[-o FILE] |
Generate detailed security report |
check-perms |
[--config-dir PATH] |
Check file permissions |
Security Checks
| Check | Severity | Description |
|---|---|---|
gateway-bind |
CRITICAL | Gateway not bound to loopback |
exposed-keys |
CRITICAL | API keys in config instead of .env |
insecure-auth |
HIGH | allowInsecureAuth or dangerouslyDisableDeviceAuth enabled |
exec-sandbox |
HIGH | exec sandbox mode not set to restricted |
file-perms |
HIGH | Config files readable by others (not 600) |
agent-allow-all |
MEDIUM | agentToAgent.allow: ["*"] is overly permissive |
no-heartbeat |
MEDIUM | No heartbeat configured (can't detect outages) |
no-session-reset |
MEDIUM | No session reset policy (memory leak risk) |
no-pruning |
LOW | No context pruning (cost and performance impact) |
no-memory-flush |
LOW | Memory flush disabled (context loss on pruning) |
Scoring
The audit produces a security score from 0-100:
- 90-100: Excellent — production-ready
- 70-89: Good — minor improvements recommended
- 50-69: Fair — several issues to address
- 0-49: Poor — critical issues require immediate attention
Example Output
╔══════════════════════════════════════════════════╗
║ OPENCLAW SECURITY AUDIT ║
╠══════════════════════════════════════════════════╣
║ Score: 75/100 (Good) ║
║ ║
║ ✅ Gateway bound to loopback ║
║ ✅ No exposed API keys in config ║
║ ⚠️ exec sandbox mode: unrestricted ║
║ ⚠️ agentToAgent allow: * (too permissive) ║
║ ❌ File permissions too open (644 → should be 600) ║
║ ✅ Heartbeat configured ║
║ ✅ Session reset policy active ║
║ ⚠️ No context pruning configured ║
╚══════════════════════════════════════════════════╝
Usage Guidance
This tool appears coherent and local-only, but be cautious before running automatic fixes: 1) Run an initial 'audit' (read-only) and/or 'audit -f json' to review findings. 2) Inspect the generated report and any suggested fixes; consider backing up your config manually even if the script claims to create backups. 3) If you run 'fix', review the script or the backup to confirm changes are safe. 4) Note the secret scanner may produce false positives; verify any 'exposed keys' before rotating credentials. 5) Because the tool suggests moving keys to ~/.openclaw/.env, ensure that file is created and restricted (chmod 600). If you want extra assurance, run the script in a controlled environment or inspect scripts/hardener.py in full before invoking write operations.
Capability Analysis
Type: OpenClaw Skill
Name: oc-security-hardener
Version: 1.0.0
The OpenClaw AgentSkills bundle 'oc-security-hardener' is designed for auditing and hardening OpenClaw configurations. The `SKILL.md` and `README.md` clearly describe its purpose, which aligns with the Python script's functionality. The `scripts/hardener.py` script identifies exposed API keys (masking them in output, not exfiltrating), checks and fixes file permissions (using `os.chmod` on specified config files), and modifies `openclaw.json` to apply security best practices, always creating a backup first. There is no evidence of data exfiltration, unauthorized remote execution, persistence mechanisms, or prompt injection attempts against the agent. All actions are transparent, documented, and intended for security improvement.
Capability Assessment
Purpose & Capability
Name/description match the implementation: the tool inspects OpenClaw config files, checks gateway/auth/exec/agent settings, scans for API-key patterns, and checks file permissions. No unrelated binaries, installs, or external services are required.
Instruction Scope
SKILL.md and the script restrict operations to local config files (default ~/.openclaw/openclaw.json or a supplied path) and config directory permissions. The 'fix' command (per README/SKILL.md) will modify local config files (it claims to create backups first) — this is expected for a hardener but users should review fixes before applying them.
Install Mechanism
No install spec or external downloads — the skill is instruction-only with a bundled Python script. This minimizes supply-chain risk.
Credentials
No environment variables or credentials are requested. The script scans for many common API-key formats (Anthropic, OpenAI, Google, GitHub, Slack, etc.), which is appropriate for a secret scanner targeting OpenClaw configs.
Persistence & Privilege
always is false; the skill does not request persistent/platform-wide privileges. It operates locally and only modifies files when the user runs 'fix'. Autonomous invocation is permitted by default for skills but is not combined with other red flags here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install oc-security-hardener - After installation, invoke the skill by name or use
/oc-security-hardener - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of security-hardener for OpenClaw.
- Scans openclaw.json for vulnerabilities, exposed credentials, insecure settings, and missing best practices.
- Provides audit, auto-fix, secret scanning, and security report generation commands.
- Checks file permissions and outputs a security score with summary and detailed findings.
- Supports customizable checks and outputs in multiple formats.
Metadata
Frequently Asked Questions
What is Security Hardener?
Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permiss... It is an AI Agent Skill for Claude Code / OpenClaw, with 1924 downloads so far.
How do I install Security Hardener?
Run "/install oc-security-hardener" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Security Hardener free?
Yes, Security Hardener is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Security Hardener support?
Security Hardener is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Security Hardener?
It is built and maintained by mariusfit (@mariusfit); the current version is v1.0.0.
More Skills