
Openclaw Audit

by shawnpetros · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ✓ Security Clean
175 Downloads · 0 Stars · 0 Active Installs · 4 Versions
Install in OpenClaw
/install openclaw-audit
Description
Audit your OpenClaw configuration against 12 production primitives PLUS 8 common setup footguns (silent cost leaks, prompt-injection paths, zombie session st...
Usage Guidance
This skill appears to do what it claims: read your local OpenClaw configuration, run local OpenClaw CLI checks, and report problems (including detecting inlined API keys). Before installing or running it:
  1. Ensure the agent has access only to the machine you intend; the audit reads files under ~/.openclaw and may output detected secret-like strings.
  2. Confirm the openclaw CLI is available locally; the SKILL.md uses it, but the skill metadata does not declare it.
  3. Review findings before sharing them externally, since they may contain sensitive configuration or example keys.
  4. For extra safety, run the checks yourself locally (the SKILL.md is self-contained) or ask the skill to redact secret values in its report.
Overall the skill is internally consistent for its stated purpose, but be mindful of sensitive data exposure in its output.
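If you prefer to run the check yourself rather than let an agent read ~/.openclaw, the script below is an added example of the core audit step, not the skill's own code: it walks the .json files of a config directory, reports secrets.json by path only without opening it, flags inlined credential-looking values, skips values that are references to an external secret (an environment variable or a store URI), and redacts every flagged value down to a short prefix and its length so the report itself cannot leak a key. The file names openclaw.json and secrets.json come from the listing; the key-name and value-shape heuristics, the reference syntaxes and the sample config are assumptions constructed for the example.

```python
"""Offline scan of an OpenClaw-style config directory for inlined secrets.

Added example; this is not the openclaw-audit skill's own code. It assumes only
the layout the listing mentions (openclaw.json and secrets.json under a config
directory). secrets.json is reported by path only and never opened; every other
.json file is walked and any secret-looking value is reported redacted.
"""
import json
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions, not the skill's rules): key names that normally hold
# credentials, token-like value shapes, and value shapes that are references to
# an external secret (env var or store URI) rather than an inlined secret.
SECRET_KEY_RE = re.compile(r"(api[_-]?key|secret|token|password|passwd)", re.I)
SECRET_VALUE_RE = re.compile(r"^(sk-|ghp_|xox[abp]-|AKIA)[A-Za-z0-9_\-]{8,}$|^[A-Za-z0-9_\-]{32,}$")
SECRET_REF_RE = re.compile(r"^\$\{?[A-Z0-9_]+\}?$|^(env|file|vault)://", re.I)


def redact(value: str) -> str:
    """Keep a short, non-secret prefix and the length so a user can recognise
    which key was flagged without the report leaking the value."""
    return f"{value[:4]}...({len(value)} chars)"


def walk(obj, path=()):
    """Yield (json_path, leaf_value) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, path + (str(key),))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk(val, path + (f"[{idx}]",))
    else:
        yield path, obj


def scan_config(text: str, filename: str) -> list:
    """Return redacted findings for inlined secrets in one JSON config file."""
    findings = []
    for path, value in walk(json.loads(text)):
        if not isinstance(value, str) or not value:
            continue
        if SECRET_REF_RE.match(value):
            continue  # SecretRef-style indirection, which is what an audit wants to see
        key = path[-1] if path else ""
        if SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.match(value):
            findings.append({"file": filename, "key": ".".join(path), "value": redact(value)})
    return findings


def audit_dir(config_dir) -> dict:
    """Audit every .json file under config_dir; secrets.json is path-only."""
    config_dir = Path(config_dir)
    secrets = config_dir / "secrets.json"
    report = {"secrets_file": str(secrets) if secrets.exists() else None, "inlined": []}
    for f in sorted(config_dir.rglob("*.json")):
        if f == secrets:
            continue  # never read the secret store itself
        rel = str(f.relative_to(config_dir))
        try:
            report["inlined"].extend(scan_config(f.read_text(), rel))
        except json.JSONDecodeError as exc:
            report["inlined"].append({"file": rel, "key": None, "value": f"unparseable JSON: {exc.msg}"})
    return report


# Constructed sample tree: one inlined API key, one Slack bot token, one proper env reference.
SAMPLE_FILES = {
    "openclaw.json": json.dumps({
        "model": "claude-sonnet",
        "providers": {
            "anthropic": {"api_key": "sk-ant-EXAMPLE0123456789abcdef"},
            "openai": {"api_key": "${OPENAI_API_KEY}"},
        },
        "channels": {"slack": {"bot_token": "xoxb-000000-EXAMPLEEXAMPLE"}},
        "workspace": "/home/me/.openclaw/workspace",
    }),
    "secrets.json": json.dumps({"anthropic": "sk-ant-EXAMPLE-NEVER-READ"}),
}


def demo() -> dict:
    """Write the sample tree to a temp dir, audit it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_FILES.items():
            Path(tmp, name).write_text(text)
        return audit_dir(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it against the sample reports two inlined values (providers.anthropic.api_key and channels.slack.bot_token), leaves the ${OPENAI_API_KEY} reference alone, and names secrets.json without reading it. Point audit_dir at your real ~/.openclaw to repeat the check; the redaction deliberately keeps only the first four characters (a vendor prefix, never key material), which is what you should also demand of the skill's report before pasting it anywhere.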
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-audit
Version: 1.2.0
The 'openclaw-audit' skill bundle is a configuration auditing tool designed to identify security risks and performance bottlenecks in an OpenClaw environment. It instructs the agent to inspect local configuration files (e.g., openclaw.json, secrets.json) and system status to detect issues like inlined API keys, zombie session states, and potential data leaks in Slack integrations. The instructions in SKILL.md include explicit security safeguards, such as directing the agent to check secret paths without reading their values, and the logic is entirely consistent with its stated purpose of improving system health.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The skill's name/description align with the actions in SKILL.md (reading OpenClaw config, scanning for leaks, checking sessions and plugin/channel status). One mismatch: the runtime instructions call the openclaw CLI (e.g., `openclaw status`) but the registry metadata does not declare any required binaries. Declaring the openclaw CLI as a required binary would be expected.
Instruction Scope
The SKILL.md explicitly instructs reading many local files under ~/.openclaw (openclaw.json, cron jobs, workspace files, session files) and running local CLI audit commands. This is appropriate for a config auditor, but it will necessarily inspect potentially sensitive configuration (including any inlined API keys it detects). The doc claims 'Read secrets.json (path only, never the values)', which reduces risk, but the auditor does scan other files for plaintext API-key patterns — so results will include sensitive findings and may surface secret-like strings in the report.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes the risk of arbitrary code being installed on disk.
Credentials
The skill requests no environment variables, credentials, or config paths in the registry metadata. The SKILL.md inspects local config files for references to credentials (e.g., SecretRefs, auth.profiles) which is expected behavior for an audit and does not demand extra secrets from the environment.
Persistence & Privilege
The skill is not marked always:true, does not include an installer and does not request persistent system changes in the instructions. It reads local files and returns a report; it does not request writing to other skills' configs or global settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-audit
  3. After installation, invoke the skill by name or use /openclaw-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Added Tier 3: 8 common setup footguns. Severity scoring now 0/20.
v1.1.1
Tighten safety claims, default to offline/local-file audit, add explicit OpenClaw CLI requirement metadata for optional live checks, and improve secret-redaction guidance.
v1.1.0
**Expanded focus on security, read-only operation, and secrets hygiene.**
- Introduces strict read-only guarantees: no files modified, no secrets extracted, and no external network calls made.
- Adds explicit redaction requirements for secrets found in config files.
- Major overhaul of audit criteria: expands from "production primitives" to include detailed checks for secrets management, token/cost controls, gateway security, and operational documentation.
- Output is now more actionable, including config snippets and an explicit "Overall" production readiness summary.
- Includes a dedicated "Safety" section with user protections and clear guidance.
- Adds version metadata to SKILL.md and publicizes contact for free audits.
v1.0.0
Audit your config against 12 production primitives. By PennywiseOps.
Metadata
Slug openclaw-audit
Version 1.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Openclaw Audit?

Audit your OpenClaw configuration against 12 production primitives PLUS 8 common setup footguns (silent cost leaks, prompt-injection paths, zombie session st... It is an AI Agent Skill for Claude Code / OpenClaw, with 175 downloads so far.

How do I install Openclaw Audit?

Run "/install openclaw-audit" in the OpenClaw or Claude Code chat to install it in one step. The audit itself reads local config files; the optional live checks additionally use the openclaw CLI (see Usage Guidance above).

Is Openclaw Audit free?

Yes, Openclaw Audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Openclaw Audit support?

Openclaw Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Openclaw Audit?

It is built and maintained by shawnpetros (@shawnpetros); the current version is v1.2.0.
