Downloads: 288 | Stars: 0 | Active Installs: 0 | Versions: 3
Install in OpenClaw
/install security-audit-openclaw
Description
⚠️ HIGH PRIVILEGE SECURITY AUDIT SKILL Performs comprehensive security auditing for OpenClaw deployments. Requires system-level access for legitimate securit...
Usage Guidance
This skill appears to be a legitimate high-privilege audit tool, but it is inherently sensitive because it reads many system files and process environments. Before installing or running it:
(1) Review the full script contents yourself, or have a trusted reviewer do so, because it performs many system inspections.
(2) Do not enable the Git or Telegram options unless you understand what will be committed or sent; they are opt-in, but once enabled they transmit data to remote endpoints.
(3) Run audits only on systems you own or trust, and avoid running as root unless necessary (the script warns when run as root).
(4) Consider a first run in an isolated or test environment to verify the outputs.
(5) If you need higher assurance, ask the author for reproducible build provenance or a signed release.
Confidence in this assessment is medium because only part of the code was available for review; read the full shipped script before trusting it on sensitive systems.
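The following static check is an added example of how to do the "review the script before installing" step; it is not the skill's own code and does not reproduce the shipped openclaw_security_audit.py. It parses a skill script with Python's ast module and reports three things a reviewer wants on the table: hardcoded hosts, every environment variable the script reads, and every network or subprocess call, flagging any such call that sits in a function which never reads one of the documented opt-in gate variables. GATE_VARS holds the env var names documented for this skill; EGRESS_ROOTS is an assumed list of modules that can move data off the host; SAMPLE is a constructed stand-in script containing one deliberately ungated git push.

```python
"""Static pre-install review of a skill's Python script (Python 3.9+). Added example, not the skill's code."""
import ast
import re
import sys
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set

# Opt-in gates documented in SKILL.md; egress outside a scope that reads one of these is suspicious.
GATE_VARS = {"SECURITY_AUDIT_ENABLE_GIT", "SECURITY_AUDIT_ENABLE_TELEGRAM"}
# Assumed set of module roots whose calls can transmit data or run external commands.
EGRESS_ROOTS = {"urllib", "requests", "http", "socket", "subprocess"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Review:
    hosts: Set[str] = field(default_factory=set)      # hardcoded endpoints found in the source text
    env_vars: Set[str] = field(default_factory=set)   # every env var the script reads
    egress: List[str] = field(default_factory=list)   # "scope:line dotted.call"
    ungated: List[str] = field(default_factory=list)  # egress in a scope that never reads a gate var


def _dotted(node: ast.AST) -> str:
    """'urllib.request.urlopen' for an Attribute/Name chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _env_read(node: ast.AST) -> Optional[str]:
    """Env var name read by os.environ['X'], os.environ.get('X') or os.getenv('X'), else None."""
    if isinstance(node, ast.Call) and _dotted(node.func) in ("os.environ.get", "os.getenv"):
        if node.args and isinstance(node.args[0], ast.Constant):
            return str(node.args[0].value)
    if isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
        if isinstance(node.slice, ast.Constant):
            return str(node.slice.value)
    return None


def _own_nodes(scope: ast.AST) -> Iterator[ast.AST]:
    """Walk a scope without descending into nested functions; each function is reviewed as its own scope."""
    for child in ast.iter_child_nodes(scope):
        if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        yield child
        yield from _own_nodes(child)


def review_source(source: str) -> Review:
    tree = ast.parse(source)
    rv = Review(hosts={m.group(1) for m in HOST_RE.finditer(source)})
    scopes = [("<module>", tree)] + [
        (n.name, n) for n in ast.walk(tree) if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
    ]
    for name, scope in scopes:
        reads_gate, calls = False, []
        for node in _own_nodes(scope):
            var = _env_read(node)
            if var:
                rv.env_vars.add(var)
                reads_gate |= var in GATE_VARS
            if isinstance(node, ast.Call):
                callee = _dotted(node.func)
                if callee.split(".")[0] in EGRESS_ROOTS:
                    calls.append(f"{name}:{node.lineno} {callee}")
        rv.egress.extend(calls)
        if not reads_gate:
            rv.ungated.extend(calls)  # heuristic: a gate checked only in the caller is not credited
    return rv


# Constructed sample script for the example; backup() deliberately pushes without an opt-in gate.
SAMPLE = '''
import os, subprocess, urllib.request

def collect_env(pid):
    with open(f"/proc/{pid}/environ", "rb") as fh:  # sensitive read, but no egress
        return fh.read()

def notify(text):
    if os.environ.get("SECURITY_AUDIT_ENABLE_TELEGRAM") != "1":
        return
    token = os.environ["TELEGRAM_BOT_TOKEN"]
    urllib.request.urlopen(f"https://api.telegram.org/bot{token}/sendMessage?text={text}")

def backup(state_dir):
    subprocess.run(["git", "-C", state_dir, "push"], check=True)  # constructed defect: no opt-in gate
'''

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(review_source(src))
```

Run it against the shipped scripts/openclaw_security_audit.py by passing the path as the first argument; an empty `ungated` list and a `hosts` set containing nothing beyond the endpoints SKILL.md documents is what you expect from a well-behaved build, and anything else is worth reading by hand before installing.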
Capability Analysis
Type: OpenClaw Skill
Name: security-audit-openclaw
Version: 1.0.2
The skill performs high-privilege security auditing that includes several high-risk behaviors: scanning the workspace for plaintext private keys and mnemonics (DLP), reading sensitive environment variables from the /proc filesystem, and optionally exfiltrating the entire OpenClaw state directory (which may contain API keys and session data) to a remote Git repository. While these actions are documented in SKILL.md and SECURITY.md as legitimate auditing and backup functions, and external communication (Git/Telegram) is disabled by default, the broad system access and potential for data exposure via hardcoded endpoints (api.telegram.org) warrant a suspicious classification. Key files involved are scripts/openclaw_security_audit.py and SKILL.md.
Capability Assessment
Purpose & Capability
The skill name/description (OpenClaw security audit) aligns with its actions: reading system state, OpenClaw workspace, process env, ports, cron, file hashes, and producing reports. The declared required commands in SECURITY.md (ss, top, systemctl, journalctl, last, df, find, etc.) match the checks described.
Instruction Scope
SKILL.md directs running the included Python script which performs many read-only system inspections (/etc, ~/.ssh, /proc/{pid}/environ, listening ports, process lists, file hashes). These actions are within audit scope, but SKILL.md also documents opt-in features that perform writes/network activity (Git commits/pushes and Telegram notifications) — the top-level description initially states 'All operations are read-only and local-only', which is misleading without reading the later opt-in details.
Install Mechanism
No install spec or external downloads; the skill is distributed with a bundled Python script and docs. This is lower risk than remote fetch/install mechanisms.
Credentials
Metadata lists no required environment variables (none mandatory). SKILL.md and the script read optional env vars (SECURITY_AUDIT_ENABLE_GIT, SECURITY_AUDIT_ENABLE_TELEGRAM, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, OPENCLAW_STATE_DIR). These are reasonable for opt-in features, but the skill will read process envs and files that can contain secrets — acceptable for an audit tool but sensitive. The skill does not require external API credentials by default.
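The opt-in variables above are only as safe as the code that interprets them, so here is an added example of fail-closed handling for the same variable names; it is illustrative and not the logic of the shipped script. It shows the common defect of treating any non-empty value (including "false" or "0") as enabled, a strict alternative that only accepts an explicit truthy value, a Telegram configuration check that refuses to run half-configured, and redaction of the bot token that Telegram embeds in its API URL so it cannot leak into the audit report or logs. Function names and the TRUTHY set are assumptions of this example.

```python
"""Fail-closed handling of the skill's opt-in env vars. Added example, not the shipped script."""
import re
from typing import Mapping, Optional, Tuple

# Assumed: only these spellings switch an opt-in feature on; anything else stays off.
TRUTHY = {"1", "true", "yes", "on"}


def naive_enabled(env: Mapping[str, str], name: str) -> bool:
    """The common mistake: any non-empty value, including 'false' or '0', counts as enabled."""
    return bool(env.get(name))


def flag_enabled(env: Mapping[str, str], name: str) -> bool:
    """Opt-in semantics: unset, empty, '0', 'false' and 'no' all leave the feature disabled."""
    return env.get(name, "").strip().lower() in TRUTHY


def git_backup_enabled(env: Mapping[str, str]) -> bool:
    return flag_enabled(env, "SECURITY_AUDIT_ENABLE_GIT")


def telegram_target(env: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """(token, chat_id) when Telegram is explicitly enabled and fully configured; None when disabled.

    Enabled but half-configured raises instead of silently doing nothing or sending to a wrong chat.
    """
    if not flag_enabled(env, "SECURITY_AUDIT_ENABLE_TELEGRAM"):
        return None
    token = env.get("TELEGRAM_BOT_TOKEN", "")
    chat_id = env.get("TELEGRAM_CHAT_ID", "")
    if not token or not chat_id:
        raise ValueError("SECURITY_AUDIT_ENABLE_TELEGRAM is set but TELEGRAM_BOT_TOKEN or TELEGRAM_CHAT_ID is missing")
    return token, chat_id


def redact_bot_url(url: str) -> str:
    """Telegram bot URLs carry the token in the path; strip it before the URL reaches a log or report."""
    return re.sub(r"/bot[^/]+/", "/bot<redacted>/", url)


if __name__ == "__main__":
    env = {"SECURITY_AUDIT_ENABLE_GIT": "false"}
    print("naive:", naive_enabled(env, "SECURITY_AUDIT_ENABLE_GIT"), "strict:", git_backup_enabled(env))
```

Pass `os.environ` as the mapping in real use; the functions take a plain mapping so that the behaviour can be tested without touching the process environment.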
Persistence & Privilege
The skill does not request persistent always-on privilege and is user-invocable. It requires elevated filesystem/process read privileges to be effective (expected). Optional Git backup will write/commit to the user's repo only if enabled.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install security-audit-openclaw
- After installation, invoke the skill by name or use /security-audit-openclaw
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Made Git backup and Telegram notifications opt-in features (disabled by default). Added SECURITY_AUDIT_ENABLE_GIT and SECURITY_AUDIT_ENABLE_TELEGRAM env vars for explicit opt-in.
v1.0.1
Added SECURITY.md with detailed security declarations, enhanced SKILL.md documentation
v0.0.4
Security audit tool for OpenClaw deployments with cross-platform support
Frequently Asked Questions
What is OpenClaw Security Audit?
⚠️ HIGH PRIVILEGE SECURITY AUDIT SKILL Performs comprehensive security auditing for OpenClaw deployments. Requires system-level access for legitimate securit... It is an AI Agent Skill for Claude Code / OpenClaw, with 288 downloads so far.
How do I install OpenClaw Security Audit?
Run "/install security-audit-openclaw" in the OpenClaw or Claude Code chat to install it in one step. The default read-only audit needs no extra setup; the optional Git backup and Telegram notification features are enabled separately through the SECURITY_AUDIT_ENABLE_GIT and SECURITY_AUDIT_ENABLE_TELEGRAM environment variables.
Is OpenClaw Security Audit free?
Yes, OpenClaw Security Audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does OpenClaw Security Audit support?
OpenClaw Security Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created OpenClaw Security Audit?
It is built and maintained by iaadoa (@iaadoa); the current version is v1.0.2.