← Back to Skills Marketplace
553
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-security-check
Description
Security self-check for OpenClaw deployments. Audits openclaw.json config and host security in one pass: gateway exposure, auth mode, token strength, channel...
Usage Guidance
This skill appears to do what it claims (a quick OpenClaw config + host audit) and the bundled script is readable — good signs. Before installing or enabling automated invocation: 1) Review the full scripts/security-check.sh yourself to verify behavior (it is included). 2) Use the script in read-only/reporting mode first (scripts/security-check.sh or --json) to see findings. 3) Do NOT allow the agent to run auto-fix commands without explicit, interactive confirmation; the fixes use sudo, apt, chmod, sed and can lock you out if misapplied. 4) If you plan to schedule checks, schedule only read-only reports; never auto-apply fixes from cron/heartbeat. 5) Backup ~/.openclaw/openclaw.json and ensure you have a second active SSH session before applying SSH/firewall changes. 6) Prefer running the audit in a staging environment first. If you want, restrict the skill so it can only produce reports and not execute remediation steps autonomously.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-security-check
Version: 1.0.0
The skill performs system-level security audits and remediation, including modifying SSH configurations and firewall rules (SKILL.md). While these actions are aligned with its stated purpose, the shell script (scripts/security-check.sh) contains a code injection vulnerability where configuration values from openclaw.json are unsafely interpolated into a python3 command string via the jq_val function. This allows for potential arbitrary code execution if the configuration file contains maliciously crafted channel names or keys.
Capability Assessment
Purpose & Capability
The name/description state a fast OpenClaw config + host security audit; the bundled script reads ~/.openclaw/openclaw.json, inspects firewall/SSH/listening ports, and scans channel policies and file permissions — all consistent with the stated checks. There are no unrelated credentials, binaries, or external endpoints requested.
Instruction Scope
The shipped script is read-only and implements the 10 checks described in SKILL.md. However SKILL.md also documents an 'Auto-Fix Flow' with concrete commands (apt install ufw, chmod, sed edits to /etc/ssh/sshd_config, firewall enable, openclaw gateway restart) that modify system state and require sudo. The documentation says to confirm with the user first, but that is a policy-level instruction — the agent could be asked to run fixes unless you enforce confirmation. Also the SKILL.md suggests adding the script to periodic heartbeat/cron which would make the checks automatic; ensure fixes are not automated without explicit approval.
Install Mechanism
No install spec; this is an instruction-only skill with a bundled shell script. That is low-risk from an installation perspective — nothing is downloaded or written during install.
Credentials
The skill requires no environment variables or external credentials. It reads HOME and system files (/etc/ssh/sshd_config, ~/.openclaw/openclaw.json), which is proportionate to auditing host and config. The auto-fix commands require elevated privileges (sudo) which is expected for the kinds of system changes suggested but increases potential impact if executed without supervision.
Persistence & Privilege
always:false (no forced inclusion) and default autonomous invocation is allowed (disable-model-invocation:false). Autonomous invocation alone is normal, but combined with documented auto-fix recipes increases blast radius: if the agent is permitted to run fixes automatically, it could install packages or modify SSH/firewall settings. Prefer to require explicit user confirmation before any fix actions and avoid scheduling auto-fix via heartbeat/cron unless you trust the environment.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-security-check - After installation, invoke the skill by name or use
/openclaw-security-check - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: 10-point security audit for OpenClaw deployments. Checks gateway bind/auth/token, channel DM/group policies, config permissions, plaintext secrets, host firewall, SSH hardening, and exposed ports. Includes executable bash script with human-readable and JSON output modes, plus auto-fix recipes.
Metadata
Frequently Asked Questions
What is OpenClaw Security Check?
Security self-check for OpenClaw deployments. Audits openclaw.json config and host security in one pass: gateway exposure, auth mode, token strength, channel... It is an AI Agent Skill for Claude Code / OpenClaw, with 553 downloads so far.
How do I install OpenClaw Security Check?
Run "/install openclaw-security-check" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw Security Check free?
Yes, OpenClaw Security Check is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw Security Check support?
OpenClaw Security Check is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw Security Check?
It is built and maintained by Madoka (@guoqunabc); the current version is v1.0.0.
More Skills