Security Hardener
by stevojarvisai-star · v1.0.0 · MIT-0
90 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install security-hardener
Description
One-command OpenClaw security audit, scoring, and auto-remediation. Addresses CVE-2026-33579 and common misconfigurations. Scans for exposed API keys, weak f...
Usage Guidance
This tool largely does what it says (scan + fix OpenClaw security issues), but it reads and can modify many personal and agent-related files (shell history, .env, SKILL.md files, openclaw.json). Before running 'fix': (1) inspect the full scripts/security-hardener.py yourself or with a trusted reviewer—the provided excerpt is large but truncated; (2) run 'python3 scripts/security-hardener.py audit --json --verbose' and/or a dry-run mode first, and review the proposed changes carefully; (3) create backups (use the --backup-dir option) and/or test in an isolated environment; (4) verify provenance—the package lists 'GetAgentIQ' but the skill's source/homepage is unknown; prefer tools from known sources or signed releases; (5) be aware the script will modify other skills' SKILL.md files and plugin settings, so plan for rollbacks. If you want to proceed safely, request the full script (untruncated) and a checksum/signature from the publisher before allowing auto-remediation.
Capability Analysis
Type: OpenClaw Skill
Name: security-hardener
Version: 1.0.0
The security-hardener skill is a legitimate security auditing and remediation tool for OpenClaw. It scans for exposed API keys, checks authentication and transport configurations, audits plugin permissions, and verifies file system permissions. The script (security-hardener.py) performs these checks locally and provides actionable findings or automatic fixes (with backups) without any evidence of data exfiltration, unauthorized remote access, or malicious intent.
Capability Assessment
Purpose & Capability
The name/description (security hardener for OpenClaw) matches what the Python script does: scanning OpenClaw config/workspace, searching for secrets, checking permissions, network binding, plugin state, and offering auto-fixes. Requiring no external credentials and no install is plausible for a local hardening tool. Note: the tool claims to 'remove API keys from memory/SKILL.md files' and 'disable unsigned plugins'. Those actions legitimately belong to a hardener but will modify other skill files and plugin state (see Persistence & Privilege).
Instruction Scope
SKILL.md and the script instruct the agent to scan many user paths (configs, workspace, .env files, shell history, git history) and to apply fixes (chmod, edit config, move/remove secrets, change bind address, disable plugins). Scanning shell history and git history and editing SKILL.md files can touch unrelated sensitive data and other installed skills. There's also an inconsistency: SKILL.md says 'Enables auth if disabled' in auto-fix, but the code's auth check marks enabling auth as not auto-fixable (requires user to pick a token). That mismatch affects user expectations about what the 'fix' command will do automatically.
Install Mechanism
No install spec — the skill includes an executable Python script only. This is lower risk than network-based installs. The shipped script will be executed locally; nothing in the provided excerpts shows it downloads and executes external code.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, it will read many local files (config, workspace, .env, shell history, git history). That is expected for secret scanning, but it's a high-sensitivity operation because it may find or touch secrets from unrelated services (AWS, OpenAI, Stripe, etc.). The script's SECRET_PATTERNS explicitly include many providers, so it will detect (and some commands claim to remove/relocate) sensitive credentials without requiring explicit user-supplied tokens.
Persistence & Privilege
The skill will modify local configuration and other skill files: changing openclaw.json, setting file permissions, moving secrets out of SKILL.md files, and disabling unsigned plugins. While these changes are in-scope for a hardener, they constitute modifications to other skills' files and to agent configuration. The skill is not 'always:true' and does not require autonomous invocation to run, but its auto-remediation operations have a real risk of breaking functionality or altering other skills. The user should expect the script to write to and change many files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install security-hardener
- After installation, invoke the skill by name or use /security-hardener
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — One-command OpenClaw security audit, scoring, and auto-remediation
Frequently Asked Questions
What is Security Hardener?
One-command OpenClaw security audit, scoring, and auto-remediation. Addresses CVE-2026-33579 and common misconfigurations. Scans for exposed API keys, weak f... It is an AI Agent Skill for Claude Code / OpenClaw, with 90 downloads so far.
How do I install Security Hardener?
Run "/install security-hardener" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Security Hardener free?
Yes, Security Hardener is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Security Hardener support?
Security Hardener is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Security Hardener?
It is built and maintained by stevojarvisai-star (@stevojarvisai-star); the current version is v1.0.0.