You Ran openclaw security audit. Here’s the Other 40%.
The built-in OpenClaw security audit is good. Really good, actually. 78 checks across gateway config, file permissions, channel policies, sandbox enforcement, and model hygiene. If you’ve run it and fixed everything it flags, you’re about 60% hardened. Here’s what the other 40% looks like.
Chris Kvamme wrote the definitive walkthrough at stack-junkie.com — every severity level, every check ID, every manual fix. If you haven’t run the audit yet, stop reading and go do that first:
openclaw security audit --deep
What the built-in audit checks
The built-in audit is focused on configuration correctness. It reads your openclaw.json and state files, checks them against known-good patterns, and flags deviations. The --deep flag adds a live gateway probe to verify your running instance matches your config.
It’s excellent at catching:
- Gateway exposed without auth
- Weak or default tokens
- Overly permissive channel policies
- File permission issues (world-readable config, credentials)
- Dangerous config flags left enabled
- Legacy model configurations
- Missing sandbox enforcement
The --fix flag handles file permissions and group policy tightening automatically. Everything else requires manual changes.
What it doesn’t check
The built-in audit operates entirely within the config boundary. It doesn’t inspect what’s actually installed on your system, doesn’t track changes over time, and doesn’t cross-reference against external threat intelligence.
Here’s the gap, mapped to real attacks:
| Gap | Real-world attack | Impact |
|---|---|---|
| No skill IOC matching | ClawHavoc campaign — 1,184+ malicious skills on ClawHub delivering Atomic Stealer | Malware installed via supply chain. Built-in audit can’t detect it because skills aren’t config. |
| No identity file integrity | SOUL.md injection via prompt manipulation — attacker modifies agent personality to exfiltrate data | Persistent compromise. Agent behaves differently but config looks clean. |
| No MCP server audit | Unpinned MCP server versions — attacker publishes malicious update, your agent auto-pulls it | Supply chain attack via MCP. Config says “use this server” but doesn’t pin what version. |
| No persistence detection | Rogue LaunchAgent or cron job installed by malicious skill — survives skill removal | Attacker maintains access even after you “fix” the problem. |
| No credential protection assessment | API keys hardcoded in openclaw.json leak into LLM context window on every turn (GitHub issue #11202) | Your keys travel through the model provider’s infrastructure in plaintext. See 5 levels of credential protection. |
| No session log analysis | Prompt injection attempts buried in session transcripts — early warning of targeting | You don’t know someone’s probing your agent until after they succeed. |
None of these are criticisms of the built-in audit. It was designed for config checks and it does that well. But config correctness is necessary, not sufficient.
Filling the gap
We built an open-source scanner that covers specifically these blind spots:
npx openclaw-security-dashboard
One command, 30 seconds, zero dependencies. Runs 100% locally — nothing leaves your machine. MIT licensed.
It checks 7 security domains:
1. Gateway Security
Yes, this overlaps with the built-in audit. We include it so you get a single-pane view of all 7 domains in one dashboard. If you’ve already fixed your gateway findings via openclaw security audit --fix, this panel will be green.
2. Skill Supply Chain
Cross-references every installed skill against 1,184+ known malicious skill signatures from the ClawHavoc, ClickFix, and CryptoLure campaigns. Sources: Antiy CERT, Koi Security, Bitdefender, and Snyk research. Detects executables in skill directories, suspicious SKILL.md prerequisite patterns (the ClickFix social engineering technique), and blacklisted publishers. Scans multiple directories — ~/.openclaw/skills/, workspace/, and agents/*/skills/.
3. Config Hardening
File permissions, plaintext API keys in config, sandbox enforcement, safeBins allowlist. Also assesses your credential protection level on a scale from L0 (hardcoded keys — most users) to L4 (external vault integration). Note: OpenClaw added openclaw secrets in version 2026.2.26 for native secret management. Our scanner detects your current level and shows the upgrade path.
4. Identity Integrity
Computes SHA-256 hashes of SOUL.md, AGENTS.md, USER.md, TOOLS.md and compares against a stored baseline. First scan creates the baseline. Subsequent scans detect any changes — intentional or not. If your identity files change because you edited them, you accept the new baseline. If they change and you didn’t touch them, you have a problem.
5. Persistence & Cron
Flags LaunchAgents (macOS), systemd services (Linux), cron jobs, and hook scripts that reference OpenClaw. Distinguishes between the official OpenClaw gateway plist (expected) and anything else (investigate). Detects network patterns in hook scripts.
6. Session Analysis
Reviews session logs for injection attempts, credential leaks, and anomalous patterns. This is early-warning detection — if someone is probing your agent with prompt injection, it shows up here before they succeed.
7. MCP Security
Reads mcp.json and flags unpinned server versions (any update could introduce malicious code), excessive server count (large attack surface), and servers running from temporary directories.
Auto-fix goes further too
The built-in --fix handles file permissions and group policies. Our --fix handles those plus:
- Gateway rebind — exposed gateway (0.0.0.0) rebound to loopback
- API key migration — moves plaintext keys from openclaw.json to env var references using OpenClaw’s native envblock pattern. The key stays in the same file but structurally separated, which prevents it from leaking into the LLM context window
- safeBins allowlist — adds a default set of 11 safe commands, restricting what skills can execute
- Malicious skill removal — IOC-matched skills removed with backup (new in v1.4.1)
Creates a timestamped backup before every change. Fully reversible.
What it found on a real deployment
Here’s a real first scan on a Mac Mini running OpenClaw 2026.3.1:
Grade: F (0/100)
- CRITICAL: Skill solana-wallet-tracker matches known malicious IOC
- CRITICAL: Skill sketch-helper has ClickFix prerequisites pattern
- HIGH: API key hardcoded in openclaw.json (credential level L0)
- HIGH: Sandbox mode off
- HIGH: No safeBins allowlist
- MEDIUM: External URLs in 2 skills need review
- LOW: OpenClaw LaunchAgent detected (expected, informational)
After running --fix:
Grade: B (72/100)
The scanner removed the malicious skills (with backup), migrated the API key to env var references, and added the safeBins allowlist. The remaining findings — sandbox requiring Docker, external URL review — are judgment calls that need a human.
Going from B to A+ requires hardened configs, identity baselines, monitoring scripts, and an incident response plan. That’s what the Security Blueprint is for — but the scanner and the IOC database are free forever.
Run both
The built-in audit and this scanner are complementary:
# Step 1: Built-in config audit
openclaw security audit --deep --fix
# Step 2: Supply chain, identity, persistence, MCP
npx openclaw-security-dashboard --fix
Takes about 2 minutes total. Covers the full threat surface.
For always-on monitoring:
npm i -g openclaw-security-dashboard
openclaw-security-dashboard install
Re-scans every 30 minutes. Serves a dashboard at localhost:7177. Survives reboot.
Close the other 40%
Run the free security dashboard. See your grade, every gap the built-in audit misses, and auto-fix what it can — in 30 seconds, no account required.
Install the Dashboard → Or get a personalized hardening report — $297 →
Links:
- GitHub: openclaw-security-dashboard
- npm: openclaw-security-dashboard
- Credential protection levels (L0–L4): Your OpenClaw API Keys Are Leaking — 5 Levels of Fix
- Built-in audit deep dive: OpenClaw Security Audit: Run It and Fix What It Finds (stack-junkie.com)