openclaw-security-dashboard v1.5: One Command, Full Coverage
When we launched the dashboard last week, it checked 7 security domains. The most common feedback: “This is great, but I still have to run openclaw security audit separately.” Fair point. So we fixed it.
What’s New
Built-in Audit Integration (8th Panel)
The dashboard now runs openclaw security audit --deep automatically and surfaces those 78 config checks as the 8th panel alongside our 7. One command covers the entire threat surface. No more “run both.”
If OpenClaw’s CLI isn’t installed, the panel gracefully shows “OpenClaw CLI not found” instead of failing.
Credential Flow Mapping
This is the feature we’re most excited about. Instead of just checking WHERE your API keys are stored (L0 through L4), the scanner now traces where they can GO:
ANTHROPIC_API_KEY
Storage: L1 (env block) → Agents: 3 → Skills: 6 → Model catalog: EXPOSED
Risk: HIGH — key enters LLM context on every turn
For each key, it maps: which agents can read it, which skills have access, whether it enters the model catalog serialization path (GitHub issue #11202), and whether it appears in logs, memory files, or session transcripts.
Most deployments have at least one key that flows somewhere it shouldn’t.
SSRF Detection
Skills referencing cloud metadata endpoints (169.254.169.254, metadata.google.internal) now flag as CRITICAL. Private IP ranges flag as HIGH. DNS rebinding patterns (.nip.io, .sslip.io) flag as HIGH.
Previously these were all lumped together as MEDIUM “External URL in skill.” Now the severity matches the actual risk.
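The tiering described above, sketched in JavaScript as an added example (not the dashboard's own code). The function names, the exact ranges counted as "private" (RFC 1918, loopback, link-local) and the MEDIUM fallback for other external URLs are assumptions.

```javascript
// Added example: hosts and suffixes come from the text; all names are hypothetical.
const METADATA_HOSTS = new Set(['169.254.169.254', 'metadata.google.internal']);
const REBIND_SUFFIXES = ['.nip.io', '.sslip.io'];

// True for RFC 1918, loopback and link-local IPv4 literals (assumed definition of "private").
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

function classifyUrl(raw) {
  let host;
  try {
    // The WHATWG URL parser normalizes decimal/hex IPv4 forms to dotted notation.
    host = new URL(raw).hostname.toLowerCase().replace(/\.$/, '');
  } catch {
    return { severity: 'MEDIUM', reason: 'unparseable URL' };
  }
  if (METADATA_HOSTS.has(host)) return { severity: 'CRITICAL', reason: 'cloud metadata endpoint' };
  if (isPrivateIPv4(host)) return { severity: 'HIGH', reason: 'private IP range' };
  if (REBIND_SUFFIXES.some((s) => host.endsWith(s))) return { severity: 'HIGH', reason: 'DNS rebinding pattern' };
  return { severity: 'MEDIUM', reason: 'external URL in skill' };
}

// Extract URLs from a skill's text and return findings, worst first.
function scanSkill(text) {
  const rank = { CRITICAL: 0, HIGH: 1, MEDIUM: 2 };
  const urls = text.match(/https?:\/\/[^\s"'<>)]+/g) || [];
  return urls
    .map((url) => ({ url, ...classifyUrl(url) }))
    .sort((x, y) => rank[x.severity] - rank[y.severity]);
}

// Constructed sample skill text.
const SAMPLE_SKILL = 'post to https://api.example.com/v1, call http://10.0.0.5.nip.io/hook, ' +
  'then fetch("http://169.254.169.254/latest/meta-data/")';
```

The metadata check runs before the private-range check because 169.254.169.254 is itself a link-local address and would otherwise only be rated HIGH.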
Sandbox Scoring
The old check was binary: sandbox on or off. Now it’s scored 0–100 based on what’s actually configured:
- Is Docker installed and running?
- Network isolation: --network=none or bridged?
- Read-only filesystem enabled?
- Resource limits (memory, CPU) set?
- Docker version patched against known escapes?
A sandbox that’s “on” but misconfigured (network exposed, no resource limits) gets a WEAK score, not a clean pass.
Accept Risk
Every security tool needs a way to handle false positives. If you have a legitimate custom skill with an executable file, you can now click “Accept Risk” on that finding.
Exceptions are hash-pinned — the scanner stores a SHA-256 hash of the file alongside the exception. If the file content changes, the exception auto-expires and the finding comes back. This prevents someone from swapping in a malicious file under an already-accepted path.
IOC-matched malicious skills can never be ignored. That’s a hardcoded blocklist.
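A sketch of how a hash-pinned exception behaves, as an added example rather than the scanner's own code. The store layout, the `iocMatch` field and the function names are assumptions.

```javascript
const { createHash } = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

const sha256File = (p) => createHash('sha256').update(fs.readFileSync(p)).digest('hex');

// Record an exception pinned to the file's current content (hypothetical store shape).
function acceptRisk(store, finding) {
  if (finding.iocMatch) throw new Error('IOC-matched findings cannot be accepted');
  store[finding.path] = { sha256: sha256File(finding.path), acceptedAt: new Date().toISOString() };
}

// Return the findings that should still be reported; expire stale exceptions.
function applyExceptions(store, findings) {
  return findings.filter((f) => {
    const ex = store[f.path];
    if (f.iocMatch || !ex) return true;                    // blocklist hits always report
    const pinned = fs.existsSync(f.path) && sha256File(f.path) === ex.sha256;
    if (pinned) return false;                              // content unchanged: suppressed
    delete store[f.path];                                  // content changed: auto-expire
    return true;
  });
}

// Constructed demo: accept a finding, then change the file under the same path.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'accept-risk-'));
  const file = path.join(dir, 'run.sh');
  fs.writeFileSync(file, '#!/bin/sh\necho hello\n');
  const finding = { path: file, rule: 'executable-in-skill', iocMatch: false };
  const store = {};
  acceptRisk(store, finding);
  const suppressed = applyExceptions(store, [finding]).length === 0;
  fs.writeFileSync(file, '#!/bin/sh\necho changed\n');
  const resurfaced = applyExceptions(store, [finding]).length === 1;
  const expired = !(file in store);
  fs.rmSync(dir, { recursive: true, force: true });
  return { suppressed, resurfaced, expired };
}
```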
Capability Drift Detection
The scanner now tracks permission changes between scans. If an agent quietly gains new tool access — exec, filesystem, browser control — you’ll see it immediately:
⚠ Agent "main" gained 2 new tool(s): exec, browser_control
⚠ Agent "social-media" has exec access but hasn't used it in 30 days
The least-privilege engine goes further: it maps which tools each agent’s installed skills actually require and flags excess permissions. “Agent X has exec + filesystem but only needs web_fetch based on its skills.”
Network Policy Generator
Based on your configured model providers, skills, and MCP servers, the scanner generates recommended firewall rules:
ALLOW: api.anthropic.com, api.openai.com
BLOCK: 169.254.169.254 (metadata), private IP ranges
UFW commands:
sudo ufw default deny outgoing
sudo ufw allow out to api.anthropic.com port 443
...
Tamper-Evident Audit Trail
Grade history is now hash-chained. Every scan result includes a SHA-256 hash of the previous entry. Modify any historical scan and the chain breaks, generating a CRITICAL finding.
Identity baselines are HMAC-signed with a machine-derived key. If someone modifies the baseline file directly (bypassing the normal “Accept Changes” flow), the signature check fails.
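The two checks described above, as an added example that is not the dashboard's implementation. The entry fields, the all-zero genesis value and the function names are assumptions, and the key is a constructed stand-in for the machine-derived key.

```javascript
const { createHash, createHmac, timingSafeEqual } = require('crypto');

const GENESIS = '0'.repeat(64); // assumed prevHash for the first entry
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// An entry's hash covers its own fields and the previous entry's hash.
const entryHash = (e) => sha256(JSON.stringify([e.prevHash, e.timestamp, e.grade, e.score]));

function appendScan(history, scan) {
  const prevHash = history.length ? history[history.length - 1].hash : GENESIS;
  const entry = { ...scan, prevHash };
  entry.hash = entryHash(entry);
  history.push(entry);
  return entry;
}

// Index of the first entry that fails verification, or -1 if the chain is intact.
function verifyChain(history) {
  let prev = GENESIS;
  for (let i = 0; i < history.length; i++) {
    const e = history[i];
    if (e.prevHash !== prev || e.hash !== entryHash(e)) return i;
    prev = e.hash;
  }
  return -1;
}

// JSON.stringify is order-sensitive, so sign and verify the same serialization.
const signBaseline = (baseline, key) =>
  createHmac('sha256', key).update(JSON.stringify(baseline)).digest('hex');

function verifyBaseline(baseline, sigHex, key) {
  const expected = Buffer.from(signBaseline(baseline, key), 'hex');
  const given = Buffer.from(String(sigHex), 'hex');
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed data: three scans, then a direct edit to history and to the baseline.
function demo() {
  const history = [];
  [['2026-01-01T00:00:00Z', 'D', 41], ['2026-01-02T00:00:00Z', 'C', 63], ['2026-01-03T00:00:00Z', 'B', 78]]
    .forEach(([timestamp, grade, score]) => appendScan(history, { timestamp, grade, score }));
  const intact = verifyChain(history);
  history[1].grade = 'A';                          // edit a historical scan in place
  const brokenAt = verifyChain(history);
  const key = Buffer.from('constructed-demo-key'); // stands in for the machine-derived key
  const baseline = { agent: 'main', tools: ['web_fetch'] };
  const sig = signBaseline(baseline, key);
  const before = verifyBaseline(baseline, sig, key);
  baseline.tools.push('exec');                     // edit that bypasses the signing step
  return { intact, brokenAt, before, after: verifyBaseline(baseline, sig, key) };
}
```

In this sketch the chain is unkeyed, so it catches an edited entry only while the later hashes are left alone or the latest hash is also recorded somewhere the editor cannot rewrite.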
Memory Expansion
The scanner now checks daily memory notes, session transcripts, agent workspace files, and log files for leaked credentials. 10 API key patterns: Anthropic, OpenAI, Groq, GitHub, Slack, Telegram, Stripe, Google, AWS.
Previously it only checked MEMORY.md.
The Numbers
| Version | Panels | IOC Signatures | Auto-Fix Types | Credential Checks |
|---|---|---|---|---|
| v1.0 (launch) | 6 | 150+ | 5 | Storage only (L0–L4) |
| v1.4 (last week) | 7 | 1,184+ | 7 | Storage + detection |
| v1.5 (today) | 8 | 1,184+ | 7 | Full flow mapping |
Update
npm update -g openclaw-security-dashboard
Or fresh scan:
npx openclaw-security-dashboard@latest
The dashboard at localhost:7177 will show the new panels automatically after update.
What’s Next
The v1.5 roadmap was heavily influenced by studying OpenFang’s security architecture — their WASM sandboxing, cryptographic audit chains, and information flow labels set a high bar. We can’t change OpenClaw’s architecture, but we can detect and compensate for its gaps.
Next up: runtime credential monitoring (watching OpenClaw’s outputs for key leaks in real-time), process memory scanning, and deeper MCP server policy enforcement.
The scanner and the full IOC database are MIT licensed. PRs welcome.
Try v1.5 now
One command. 8 security panels. Full coverage of the built-in audit plus everything it misses. Zero dependencies, 100% local.
Install the Dashboard →
Or get a personalized hardening report — $297 →
Links:
- GitHub: openclaw-security-dashboard
- npm: openclaw-security-dashboard
- Credential protection levels (L0–L4): Your OpenClaw API Keys Are Leaking — 5 Levels of Fix
- What the built-in audit misses: The Other 40%