The 40% Gap: What OpenClaw's Built-In Security Audit Misses

Credit where it's due — openclaw security audit is a solid first step. It covers gateway authentication, basic file permissions, outdated versions, and some configuration checks. That's roughly 60% of your attack surface. This post is about the other 40%.

I'm Peter Kwidzinski — Platform Security Architect with 20+ years in the industry, with deep experience in silicon and platform security. The kind of work where a missed vulnerability means millions of devices are compromised. I've spent my career thinking about trust boundaries, secure boot chains, and what happens when you give untrusted code access to trusted systems.

OpenClaw is the most exciting thing I've seen in a while. But the default security posture has gaps that matter. This isn't criticism — new platforms always prioritize functionality over lockdown. I want to help close the gap before more people get burned.

First: run the built-in audit

Seriously. If you haven't done this yet, stop reading and run it now:

openclaw security audit

Fix everything it flags. That gets you to a baseline. Now let's talk about what it doesn't catch.

What the built-in audit misses

I've been analyzing OpenClaw deployments since launch and cataloging threats from the ClawHavoc campaign (1,184 malicious ClawHub packages), CVE-2026-25253, and real-world incident reports. Here's what falls through the cracks:

1. Multi-directory skill scanning

The built-in audit checks ~/.openclaw/skills/. But skills can live in project-local directories, custom paths set via OPENCLAW_SKILLS_DIR, and — this is the nasty one — skills installed by other skills into non-standard locations.

Check all skill locations:

# Find every SKILL.md on your system
find / -name "SKILL.md" -type f 2>/dev/null | grep -v node_modules

# Compare against what OpenClaw knows about
openclaw skills list --paths

Any SKILL.md that shows up in the first command but not the second is worth investigating.

2. Identity file integrity

Your ~/.openclaw/identity.json contains your agent personas, API routing, and permission grants. If a malicious skill modifies it, they can escalate their own permissions or redirect API calls through a proxy.

Baseline and monitor:

# Create a baseline hash (do this NOW while you trust your config)
sha256sum ~/.openclaw/identity.json > ~/.openclaw/.identity-baseline

# Check it weekly (or after any new skill install)
sha256sum -c ~/.openclaw/.identity-baseline

If the hash doesn't match and you didn't change it, something else did.

3. MCP server auditing

MCP (Model Context Protocol) servers give skills access to external tools. The built-in audit checks if MCP is enabled but doesn't audit what each server can actually do.

Review your MCP configs:

# List all MCP server configurations
cat ~/.openclaw/config.json | grep -A 20 '"mcpServers"'

# For each server, ask:
# - Does this skill need network access?
# - Does this server have write access to the filesystem?
# - Is the server binary/URL from a trusted source?
# - Can you verify the server hasn't been modified?

The ClawHavoc campaign included skills that registered MCP servers which proxied API calls through attacker-controlled endpoints. The skill looked normal — the exfiltration happened at the MCP layer.

4. Persistence mechanisms

Malicious skills that survive uninstallation. We've documented three patterns:

• Cron jobs: Skills that add crontab entries to phone home or reinstall themselves
• Shell profile injection: Appending to .bashrc/.zshrc to reload on terminal open
• Symlinks: Creating symlinks from trusted paths to malicious payloads

Check for all three:

# Crontab entries you didn't create
crontab -l

# Recent changes to shell profiles
ls -la ~/.bashrc ~/.zshrc ~/.bash_profile 2>/dev/null
# Check modification dates — if they changed after a skill install, read them carefully

# Symlinks in skill directories
find ~/.openclaw -type l -ls

5. Skill prerequisite payloads

Some ClawHavoc skills have clean main code but malicious install scripts. The SKILL.md declares a "prerequisite" that runs curl | sh during installation.

Before installing any skill, check for download-and-execute patterns:

# In the skill's directory, look for download-and-execute patterns
grep -riE '(curl|wget|fetch)' SKILL.md
grep -riE '(bash|sh|exec|eval)' SKILL.md

If a skill's prerequisites include piping a remote URL to a shell, that's a red flag regardless of what the skill itself does.

6. Network exfiltration detection

The built-in audit checks your outbound network config, but it doesn't monitor actual traffic. A skill can be configured correctly and still exfiltrate data if it encodes it in legitimate-looking API calls.

Quick DNS check:

# See what domains your OpenClaw process has been talking to
# (requires that you've enabled logging)
openclaw logs --filter network | grep -oE 'https?://[^ ]+' | sort -u

Review every domain. If you see anything that isn't your LLM provider, a configured MCP server, or a service you explicitly set up — investigate.

The "lethal trifecta" — break one leg

Palo Alto's advisory coined this and it's the right mental model. A dangerous agent has all three:

1. Read access to private data (files, API keys, credentials)
2. Network access to send data out
3. Ability to act (send emails, execute code, modify files)

Any two of those is manageable. All three is an exfiltration machine. Your hardening strategy should break at least one leg for every agent.

{
  "permissions": {
    "fileSystem": {
      "read": ["~/projects/my-specific-project"],
      "write": ["~/projects/my-specific-project/output"],
      "deny": ["~/.ssh", "~/.aws", "~/.config", "~/.openclaw/identity.json"]
    },
    "network": {
      "outbound": {
        "default": "deny",
        "allowlist": ["api.anthropic.com", "api.openai.com"]
      }
    }
  }
}

The IOC database

I've compiled indicators of compromise for 1,184+ known malicious ClawHub packages — skill names, publisher accounts, file hashes, and behavioral signatures. This includes all ClawHavoc variants, the AMOS stealer delivery chain, and ClickFix social engineering packages.

If you want to check your installed skills against the database, I built a free scanner that runs right in your browser. No account needed:

→ Run the free scan at bulwarkai.io

It catches the basics. For a detailed breakdown of every gap mapped to real attacks, with the open-source scanner that covers all of them, see: You Ran openclaw security audit. Here's the Other 40%.

For the full 40% gap — all the multi-directory scanning, identity monitoring, MCP auditing, persistence detection, and the complete IOC database — everything is packaged into a drop-in Security Blueprint.