Open-Source Security Scanner
Letter grade A+ through F. Auto-fix for common issues. Zero dependencies.
Nothing leaves your machine.
For a quick one-off scan without installing anything: npx openclaw-security-dashboard@latest
What You Get
Now with 8 security panels in v1.5 — read the changelog.
What It Checks
Validates bind address, authentication enforcement, TLS configuration, and port exposure to catch network-level misconfigurations.
Checks every installed skill against 102+ named IOCs and 21 pattern rules, flags known C2 IP addresses, and matches skill publishers against a blacklist.
Checks file permissions, plaintext secrets in config, sandbox enforcement, and other security-critical runtime settings.
Detects SOUL.md tampering, scans for prompt injection patterns, and verifies hash baselines for identity files.
Identifies rogue LaunchAgents and suspicious hooks, and checks MCP version pinning so that an unpinned server can't become a silent persistence path.
Reviews session logs for injection attempts, credential leaks, and anomalous patterns that indicate compromise.
Audits MCP server configurations for unpinned versions, excessive server count, and unauthorized network access patterns.
Runs openclaw security audit --deep and surfaces 78 config checks as the 8th panel. One command, full coverage.
Auto-Remediation
Most scanners stop at telling you what's wrong. This one fixes the mechanical issues for you — in the browser or from the command line.
Exposed gateway (0.0.0.0) rebound to localhost. Closes the most common attack vector.
Config files set to 600 (owner-only). Stops other local accounts and services from reading your secrets. Note that a file mode can't stop code running as your own user, which is why plaintext keys are also moved out of the file (below).
authBypass disabled. Ensures gateway authentication can't be skipped.
Restricts which system commands agents can execute. 11 safe defaults added.
Plaintext keys replaced with env var references. Your secrets stay out of config files.
Timestamped backup created before every fix. Fully reversible. Nothing is ever deleted. Because the backup is a copy of the pre-fix file, it still holds any plaintext keys that were just removed: keep it owner-only and remove it once you've confirmed the fix.
Issues requiring human judgment — skill removal, identity files, network config — are left as findings with remediation guidance. That's where expert help comes in.
Set It & Forget It
Two commands and your OpenClaw deployment is monitored 24/7. Starts on login, restarts on crash, re-scans every 30 minutes.
Re-scans every 30 minutes. Catches new issues as your config changes. Configurable interval.
Every scan logged to grade-history.jsonl. Track your security posture over time.
macOS LaunchAgent or Linux systemd. Starts on login, restarts on crash. Zero maintenance.
Status command checks for new versions. Stay current with the latest IOCs and security checks.
Shows current grade, watch interval, next scan time, and available updates.
Why It's Different
Built-in audits tell you "you have warnings." This scanner tells you what they mean, how critical they are, and what to do about each one.
| Capability | Built-in Audit | openclaw-security-dashboard |
|---|---|---|
| Security grade (A+ to F) | ✗ | ✓ |
| Malicious skill IOC database | ✗ | ✓ 102+ IOCs |
| C2 IP / domain detection | ✗ | ✓ |
| SOUL.md integrity check | ✗ | ✓ |
| Prompt injection scanning | ✗ | ✓ |
| Session log analysis | ✗ | ✓ |
| Persistence / LaunchAgent detection | ✗ | ✓ |
| Actionable remediation steps | Partial | ✓ Per finding |
| One-click auto-fix | ✗ | ✓ 7 fix types |
| Always-on background monitoring | ✗ | ✓ Re-scans every 30m |
| Built-in audit integration | ✗ | ✓ Runs as 8th panel |
| Accept risk (false positives) | ✗ | ✓ Hash-pinned |
| SSRF detection | ✗ | ✓ Tiered severity |
| Credential flow mapping | ✗ | ✓ Per-key tracing |
| Capability drift detection | ✗ | ✓ Between scans |
| Tamper-evident audit trail | ✗ | ✓ SHA-256 chain |
| Network policy generation | ✗ | ✓ Auto UFW rules |
| 100% local execution | ✓ | ✓ |
| Zero dependencies | ✓ | ✓ |
What To Do With Your Grade
Critical exposures. Run --fix first to handle mechanical issues, then get expert help for the rest.
Major gaps in supply chain or config. You're running default settings that attackers target first.
Good baseline, but missing hardened configs and IOC monitoring. Close the remaining gaps yourself.
Fully hardened. Keep it that way — subscribe for IOC updates and new threat advisories.
For Developers
```bash
openclaw-security-dashboard install             # install as background service
openclaw-security-dashboard status              # check grade + service state
openclaw-security-dashboard uninstall           # stop and remove service
openclaw-security-dashboard --fix               # scan + auto-fix + dashboard
openclaw-security-dashboard --watch             # re-scan every 30m (foreground)
openclaw-security-dashboard --watch-interval 15 # custom interval (minutes)
openclaw-security-dashboard --json              # JSON output + exit
openclaw-security-dashboard --fix --json        # fix + JSON output
npx openclaw-security-dashboard@latest          # quick one-off scan via npx
```
Pass --json to get machine-readable output for dashboards and integrations:
```bash
npx openclaw-security-dashboard --json
```
Returns a structured report with overall grade, per-domain scores, findings array, and remediation steps:
```json
{
  "grade": "C",
  "score": 58,
  "domains": {
    "gateway":      { "score": 40, "findings": [...] },
    "supply_chain": { "score": 65, "findings": [...] },
    "config":       { "score": 70, "findings": [...] },
    "identity":     { "score": 45, "findings": [...] },
    "persistence":  { "score": 80, "findings": [...] },
    "sessions":     { "score": 50, "findings": [...] }
  },
  "timestamp": "2026-03-03T00:00:00Z"
}
```
Add to your GitHub Actions workflow to fail builds below a threshold:
```yaml
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Exits with code 1 if the grade is below B
      - run: npx openclaw-security-dashboard --json --min-grade B
```
Display your security grade on your project README or internal dashboard. The scanner generates a local SVG badge after each run:
```bash
npx openclaw-security-dashboard --badge ./security-badge.svg
```
Import as a module for custom tooling:
```javascript
import { scan } from 'openclaw-security-dashboard';

const report = await scan({ path: '/path/to/openclaw' });
console.log(report.grade); // "B"
console.log(report.findings.filter(f => f.severity === 'critical'));
```
Get Started
Two commands. Always-on monitoring. Scan, auto-fix, and track your grade over time.