OpenClaw Security Hardening
A comprehensive security toolkit for protecting OpenClaw installations from attacks via malicious skill files, prompt injection, data exfiltration, and workspace tampering.
Threat Model
This skill protects against:
| Threat | Description | Tool |
|---|
| Prompt Injection | Malicious skills containing instructions to override system prompts, ignore safety rules, or manipulate agent behavior | INLINECODE0 |
| Data Exfiltration |
Skills that instruct the agent to send sensitive data (credentials, memory, config) to external endpoints |
audit-outbound.sh |
|
Skill Tampering | Unauthorized modification of installed skills after initial review |
integrity-check.sh |
|
Workspace Exposure | Sensitive files with wrong permissions, missing .gitignore rules, insecure gateway config |
harden-workspace.sh |
|
Supply Chain | Installing a new skill that contains hidden malicious patterns |
install-guard.sh |
Quick Start
CODEBLOCK0
Tools
1. scan-skills.sh — Skill File Scanner
Scans all installed skill files for malicious patterns including prompt injection, data exfiltration attempts, suspicious URLs, hidden unicode, obfuscated commands, and social engineering.
Usage:
�CODEBLOCK1
What it detects:
- - Prompt injection patterns (override instructions, new system prompts, admin overrides)
- Data exfiltration (curl/wget to external URLs, sending file contents)
- Suspicious URLs (webhooks, pastebin, requestbin, ngrok, etc.)
- Base64-encoded content that could hide instructions
- Hidden unicode characters (zero-width spaces, RTL override, homoglyphs)
- References to sensitive files (.env, credentials, API keys, tokens)
- Instructions to modify system files (AGENTS.md, SOUL.md)
- Obfuscated commands (hex encoded, unicode escaped)
- Social engineering ("don't tell the user", "secretly", "without mentioning")
Severity levels:
- - 🔴 CRITICAL — Likely malicious, immediate action needed
- 🟡 WARNING — Suspicious, review manually
- 🔵 INFO — Noteworthy but probably benign
2. integrity-check.sh — Skill Integrity Monitor
Creates SHA256 hash baselines of all skill files and detects unauthorized modifications.
Usage:
�CODEBLOCK2
Reports:
- - ✅ Unchanged files
- ⚠️ Modified files (hash mismatch)
- 🆕 New files (not in baseline)
- ❌ Removed files (in baseline but missing)
Automation: Add to your heartbeat or cron to run daily:
# In HEARTBEAT.md or cron
0 8 * * * /path/to/scripts/integrity-check.sh 2>&1 | grep -E '(MODIFIED|NEW|REMOVED)'
3. audit-outbound.sh — Outbound Data Flow Auditor
Scans skill files for patterns that could cause data to leave your machine.
Usage:
�CODEBLOCK4
Detects:
- - HTTP/HTTPS URLs embedded in skill instructions
- References to curl, wget, fetch, web_fetch, browser navigate
- Email/message/webhook sending instructions
- Raw IP addresses in instructions
- Non-whitelisted external domains
4. harden-workspace.sh — Workspace Hardener
Checks and fixes common security misconfigurations in your OpenClaw workspace.
Usage:
�CODEBLOCK5
Checks:
- - File permissions on sensitive files (MEMORY.md, USER.md, SOUL.md, credentials)
- .gitignore coverage for sensitive patterns
- Gateway auth configuration
- DM policy settings
- Sensitive content in version-controlled files
5. install-guard.sh — Pre-Install Security Gate
Run before installing any new skill to check for malicious content.
Usage:
�CODEBLOCK6
Checks:
- - All patterns from scan-skills.sh
- Dangerous shell patterns in scripts (rm -rf, curl|bash, eval, etc.)
- Suspicious npm dependencies (if package.json exists)
- Exit code 0 = safe, 1 = suspicious (for CI/automation)
Security Rules Template
Copy assets/security-rules-template.md into your AGENTS.md to add runtime security rules for your agent. These rules instruct the agent to refuse prompt injection attempts and protect sensitive data.
CODEBLOCK7
Recommended Setup
- 1. Initial setup:
�CODEBLOCK8
- 2. Add security rules to AGENTS.md from the template
- 3. Before installing new skills:
�CODEBLOCK9
- 4. Periodic checks (add to heartbeat or cron):
�CODEBLOCK10
技能名称:openclaw-security-hardening
详细描述:
OpenClaw 安全加固
一套全面的安全工具包,用于保护 OpenClaw 安装免受恶意技能文件、提示注入、数据泄露和工作区篡改等攻击。
威胁模型
该技能可防御以下威胁:
| 威胁 | 描述 | 工具 |
|---|
| 提示注入 | 包含覆盖系统提示、忽略安全规则或操纵代理行为指令的恶意技能 | scan-skills.sh |
| 数据泄露 |
指示代理将敏感数据(凭证、记忆、配置)发送到外部端点的技能 | audit-outbound.sh |
|
技能篡改 | 初始审查后对已安装技能进行未经授权的修改 | integrity-check.sh |
|
工作区暴露 | 权限错误的敏感文件、缺失的 .gitignore 规则、不安全的网关配置 | harden-workspace.sh |
|
供应链 | 安装包含隐藏恶意模式的新技能 | install-guard.sh |
快速开始
bash
对所有已安装技能进行完整安全扫描
./scripts/scan-skills.sh
审计出站数据流模式
./scripts/audit-outbound.sh
初始化完整性基线
./scripts/integrity-check.sh --init
加固您的工作区
./scripts/harden-workspace.sh --fix
安装前检查新技能
./scripts/install-guard.sh /path/to/new-skill/
工具
1. scan-skills.sh — 技能文件扫描器
扫描所有已安装的技能文件,查找恶意模式,包括提示注入、数据泄露尝试、可疑URL、隐藏Unicode、混淆命令和社会工程学攻击。
用法:
bash
扫描所有技能目录
./scripts/scan-skills.sh
仅扫描特定目录
./scripts/scan-skills.sh --path /path/to/skills/
以JSON格式输出,便于自动化
./scripts/scan-skills.sh --json
显示帮助
./scripts/scan-skills.sh --help
检测内容:
- - 提示注入模式(覆盖指令、新系统提示、管理员覆盖)
- 数据泄露(curl/wget到外部URL、发送文件内容)
- 可疑URL(webhooks、pastebin、requestbin、ngrok等)
- 可能隐藏指令的Base64编码内容
- 隐藏的Unicode字符(零宽空格、RTL覆盖、同形异码)
- 对敏感文件的引用(.env、凭证、API密钥、令牌)
- 修改系统文件的指令(AGENTS.md、SOUL.md)
- 混淆命令(十六进制编码、Unicode转义)
- 社会工程学攻击(不要告诉用户、秘密地、不要提及)
严重级别:
- - 🔴 严重 — 可能为恶意,需要立即处理
- 🟡 警告 — 可疑,需手动审查
- 🔵 信息 — 值得注意但可能无害
2. integrity-check.sh — 技能完整性监控器
创建所有技能文件的SHA256哈希基线,并检测未经授权的修改。
用法:
bash
初始化基线(首次运行)
./scripts/integrity-check.sh --init
检查更改(定期运行)
./scripts/integrity-check.sh
审查更改后更新基线
./scripts/integrity-check.sh --update
检查特定目录
./scripts/integrity-check.sh --path /path/to/skills/
显示帮助
./scripts/integrity-check.sh --help
报告:
- - ✅ 未更改的文件
- ⚠️ 已修改的文件(哈希不匹配)
- 🆕 新文件(不在基线中)
- ❌ 已删除的文件(在基线中但缺失)
自动化: 添加到您的心跳或cron任务中,每日运行:
bash
在 HEARTBEAT.md 或 cron 中
0 8
* /path/to/scripts/integrity-check.sh 2>&1 | grep -E (MODIFIED|NEW|REMOVED)
3. audit-outbound.sh — 出站数据流审计器
扫描技能文件中可能导致数据离开您机器的模式。
用法:
bash
审计所有技能
./scripts/audit-outbound.sh
审计特定目录
./scripts/audit-outbound.sh --path /path/to/skills/
显示白名单域名
./scripts/audit-outbound.sh --show-whitelist
将域名添加到白名单
./scripts/audit-outbound.sh --whitelist example.com
显示帮助
./scripts/audit-outbound.sh --help
检测内容:
- - 嵌入在技能指令中的HTTP/HTTPS URL
- 对curl、wget、fetch、web_fetch、浏览器导航的引用
- 电子邮件/消息/webhook发送指令
- 指令中的原始IP地址
- 非白名单的外部域名
4. harden-workspace.sh — 工作区加固器
检查并修复OpenClaw工作区中常见的安全配置错误。
用法:
bash
仅检查(报告问题)
./scripts/harden-workspace.sh
自动修复安全的问题
./scripts/harden-workspace.sh --fix
显示帮助
./scripts/harden-workspace.sh --help
检查项:
- - 敏感文件的权限(MEMORY.md、USER.md、SOUL.md、凭证)
- 敏感模式的.gitignore覆盖范围
- 网关认证配置
- DM策略设置
- 版本控制文件中的敏感内容
5. install-guard.sh — 安装前安全门控
在安装任何新技能之前运行,检查恶意内容。
用法:
bash
安装前检查技能
./scripts/install-guard.sh /path/to/new-skill/
严格模式(警告也视为失败)
./scripts/install-guard.sh --strict /path/to/new-skill/
显示帮助
./scripts/install-guard.sh --help
检查项:
- - scan-skills.sh中的所有模式
- 脚本中的危险Shell模式(rm -rf、curl|bash、eval等)
- 可疑的npm依赖项(如果存在package.json)
- 退出码0 = 安全,1 = 可疑(用于CI/自动化)
安全规则模板
将 assets/security-rules-template.md 复制到您的 AGENTS.md 中,为您的代理添加运行时安全规则。这些规则指示代理拒绝提示注入尝试并保护敏感数据。
bash
cat assets/security-rules-template.md >> /path/to/AGENTS.md
推荐设置
- 1. 初始设置:
bash
./scripts/scan-skills.sh # 扫描现有技能
./scripts/audit-outbound.sh # 审计出站模式
./scripts/integrity-check.sh --init # 创建基线
./scripts/harden-workspace.sh --fix # 修复工作区问题
- 2. 从模板向AGENTS.md添加安全规则
- 3. 安装新技能前:
bash
./scripts/install-guard.sh /path/to/new-skill/
- 4. 定期检查(添加到心跳或cron任务):
bash
./scripts/integrity-check.sh # 检测篡改
./scripts/scan-skills.sh # 重新扫描新模式
