Security Scanner
Run a local security assessment on any OpenClaw installation.
Usage
The skill provides a bash script that scans your OpenClaw setup and reports findings with severity levels.
Quick scan (read-only)
```bash
bash $(dirname $0)/oc-security-scan.sh
```
Auto-fix issues
```bash
bash $(dirname $0)/oc-security-scan.sh --fix
```
Save a report
```bash
bash $(dirname $0)/oc-security-scan.sh --report
```
JSON output
```bash
bash $(dirname $0)/oc-security-scan.sh --json
```
What It Checks
- OpenClaw Configuration — bind address, token strength, config permissions, exec security mode
- Network Exposure — listening ports, firewall status, public interface exposure
- Credential Hygiene — plaintext secrets, file permissions, .gitignore patterns
- OS Hardening — disk encryption, auto-updates, OS version, root usage
- Agent Guardrails — RULES.md, memory file permissions, safety constraints
Output
Color-coded terminal output with severity levels:
- 🔴 CRITICAL — immediate action required
- 🟡 WARNING — should be addressed
- 🟢 PASS — looks good
- ⚪ INFO — informational
Ends with a security score out of 100 (A-F grade).
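As an added illustration (not the skill's own oc-security-scan.sh), the shell below sketches how three of the OpenClaw Configuration checks and the score described above could be implemented. The key=value config layout, the penalty per severity and the A-F thresholds are assumptions, not the scanner's actual logic.

```bash
#!/usr/bin/env bash
# Added illustration, not the skill's own oc-security-scan.sh: three hypothetical
# checks from the "OpenClaw Configuration" category plus an assumed scoring scale
# (25 points per CRITICAL, 10 per WARNING, A>=90 B>=80 C>=70 D>=60 else F).
# Each check prints exactly one severity word: PASS, WARNING or CRITICAL.
check_bind_address() {
  # Binding to all interfaces exposes the gateway beyond the local machine.
  case "$1" in
    127.0.0.1|localhost|::1) echo PASS ;;
    0.0.0.0|::|"")           echo CRITICAL ;;
    *)                       echo WARNING ;;   # some other address: review it
  esac
}
check_token_strength() {
  # Empty or placeholder tokens are critical; short tokens are merely weak.
  if [ -z "$1" ] || [ "$1" = "changeme" ]; then echo CRITICAL
  elif [ "${#1}" -lt 32 ]; then echo WARNING
  else echo PASS; fi
}
check_config_perms() {
  # A config file holding the token must not be group- or world-readable.
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU, then BSD stat
  case "$mode" in 600|400) echo PASS ;; *) echo CRITICAL ;; esac
}
severity_penalty() {
  case "$1" in CRITICAL) echo 25 ;; WARNING) echo 10 ;; *) echo 0 ;; esac
}
# Score out of 100, floored at 0, from any number of severity words.
score_findings() {
  total=100
  for s in "$@"; do total=$(( total - $(severity_penalty "$s") )); done
  if [ "$total" -lt 0 ]; then total=0; fi
  echo "$total"
}
grade_for() {
  if   [ "$1" -ge 90 ]; then echo A; elif [ "$1" -ge 80 ]; then echo B
  elif [ "$1" -ge 70 ]; then echo C; elif [ "$1" -ge 60 ]; then echo D
  else echo F; fi
}
# Constructed demo: a key=value config (not a real OpenClaw file) in a temp file.
demo_scan() {
  f=$(mktemp); chmod 600 "$f"; printf 'bind=0.0.0.0\ntoken=changeme\n' > "$f"
  r1=$(check_bind_address "$(sed -n 's/^bind=//p' "$f")")
  r2=$(check_token_strength "$(sed -n 's/^token=//p' "$f")")
  r3=$(check_config_perms "$f"); rm -f "$f"
  total=$(score_findings "$r1" "$r2" "$r3")
  echo "bind=$r1 token=$r2 perms=$r3 score=$total grade=$(grade_for "$total")"
}
```

Running `demo_scan` on the constructed config reports two CRITICAL findings, a PASS on permissions, a score of 50 and grade F.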
Security Philosophy
- Local only — zero external network calls, nothing phones home
- Read-only by default — only modifies files when --fix is explicitly passed
- Owner-operated — designed to be run by the OpenClaw owner on their own machine
- No dependencies — standard unix tools + openclaw CLI only