Security Hardener
Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permiss...
# Security Hardener
Audit your OpenClaw configuration and apply security best practices automatically.
Quick Start
```bash
# Full security audit (read-only, no changes)
python scripts/hardener.py audit

# Audit a specific config file
python scripts/hardener.py audit --config /path/to/openclaw.json

# Audit with JSON output
python scripts/hardener.py audit -f json

# Auto-fix issues (creates backup first)
python scripts/hardener.py fix

# Fix specific issues only
python scripts/hardener.py fix --only gateway,permissions

# Scan for exposed credentials in config
python scripts/hardener.py scan-secrets

# Generate a security report
python scripts/hardener.py report -o security-report.md

# Check file permissions
python scripts/hardener.py check-perms
```
Commands
| Command | Args | Description |
|---------|------|-------------|
| `audit` | `[--config PATH] [-f FORMAT]` | Full security audit (read-only) |
| `fix` | `[--config PATH] [--only CHECKS]` | Auto-fix issues (with backup) |
| `scan-secrets` | `[--config PATH]` | Scan for exposed API keys/tokens |
| `report` | `[-o FILE]` | Generate detailed security report |
| `check-perms` | `[--config-dir PATH]` | Check file permissions |
Security Checks
| Check | Severity | Description |
|-------|----------|-------------|
| `gateway-bind` | CRITICAL | Gateway not bound to loopback |
| `exposed-keys` | CRITICAL | API keys in config instead of .env |
| `insecure-auth` | HIGH | `allowInsecureAuth` or `dangerouslyDisableDeviceAuth` enabled |
| `exec-sandbox` | HIGH | exec sandbox mode not set to restricted |
| `file-perms` | HIGH | Config files readable by others (not 600) |
| `agent-allow-all` | MEDIUM | `agentToAgent.allow: ["*"]` is overly permissive |
| `no-heartbeat` | MEDIUM | No heartbeat configured (can't detect outages) |
| `no-session-reset` | MEDIUM | No session reset policy (memory leak risk) |
| `no-pruning` | LOW | No context pruning (cost and performance impact) |
| `no-memory-flush` | LOW | Memory flush disabled (context loss on pruning) |
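To make three of these checks concrete (`file-perms`, `insecure-auth`, `agent-allow-all`), here is an added sketch; it is not the skill's `hardener.py`. The page does not give the openclaw.json schema, so the code looks for the documented key names at any depth, and the nesting in the sample config is constructed for the demo.

```python
import json
import os
import stat
import tempfile

# Flag names taken from the Security Checks table above.
INSECURE_FLAGS = ("allowInsecureAuth", "dangerouslyDisableDeviceAuth")

def walk(node, path=""):
    """Yield (dotted_path, key, value) for every key in nested JSON data."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            yield here, key, value
            yield from walk(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")

def audit(config_path):
    """Return (check, severity, detail) findings; never modifies the file."""
    findings = []
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if mode & 0o077:  # any group/other permission bit means "not 600"
        findings.append(("file-perms", "HIGH", f"mode {mode:o}, expected 600"))
    with open(config_path) as fh:
        cfg = json.load(fh)
    for path, key, value in walk(cfg):
        if key in INSECURE_FLAGS and value is True:
            findings.append(("insecure-auth", "HIGH", path))
        if (path.endswith("agentToAgent.allow")
                and isinstance(value, list) and "*" in value):
            findings.append(("agent-allow-all", "MEDIUM", path))
    return findings

def demo():
    """Audit a constructed config at mode 644, then again at mode 600."""
    # Constructed sample: the parent keys are placeholders, not the real schema.
    sample = {"gateway": {"auth": {"allowInsecureAuth": True}},
              "agents": {"agentToAgent": {"allow": ["*"]}}}
    with tempfile.TemporaryDirectory() as tmp:
        cfg_path = os.path.join(tmp, "openclaw.json")
        with open(cfg_path, "w") as fh:
            json.dump(sample, fh)
        os.chmod(cfg_path, 0o644)
        loose = audit(cfg_path)
        os.chmod(cfg_path, 0o600)
        tight = audit(cfg_path)
    return loose, tight
```

Tightening the mode to 600 clears only the `file-perms` finding; the two config-level findings remain until the settings themselves change.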
Scoring
The audit produces a security score from 0-100:
- 90-100: Excellent — production-ready
- 70-89: Good — minor improvements recommended
- 50-69: Fair — several issues to address
- 0-49: Poor — critical issues require immediate attention
Example Output
```
╔══════════════════════════════════════════════════╗
║             OPENCLAW SECURITY AUDIT              ║
╠══════════════════════════════════════════════════╣
║ Score: 75/100 (Good)                             ║
║                                                  ║
║ ✅ Gateway bound to loopback                     ║
║ ✅ No exposed API keys in config                 ║
║ ⚠️ exec sandbox mode: unrestricted               ║
║ ⚠️ agentToAgent allow: * (too permissive)        ║
║ ❌ File permissions too open (644 → should be 600) ║
║ ✅ Heartbeat configured                          ║
║ ✅ Session reset policy active                   ║
║ ⚠️ No context pruning configured                 ║
╚══════════════════════════════════════════════════╝
```
Use Cases
- Audit OpenClaw configuration files for security vulnerabilities with a scored report
- Auto-fix insecure settings like exposed API keys, loose file permissions, and permissive agent rules
- Scan openclaw.json for hardcoded credentials and API tokens that should be in .env files
- Generate detailed security reports in Markdown format for team review
- Check file permissions to ensure config files are not world-readable
Pros & Cons
Pros
- Quantified security scoring (0-100) makes it easy to track improvement over time
- Auto-fix mode creates backups before making changes, reducing risk of breaking configs
- Covers both critical (exposed keys, gateway binding) and operational (heartbeat, pruning) security aspects
Cons
- OpenClaw-specific — not applicable to other AI agent platforms or general security auditing
- Python-based script requires Python runtime on the host machine