security-hardener
Audit and harden OpenClaw configuration for security. Scans openclaw.json for vulnerabilities, exposed credentials, insecure gateway settings, overly permissive exec rules, and missing security best practices. Use when asked to audit security, harden configuration, check for vulnerabilities, or secure an OpenClaw deployment.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/mariusfit/oc-security-hardenerSecurity Hardener
Audit your OpenClaw configuration and apply security best practices automatically.
Quick Start
# Full security audit (read-only, no changes)
python scripts/hardener.py audit
# Audit a specific config file
python scripts/hardener.py audit --config /path/to/openclaw.json
# Audit with JSON output
python scripts/hardener.py audit -f json
# Auto-fix issues (creates backup first)
python scripts/hardener.py fix
# Fix specific issues only
python scripts/hardener.py fix --only gateway,permissions
# Scan for exposed credentials in config
python scripts/hardener.py scan-secrets
# Generate a security report
python scripts/hardener.py report -o security-report.md
# Check file permissions
python scripts/hardener.py check-perms
Commands
| Command | Args | Description |
|---|---|---|
audit | [--config PATH] [-f FORMAT] | Full security audit (read-only) |
fix | [--config PATH] [--only CHECKS] | Auto-fix issues (with backup) |
scan-secrets | [--config PATH] | Scan for exposed API keys/tokens |
report | [-o FILE] | Generate detailed security report |
check-perms | [--config-dir PATH] | Check file permissions |
Security Checks
| Check | Severity | Description |
|---|---|---|
gateway-bind | CRITICAL | Gateway not bound to loopback |
exposed-keys | CRITICAL | API keys in config instead of .env |
insecure-auth | HIGH | allowInsecureAuth or dangerouslyDisableDeviceAuth enabled |
exec-sandbox | HIGH | exec sandbox mode not set to restricted |
file-perms | HIGH | Config files readable by others (not 600) |
agent-allow-all | MEDIUM | agentToAgent.allow: ["*"] is overly permissive |
no-heartbeat | MEDIUM | No heartbeat configured (can't detect outages) |
no-session-reset | MEDIUM | No session reset policy (memory leak risk) |
no-pruning | LOW | No context pruning (cost and performance impact) |
no-memory-flush | LOW | Memory flush disabled (context loss on pruning) |
Scoring
The audit produces a security score from 0-100:
- 90-100: Excellent — production-ready
- 70-89: Good — minor improvements recommended
- 50-69: Fair — several issues to address
- 0-49: Poor — critical issues require immediate attention
Example Output
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-mariusfit-oc-security-hardener": {
"enabled": true,
"auto_update": true
}
}
}Related Skills
content-repurposer
Repurpose any blog post or article into multiple social media formats. Input a URL or text, get X/Twitter thread, LinkedIn post, Instagram caption, email snippet, and summary. Use when asked to repurpose content, create social posts from an article, turn a blog into tweets, or generate multi-platform content.
whatsapp-faq-bot
Build and query a FAQ knowledge base from markdown files. Use when asked to create a FAQ bot, set up automatic answers, build a knowledge base, add FAQ entries, search FAQs, or answer common questions from a knowledge base. Perfect for WhatsApp business bots.
smart-web-scraper
Extract structured data from any web page. Supports CSS selectors, auto-detection of tables and lists, JSON/CSV output formats. Use when asked to scrape a website, extract data from a page, pull product info, gather contact details, or collect listings from a URL.
daily-business-report
Generate daily business briefings from multiple data sources. Aggregates weather, crypto prices, news headlines, system health, and calendar events into a formatted morning report. Use when asked to create a daily report, morning briefing, business summary, or status dashboard.