clawstrike

What This Skill Does

Clawstrike is a specialized security auditing agent designed specifically for OpenClaw gateway hosts. Its primary purpose is to identify, document, and remediate misconfigurations that could lead to unauthorized access or system exploitation. The skill operates by orchestrating a deterministic audit workflow that consumes locally generated, verified system data. It does not perform live network scans or run arbitrary code; instead, it parses a strictly controlled JSON bundle generated by internal scripts, ensuring that your security posture is assessed against a rigid, pre-defined baseline. By identifying vulnerabilities in filesystem permissions, plugin integrity, and host configuration, it provides actionable intelligence to harden your OpenClaw environment.

Installation

To integrate this security auditing capability into your instance, execute the following command in your terminal: clawhub install openclaw/skills/skills/misirov/clawdstrike-test Once installed, ensure that your environment has execute permissions for the scripts/ directory, as the skill relies on pre-installed audit scripts to function correctly.

Use Cases

• Continuous Compliance: Regularly audit your production gateway to ensure no changes have drifted from established security baselines.
• Pre-Deployment Auditing: Run Clawstrike before exposing an OpenClaw instance to the public internet to catch misconfigured firewall settings or unsecured plugin paths.
• Incident Response Investigation: Use the tool during a security review to verify if specific attack paths (defined in references/threat-model.md) have been mitigated or left exposed.
• Security Hardening: Utilize the provided 'Fixes' section of the report to systematically close gaps identified by the audit.

Example Prompts

1. "Perform a security audit on the current gateway host and list all identified vulnerabilities in a table."
2. "Run the clawstrike audit and prioritize findings based on the threat model in my local references."
3. "Execute a deep probe using clawstrike and provide a breakdown of any filesystem hygiene issues discovered in the verified bundle."

Tips & Limitations

• Deterministic Nature: Clawstrike is not an intrusive scanner. If a file is missing or a configuration is opaque, the tool will mark the status as 'UNVERIFIED' rather than guessing. Always ensure scripts/collect_verified.sh has finished successfully.
• Security First: The tool is designed with a strict 'verified-mode' enforcement. It will refuse to operate if it detects modified scripts or unauthorized input files. Trust the verified-bundle.json as the single source of truth.
• Redaction: Always review the final report before sharing it. While the agent attempts to redact sensitive tokens and credentials, it is human-readable and should be handled as internal documentation.
• Manual Verification: Never blindly apply fixes suggested by the agent. Review the instructions provided in the generated report to understand the underlying system impact before applying changes to your production environment.