fusae/openclaw-doctor
OpenClaw Doctor

Security audit and hardening skill for OpenClaw installations, covering network exposure, permissions, sandboxing, plugins, and host-level risks.

What It Does

claw-doctor is an OpenClaw skill bundle that inspects a local or self-hosted OpenClaw installation and produces a prioritized hardening report.

It combines:

  • Official openclaw security audit findings when available
  • Host-level checks that the official audit may not fully cover
  • Concrete remediation guidance for reducing exposure

What It Checks

  • OpenClaw installation, version, config file, and state directory
  • openclaw security audit --deep --json
  • openclaw secrets audit --json
  • openclaw plugins list --json
  • Gateway bind mode, auth mode, and port exposure
  • mDNS / Bonjour discovery posture
  • Sandbox mode and workspace access
  • Elevated exec and broad tool profiles
  • Live listening sockets and Docker-published ports
  • State directory, config, credentials, approvals, and session file permissions
  • Reverse proxy / TLS terminator heuristics
  • Tailscale / SSH tunnel / cloudflared-style private access heuristics
  • Host firewall activity heuristics
  • Auto-start persistence (launch agents, systemd units, and similar), checked when higher-risk findings are present, since a persisted service keeps an exposed gateway alive across reboots
  • Plaintext API keys or OpenClaw secrets in shell startup files
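The host-level checks above are the kind of evidence the report is built from. The following is an added example, not code from this README or from the project's audit_openclaw_host.py: it reproduces three of those checks (gateway bind/auth classification, state-directory permission bits, and credential-looking literals in a shell startup file) over input constructed inside the block, so it runs offline on a POSIX host. The bind and auth_mode values, the severity levels, and the file names in the temporary state directory are assumptions for illustration, not OpenClaw's real configuration schema.

```python
"""Host-level checks of the kind claw-doctor reports, run over constructed input.

Added example for this README, not the project's own audit script. The `bind`
and `auth_mode` values, the severity levels, the temporary state directory and
the shell snippet are all assumptions constructed here (POSIX mode bits only).
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    severity: str  # high, medium, low, info
    check: str
    detail: str


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# NAME=value lines whose name looks like a credential. Only literal values are
# plaintext; values taken from another variable or a command substitution are not.
SECRET_ASSIGNMENT = re.compile(
    r'^[ \t]*(?:export[ \t]+)?([A-Z0-9_]*(?:API_KEY|TOKEN|SECRET)[A-Z0-9_]*)'
    r'=(["\']?)(\S+?)\2[ \t]*$',
    re.MULTILINE,
)


def classify_gateway(bind: str, auth_mode: str) -> Finding:
    """Rank a (hypothetical) bind address / auth mode pair by blast radius."""
    exposed = bind not in LOOPBACK
    if exposed and auth_mode == "none":
        return Finding("high", "gateway-exposure",
                       f"gateway bound to {bind} with no authentication")
    if exposed:
        return Finding("medium", "gateway-exposure",
                       f"gateway bound to {bind}; only auth_mode={auth_mode} protects it")
    if auth_mode == "none":
        return Finding("low", "gateway-exposure",
                       "loopback-only gateway without auth: any local user can drive it")
    return Finding("info", "gateway-exposure", "loopback-only gateway with authentication")


def check_permissions(state_dir: str) -> List[Finding]:
    """Flag the state directory and anything under it with group/other mode bits."""
    entries = [(state_dir, True)]
    for root, dirs, files in os.walk(state_dir):
        entries += [(os.path.join(root, d), True) for d in dirs]
        entries += [(os.path.join(root, f), False) for f in files]
    findings = []
    for path, is_dir in entries:
        mode = stat.S_IMODE(os.lstat(path).st_mode)  # lstat: do not follow symlinks
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(Finding("medium" if is_dir else "high", "permissions",
                                    f"{path} is mode {mode:03o}; group/other bits set"))
    return findings


def check_shell_startup(text: str, source: str) -> List[Finding]:
    """Find credential-looking variables assigned a literal value in a startup file."""
    findings = []
    for match in SECRET_ASSIGNMENT.finditer(text):
        name, _quote, value = match.groups()
        if value.startswith(("$", "`")):
            continue  # indirection, not a plaintext secret
        # Report the variable, never the secret itself.
        findings.append(Finding("high", "plaintext-secret",
                                f"{source}: {name} holds a literal value starting {value[:3]}..."))
    return findings


def prioritized(findings: List[Finding]) -> List[Finding]:
    """Order findings by severity, keeping check order within a severity (stable sort)."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def demo() -> List[Finding]:
    """Run the three checks over constructed input and return the ranked findings."""
    state_dir = tempfile.mkdtemp(prefix="openclaw-state-")  # mkdtemp creates it 0700
    for name, mode in (("credentials.json", 0o644), ("openclaw.json", 0o600)):
        path = os.path.join(state_dir, name)
        open(path, "w").close()
        os.chmod(path, mode)  # explicit, so the umask does not affect the result
    zshrc = (  # constructed ~/.zshrc content
        'export OPENAI_API_KEY="sk-constructed-example"\n'  # literal: flagged
        "export GH_TOKEN=$(pass show github)\n"              # command substitution: not flagged
        "export OPENCLAW_TOKEN=$VAULT_OPENCLAW_TOKEN\n"      # indirection: not flagged
        "PATH=/usr/local/bin:$PATH\n"
    )
    findings = [classify_gateway("0.0.0.0", "none")]
    findings += check_permissions(state_dir)
    findings += check_shell_startup(zshrc, "~/.zshrc")
    return prioritized(findings)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity:<6}] {f.check}: {f.detail}")
```

Two points worth keeping when adapting this: the permission check uses lstat so a symlink planted in the state directory cannot redirect the walk, and the secret scan reports only the variable name and a short prefix, so the audit output itself does not become another copy of the credential.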

Repository Layout

claw-doctor/
  SKILL.md
  references/remediation-matrix.md
  scripts/audit_openclaw_host.py

Install

Local install

Copy the claw-doctor folder into your OpenClaw skills directory:

cp -R claw-doctor ~/.openclaw/skills/

Or place it in a workspace-specific skills/ directory:

mkdir -p ./skills
cp -R claw-doctor ./skills/

OpenClaw picks up skills from ~/.openclaw/skills and <workspace>/skills.

ClawHub install

After publishing to ClawHub, users can install it with:

clawhub install claw-doctor

Publish

Publish this skill bundle to ClawHub:

clawhub publish ./claw-doctor --slug claw-doctor --name "Claw Doctor" --version 0.1.0 --tags latest

Use

From OpenClaw, invoke the skill by name or ask for an OpenClaw security review.

You can also run the bundled audit script directly:

python3 ./claw-doctor/scripts/audit_openclaw_host.py

JSON output:

python3 ./claw-doctor/scripts/audit_openclaw_host.py --format json

Output

The audit reports:

  1. Detection summary
  2. Findings ordered by severity
  3. Concrete hardening recommendations
  4. Commands that would mutate the host, when relevant, listed for review rather than executed

Design Rules

  • Read-only inspection first
  • No automatic --fix execution
  • Prioritize blast-radius reduction
  • Avoid duplicating official audit findings unless host evidence adds value

Limits

  • Reverse proxy, tunnel, and firewall checks are heuristics
  • The skill does not auto-remediate unless explicitly asked
  • Some checks depend on the local platform and available commands
