Skip to content

henrygg08/clawguard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

🛡️ ClawGuard

Security scanner that audits OpenClaw installations for vulnerabilities, misconfigurations, and malicious skills.

Why

  • 17,500+ OpenClaw instances exposed on the public internet
  • CVE-2026-25253 (CVSS 8.8) — one-click RCE via crafted skill payload
  • CVE-2026-26322 (CVSS 7.5) — WebSocket hijack via localhost binding
  • ~900 malicious skills spotted in ClawHub
  • Most users don't know they're vulnerable

ClawGuard gives you a full security audit in one command.

Install

npm install -g clawguard

Or run without installing:

npx clawguard scan

Usage

Full scan

clawguard scan

JSON output (for CI/CD)

clawguard scan --json

Run specific checks

clawguard scan --check version config
clawguard scan --check ports skills

CI/CD integration

ClawGuard exits with code 1 if any FAIL findings are detected:

# GitHub Actions example
- name: Security scan
  run: npx clawguard scan

What it checks

Check What it does
Version Detects your OpenClaw version and checks against known CVEs
Config Scans config files for exposed tokens, weak auth, insecure bindings
Ports Checks if OpenClaw ports (3000, 443, 80, etc.) are publicly exposed
Skills Scans installed skills for suspicious patterns, obfuscated code, known-bad skills

Every finding includes a remediation step — not just "you're vulnerable" but "here's how to fix it."

Example output

  🛡️  ClawGuard v0.1.0 — OpenClaw Security Scanner
  ─────────────────────────────────────────────

  ▸ Version Check
    ✔ PASS  OpenClaw version detected: 2.5.1
    ✔ PASS  Not affected by CVE-2026-25253
    ✔ PASS  Not affected by CVE-2026-26322

  ▸ Config Audit
    ✔ PASS  Config found: /home/user/.openclaw/config.json
    ✗ FAIL  Exposed OpenAI API key in config
    ✗ FAIL  Authentication is not enabled

  ▸ Port Exposure
    ✗ FAIL  Port 3000 (OpenClaw Gateway) — exposed on all interfaces
    ✔ PASS  Port 443 (HTTPS) — not listening

  ▸ Skill Scan
    ⚠ WARN  Skill "custom-tool" — 2 suspicious pattern(s)
    ✔ PASS  Scanned 12 skill(s), 1 with issues

  ─────────────────────────────────────────────
  Summary: 6 passed  1 warnings  3 failed  (1.2s)

  📋 Remediation Steps:

    ✗ Exposed OpenAI API key in config
      → Move secrets to environment variables or a .env file.

    ✗ Authentication is not enabled
      → Enable auth: openclaw config set auth.enabled true

    ✗ Port 3000 (OpenClaw Gateway) — exposed on all interfaces
      → Bind to localhost: openclaw config set gateway.bind 127.0.0.1

Requirements

  • Node.js 18+
  • OpenClaw installed (for version detection)

License

MIT

About

Security scanner that audits OpenClaw installations for vulnerabilities, misconfigurations, and malicious skills

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages