Oc Security Hardener

mariusfit/oc-security-hardener

Installation

clawhub install mariusfit/oc-security-hardener

Summary

Audit your OpenClaw configuration and apply security best practices automatically.

SKILL.md

Security Hardener

Audit your OpenClaw configuration and apply security best practices automatically.

Quick Start

bash
# Full security audit (read-only, no changes)
python scripts/hardener.py audit

# Audit a specific config file
python scripts/hardener.py audit --config /path/to/openclaw.json

# Audit with JSON output
python scripts/hardener.py audit -f json

# Auto-fix issues (creates backup first)
python scripts/hardener.py fix

# Fix specific issues only
python scripts/hardener.py fix --only gateway,permissions

# Scan for exposed credentials in config
python scripts/hardener.py scan-secrets

# Generate a security report
python scripts/hardener.py report -o security-report.md

# Check file permissions
python scripts/hardener.py check-perms

Commands

CommandArgsDescription
audit[--config PATH] [-f FORMAT]Full security audit (read-only)
fix[--config PATH] [--only CHECKS]Auto-fix issues (with backup)
scan-secrets[--config PATH]Scan for exposed API keys/tokens
report[-o FILE]Generate detailed security report
check-perms[--config-dir PATH]Check file permissions

Security Checks

CheckSeverityDescription
gateway-bindCRITICALGateway not bound to loopback
exposed-keysCRITICALAPI keys in config instead of .env
insecure-authHIGHallowInsecureAuth or dangerouslyDisableDeviceAuth enabled
exec-sandboxHIGHexec sandbox mode not set to restricted
file-permsHIGHConfig files readable by others (not 600)
agent-allow-allMEDIUMagentToAgent.allow: ["*"] is overly permissive
no-heartbeatMEDIUMNo heartbeat configured (can't detect outages)
no-session-resetMEDIUMNo session reset policy (memory leak risk)
no-pruningLOWNo context pruning (cost and performance impact)
no-memory-flushLOWMemory flush disabled (context loss on pruning)

Scoring

The audit produces a security score from 0-100:

  • 90-100: Excellent — production-ready
  • 70-89: Good — minor improvements recommended
  • 50-69: Fair — several issues to address
  • 0-49: Poor — critical issues require immediate attention

Example Output

text
╔══════════════════════════════════════════════════╗
║  OPENCLAW SECURITY AUDIT                         ║
╠══════════════════════════════════════════════════╣
║  Score: 75/100 (Good)                            ║
║                                                  ║
║  ✅ Gateway bound to loopback                    ║
║  ✅ No exposed API keys in config                ║
║  ⚠️  exec sandbox mode: unrestricted             ║
║  ⚠️  agentToAgent allow: * (too permissive)      ║
║  ❌ File permissions too open (644 → should be 600) ║
║  ✅ Heartbeat configured                         ║
║  ✅ Session reset policy active                   ║
║  ⚠️  No context pruning configured               ║
╚══════════════════════════════════════════════════╝

Recommended skills

Browse all →