Security scanner for OpenClaw AI agent installations
Project description
ClawGuard
Security scanner for OpenClaw AI agent installations.
OpenClaw ships with dangerous defaults: sandbox disabled, plaintext API keys in config files, gateway exposed to LAN, and a skills marketplace with 341 known malicious packages. CVE-2026-25253 allows 1-click remote code execution on unpatched installations.
ClawGuard scans your local OpenClaw setup, flags every vulnerability with severity ratings, and auto-fixes the most common issues. Think npm audit for your AI agent.
Why ClawGuard?
A default OpenClaw install scores 0/100 on our security checks:
- Sandbox mode is OFF - agents execute commands directly on your host
- API keys are stored in plaintext in
~/.openclaw/openclaw.json - Gateway binds to LAN instead of loopback
- No exec allowlisting - any tool call runs unrestricted
- Skills from ClawHub run with whatever permissions they request
- Session transcripts can leak credentials into
.jsonllogs
Most users don't know this. ClawGuard tells them exactly what's wrong and how to fix it.
Install
pip install clawguard
Or with pipx (recommended for CLI tools):
pipx install clawguard
Quick Start
# Scan your OpenClaw installation (auto-detects ~/.openclaw/)
clawguard scan
# Auto-fix common security issues
clawguard fix
# Verify fixes
clawguard scan
Example Output
ClawGuard v0.1.0 - OpenClaw Security Scanner
Scanning /home/user/.openclaw/ ...
CRITICAL Plaintext API keys found in configuration
openclaw.json: Anthropic API key (sk-ant-...) on line 14
openclaw.json: OpenAI API key (sk-proj-...) on line 18
credentials/profiles.json: Telegram bot token on line 7
Fix: Use environment variables: "apiKey": "${ANTHROPIC_API_KEY}"
CRITICAL Sandbox mode is disabled
agents.defaults.sandbox.mode = "off"
Fix: Set sandbox.mode to "all" in openclaw.json
CRITICAL Gateway bound to LAN
gateway.bind = "lan" (should be "loopback")
Fix: Set gateway.bind to "loopback" in openclaw.json
HIGH Weak gateway auth token
Token length: 4 characters (minimum: 32)
Fix: openssl rand -hex 32
HIGH Commands execute on host, not in sandbox
tools.exec.host = "gateway"
Fix: Set to "sandbox" in openclaw.json
MEDIUM Log redaction not enabled
Fix: Set logging.redactSensitive to "tools" in openclaw.json
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Score: 0/100 CRITICAL RISK
Found: 3 critical, 2 high, 1 medium, 0 info
Run clawguard fix to auto-fix 6 issues
After running clawguard fix:
Score: 85/100 GOOD
Found: 0 critical, 0 high, 0 medium, 3 info
CLI Reference
# Full scan (auto-detects ~/.openclaw/, ~/.clawdbot/, ~/.moltbot/)
clawguard scan
# Scan a specific directory
clawguard scan --path /path/to/openclaw
# JSON output for CI/CD pipelines
clawguard scan --format json
# Run only specific check categories
clawguard scan --check credentials --check gateway --check sandbox
# Auto-fix common issues
clawguard fix
clawguard fix --path /path/to/openclaw
# Show version
clawguard version
Available Check Categories
credentials gateway sandbox permissions version skills memory
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Scan passed, no critical issues |
| 1 | Error (path not found, invalid args) |
| 2 | Critical issues found |
Security Checks
25+ checks across 7 categories:
| Category | Checks | Severity |
|---|---|---|
| Credentials | Plaintext API keys in config, .env, .bak files, session transcripts, log redaction settings |
CRITICAL |
| Gateway | Bind address (loopback vs LAN), auth token strength, port exposure on 0.0.0.0 | CRITICAL |
| Sandbox | Sandbox mode, Docker availability, network isolation, exec host, exec allowlisting | CRITICAL |
| Version | OpenClaw version against CVE-2026-25253 (RCE) and CVE-2026-21636, Node.js version | CRITICAL |
| Skills | Malicious patterns, C2 IPs, typosquatted publishers, permission analysis, suspicious binaries | CRITICAL |
| Permissions | Directory (700) and file (600) permissions on sensitive configs and credentials | HIGH |
| Memory | SOUL.md/MEMORY.md injection detection, credential leaks in daily logs | HIGH |
Credential Patterns
Detects 17+ key formats: sk-ant- (Anthropic), sk-proj- (OpenAI), gsk_ (Groq), xai- (xAI), AKIA (AWS), ghp_/gho_ (GitHub), glpat- (GitLab), xoxb-/xoxp- (Slack), Telegram bot tokens, Discord tokens, sk_live_ (Stripe), OpenRouter, Google AI, and generic Bearer tokens.
Malicious Skill Detection
- Remote code execution patterns (
curl | sh,wget | bash) - Base64-encoded payloads over 50 characters
- Known C2 IP addresses from the ClawHavoc campaign
- References to paste services (glot.io, pastebin.com, hastebin)
- Typosquatted ClawHub publisher names
- Suspicious binary requirements (
nc,ncat,netcat,nmap,socat) - Excessive permission requests (exec + sensitive_data + filesystem write)
- Password-protected archive downloads
Auto-Fix
clawguard fix remediates these issues automatically:
| Issue | Fix Applied |
|---|---|
| Wrong file permissions | chmod 700 dirs, chmod 600 config files |
| Sandbox disabled | Sets sandbox.mode to "all" |
| No Docker network isolation | Sets docker.network to "none" |
| Exec runs on host | Sets tools.exec.host to "sandbox" |
| Log redaction off | Sets logging.redactSensitive to "tools" |
| Weak gateway token | Generates 64-character hex token |
.bak files with old creds |
Deletes backup files |
CI/CD Integration
ClawGuard returns exit code 2 when critical issues are found:
# GitHub Actions
- name: OpenClaw security scan
run: |
pip install clawguard
clawguard scan --format json > security-report.json
clawguard scan
# GitLab CI
security_scan:
script:
- pip install clawguard
- clawguard scan --format json --path $OPENCLAW_DIR
allow_failure: false
Scoring
Starts at 100, deducted per finding:
| Severity | Points Deducted |
|---|---|
| CRITICAL | -20 |
| HIGH | -10 |
| MEDIUM | -5 |
| INFO | 0 |
| Score Range | Rating |
|---|---|
| 81-100 | Good |
| 61-80 | Fair |
| 31-60 | Poor |
| 0-30 | Critical Risk |
Development
git clone https://github.com/vman7250/clawguard.git
cd clawguard
pip install -e .
# Test against insecure fixture
clawguard scan --path tests/fixtures/
# Test against secure fixture
clawguard scan --path tests/fixtures/secure_config.json
Contributing
Contributions welcome. Please open an issue first to discuss what you'd like to change.
- Fork the repo
- Create a feature branch (
git checkout -b feature/new-check) - Add tests for new checks in
tests/ - Submit a PR
Security
If you find a security vulnerability in ClawGuard itself, please report it privately via GitHub Security Advisories instead of opening a public issue.
License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file clawguard-0.1.0.tar.gz.
File metadata
- Download URL: clawguard-0.1.0.tar.gz
- Upload date:
- Size: 17.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: Hatch/1.16.3 cpython/3.12.7 HTTPX/0.28.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0e59b8ceb35f3402f1ee89efba0fc15124361aeb442db12baeadd89c81485e11
|
|
| MD5 |
fb12a1972821b54c706588293c33eec2
|
|
| BLAKE2b-256 |
d438d92781be215273d53671a97296eda338a5bbf41ff4a99d4aa6e24e39cdb5
|
File details
Details for the file clawguard-0.1.0-py3-none-any.whl.
File metadata
- Download URL: clawguard-0.1.0-py3-none-any.whl
- Upload date:
- Size: 22.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: Hatch/1.16.3 cpython/3.12.7 HTTPX/0.28.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2aaff5aa2248f3b1b0089510eef48c5a4f9ae8776f19e37d26e26293dbbfc9b2
|
|
| MD5 |
f150ff09785ac2b6f02e484a8b5b92ce
|
|
| BLAKE2b-256 |
73bd6cecdd22e34fd5a83098235dc8ef2c0cc677febb86c4c15c908415fa6340
|
