clawdbot-security-checkPerform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Install via ClawdBot CLI:
clawdbot install TheSethRose/clawdbot-security-checkInstall security audit skill:
Install security audit skillThis skill empowers Clawdbot to audit its own security posture using first-principles reasoning. Rather than relying on a static script, Clawdbot learns the framework and applies it dynamically to detect vulnerabilities, understand their impact, and recommend specific remediations.
"Security through transparency and self-awareness." — Inspired by ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ
Clawdbot should know its own attack surface. This skill embeds that knowledge directly.
Running an AI agent with shell access requires caution. Focus on three areas:
Start with the smallest access possible and widen it as you gain confidence.
Apply appropriate trust levels based on role:
| Level | Entity | Trust Model |
|-------|--------|-------------|
| 1 | Owner | Full trust — has all access |
| 2 | AI | Trust but verify — sandboxed, logged |
| 3 | Allowlists | Limited trust — only specified users |
| 4 | Strangers | No trust — blocked by default |
Use these commands to run security audits:
clawdbot security audit — Standard audit of common issuesclawdbot security audit --deep — Comprehensive audit with all checksclawdbot security audit --fix — Apply guardrail remediationsWhen auditing Clawdbot, systematically evaluate these domains:
What to check:
gateway.bind)gateway.auth_token or CLAWDBOT_GATEWAY_TOKEN env var)How to detect:
cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
env | grep CLAWDBOT_GATEWAY_TOKENVulnerability: Binding to 0.0.0.0 or lan without auth allows network access.
Remediation:
# Generate gateway token
clawdbot doctor --generate-gateway-token
export CLAWDBOT_GATEWAY_TOKEN="$(openssl rand -hex 32)"What to check:
dm_policy set to?allowlist, who is explicitly allowed via allowFrom?How to detect:
cat ~/.clawdbot/clawdbot.json | grep -E '"dm_policy|"allowFrom"'Vulnerability: Setting to allow or open means any user can DM Clawdbot.
Remediation:
{
"channels": {
"telegram": {
"dmPolicy": "allowlist",
"allowFrom": ["@trusteduser1", "@trusteduser2"]
}
}
}What to check:
groupPolicy set to?How to detect:
cat ~/.clawdbot/clawdbot.json | grep -E '"groupPolicy"|"groups"'
cat ~/.clawdbot/clawdbot.json | grep -i "mention"Vulnerability: Open group policy allows anyone in the room to trigger commands.
Remediation:
{
"channels": {
"telegram": {
"groupPolicy": "allowlist",
"groups": {
"-100123456789": true
}
}
}
}What to check:
Credential Storage Map:
| Platform | Path |
|----------|------|
| WhatsApp | ~/.clawdbot/credentials/whatsapp/{accountId}/creds.json |
| Telegram | ~/.clawdbot/clawdbot.json or env |
| Discord | ~/.clawdbot/clawdbot.json or env |
| Slack | ~/.clawdbot/clawdbot.json or env |
| Pairing allowlists | ~/.clawdbot/credentials/channel-allowFrom.json |
| Auth profiles | ~/.clawdbot/agents/{agentId}/auth-profiles.json |
| Legacy OAuth | ~/.clawdbot/credentials/oauth.json |
How to detect:
ls -la ~/.clawdbot/credentials/
ls -la ~/.clawdbot/agents/*/auth-profiles.json 2>/dev/null
stat -c "%a" ~/.clawdbot/credentials/oauth.json 2>/dev/nullVulnerability: Plaintext credentials with loose permissions can be read by any process.
Remediation:
chmod 700 ~/.clawdbot
chmod 600 ~/.clawdbot/credentials/oauth.json
chmod 600 ~/.clawdbot/clawdbot.jsonWhat to check:
How to detect:
cat ~/.clawdbot/clawdbot.json | grep -A5 '"browser"'
cat ~/.clawdbot/clawdbot.json | grep -i "controlUi|insecureAuth"
ls -la ~/.clawdbot/browser/Vulnerability: Exposed browser control without auth allows remote UI takeover. Browser access allows the model to use logged-in sessions.
Remediation:
{
"browser": {
"remoteControlUrl": "https://...",
"remoteControlToken": "...",
"dedicatedProfile": true,
"disableHostControl": true
},
"gateway": {
"controlUi": {
"allowInsecureAuth": false
}
}
}Security Note: Treat browser control URLs as admin APIs.
What to check:
gateway.bind set to?How to detect:
cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
cat ~/.clawdbot/clawdbot.json | grep '"tailscale"'Vulnerability: Public binding without auth allows internet access to gateway.
Remediation:
{
"gateway": {
"bind": "127.0.0.1",
"mode": "local",
"trustedProxies": ["127.0.0.1", "10.0.0.0/8"],
"tailscale": {
"mode": "off"
}
}
}What to check:
restrict_tools or mcp_tools configured?workspaceAccess set to?How to detect:
cat ~/.clawdbot/clawdbot.json | grep -i "restrict|mcp|elevated"
cat ~/.clawdbot/clawdbot.json | grep -i "workspaceAccess|sandbox"
cat ~/.clawdbot/clawdbot.json | grep -i "openRoom"Workspace Access Levels:
| Mode | Description |
|------|-------------|
| none | Workspace is off limits |
| ro | Workspace mounted read-only |
| rw | Workspace mounted read-write |
Vulnerability: Broad tool access means more blast radius if compromised. Smaller models are more susceptible to tool misuse.
Remediation:
{
"restrict_tools": true,
"mcp_tools": {
"allowed": ["read", "write", "bash"],
"blocked": ["exec", "gateway"]
},
"workspaceAccess": "ro",
"sandbox": "all"
}Model Guidance: Use latest generation models for agents with filesystem or network access. If using small models, disable web search and browser tools.
What to check:
How to detect:
stat -c "%a" ~/.clawdbot
ls -la ~/.clawdbot/*.jsonVulnerability: Loose permissions allow other users to read sensitive configs.
Remediation:
chmod 700 ~/.clawdbot
chmod 600 ~/.clawdbot/clawdbot.json
chmod 600 ~/.clawdbot/credentials/*What to check:
How to detect:
cat ~/.clawdbot/clawdbot.json | grep -i "plugin|allowlist"
cat ~/.clawdbot/clawdbot.json | grep -i "model|anthropic"Vulnerability: Untrusted plugins can execute code. Legacy models may lack modern safety.
Remediation:
{
"plugins": {
"allowlist": ["trusted-plugin-1", "trusted-plugin-2"]
},
"agents": {
"defaults": {
"model": {
"primary": "minimax/MiniMax-M2.1"
}
}
}
}What is logging.redactSensitive set to?
tools to redact sensitive tool outputoff, credentials may leak in logsHow to detect:
cat ~/.clawdbot/clawdbot.json | grep -i "logging|redact"
ls -la ~/.clawdbot/logs/Remediation:
{
"logging": {
"redactSensitive": "tools",
"path": "~/.clawdbot/logs/"
}
}What to check:
wrap_untrusted_content or untrusted_content_wrapper enabled?How to detect:
cat ~/.clawdbot/clawdbot.json | grep -i "untrusted|wrap"Prompt Injection Mitigation Strategies:
pairing or allowlistsVulnerability: Untrusted content (web fetches, sandbox output) can inject malicious prompts.
Remediation:
{
"wrap_untrusted_content": true,
"untrusted_content_wrapper": "<untrusted>",
"treatLinksAsHostile": true,
"mentionGate": true
}What to check:
blocked_commands?rm -rf, curl |, git push --force, mkfs, fork bombs?How to detect:
cat ~/.clawdbot/clawdbot.json | grep -A10 '"blocked_commands"'Vulnerability: Without blocking, a malicious prompt could destroy data or exfiltrate credentials.
Remediation:
{
"blocked_commands": [
"rm -rf",
"curl |",
"git push --force",
"mkfs",
":(){:|:&}"
]
}What to check:
.secrets.baseline file?How to detect:
ls -la .secrets.baseline 2>/dev/null
which detect-secrets 2>/dev/nullSecret Scanning (CI):
# Find candidates
detect-secrets scan --baseline .secrets.baseline
# Review findings
detect-secrets audit
# Update baseline after rotating secrets or marking false positives
detect-secrets scan --baseline .secrets.baseline --updateVulnerability: Leaked credentials in the codebase can lead to compromise.
The --fix flag applies these guardrails:
groupPolicy from open to allowlist for common channelslogging.redactSensitive from off to tools.clawdbot directory to 700, config files to 600Treat findings in this priority order:
| Mode | Description |
|------|-------------|
| pairing | Default - unknown senders must be approved via code |
| allowlist | Unknown senders blocked without handshake |
| open | Public access - requires explicit asterisk in allowlist |
| disabled | All inbound DMs ignored |
Slash commands are only available to authorized senders based on channel allowlists. The /exec command is a session convenience for operators and does not modify global config.
| Risk | Mitigation |
|------|------------|
| Execution of shell commands | blocked_commands, restrict_tools |
| File and network access | sandbox, workspaceAccess: none/ro |
| Social engineering and prompt injection | wrap_untrusted_content, mentionGate |
| Browser session hijacking | Dedicated profile, token auth, HTTPS |
| Credential leakage | logging.redactSensitive: tools, env vars |
If a compromise is suspected, follow these steps:
clawdbot daemon stop"bind": "127.0.0.1"disabledclawdbot doctor --generate-gateway-token~/.clawdbot/logs/clawdbot security audit --deepReport security issues to: security@clawd.bot
Do not post vulnerabilities publicly until they have been fixed.
When running a security audit, follow this sequence:
CONFIG_PATHS=(
"$HOME/.clawdbot/clawdbot.json"
"$HOME/.clawdbot/config.yaml"
"$HOME/.clawdbot/.clawdbotrc"
".clawdbotrc"
)
for path in "${CONFIG_PATHS[@]}"; do
if [ -f "$path" ]; then
echo "Found config: $path"
cat "$path"
break
fi
doneFor each of the 13 domains above:
Format findings by severity:
🔴 CRITICAL: [vulnerability] - [impact]
🟠 HIGH: [vulnerability] - [impact]
🟡 MEDIUM: [vulnerability] - [impact]
✅ PASSED: [check name]For each finding, output:
═══════════════════════════════════════════════════════════════
🔒 CLAWDBOT SECURITY AUDIT
═══════════════════════════════════════════════════════════════
Timestamp: $(date -Iseconds)
┌─ SUMMARY ───────────────────────────────────────────────
│ 🔴 Critical: $CRITICAL_COUNT
│ 🟠 High: $HIGH_COUNT
│ 🟡 Medium: $MEDIUM_COUNT
│ ✅ Passed: $PASSED_COUNT
└────────────────────────────────────────────────────────
┌─ FINDINGS ──────────────────────────────────────────────
│ 🔴 [CRITICAL] $VULN_NAME
│ Finding: $DESCRIPTION
│ → Fix: $REMEDIATION
│
│ 🟠 [HIGH] $VULN_NAME
│ ...
└────────────────────────────────────────────────────────
This audit was performed by Clawdbot's self-security framework.
No changes were made to your configuration.To add new security checks:
## 14. SSH Agent Forwarding 🟡 Medium
**What to check:** Is SSH_AUTH_SOCK exposed to containers?
**Detection:**env | grep SSH_AUTH_SOCK
**Vulnerability:** Container escape via SSH agent hijacking.
**Severity:** MediumWhen auditing, ask:
Remember: This skill exists to make Clawdbot self-aware of its security posture. Use it regularly, extend it as needed, and never skip the audit.
Generated Mar 1, 2026
An AI development team deploys Clawdbot for customer support automation and needs to ensure its configuration is secure before exposing it to external users. They use this skill to audit gateway exposure, DM policies, and credential storage, identifying that the gateway is bound to 0.0.0.0 without authentication, which could allow unauthorized network access. The audit provides remediation steps like generating a gateway token and tightening file permissions.
A financial institution integrates Clawdbot into its internal systems for data analysis and reporting, requiring adherence to strict security standards. The skill audits group access control and credential security, detecting that group policies are set to 'open' and credentials are stored with loose permissions, posing risks of unauthorized command execution and data breaches. Remediations include configuring allowlists and applying chmod restrictions to secure sensitive files.
An educational technology company uses Clawdbot in online learning platforms to assist students and teachers. They run a security audit to check for vulnerabilities like browser control exposure and misconfigured DM policies, finding that browser remote control lacks authentication, potentially allowing UI takeover. The skill recommends enabling HTTPS and setting up authentication tokens to prevent unauthorized access and protect user interactions.
A healthcare provider deploys Clawdbot for administrative tasks and patient data processing, needing to comply with regulations like HIPAA. The audit focuses on credential security and trust hierarchy, identifying plaintext credentials in accessible locations and insufficient DM restrictions. Remediation involves encrypting credentials, setting DM policies to allowlist, and implementing logging to monitor AI actions, ensuring patient data remains confidential and secure.
An e-commerce business integrates Clawdbot into its customer service channels to handle inquiries and order tracking. They use the skill to audit security domains such as gateway exposure and group access, discovering that the gateway port is exposed without proper authentication and group policies are overly permissive. The audit suggests binding to localhost, generating tokens, and configuring mention gates to limit access, reducing the risk of malicious exploitation.
Offer a subscription-based service where businesses pay a monthly fee to regularly audit their AI agent configurations using this skill. It includes automated scans, detailed reports, and prioritized remediation guidance, helping clients maintain compliance and reduce security risks over time. Revenue is generated through tiered pricing based on the number of agents audited and the depth of checks performed.
Provide consulting services to organizations needing hands-on help to secure their AI deployments. This involves using the skill to conduct initial audits, customize checks for specific environments, and implement recommended remediations, with revenue from project-based fees or hourly rates. It targets industries with high security requirements, such as finance and healthcare, ensuring tailored solutions.
Distribute the skill as a free open-source tool for basic security audits, attracting users from small businesses and developers. Monetize by offering premium features like advanced deep audits, automated fixes, and integration with security dashboards, with revenue from one-time purchases or upgrade fees. This model encourages widespread adoption while generating income from power users needing enhanced capabilities.
💬 Integration Tip
Integrate this skill into existing CI/CD pipelines to automate security checks during deployment, ensuring vulnerabilities are caught early. Use it alongside monitoring tools to track configuration changes and trigger audits when anomalies are detected.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.
Safe command execution for OpenClaw Agents with automatic danger pattern detection, risk assessment, user approval workflow, and audit logging. Use when agen...