openclaw-security-monitor
Proactive security monitoring, threat scanning, and auto-remediation for OpenClaw deployments
Install via ClawdBot CLI:
clawdbot install adibirzu/openclaw-security-monitor
Real-time security monitoring with threat intelligence from ClawHavoc research, daily automated scans, web dashboard, and Telegram alerting for OpenClaw.
Note: Replace <skill-dir> with the actual folder name where this skill is installed (commonly openclaw-security-monitor or security-monitor).
Run a comprehensive 32-point security scan:
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/scan.sh
Exit codes: 0=SECURE, 1=WARNINGS, 2=COMPROMISED
Display a security overview with process trees via witr.
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/dashboard.sh
Monitor network connections and check against IOC database.
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/network-check.sh
Scan-driven remediation: runs scan.sh, skips CLEAN checks, and executes per-check remediation scripts for each WARNING/CRITICAL finding. Includes 32 individual scripts covering file permissions, exfiltration domain blocking, tool deny lists, gateway hardening, sandbox configuration, credential auditing, and more.
# Full scan + remediate (interactive)
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh
# Auto-approve all fixes
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --yes
# Dry run (preview)
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --dry-run
# Remediate a single check
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --check 7 --dry-run
# Run all 32 remediation scripts (skip scan)
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/remediate.sh --all
Flags:
--yes / -y — Skip confirmation prompts (auto-approve all fixes)
--dry-run — Show what would be fixed without making changes
--check N — Run remediation for check N only (skip scan)
--all — Run all 32 remediation scripts without scanning first
Exit codes: 0=fixes applied, 1=some fixes failed, 2=nothing to fix
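The two exit-code tables overlap: 2 means COMPROMISED from scan.sh but "nothing to fix" from remediate.sh, and any other code (such as 127 for a missing script) must not be read as clean. The wrapper below is an added example, not part of the skill, that maps each script's codes separately. SKILL_DIR, the function names and the action labels are assumptions, as is the policy of holding auto-approved fixes when a scan reports COMPROMISED.

```bash
#!/usr/bin/env bash
# Added example, not part of the skill. SKILL_DIR is an assumption: point it
# at the folder where the skill is installed.
SKILL_DIR="${SKILL_DIR:-$HOME/.openclaw/workspace/skills/openclaw-security-monitor}"

# scan.sh exit codes as documented: 0=SECURE, 1=WARNINGS, 2=COMPROMISED.
scan_verdict() {
  case "$1" in
    0) echo "SECURE" ;;
    1) echo "WARNINGS" ;;
    2) echo "COMPROMISED" ;;
    *) echo "SCAN_ERROR" ;;  # e.g. 127 when scan.sh is missing: never treat as clean
  esac
}

# remediate.sh exit codes as documented. Note that 2 is benign here.
remediate_verdict() {
  case "$1" in
    0) echo "FIXES_APPLIED" ;;
    1) echo "SOME_FIXES_FAILED" ;;
    2) echo "NOTHING_TO_FIX" ;;
    *) echo "REMEDIATE_ERROR" ;;
  esac
}

# Run the scan command given as arguments (default: the skill's scan.sh).
# The scan report goes to stderr; stdout carries one "<verdict> <action>" line.
# The action labels are this example's policy, not behaviour of the skill.
gate() {
  _rc=0
  if [ "$#" -eq 0 ]; then set -- bash "$SKILL_DIR/scripts/scan.sh"; fi
  "$@" >&2 || _rc=$?
  case "$(scan_verdict "$_rc")" in
    SECURE)      echo "SECURE none"; return 0 ;;
    WARNINGS)    echo "WARNINGS review-dry-run"; return 1 ;;
    COMPROMISED) echo "COMPROMISED alert-and-hold-auto-fix"; return 2 ;;
    *)           echo "SCAN_ERROR check-scanner"; return 3 ;;
  esac
}

# Stand-alone use: bash gate.sh --run
if [ "${1:-}" = "--run" ]; then
  gate
  exit $?
fi
```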
Register a Telegram chat for daily security alerts.
bash ~/.openclaw/workspace/skills/<skill-dir>/scripts/telegram-setup.sh [chat_id]
URL: http://
Dark-themed browser dashboard with auto-refresh, on-demand scanning, donut charts, process tree visualization, network monitoring, and scan history timeline.
launchctl list | grep security-dashboard
launchctl unload ~/Library/LaunchAgents/com.openclaw.security-dashboard.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.security-dashboard.plist
Threat intelligence files in ioc/:
c2-ips.txt - Known command & control IP addresses
malicious-domains.txt - Payload hosting and exfiltration domains
file-hashes.txt - Known malicious file SHA-256 hashes
malicious-publishers.txt - Known malicious ClawHub publishers
malicious-skill-patterns.txt - Malicious skill naming patterns
Cron job at 06:00 UTC with Telegram alerts. Install:
crontab -l | { cat; echo "0 6 * * * $HOME/.openclaw/workspace/skills/<skill-dir>/scripts/daily-scan-cron.sh"; } | crontab -
Based on research from 40+ security sources including:
# From GitHub
git clone https://github.com/adibirzu/openclaw-security-monitor.git \
~/.openclaw/workspace/skills/<skill-dir>
chmod +x ~/.openclaw/workspace/skills/<skill-dir>/scripts/*.sh
The OpenClaw agent auto-discovers skills from ~/.openclaw/workspace/skills/ via SKILL.md frontmatter. After cloning, the /security-scan, /security-remediate, /security-dashboard, /security-network, and /security-setup-telegram commands will be available in the agent.
Generated Mar 1, 2026
This scenario involves using the skill to continuously monitor OpenClaw deployments for security threats, such as malware, unauthorized access, and configuration vulnerabilities. It includes daily automated scans and real-time alerts via Telegram, enabling organizations to detect and respond to incidents before they cause significant damage, particularly in environments handling sensitive data.
In this scenario, the skill is employed to perform comprehensive security audits on cloud-based OpenClaw setups, checking for compliance with industry standards like PCI-DSS or HIPAA. It scans for issues like improper file permissions, credential leaks, and insecure network configurations, helping businesses meet regulatory requirements and reduce risk exposure in sectors like finance or healthcare.
This scenario focuses on using the skill to quickly identify and remediate security breaches in OpenClaw environments, such as those caused by malicious skills or C2 attacks. The remediation scripts allow for automated fixes, like blocking exfiltration domains or adjusting permissions, enabling IT teams to restore security and minimize downtime in critical operations.
Here, the skill is used by development teams to scan their OpenClaw skills for vulnerabilities, such as shell injection or malicious patterns, before deployment. It serves as a training tool to educate developers on secure coding practices and ensure skill integrity through hash verification, fostering a security-first culture in software development projects.
This scenario involves leveraging the skill's network monitoring capabilities to track connections and compare them against an IOC database of known threats. It helps security analysts detect anomalies, such as unauthorized external communications, and integrate threat intelligence for proactive defense in network-centric environments like data centers or MSPs.
Offer this skill as part of a monthly or annual subscription service, providing continuous security monitoring, automated scans, and alerting for OpenClaw users. Revenue is generated through tiered pricing based on deployment size or scan frequency, with upsells for premium features like custom IOC updates or dedicated support.
Sell the skill as a one-time purchase license, including access to all features and a set period of updates and technical support. Revenue comes from initial sales, with optional add-ons for extended support or advanced remediation scripts, targeting businesses seeking a fixed-cost security solution.
Provide a free version of the skill with basic scanning and dashboard access, while charging for advanced features like automated remediation, Telegram alerts, or priority threat intelligence updates. Revenue is driven by conversions to paid plans, appealing to a broad user base from hobbyists to enterprises.
💬 Integration Tip
Ensure bash and curl are installed, and regularly update the IOC database to maintain threat coverage; use the web dashboard for visual monitoring and integrate daily scans via cron jobs for automated security.