secucheck - OpenClaw Security Audit

Comprehensive security audit skill for OpenClaw deployments. Analyzes configuration, permissions, exposure risks, and runtime environment with context-aware recommendations.

Summary

secucheck performs read-only security audits of your OpenClaw setup:

• 7 audit domains: Runtime, Channels, Agents, Cron Jobs, Skills, Sessions, Network
• 3 expertise levels: Beginner (analogies), Intermediate (technical), Expert (attack vectors)
• Context-aware: Considers VPN, single-user, self-hosted scenarios
• Runtime checks: Live system state (network exposure, containers, privileges)
• Dashboard: Visual HTML report with security score
• Localized output: Final report matches user's language

Quick Start

Installation

clawhub install secucheck

Usage

• "security audit"
• "secucheck"
• "run security check"

Expertise Levels

• Beginner - Simple analogies, no jargon
• Intermediate - Technical details, config examples
• Expert - Attack vectors, edge cases, CVEs

Dashboard

"show dashboard" / "visual report"

Example Output

🔒 Security Audit Results

🟡 Needs Attention

| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 0 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |

### 🟡 Agent "molty": exec + external content processing
...

Features

• 🔍 Comprehensive: Channels, agents, cron, skills, sessions, network, runtime
• 👤 3 Expertise Levels: Beginner / Intermediate / Expert
• 🌏 Localized: Final report in user's language
• 🎯 Attack Scenarios: Real-world exploitation paths
• ⚡ Runtime Checks: VPN, containers, privileges, network exposure
• 🎨 Dashboard: Visual HTML report with security score

Agent Instructions

Everything below is for the agent executing this skill.

When to Use

Trigger this skill when:

• User requests security checkup/audit
• Auto-trigger: Installing skills, creating/modifying agents, adding/modifying cron jobs
• Periodic review (recommended: weekly)

Expertise Levels

Execution Flow

Step 1: Ask Level (before running anything)

Present options in user's language. Example (English):

What level of technical detail do you prefer?

1. 🌱 Beginner - I'll explain simply with analogies
2. 💻 Intermediate - Technical details and config examples
3. 🔐 Expert - Include attack vectors and edge cases

📌 All levels run the same checks—only explanation depth varies.

STOP HERE. Wait for user response.

Step 2: Run Audit

bash ~/.openclaw/skills/secucheck/scripts/full_audit.sh

Returns JSON with findings categorized by severity.

Step 3: Format Output

Parse JSON output and format based on user's expertise level. Final report must be in user's language.

#### Report Structure (Organize by Category)

🔒 Security Audit Results

📊 Summary Table
| Severity | Count |
|----------|-------|
| 🔴 Critical | X |
| ...

⚡ Runtime
- [findings related to RUNTIME category]

🤖 Agents  
- [findings related to AGENT category]

📁 Workspace
- [findings related to WORKSPACE category]

🧩 Skills
- [findings related to SKILL category]

📢 Channels
- [findings related to CHANNEL category]

🌐 Network
- [findings related to NETWORK category]

Group findings by their category field, not just severity. Within each category, show severity icon and explain.

Step 4: Auto-Open Dashboard

After text report, automatically generate and serve dashboard:

bash ~/.openclaw/skills/secucheck/scripts/serve_dashboard.sh

The script returns JSON with url (LAN IP) and local_url (localhost). Use the url field (not localhost) when telling the user — they may access from another device.

Example:

📊 대시보드도 열었어요: http://192.168.1.200:8766/secucheck-report.html

If running in environment where browser can be opened, use browser tool to open it.

Cross-Platform Support

Scripts run on Linux, macOS, and WSL. Check the JSON output for platform info:

{
  "os": "linux",
  "os_variant": "ubuntu",
  "in_wsl": false,
  "in_dsm": false,
  "failed_checks": ["external_ip"]
}

Platform Detection

Handling Failed Checks

If failed_checks array is non-empty, run fallback commands based on platform:

#### Network Info Fallbacks

Windows Native Support

If os is windows and scripts fail completely:

• Use PowerShell commands directly:

# Network exposure
Get-NetTCPConnection -LocalPort 18789 -State Listen

# File permissions
Get-Acl "$env:USERPROFILE\.openclaw"

# Process info
Get-Process | Where-Object {$_.Name -like "*openclaw*"}

• Report what you can check and note Windows-specific limitations.

Minimal Environments (Docker, DSM)

Some environments lack tools. Check output and supplement:

Agent Decision Flow

1. Run full_audit.sh
2. Check "failed_checks" in output
3. For each failed check:
   a. Identify platform from os/os_variant
   b. Run platform-specific fallback command
   c. Incorporate results into report
4. Note any checks that couldn't complete

Dashboard Generation

When user requests visual report:

bash ~/.openclaw/skills/secucheck/scripts/serve_dashboard.sh

Returns:

{
  "status": "ok",
  "url": "http://localhost:8766/secucheck-report.html",
  "pid": 12345
}

Provide URL directly to user.

Detailed Check References

Read these only when deep explanation needed:

Attack Scenario Templates

Use these for expert-level explanations:

Risk Levels

🔴 Critical - Immediate action required. Active exploitation possible.
🟠 High     - Significant risk. Should fix soon.
🟡 Medium   - Notable concern. Plan to address.
🟢 Low      - Minor issue or best practice recommendation.
⚪ Info     - Not a risk, but worth noting.

Risk Matrix

Tool Permissions
              Minimal       Full
         ┌──────────┬──────────┐
Exposure │   🟢     │   🟡     │
  Low    │  Safe    │  Caution │
         ├──────────┼──────────┤
         │   🟡     │   🔴     │
  High   │ Caution  │ Critical │
         └──────────┴──────────┘

Exposure = Who can talk to the bot (DM policy, group access, public channels)
Tool Permissions = What the bot can do (exec, file access, messaging, browser)

Context-Aware Exceptions

Don't just pattern match. Consider context:

Applying Fixes

CRITICAL RULES:

• Never auto-apply fixes. Always show suggestions first.
• Warn about functional impact. If a fix might break something, say so.
• Get explicit user confirmation before any config changes.

Agent: "Changing this setting will disable exec in #dev channel.
        If you're using code execution there, it will stop working.
        Apply this fix?"
User: "yes"
Agent: [apply fix via gateway config.patch]

Language Rules

• Internal processing: Always English
• Thinking/reasoning: Always English
• Final user-facing report: Match user's language
• Technical terms: Keep in English (exec, cron, gateway, etc.)

Auto-Review Triggers

Invoke automatically when:

• Skill installation: clawhub install or manual addition
• Agent creation/modification: New agent or tool changes
• Cron job creation/modification: New or modified scheduled tasks

Quick Commands

Trust Hierarchy

Apply appropriate trust levels:

Incident Response Reference

If compromise suspected:

Containment

• Stop gateway process
• Set gateway.bind to loopback (127.0.0.1)
• Disable risky DM/group policies

Rotation

• Regenerate gateway auth token
• Rotate browser control tokens
• Revoke and rotate API keys

Review

• Check gateway logs and session transcripts
• Review recent config changes
• Re-run full security audit

Files Reference

~/.openclaw/skills/secucheck/
├── SKILL.md              # This file
├── skill.json            # Package metadata
├── README.md             # User documentation
├── scripts/
│   ├── full_audit.sh     # Complete audit (JSON output)
│   ├── runtime_check.sh  # Live system checks
│   ├── gather_config.sh  # Config extraction (redacted)
│   ├── gather_skills.sh  # Skill security scan
│   ├── gather_agents.sh  # Agent configurations
│   ├── serve_dashboard.sh # Generate + serve HTML report
│   └── generate_dashboard.sh
├── dashboard/
│   └── template.html     # Dashboard template
├── checks/
│   ├── runtime.md        # Runtime interpretation
│   ├── channels.md       # Channel policy checks
│   ├── agents.md         # Agent permission checks
│   ├── cron.md           # Cron job checks
│   ├── skills.md         # Skill safety checks
│   ├── sessions.md       # Session isolation
│   └── network.md        # Network exposure
├── scenarios/
│   ├── prompt-injection.md
│   ├── session-leak.md
│   ├── privilege-escalation.md
│   ├── credential-exposure.md
│   └── unauthorized-access.md
└── templates/
    ├── report.md         # Full report template
    ├── finding.md        # Single finding template
    └── summary.md        # Quick summary template

Security Assessment Questions

When auditing, consider:

• Exposure: What network interfaces can reach this agent?
• Authentication: What verification does each access point require?
• Isolation: What boundaries exist between agent and host?
• Trust: What content sources are considered "trusted"?
• Auditability: What evidence exists of agent's actions?
• Least Privilege: Does agent have only necessary permissions?

Remember: This skill exists to make OpenClaw self-aware of its security posture. Use regularly, extend as needed, never skip the audit.