End-to-End security paltform for OpenClaw AI agents.
Audit, Hardening and Runtine Security for Openclaw.
Developed by Adversa AI -- Agentic AI Security and Red Teaming Pioneers.
51 audit checks. 15 behavioral rules. 9 scripts. 4 pattern databases. 5 security frameworks mapped.
10/10 OWASP ASI | 10/14 MITRE ATLAS | 4/4 MITRE OpenClaw Cases | 3/3 CoSAI Principles | CSA Singapore
SecureClaw is a 360-degree security plugin and skills tahat audits your OpenClaw installation for misconfigurations and known vulnerabilities, applies automated hardening fixes, and gives your agent behavioral security rules that protect against prompt injection, credential theft, supply chain attacks, and privacy leaks.
1️⃣ Full OWASP Agentic Security Top 10 coverage. Static and runtime. We're the first and only OpenClaw security tool to formally map every control to the ASI framework. 10/10 categories.
2️⃣ Every known incident. Every known CVE up untill now. All 8 documented threat classes from the OpenClaw Security 101 research have specific countermeasures. Not generic "be careful" advice — actual detection and hardening for each one.
3️⃣ Plugin + Skill layered defense. The plugin runs as code — gateway hardening, permission lockdown, credential scanning. The skill runs as LLM directives — injection awareness, PII scanning, integrity monitoring. Two layers. Each catches the failures of the other.
4️⃣ Ultra-lean ~1,230 token skill. Most security skills dump thousands of tokens into context, competing with your actual conversations. Ours is 15 rules and a set of bash scripts. All detection logic runs as bash — zero LLM tokens. Your agent stays fast, stays focused, stays protected.
graph TB
subgraph SecureClaw["SecureClaw Defense Layers"]
L1["Layer 1: Audit
51 checks · 8 categories
OWASP ASI mapped"]
L2["Layer 2: Hardening
5 modules · auto-fix
backup + rollback"]
L3["Layer 3: Behavioral Rules
15 LLM directives · ~1,230 tokens
runtime protection"]
end
Agent["OpenClaw Agent"] --> L3
L3 --> L2
L2 --> L1
L1 --> Infra["Infrastructure
Gateway · Files · Credentials"]
flowchart LR
Install["Install"] --> Audit["Audit
51 checks"]
Audit --> Report["Report
findings"]
Report --> Harden["Harden
auto-fix"]
Harden --> Monitor["Monitor
runtime"]
Monitor --> Respond["Respond
incidents"]
AI agents with access to your files, credentials, email, and the internet are a fundamentally different security surface than traditional software. An agent that can read your .env file and send HTTP requests can exfiltrate your API keys in a single tool call. An agent that trusts instructions embedded in a web page or email can be hijacked to act against your interests.
SecureClaw addresses this by operating on three layers:
Layer 1 -- Audit. 51 automated checks across 8 categories scan your OpenClaw installation for known misconfigurations: exposed gateway ports, weak file permissions, missing authentication, plaintext credentials outside .env, disabled sandboxing, and more.
Layer 2 -- Hardening. Automated fixes for the most critical findings: binding the gateway to localhost, locking down file permissions, adding privacy and injection-awareness directives to your agent's core identity file, and creating cryptographic baselines for tamper detection.
Layer 3 -- Behavioral rules. 15 rules loaded into your agent's context that govern how it handles external content, credentials, destructive commands, privacy, and inter-agent communication. These rules cost approximately 1,230 tokens of context window and provide defense against prompt injection, data exfiltration, and social engineering -- attacks that cannot be prevented by infrastructure configuration alone.
SecureClaw has two independently useful components:
A full OpenClaw plugin with 51 audit checks, 5 hardening modules, 3 background monitors, and CLI integration. Requires Node.js 18+ and installs via openclaw plugins install.
A standalone security skill that works without the plugin. It consists of:
The skill is designed to be lightweight. All detection logic runs as external bash processes that consume zero LLM tokens. The agent only carries the 15 rules in its context window; everything else executes outside the model.
secureclaw/
src/ TypeScript plugin source
index.ts Plugin entry point, CLI commands
auditor.ts 51-check audit engine
hardener.ts Backup/rollback hardening
types.ts All TypeScript interfaces
hardening/ 5 hardening modules
monitors/ 3 background monitors
reporters/ Console + JSON output formatters
utils/ IOC database, crypto, hashing
skill/ Standalone security skill
SKILL.md 15 behavioral rules
skill.json Metadata + OWASP ASI mapping
checksums.json SHA256 hashes for all skill files
configs/ 4 JSON pattern databases
scripts/ 9 bash scripts
openclaw.plugin.json Plugin manifest
package.json npm package metadata
SecureClaw supports three OpenClaw-compatible agents:
| Agent | Config Directory | Config File |
|---|---|---|
| OpenClaw | ~/.openclaw |
openclaw.json |
| Moltbot | ~/.moltbot |
moltbot.json |
| Clawdbot | ~/.clawdbot |
clawdbot.json |
All scripts auto-detect which agent is installed by checking these directories in order. The ~/clawd directory is also checked as a fallback.
The fastest way to get SecureClaw running. No Node.js, no build step — just bash and standard Unix tools:
git clone https://github.com/adversa-ai/secureclaw.git
bash secureclaw/secureclaw/skill/scripts/install.sh
This installs the 15 behavioral rules, 9 scripts, and 4 pattern databases to your agent's skills directory. If a workspace directory exists (~/.openclaw/workspace/), the installer also copies the skill there and registers it in AGENTS.md and TOOLS.md for automatic agent discovery.
For the full TypeScript plugin with 51 audit checks, background monitors, and CLI integration:
git clone https://github.com/adversa-ai/secureclaw.git
cd secureclaw/secureclaw
npm install
npm run build
npx openclaw plugins install -l .
The plugin includes the skill. After installing, run npx openclaw secureclaw skill install to deploy the skill files to your agent's workspace.
Install the skill directly from ClawHub:
~/.openclaw, ~/.moltbot, ~/.clawdbot, or ~/clawd)skill.jsonsecureclaw.bak.<timestamp>)~/.openclaw/skills/secureclaw/~/.openclaw/workspace/skills/secureclaw/secureclaw-advisor directory if present (legacy name)TOOLS.md and AGENTS.md if not already presentThe installer is idempotent. Running it again performs an update. If the source and destination are the same directory (e.g., running from an already-installed location), the copy step is skipped automatically.
After installation, three commands give you a complete security baseline:
Step 1: Audit your installation.
bash ~/.openclaw/skills/secureclaw/scripts/quick-audit.sh
This runs all checks and outputs a scored report. Each finding shows its severity (CRITICAL, HIGH, MEDIUM), its OWASP ASI reference code, and what to do about it.
Step 2: Apply automated fixes.
bash ~/.openclaw/skills/secureclaw/scripts/quick-harden.sh
This fixes the most common issues: binds the gateway to localhost, locks down file permissions, adds privacy and injection-awareness directives to your SOUL.md, and creates cryptographic baselines for your cognitive files.
Step 3: Verify the fix.
bash ~/.openclaw/skills/secureclaw/scripts/quick-audit.sh
Run the audit again. Your score should be significantly higher. Any remaining findings require manual attention.
Step 4: Set up ongoing monitoring.
Tell your agent to run the audit daily and the integrity check every 12 hours. The SKILL.md rules (loaded automatically when the skill is installed) instruct the agent to do this, but you can also add it to a cron job:
# Daily audit at 9 AM
0 9 * * * bash ~/.openclaw/skills/secureclaw/scripts/quick-audit.sh
# Integrity check every 12 hours
0 */12 * * * bash ~/.openclaw/skills/secureclaw/scripts/check-integrity.sh
The standalone bash audit checks your installation against both the OWASP Agentic Security Initiative (ASI) Top 10 and the OpenClaw Security 101 threat categories.
What it checks:
| Area | What It Looks For |
|---|---|
| Version (CVE) | OpenClaw versions vulnerable to CVE-2026-25253 (1-click RCE) |
| Gateway bind | Whether the gateway is bound to 0.0.0.0 (exposed to the network) vs 127.0.0.1 (local only) |
| Authentication | Presence of an auth token in the gateway config |
| Reverse proxy | Detects nginx/caddy without auth -- all connections bypass authentication |
| File permissions | .env file (needs 600), installation directory (needs 700) |
| Credential exposure | Scans for API key patterns (sk-ant-, sk-proj-, xoxb-, ghp_, AKIA) outside .env |
| Sandbox mode | Whether command execution is sandboxed |
| Approval mode | Whether the agent requires human approval before executing commands |
| Browser relay | Checks if port 18790 is active (session theft risk) |
| Supply chain | Scans installed skills for dangerous patterns (curl\|sh, eval(), webhook.site) |
| Memory integrity | Verifies cognitive file baselines exist |
| DM policy | Whether the agent accepts unsolicited messages from other agents |
| Privacy | Whether SOUL.md contains privacy directives |
| Cost limits | Whether spending limits are configured |
| Kill switch | Whether the SecureClaw plugin is installed (provides runtime enforcement) |
Output format:
Each check produces one line:
PASS [ASI03] Gateway authentication
CRIT [ASI03] Gateway bind -- Bound to 0.0.0.0 -- exposed to network
HIGH [ASI05] Sandbox mode -- Not enabled -- commands run on host
MED [ASI06] Cognitive file baselines -- No baselines -- run quick-harden.sh
The final summary shows a score from 0 to 100 calculated as: (passed / total) * 100.
Exit codes:
| Code | Meaning |
|---|---|
| 0 | No critical issues |
| 2 | One or more critical issues found |
The full TypeScript plugin audit covers everything the skill audit does, plus:
| Category | Check IDs | Count | Additional Coverage |
|---|---|---|---|
| Gateway & Network | SC-GW-001 -- 010 | 10 | TLS, mDNS, trusted proxies, control UI, browser relay isolation |
| Credentials | SC-CRED-001 -- 008 | 8 | OAuth tokens, AWS keys, GitHub tokens, encryption at rest |
| Execution & Sandbox | SC-EXEC-001 -- 007 | 7 | Docker isolation, LD_PRELOAD injection, NODE_OPTIONS injection, shell escapes |
| Access Control | SC-AC-001 -- 005 | 5 | Session allowlists, channel allowlists, overprivileged access |
| Supply Chain | SC-SKILL-001 -- 006 | 6 | Typosquat detection, IOC hash matching, ClawHavoc campaign signatures |
| Memory Integrity | SC-MEM-001 -- 005 | 5 | Base64 obfuscation, Unicode hidden characters, memory file permissions |
| Cost Exposure | SC-COST-001 -- 004 | 4 | Spending limits, alert thresholds, cron frequency |
| Threat Intelligence | SC-IOC-000 -- 005 | 6 | C2 IP detection, malicious domains, infostealer artifacts, file hashes |
Scoring:
| Severity | Po
$ claude mcp add secureclaw \
-- python -m otcore.mcp_server <graph>