MCPcopy Index your code
hub / github.com/adversa-ai/secureclaw

github.com/adversa-ai/secureclaw @v2.1.0-mvp

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.1.0-mvp ↗ · + Follow
233 symbols 550 edges 39 files 2 documented · 1% updated 2mo agov2.1.0-mvp · 2026-02-17★ 3495 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

SecureClaw

End-to-End security paltform for OpenClaw AI agents.

Audit, Hardening and Runtine Security for Openclaw.

Developed by Adversa AI -- Agentic AI Security and Red Teaming Pioneers.

51 audit checks. 15 behavioral rules. 9 scripts. 4 pattern databases. 5 security frameworks mapped.

10/10 OWASP ASI | 10/14 MITRE ATLAS | 4/4 MITRE OpenClaw Cases | 3/3 CoSAI Principles | CSA Singapore

SecureClaw is a 360-degree security plugin and skills tahat audits your OpenClaw installation for misconfigurations and known vulnerabilities, applies automated hardening fixes, and gives your agent behavioral security rules that protect against prompt injection, credential theft, supply chain attacks, and privacy leaks.

1️⃣ Full OWASP Agentic Security Top 10 coverage. Static and runtime. We're the first and only OpenClaw security tool to formally map every control to the ASI framework. 10/10 categories.

2️⃣ Every known incident. Every known CVE up untill now. All 8 documented threat classes from the OpenClaw Security 101 research have specific countermeasures. Not generic "be careful" advice — actual detection and hardening for each one.

3️⃣ Plugin + Skill layered defense. The plugin runs as code — gateway hardening, permission lockdown, credential scanning. The skill runs as LLM directives — injection awareness, PII scanning, integrity monitoring. Two layers. Each catches the failures of the other.

4️⃣ Ultra-lean ~1,230 token skill. Most security skills dump thousands of tokens into context, competing with your actual conversations. Ours is 15 rules and a set of bash scripts. All detection logic runs as bash — zero LLM tokens. Your agent stays fast, stays focused, stays protected.

graph TB
    subgraph SecureClaw["SecureClaw Defense Layers"]
        L1["Layer 1: Audit

51 checks · 8 categories

OWASP ASI mapped"]
        L2["Layer 2: Hardening

5 modules · auto-fix

backup + rollback"]
        L3["Layer 3: Behavioral Rules

15 LLM directives · ~1,230 tokens

runtime protection"]
    end

    Agent["OpenClaw Agent"] --> L3
    L3 --> L2
    L2 --> L1
    L1 --> Infra["Infrastructure

Gateway · Files · Credentials"]
flowchart LR
    Install["Install"] --> Audit["Audit

51 checks"]
    Audit --> Report["Report

findings"]
    Report --> Harden["Harden

auto-fix"]
    Harden --> Monitor["Monitor

runtime"]
    Monitor --> Respond["Respond

incidents"]

Table of Contents

  1. What Problem Does SecureClaw Solve
  2. Architecture Overview
  3. Installation
  4. Getting Started in 5 Minutes
  5. The Security Audit
  6. Automated Hardening
  7. Scripts Reference
  8. Pattern Databases
  9. The 15 Agent Rules
  10. OWASP ASI Coverage Map
  11. Multi-Framework Coverage
  12. Plugin CLI Reference
  13. Configuration
  14. Background Monitors
  15. Incident Response
  16. Uninstalling
  17. Frequently Asked Questions
  18. Threat Model
  19. Development

1. What Problem Does SecureClaw Solve

AI agents with access to your files, credentials, email, and the internet are a fundamentally different security surface than traditional software. An agent that can read your .env file and send HTTP requests can exfiltrate your API keys in a single tool call. An agent that trusts instructions embedded in a web page or email can be hijacked to act against your interests.

SecureClaw addresses this by operating on three layers:

Layer 1 -- Audit. 51 automated checks across 8 categories scan your OpenClaw installation for known misconfigurations: exposed gateway ports, weak file permissions, missing authentication, plaintext credentials outside .env, disabled sandboxing, and more.

Layer 2 -- Hardening. Automated fixes for the most critical findings: binding the gateway to localhost, locking down file permissions, adding privacy and injection-awareness directives to your agent's core identity file, and creating cryptographic baselines for tamper detection.

Layer 3 -- Behavioral rules. 15 rules loaded into your agent's context that govern how it handles external content, credentials, destructive commands, privacy, and inter-agent communication. These rules cost approximately 1,230 tokens of context window and provide defense against prompt injection, data exfiltration, and social engineering -- attacks that cannot be prevented by infrastructure configuration alone.


2. Architecture Overview

SecureClaw has two independently useful components:

The Plugin (TypeScript)

A full OpenClaw plugin with 51 audit checks, 5 hardening modules, 3 background monitors, and CLI integration. Requires Node.js 18+ and installs via openclaw plugins install.

The Skill (Bash + JSON)

A standalone security skill that works without the plugin. It consists of:

  • SKILL.md -- 15 behavioral rules loaded into the agent's context (~1,230 tokens)
  • 9 bash scripts -- audit, harden, scan, integrity check, privacy check, advisory feed, emergency response, install, uninstall
  • 4 JSON pattern databases -- injection patterns, dangerous commands, privacy rules, supply chain indicators

The skill is designed to be lightweight. All detection logic runs as external bash processes that consume zero LLM tokens. The agent only carries the 15 rules in its context window; everything else executes outside the model.

Directory Structure

secureclaw/
  src/                          TypeScript plugin source
    index.ts                    Plugin entry point, CLI commands
    auditor.ts                  51-check audit engine
    hardener.ts                 Backup/rollback hardening
    types.ts                    All TypeScript interfaces
    hardening/                  5 hardening modules
    monitors/                   3 background monitors
    reporters/                  Console + JSON output formatters
    utils/                      IOC database, crypto, hashing
  skill/                        Standalone security skill
    SKILL.md                    15 behavioral rules
    skill.json                  Metadata + OWASP ASI mapping
    checksums.json              SHA256 hashes for all skill files
    configs/                    4 JSON pattern databases
    scripts/                    9 bash scripts
  openclaw.plugin.json          Plugin manifest
  package.json                  npm package metadata

Compatibility

SecureClaw supports three OpenClaw-compatible agents:

Agent Config Directory Config File
OpenClaw ~/.openclaw openclaw.json
Moltbot ~/.moltbot moltbot.json
Clawdbot ~/.clawdbot clawdbot.json

All scripts auto-detect which agent is installed by checking these directories in order. The ~/clawd directory is also checked as a fallback.


3. Installation

Option A: Skill only (recommended)

The fastest way to get SecureClaw running. No Node.js, no build step — just bash and standard Unix tools:

git clone https://github.com/adversa-ai/secureclaw.git
bash secureclaw/secureclaw/skill/scripts/install.sh

This installs the 15 behavioral rules, 9 scripts, and 4 pattern databases to your agent's skills directory. If a workspace directory exists (~/.openclaw/workspace/), the installer also copies the skill there and registers it in AGENTS.md and TOOLS.md for automatic agent discovery.

Option B: Plugin from source

For the full TypeScript plugin with 51 audit checks, background monitors, and CLI integration:

git clone https://github.com/adversa-ai/secureclaw.git
cd secureclaw/secureclaw
npm install
npm run build
npx openclaw plugins install -l .

The plugin includes the skill. After installing, run npx openclaw secureclaw skill install to deploy the skill files to your agent's workspace.

Option C: ClawHub

Install the skill directly from ClawHub:

  1. Search for SecureClaw on ClawHub
  2. Click Install
  3. The skill is automatically deployed to your agent's workspace

What the Installer Does

  1. Locates your OpenClaw installation directory (~/.openclaw, ~/.moltbot, ~/.clawdbot, or ~/clawd)
  2. Reads the skill version from skill.json
  3. If a previous version exists, creates a timestamped backup (secureclaw.bak.<timestamp>)
  4. Copies all skill files to ~/.openclaw/skills/secureclaw/
  5. Sets executable permissions on all scripts
  6. If a workspace exists, also copies to ~/.openclaw/workspace/skills/secureclaw/
  7. Removes old secureclaw-advisor directory if present (legacy name)
  8. Registers SecureClaw in TOOLS.md and AGENTS.md if not already present

The installer is idempotent. Running it again performs an update. If the source and destination are the same directory (e.g., running from an already-installed location), the copy step is skipped automatically.


4. Getting Started in 5 Minutes

After installation, three commands give you a complete security baseline:

Step 1: Audit your installation.

bash ~/.openclaw/skills/secureclaw/scripts/quick-audit.sh

This runs all checks and outputs a scored report. Each finding shows its severity (CRITICAL, HIGH, MEDIUM), its OWASP ASI reference code, and what to do about it.

Step 2: Apply automated fixes.

bash ~/.openclaw/skills/secureclaw/scripts/quick-harden.sh

This fixes the most common issues: binds the gateway to localhost, locks down file permissions, adds privacy and injection-awareness directives to your SOUL.md, and creates cryptographic baselines for your cognitive files.

Step 3: Verify the fix.

bash ~/.openclaw/skills/secureclaw/scripts/quick-audit.sh

Run the audit again. Your score should be significantly higher. Any remaining findings require manual attention.

Step 4: Set up ongoing monitoring.

Tell your agent to run the audit daily and the integrity check every 12 hours. The SKILL.md rules (loaded automatically when the skill is installed) instruct the agent to do this, but you can also add it to a cron job:

# Daily audit at 9 AM
0 9 * * * bash ~/.openclaw/skills/secureclaw/scripts/quick-audit.sh

# Integrity check every 12 hours
0 */12 * * * bash ~/.openclaw/skills/secureclaw/scripts/check-integrity.sh

5. The Security Audit

Skill Audit (quick-audit.sh)

The standalone bash audit checks your installation against both the OWASP Agentic Security Initiative (ASI) Top 10 and the OpenClaw Security 101 threat categories.

What it checks:

Area What It Looks For
Version (CVE) OpenClaw versions vulnerable to CVE-2026-25253 (1-click RCE)
Gateway bind Whether the gateway is bound to 0.0.0.0 (exposed to the network) vs 127.0.0.1 (local only)
Authentication Presence of an auth token in the gateway config
Reverse proxy Detects nginx/caddy without auth -- all connections bypass authentication
File permissions .env file (needs 600), installation directory (needs 700)
Credential exposure Scans for API key patterns (sk-ant-, sk-proj-, xoxb-, ghp_, AKIA) outside .env
Sandbox mode Whether command execution is sandboxed
Approval mode Whether the agent requires human approval before executing commands
Browser relay Checks if port 18790 is active (session theft risk)
Supply chain Scans installed skills for dangerous patterns (curl\|sh, eval(), webhook.site)
Memory integrity Verifies cognitive file baselines exist
DM policy Whether the agent accepts unsolicited messages from other agents
Privacy Whether SOUL.md contains privacy directives
Cost limits Whether spending limits are configured
Kill switch Whether the SecureClaw plugin is installed (provides runtime enforcement)

Output format:

Each check produces one line:

PASS  [ASI03] Gateway authentication
CRIT  [ASI03] Gateway bind -- Bound to 0.0.0.0 -- exposed to network
HIGH  [ASI05] Sandbox mode -- Not enabled -- commands run on host
MED   [ASI06] Cognitive file baselines -- No baselines -- run quick-harden.sh

The final summary shows a score from 0 to 100 calculated as: (passed / total) * 100.

Exit codes:

Code Meaning
0 No critical issues
2 One or more critical issues found

Plugin Audit (51 checks)

The full TypeScript plugin audit covers everything the skill audit does, plus:

Category Check IDs Count Additional Coverage
Gateway & Network SC-GW-001 -- 010 10 TLS, mDNS, trusted proxies, control UI, browser relay isolation
Credentials SC-CRED-001 -- 008 8 OAuth tokens, AWS keys, GitHub tokens, encryption at rest
Execution & Sandbox SC-EXEC-001 -- 007 7 Docker isolation, LD_PRELOAD injection, NODE_OPTIONS injection, shell escapes
Access Control SC-AC-001 -- 005 5 Session allowlists, channel allowlists, overprivileged access
Supply Chain SC-SKILL-001 -- 006 6 Typosquat detection, IOC hash matching, ClawHavoc campaign signatures
Memory Integrity SC-MEM-001 -- 005 5 Base64 obfuscation, Unicode hidden characters, memory file permissions
Cost Exposure SC-COST-001 -- 004 4 Spending limits, alert thresholds, cron frequency
Threat Intelligence SC-IOC-000 -- 005 6 C2 IP detection, malicious domains, infostealer artifacts, file hashes

Scoring:

| Severity | Po

Extension points exported contracts — how you extend this code

PluginServiceContext (Interface)
(no doc)
secureclaw/src/index.ts
PluginCliContext (Interface)
(no doc)
secureclaw/src/index.ts
PluginLogger (Interface)
(no doc)
secureclaw/src/index.ts
PluginApi (Interface)
(no doc)
secureclaw/src/index.ts
AuditFinding (Interface)
(no doc)
secureclaw/src/types.ts

Core symbols most depended-on inside this repo

createAuditContext
called by 36
secureclaw/src/index.ts
runAudit
called by 29
secureclaw/src/auditor.ts
setLimits
called by 22
secureclaw/src/monitors/cost-monitor.ts
scanContent
called by 21
secureclaw/src/monitors/skill-scanner.ts
harden
called by 19
secureclaw/src/hardener.ts
hashString
called by 18
secureclaw/src/utils/hash.ts
auditGateway
called by 17
secureclaw/src/auditor.ts
checkLimits
called by 17
secureclaw/src/monitors/cost-monitor.ts

Shape

Function 189
Interface 38
Method 6

Languages

TypeScript100%

Modules by API surface

secureclaw/src/types.ts34 symbols
secureclaw/src/index.ts29 symbols
secureclaw/src/auditor.ts16 symbols
secureclaw/src/monitors/cost-monitor.ts14 symbols
secureclaw/src/monitors/memory-integrity.ts11 symbols
secureclaw/src/utils/ioc-db.ts9 symbols
secureclaw/src/utils/hash.ts8 symbols
secureclaw/src/utils/crypto.ts8 symbols
secureclaw/demo.ts8 symbols
secureclaw/src/integration.test.ts7 symbols
secureclaw/src/auditor.test.ts7 symbols
secureclaw/src/monitors/credential-monitor.ts6 symbols

For agents

$ claude mcp add secureclaw \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page