openclaw-hardener

Review·Scanned 2/19/2026

This skill hardens an OpenClaw installation by running the openclaw CLI audit, workspace hygiene checks, and generating/applying config.patch plans. It executes subprocesses (openclaw, bash, git), reads/writes ~/.openclaw/** and <repo>/**, and performs gateway RPCs (openclaw gateway call) which grant network and credential access.

from clawhub.ai·v17d42d1·20.4 KB·0 installs
Scanned from 0.1.2 at 17d42d1 · Transparency log ↗
$ vett add clawhub.ai/virtaava/openclaw-hardenerReview findings below

OpenClaw Hardener

This skill provides a user-choice hardening tool that can:

  • Run OpenClaw’s built-in security audit (openclaw security audit --deep / --fix).
  • Run workspace hygiene checks (exec bits, stray .env, unsafe serialization patterns, etc.).
  • Apply safe mechanical fixes only when explicitly requested.
  • Generate (and optionally apply) a Gateway config.patch plan to tighten runtime policy.

Run the tool

Script:

  • skills_live/openclaw-hardener/scripts/hardener.py

Examples:

# Read-only checks (recommended default)
python3 skills_live/openclaw-hardener/scripts/hardener.py check --all

# Only run OpenClaw built-in audit (deep)
python3 skills_live/openclaw-hardener/scripts/hardener.py check --openclaw

# Only run workspace checks
python3 skills_live/openclaw-hardener/scripts/hardener.py check --workspace

# Apply safe fixes (chmod/exec-bit cleanup + optionally openclaw audit --fix)
python3 skills_live/openclaw-hardener/scripts/hardener.py fix --all

# Generate a config.patch plan (prints JSON5 patch)
python3 skills_live/openclaw-hardener/scripts/hardener.py plan-config

# Apply the plan (requires a running gateway; uses `openclaw gateway call`)
python3 skills_live/openclaw-hardener/scripts/hardener.py apply-config

Design rules (do not violate)

  • Default = check-only. No file/config changes unless user runs fix or apply-config.
  • No secrets in output. If a check reads sensitive paths, it must redact likely tokens.
  • Patch plans must be explicit. Always show the patch before applying.

What it checks / fixes

OpenClaw built-in security audit

  • Runs openclaw security audit --deep (and --fix in fix mode).

Workspace hygiene (scope: workspace + ~/.openclaw)

  • Permissions sanity under ~/.openclaw (basic checks).
  • Unexpected executable bits in non-executable filetypes.
  • Stray .env files (warn) and tracked .env (fail).
  • Risky deserialization / unsafe patterns in our scripts (heuristics).

Config hardening (optional plan)

Generates a conservative config.patch template focusing on:

  • Tightening inbound access defaults (pairing/allowlist, mention gating) only if you opt-in.
  • Ensuring sensitive log redaction is enabled.

(Exact keys depend on your config; the plan is best-effort and should be reviewed.)