OpenClaw Security Hardening

A comprehensive security toolkit for protecting OpenClaw installations from attacks via malicious skill files, prompt injection, data exfiltration, and workspace tampering.

Threat Model

This skill protects against:

Threat	Description	Tool
Prompt Injection	Malicious skills containing instructions to override system prompts, ignore safety rules, or manipulate agent behavior	`scan-skills.sh`
Data Exfiltration	Skills that instruct the agent to send sensitive data (credentials, memory, config) to external endpoints	`audit-outbound.sh`
Skill Tampering	Unauthorized modification of installed skills after initial review	`integrity-check.sh`
Workspace Exposure	Sensitive files with wrong permissions, missing .gitignore rules, insecure gateway config	`harden-workspace.sh`
Supply Chain	Installing a new skill that contains hidden malicious patterns	`install-guard.sh`

Quick Start

# Run a full security scan of all installed skills
./scripts/scan-skills.sh
Audit outbound data flow patterns
./scripts/audit-outbound.sh
Initialize integrity baseline
./scripts/integrity-check.sh --init
Harden your workspace
./scripts/harden-workspace.sh --fix
Check a new skill before installing

./scripts/install-guard.sh /path/to/new-skill/

Tools

scan-skills.sh

— Skill File Scanner

Scans all installed skill files for malicious patterns including prompt injection, data exfiltration attempts, suspicious URLs, hidden unicode, obfuscated commands, and social engineering.

Usage:

# Scan all skill directories
./scripts/scan-skills.sh
Scan a specific directory only
./scripts/scan-skills.sh --path /path/to/skills/
Output as JSON for automation
./scripts/scan-skills.sh --json
Show help

./scripts/scan-skills.sh --help

What it detects:

Prompt injection patterns (override instructions, new system prompts, admin overrides)
Data exfiltration (curl/wget to external URLs, sending file contents)
Suspicious URLs (webhooks, pastebin, requestbin, ngrok, etc.)
Base64-encoded content that could hide instructions
Hidden unicode characters (zero-width spaces, RTL override, homoglyphs)
References to sensitive files (.env, credentials, API keys, tokens)
Instructions to modify system files (AGENTS.md, SOUL.md)
Obfuscated commands (hex encoded, unicode escaped)
Social engineering ("don't tell the user", "secretly", "without mentioning")

Severity levels:

🔴 CRITICAL — Likely malicious, immediate action needed
🟡 WARNING — Suspicious, review manually
🔵 INFO — Noteworthy but probably benign

integrity-check.sh

— Skill Integrity Monitor

Creates SHA256 hash baselines of all skill files and detects unauthorized modifications.

Usage:

# Initialize baseline (first run)
./scripts/integrity-check.sh --init
Check for changes (run periodically)
./scripts/integrity-check.sh
Update baseline after reviewing changes
./scripts/integrity-check.sh --update
Check specific directory
./scripts/integrity-check.sh --path /path/to/skills/
Show help

./scripts/integrity-check.sh --help

Reports:

✅ Unchanged files
⚠️ Modified files (hash mismatch)
🆕 New files (not in baseline)
❌ Removed files (in baseline but missing)

Automation: Add to your heartbeat or cron to run daily:

# In HEARTBEAT.md or cron
0 8 * * * /path/to/scripts/integrity-check.sh 2>&1 | grep -E '(MODIFIED|NEW|REMOVED)'

audit-outbound.sh

— Outbound Data Flow Auditor

Scans skill files for patterns that could cause data to leave your machine.

Usage:

# Audit all skills
./scripts/audit-outbound.sh
Audit specific directory
./scripts/audit-outbound.sh --path /path/to/skills/
Show whitelisted domains
./scripts/audit-outbound.sh --show-whitelist
Add domain to whitelist
./scripts/audit-outbound.sh --whitelist example.com
Show help

./scripts/audit-outbound.sh --help

Detects:

HTTP/HTTPS URLs embedded in skill instructions
References to curl, wget, fetch, web_fetch, browser navigate
Email/message/webhook sending instructions
Raw IP addresses in instructions
Non-whitelisted external domains

harden-workspace.sh

— Workspace Hardener

Checks and fixes common security misconfigurations in your OpenClaw workspace.

Usage:

# Check only (report issues)
./scripts/harden-workspace.sh
Auto-fix safe issues
./scripts/harden-workspace.sh --fix
Show help

./scripts/harden-workspace.sh --help

Checks:

File permissions on sensitive files (MEMORY.md, USER.md, SOUL.md, credentials)
.gitignore coverage for sensitive patterns
Gateway auth configuration
DM policy settings
Sensitive content in version-controlled files

install-guard.sh

— Pre-Install Security Gate

Run before installing any new skill to check for malicious content.

Usage:

# Check a skill before installing
./scripts/install-guard.sh /path/to/new-skill/
Strict mode (fail on warnings too)
./scripts/install-guard.sh --strict /path/to/new-skill/
Show help

./scripts/install-guard.sh --help

Checks:

All patterns from scan-skills.sh
Dangerous shell patterns in scripts (rm -rf, curl|bash, eval, etc.)
Suspicious npm dependencies (if package.json exists)
Exit code 0 = safe, 1 = suspicious (for CI/automation)

Security Rules Template

Copy

assets/security-rules-template.md

into your

AGENTS.md

to add runtime security rules for your agent. These rules instruct the agent to refuse prompt injection attempts and protect sensitive data.

cat assets/security-rules-template.md >> /path/to/AGENTS.md

Recommended Setup

Initial setup:

./scripts/scan-skills.sh              # Scan existing skills
./scripts/audit-outbound.sh           # Audit outbound patterns
./scripts/integrity-check.sh --init   # Create baseline
./scripts/harden-workspace.sh --fix   # Fix workspace issues

Add security rules to AGENTS.md from the template

Before installing new skills:

./scripts/install-guard.sh /path/to/new-skill/

Periodic checks (add to heartbeat or cron):

./scripts/integrity-check.sh          # Detect tampering
./scripts/scan-skills.sh              # Re-scan for new patterns

OpenClaw Security Hardening

AI Skill Market Insights

Be Part of the 0+ Developer Community