fundamentals Updated January 28, 2026

OpenClaw Security Audit Checklist

Complete security audit checklist for OpenClaw deployments. Interactive guide covering inbound access, tool permissions, network exposure, and browser controls.


Use this comprehensive checklist to audit your OpenClaw security configuration. We recommend running this audit:

  • Weekly for development environments
  • Before production deployments
  • After any configuration changes
  • When adding new team members
  • After migrating from Moltbot/Clawdbot

Pro tip: Run openclaw security audit for automated checks that complement this manual review.


1. Inbound Access Audit

Control who can send messages to your agent.

DM Policies

  • DM policies enabled - dmPolicies.enabled: true
  • Deny by default active - dmPolicies.denyByDefault: true
  • Allowlist reviewed - Only current team members listed
  • No wildcard entries - Specific emails, no *@domain.com

Group Allowlists

  • Group policies enabled - groupPolicies.enabled: true
  • Allowed groups minimal - Only necessary groups
  • Mention gating active - mentionGating: true

Verification Command

openclaw config show --section=access
# Review output for unexpected allowlist entries

2. Tool Blast Radius

Limit potential damage from compromised sessions.

Elevated Tools Inventory

Check if these high-risk tools are enabled and properly restricted:

  • Bash execution - Is bash tool limited?
  • Computer control - Is computer tool sandboxed?
  • MCP tools - Are MCP servers vetted?
  • File system access - Are paths restricted?

Sandbox Configuration

  • Sandbox enabled - Running in isolated environment
  • Resource limits set - CPU, memory, disk quotas
  • Network isolation - Outbound connections limited

Tool Allowlist Review

openclaw tools list --elevated
# Should show only necessary elevated permissions

3. Network Exposure Audit

Minimize attack surface from network access.

Gateway Binding

  • Local binding - Gateway bound to 127.0.0.1
  • No 0.0.0.0 binding - Never expose to all interfaces
  • Port is non-standard - Not using obvious ports like 80, 443

Authentication (CRITICAL)

CAUTION

The auth: "none" mode has been permanently removed. You must configure authentication.

  • Auth mode configured - Using token or password mode
  • Token is strong - At least 256-bit random token
  • Token rotated recently - Within rotation policy period
  • Token not in code - Using environment variables

Remote Node Audit

  • Remote nodes inventoried - Know all connected nodes
  • Unused nodes removed - No stale connections
  • Secure tunnel used - Tailscale or similar, not public ports

Verification Commands

# Check binding
netstat -tlnp | grep openclaw

# Verify no public exposure
nmap -p YOUR_PORT YOUR_PUBLIC_IP
# Should show filtered/closed

# List remote nodes
openclaw nodes list

4. Browser Control Audit

If your agent has browser access, verify these controls.

Remote Access Review

  • Browser access justified - Needed for actual tasks
  • Read-only when possible - Use read-only browser tools
  • URL restrictions - Allowlist of permitted domains

Download Directory Configuration

  • Downloads restricted - Specific directory, not ~/
  • Directory is sandboxed - Isolated from sensitive files
  • Auto-execute disabled - No automatic file execution

Verification

openclaw config show --section=browser
# Check download paths and restrictions

5. Disk Hygiene

Protect sensitive files from agent access.

Permission Verification

# Check config file permissions (should be 600)
stat -c "%a %n" ~/.openclaw/*

# Check directory permissions (should be 700)
stat -c "%a %n" ~/.openclaw/

  • Config files: 600 - Owner read/write only
  • Directories: 700 - Owner access only
  • No world-readable files - Nothing with group/other access

Sensitive File Scan

  • No secrets in config - Tokens use env vars
  • No credentials cached - Clear old auth data
  • .gitignore updated - Config excluded from repos

# Find all symlinks in OpenClaw directories
find ~/.openclaw -type l -ls
find ~/.local/share/openclaw -type l -ls
# Should return empty or expected links only

  • No suspicious symlinks - All links are expected
  • Symlink following disabled - followSymlinks: false
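
The permission and symlink checks in this section, combined into one function (an added example, not part of the original checklist or of OpenClaw's own tooling). It reports every file or directory with group/other bits set and every symlink that dangles or resolves outside the audited tree. The function names and the sample tree are constructed for illustration, and GNU find, stat and readlink are assumed.

```shell
#!/bin/bash
# Added example: flag loose permissions and symlinks that leave the tree.
# Needs GNU find, stat and readlink (same assumption as the stat -c checks above).

# audit_tree DIR: print one finding per line, nothing if DIR is clean.
audit_tree() (
    real=$(cd "$1" 2>/dev/null && pwd -P) || { echo "MISSING $1"; exit 0; }
    # Any file or directory with a group/other permission bit set
    find "$real" \( -type f -o -type d \) -perm /077 -exec stat -c 'PERM %a %n' {} +
    # Resolve every symlink; report dangling links and targets outside DIR
    find "$real" -type l | while IFS= read -r link; do
        if ! target=$(readlink -e -- "$link"); then
            echo "DANGLING $link"
        else
            case $target in
                "$real"|"$real"/*) ;;                      # stays inside the tree
                *) echo "ESCAPES $link -> $target" ;;
            esac
        fi
    done
)

# make_demo_tree: build a constructed sample tree (not real OpenClaw data)
# and print its path.
make_demo_tree() (
    d=$(mktemp -d)
    mkdir "$d/state" "$d/state/logs" "$d/outside"
    chmod 700 "$d/state"
    chmod 755 "$d/state/logs"                              # too open
    echo '{}' > "$d/state/openclaw.json"; chmod 600 "$d/state/openclaw.json"
    echo 'x'  > "$d/state/session.db";    chmod 644 "$d/state/session.db"   # too open
    echo 'n'  > "$d/outside/notes.txt"
    ln -s "$d/outside/notes.txt" "$d/state/key"            # escapes the tree
    ln -s openclaw.json "$d/state/current"                 # stays inside
    echo "$d"
)

demo=$(make_demo_tree)
audit_tree "$demo/state"
rm -rf "$demo"
```

Against a real installation, call `audit_tree ~/.openclaw` and `audit_tree ~/.local/share/openclaw`; empty output means both checks passed.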

6. Plugin Review

Third-party plugins are a common attack vector.

Installed Extensions List

openclaw plugins list

  • All plugins recognized - No unknown plugins
  • Unused plugins removed - Minimal plugin set
  • Plugins from trusted sources - Verified publishers
  • Using @openclaw/* scope - Not legacy @moltbot/* packages

Trust Assessment

For each installed plugin:

| Plugin | Source   | Last Updated | Trusted? |
|--------|----------|--------------|----------|
| core   | official | current      |          |
| git    | official | current      |          |

  • Trust level set correctly - verified-only recommended
  • No deprecated plugins - All actively maintained

7. Model Hygiene

The AI model choice affects security posture.

Current Model Check

openclaw config show --section=model

  • Using recommended model - Opus 4.5 for complex tasks
  • Not using small models - Avoid for sensitive operations
  • Model version current - Latest patches applied

Prompt Injection Resistance

Different models have varying resistance to prompt injection:

| Model      | Injection Resistance | Recommendation   |
|------------|----------------------|------------------|
| Opus 4.5   | ⭐⭐⭐⭐⭐           | Production       |
| Sonnet 4.5 | ⭐⭐⭐⭐             | Development      |
| Haiku 4    | ⭐⭐                 | Quick tasks only |

  • Production uses Opus 4.5 - Best instruction-following
  • Fallback model configured - Safe defaults if primary fails

8. Migration Check (New)

If you migrated from Moltbot/Clawdbot:

  • Old packages removed - npm uninstall -g moltbot
  • Old config backed up - ~/.config/moltbot.backup/
  • New config in place - ~/.openclaw/openclaw.json
  • Old systemd/launchd services removed
  • New daemon installed - openclaw onboard --install-daemon

Audit Results Summary

After completing this checklist:

Score Your Audit

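| Section           | Items Checked | Items Passed | Score |
|-------------------|---------------|--------------|-------|
| Inbound Access    | 7             | _            | _%    |
| Tool Blast Radius | 7             | _            | _%    |
| Network Exposure  | 10            | _            | _%    |
| Browser Control   | 6             | _            | _%    |
| Disk Hygiene      | 7             | _            | _%    |
| Plugin Review     | 6             | _            | _%    |
| Model Hygiene     | 5             | _            | _%    |
| Migration Check   | 5             | _            | _%    |
| Total             | 53            | _            | _%    |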

Risk Levels

  • 90-100%: Excellent - Production ready
  • 70-89%: Good - Address gaps before production
  • 50-69%: Fair - Significant improvements needed
  • Below 50%: Critical - Do not deploy until addressed

Automated Audit Script

Save time with this automated verification:

#!/bin/bash
# openclaw-audit.sh

echo "=== OpenClaw Security Audit ==="
echo ""

# Check file permissions
echo "1. Checking file permissions..."
if [ "$(stat -c %a ~/.openclaw/openclaw.json 2>/dev/null)" == "600" ]; then
    echo "   ✅ Config file permissions correct"
else
    echo "   ❌ Config file permissions incorrect"
fi

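# Check gateway binding: every openclaw listener must be on a loopback address.
# A listener on 0.0.0.0 alongside one on 127.0.0.1 must not count as a pass.
echo "2. Checking gateway binding..."
LISTENERS=$(netstat -tlnp 2>/dev/null | grep openclaw)
if [ -z "$LISTENERS" ]; then
    echo "   ⚠️  No openclaw listener found - is the gateway running?"
elif echo "$LISTENERS" | awk '{print $4}' | grep -qvE '^(127\.0\.0\.1|::1):'; then
    echo "   ⚠️  Gateway may be publicly exposed"
else
    echo "   ✅ Gateway bound to localhost"
fi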

# Check for symlinks
echo "3. Checking for symlinks..."
SYMLINKS=$(find ~/.openclaw -type l 2>/dev/null | wc -l)
if [ "$SYMLINKS" -eq 0 ]; then
    echo "   ✅ No symlinks found"
else
    echo "   ⚠️  Found $SYMLINKS symlinks - review manually"
fi

# Check for old Moltbot installation
echo "4. Checking for legacy installations..."
if command -v moltbot &> /dev/null; then
    echo "   ⚠️  Moltbot still installed - run: npm uninstall -g moltbot"
else
    echo "   ✅ No legacy installations found"
fi

# Run built-in audit
echo "5. Running built-in security audit..."
openclaw security audit

echo ""
echo "=== Audit Complete ==="

Next Steps


Schedule this audit regularly. Security threats evolve—your defenses should too.

Frequently Asked Questions

How often should I run a security audit?

Run audits weekly for development environments, before production deployments, after configuration changes, and when adding new team members.

What does the openclaw security audit command check?

It checks file permissions, gateway binding, authentication status, tool permissions, and common misconfigurations automatically.

What's a good security audit score?

90-100% is excellent and production-ready. 70-89% is good but address gaps before production. Below 70% requires significant improvements before deployment.