skills$openclaw/openclaw-hardener

5.1k★

openclaw-hardener – OpenClaw Skill

Name: openclaw-hardener
Author: virtaava

openclaw-hardener is an OpenClaw Skills integration for security workflows. Harden OpenClaw (workspace + ~/.openclaw): run openclaw security audit, catch prompt-injection/exfil risks, scan for secrets, and apply safe fixes (chmod/exec-bit cleanup). Includes optional config.patch planning to reduce attack surface.

5.1k stars4.9k forksSecurity L1

Updated Feb 7, 2026Created Feb 7, 2026security

Skill Snapshot

name	openclaw-hardener
description	Harden OpenClaw (workspace + ~/.openclaw): run openclaw security audit, catch prompt-injection/exfil risks, scan for secrets, and apply safe fixes (chmod/exec-bit cleanup). Includes optional config.patch planning to reduce attack surface. OpenClaw Skills integration.
owner	virtaava
repository	virtaava/openclaw-hardener
language	Markdown
license	MIT
topics
security	L1
install	openclaw add @virtaava/openclaw-hardener
last updated	Feb 7, 2026

Maintainer

virtaava

Maintains openclaw-hardener in the OpenClaw Skills directory.

View GitHub profile

File Explorer

5 files

scripts

hardener.py

16.9 KB

_meta.json

466 B

openclaw-skill.json

1.0 KB

SKILL.md

2.6 KB

SKILL.md

name: openclaw-hardener description: "Harden OpenClaw (workspace + ~/.openclaw): run openclaw security audit, catch prompt-injection/exfil risks, scan for secrets, and apply safe fixes (chmod/exec-bit cleanup). Includes optional config.patch planning to reduce attack surface."

OpenClaw Hardener

This skill provides a user-choice hardening tool that can:

Run OpenClaw’s built-in security audit (openclaw security audit --deep / --fix).
Run workspace hygiene checks (exec bits, stray .env, unsafe serialization patterns, etc.).
Apply safe mechanical fixes only when explicitly requested.
Generate (and optionally apply) a Gateway config.patch plan to tighten runtime policy.

Run the tool

Script:

skills_live/openclaw-hardener/scripts/hardener.py

Examples:

# Read-only checks (recommended default)
python3 skills_live/openclaw-hardener/scripts/hardener.py check --all

# Only run OpenClaw built-in audit (deep)
python3 skills_live/openclaw-hardener/scripts/hardener.py check --openclaw

# Only run workspace checks
python3 skills_live/openclaw-hardener/scripts/hardener.py check --workspace

# Apply safe fixes (chmod/exec-bit cleanup + optionally openclaw audit --fix)
python3 skills_live/openclaw-hardener/scripts/hardener.py fix --all

# Generate a config.patch plan (prints JSON5 patch)
python3 skills_live/openclaw-hardener/scripts/hardener.py plan-config

# Apply the plan (requires a running gateway; uses `openclaw gateway call`)
python3 skills_live/openclaw-hardener/scripts/hardener.py apply-config

Design rules (do not violate)

Default = check-only. No file/config changes unless user runs fix or apply-config.
No secrets in output. If a check reads sensitive paths, it must redact likely tokens.
Patch plans must be explicit. Always show the patch before applying.

What it checks / fixes

OpenClaw built-in security audit

Runs openclaw security audit --deep (and --fix in fix mode).

Workspace hygiene (scope: workspace + ~/.openclaw)

Permissions sanity under ~/.openclaw (basic checks).
Unexpected executable bits in non-executable filetypes.
Stray .env files (warn) and tracked .env (fail).
Risky deserialization / unsafe patterns in our scripts (heuristics).

Config hardening (optional plan)

Generates a conservative config.patch template focusing on:

Tightening inbound access defaults (pairing/allowlist, mention gating) only if you opt-in.
Ensuring sensitive log redaction is enabled.

(Exact keys depend on your config; the plan is best-effort and should be reviewed.)

README.md

No README available.

Permissions & Security

Security level L1: Low-risk skills with minimal permissions. Review inputs and outputs before running in production.

Requirements

OpenClaw CLI installed and configured.
Language: Markdown
License: MIT
Topics:

Configuration

Generates a conservative `config.patch` template focusing on: - Tightening inbound access defaults (pairing/allowlist, mention gating) **only if you opt-in**. - Ensuring sensitive log redaction is enabled. (Exact keys depend on your config; the plan is best-effort and should be reviewed.)

FAQ

How do I install openclaw-hardener?

Run openclaw add @virtaava/openclaw-hardener in your terminal. This installs openclaw-hardener into your OpenClaw Skills catalog.

Does this skill run locally or in the cloud?

OpenClaw Skills execute locally by default. Review the SKILL.md and permissions before running any skill.

Where can I verify the source code?

The source repository is available at https://github.com/openclaw/skills/tree/main/skills/virtaava/openclaw-hardener. Review commits and README documentation before installing.