Harden OpenClaw (workspace + ~/.openclaw): run openclaw security audit, catch prompt-injection/exfil risks, scan for secrets, and apply safe fixes (chmod/exec-bit cleanup). Includes optional config.patch planning to reduce attack surface.
This skill provides a user-choice hardening tool that can:
- Run OpenClaw's built-in audit (`openclaw security audit --deep` / `--fix`).
- Scan the workspace for secrets (`.env` files, unsafe serialization patterns, etc.).
- Propose a `config.patch` plan to tighten runtime policy.

Script: `skills_live/openclaw-hardener/scripts/hardener.py`

Examples:
```bash
# Read-only checks (recommended default)
python3 skills_live/openclaw-hardener/scripts/hardener.py check --all

# Only run OpenClaw built-in audit (deep)
python3 skills_live/openclaw-hardener/scripts/hardener.py check --openclaw

# Only run workspace checks
python3 skills_live/openclaw-hardener/scripts/hardener.py check --workspace

# Apply safe fixes (chmod/exec-bit cleanup + optionally openclaw audit --fix)
python3 skills_live/openclaw-hardener/scripts/hardener.py fix --all

# Generate a config.patch plan (prints JSON5 patch)
python3 skills_live/openclaw-hardener/scripts/hardener.py plan-config

# Apply the plan (requires a running gateway; uses `openclaw gateway call`)
python3 skills_live/openclaw-hardener/scripts/hardener.py apply-config
```
- Read-only by default: nothing is changed unless you run `fix` or `apply-config`.
- Runs `openclaw security audit --deep` (and `--fix` in fix mode).
- Checks `~/.openclaw` (basic checks).
- Reports `.env` files (warn) and tracked `.env` files (fail).
- Generates a conservative `config.patch` template focusing on:

(Exact keys depend on your config; the plan is best-effort and should be reviewed.)
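To make the two workspace checks above concrete, here is a small stand-alone Python example written for this page (it is not `hardener.py` and not part of the skill). It walks a directory, reports `.env` files as `warn` or, when git tracks them, as `fail`, flags regular files that carry an exec bit without looking like a script, and offers the "safe fix" of clearing those stray exec bits. The severity names, the `Finding` dataclass, the script-suffix list and the constructed sample workspace are assumptions of this example; git tracking is read with `git ls-files` and falls back to "untracked" when the directory is not a repository.

```python
"""Added example (not the skill's own hardener.py): read-only workspace
checks plus an opt-in exec-bit cleanup, in the spirit of `check --workspace`
and `fix` described above. Names and thresholds here are assumptions."""
from __future__ import annotations

import os
import stat
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Files with these suffixes, or a "#!" shebang, are allowed to be executable
# (assumed list for this example).
SCRIPT_SUFFIXES = {".py", ".sh", ".bash", ".zsh", ".pl", ".rb"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


@dataclass(frozen=True)
class Finding:
    severity: str  # "warn" or "fail"
    path: str      # path relative to the workspace root
    reason: str    # "env-file", "env-file-tracked" or "exec-bit"


def tracked_files(root: Path) -> set[str]:
    """Repo-relative paths git tracks under root; empty set if git is
    missing or root is not a repository."""
    try:
        out = subprocess.run(["git", "-C", str(root), "ls-files", "-z"],
                             capture_output=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return set()
    return {p for p in out.stdout.decode().split("\0") if p}


def has_shebang(p: Path) -> bool:
    try:
        with p.open("rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def check_workspace(root: Path, tracked: Optional[set[str]] = None) -> list[Finding]:
    """Read-only scan. `tracked` may be injected for testing; None means ask git."""
    root = Path(root)
    if tracked is None:
        tracked = tracked_files(root)
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        rel_parts = p.relative_to(root).parts
        if ".git" in rel_parts or not p.is_file():
            continue
        rel = "/".join(rel_parts)
        # A committed .env is worse than a stray one: the secret is in history.
        if p.name == ".env" or p.name.startswith(".env."):
            if rel in tracked:
                findings.append(Finding("fail", rel, "env-file-tracked"))
            else:
                findings.append(Finding("warn", rel, "env-file"))
        # Exec bit on something that is not a script: likely an accident.
        mode = p.stat().st_mode
        if (mode & EXEC_BITS) and p.suffix not in SCRIPT_SUFFIXES and not has_shebang(p):
            findings.append(Finding("warn", rel, "exec-bit"))
    return findings


def fix_exec_bits(root: Path, findings: list[Finding]) -> list[str]:
    """The 'safe fix': clear exec bits on files flagged with reason exec-bit.
    Returns the relative paths that were changed."""
    fixed: list[str] = []
    for f in findings:
        if f.reason != "exec-bit":
            continue
        p = Path(root) / f.path
        os.chmod(p, p.stat().st_mode & ~EXEC_BITS)
        fixed.append(f.path)
    return fixed


def build_sample_workspace() -> Path:
    """Constructed sample input for trying the checks (placeholder values only)."""
    root = Path(tempfile.mkdtemp(prefix="hardener-demo-"))
    (root / ".env").write_text("API_KEY=example-placeholder\n")
    notes = root / "notes.txt"
    notes.write_text("just notes\n")
    notes.chmod(0o755)           # stray exec bit: should be flagged
    run = root / "run.sh"
    run.write_text("#!/bin/sh\necho ok\n")
    run.chmod(0o755)             # legitimate script: should not be flagged
    return root


if __name__ == "__main__":
    ws = build_sample_workspace()
    found = check_workspace(ws)
    for f in found:
        print(f"{f.severity:4} {f.path}  ({f.reason})")
    print("fixed:", fix_exec_bits(ws, found))
```

Running the block prints one `warn` for `.env`, one `warn` for `notes.txt`, nothing for `run.sh`, and then the single path whose exec bit was cleared; passing `tracked={".env"}` to `check_workspace` turns the `.env` line into a `fail`, which mirrors the warn/fail split in the notes above.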