Security-Ops

openclaw security: Security Audit Command Guide


Command Overview

The openclaw security command provides comprehensive security auditing and management features to help you identify and fix security risks in your OpenClaw deployment.

Security Scan

openclaw security scan
Security Scan Report
====================

Overall Score: 85/100 (Good)

Critical (0):
  No critical issues found.

High (1):
  ⚠ Gateway exposed without authentication
    → Enable API key authentication in security.auth config

Medium (2):
  ⚠ CORS configured with wildcard origin (*)
    → Restrict to specific domains
  ⚠ Rate limiting not configured for channel: discord-dev
    → Add rate limit configuration

Low (3):
  ℹ HTTP access log not enabled
    → Enable access logging for audit trail
  ℹ Secrets file permissions: 644 (recommend: 600)
    → Run: chmod 600 ~/.openclaw/secrets.enc
  ℹ No IP whitelist configured
    → Consider restricting access by IP

Passed (12):
  ✓ TLS enabled for external connections
  ✓ API keys stored in encrypted secrets
  ✓ Sandbox enabled for code execution
  ✓ Content filter active
  ...

Run 'openclaw security fix' to auto-fix applicable issues.
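To show what a scanner like this actually does under the hood, here is an added example (not OpenClaw's code; the page does not state what language OpenClaw is written in, so Python is used) that runs the same six checks the report above lists over a configuration dictionary and derives a score. The configuration key layout, the severity weights and the sample values are assumptions made for this example; only security.auth is named on the page.

```python
import stat
from dataclasses import dataclass

# Constructed sample configuration. The key layout (gateway.exposed,
# security.auth.enabled, security.cors.origins, channels.<name>.rateLimit,
# security.accessLog, security.ipWhitelist) is an assumption for this example,
# not OpenClaw's actual schema; only security.auth is named on the page.
SAMPLE_CONFIG = {
    "gateway": {"exposed": True, "tls": True},
    "security": {
        "auth": {"enabled": False},
        "cors": {"origins": ["*"]},
        "accessLog": {"enabled": False},
        "ipWhitelist": [],
    },
    "channels": {
        "telegram-main": {"rateLimit": {"perMinute": 30}},
        "discord-dev": {},
    },
}

# Assumed score deductions per finding; the page does not say how its
# 85/100 is derived.
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 2}


@dataclass
class Finding:
    severity: str
    title: str
    fix: str


def check_auth(cfg):
    """A reachable gateway with authentication disabled is the one high-severity case."""
    if cfg["gateway"].get("exposed") and not cfg["security"]["auth"].get("enabled"):
        return [Finding("high", "Gateway exposed without authentication",
                        "Enable API key authentication in security.auth config")]
    return []


def check_cors(cfg):
    origins = cfg["security"].get("cors", {}).get("origins", [])
    if "*" in origins:
        return [Finding("medium", "CORS configured with wildcard origin (*)",
                        "Restrict to specific domains")]
    return []


def check_rate_limits(cfg):
    """One finding per channel that has no rateLimit block."""
    return [Finding("medium", f"Rate limiting not configured for channel: {name}",
                    "Add rate limit configuration")
            for name, channel in cfg["channels"].items() if "rateLimit" not in channel]


def check_access_log(cfg):
    if not cfg["security"].get("accessLog", {}).get("enabled"):
        return [Finding("low", "HTTP access log not enabled",
                        "Enable access logging for audit trail")]
    return []


def check_ip_whitelist(cfg):
    if not cfg["security"].get("ipWhitelist"):
        return [Finding("low", "No IP whitelist configured",
                        "Consider restricting access by IP")]
    return []


def check_secrets_perms(mode):
    """`mode` is an st_mode value (e.g. os.stat(path).st_mode); any group/other bit is flagged."""
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        return [Finding("low", f"Secrets file permissions: {perm:o} (recommend: 600)",
                        "Run: chmod 600 ~/.openclaw/secrets.enc")]
    return []


def scan(cfg, secrets_mode):
    """Run every check; return (score, findings) with score = 100 minus weighted deductions."""
    findings = (check_auth(cfg) + check_cors(cfg) + check_rate_limits(cfg)
                + check_access_log(cfg) + check_ip_whitelist(cfg)
                + check_secrets_perms(secrets_mode))
    score = max(0, 100 - sum(SEVERITY_WEIGHT[f.severity] for f in findings))
    return score, findings


def report(cfg, secrets_mode):
    """Render findings grouped by severity, in the layout of the page's scan output."""
    score, findings = scan(cfg, secrets_mode)
    lines = [f"Overall Score: {score}/100", ""]
    for sev in ("high", "medium", "low"):
        group = [f for f in findings if f.severity == sev]
        lines.append(f"{sev.capitalize()} ({len(group)}):")
        for f in group:
            lines.append(f"  ⚠ {f.title}")
            lines.append(f"    → {f.fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    # 0o100644 is the st_mode of a regular file with mode 644, as in the page's report.
    print(report(SAMPLE_CONFIG, 0o100644))
```

Each check is a small pure function returning zero or more findings, so a new check (TLS, sandbox, content filter) is one more function added to the sum in scan(); the score is only a prioritisation aid, and the high-severity finding should be fixed regardless of what the total says.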

Auto-Fix

openclaw security fix
Applying security fixes:
  ✓ Fixed secrets file permissions (644 → 600)
  ✓ Enabled access logging
  ✗ Cannot auto-fix: Gateway authentication (manual config required)
  ✗ Cannot auto-fix: CORS restriction (manual config required)

Fixed 2 of 4 issues. 2 require manual attention.

Audit Log

View Audit Log

openclaw security audit
openclaw security audit --since "24h"
openclaw security audit --type auth
Audit Log:
  [2026-03-20 10:30:01] AUTH_SUCCESS  user:admin  ip:192.168.1.10
  [2026-03-20 10:28:15] AUTH_FAILURE  user:unknown ip:203.0.113.50
  [2026-03-20 10:25:33] CONFIG_CHANGE user:admin  key:models.main
  [2026-03-20 10:20:01] RATE_LIMITED  user:user5  channel:telegram
  [2026-03-20 09:15:00] SECRET_ACCESS user:admin  key:OPENAI_API_KEY

Audit Event Types

  • AUTH_SUCCESS / AUTH_FAILURE: Authentication success/failure
  • CONFIG_CHANGE: Configuration modification
  • SECRET_ACCESS: Secret access
  • RATE_LIMITED: Rate limit triggered
  • CONTENT_BLOCKED: Content filtered
  • SANDBOX_VIOLATION: Sandbox security violation
  • CHANNEL_CONNECT / CHANNEL_DISCONNECT: Channel connected/disconnected
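The audit output above is simple enough to post-process yourself, which matters when you want alerting rather than just a listing. The following is an added Python example (not OpenClaw's code) that parses lines in the format shown, reproduces the --since and --type filters, and flags source IPs that accumulate repeated AUTH_FAILURE events inside a short window. The extra log lines, the fixed reference time, the accepted --since units and the burst threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the layout shown by `openclaw security audit`.
# The two extra AUTH_FAILURE lines from 203.0.113.50 and the older one from
# 198.51.100.7 are invented to exercise the filters and the burst detector.
SAMPLE_LOG = """\
[2026-03-20 10:30:01] AUTH_SUCCESS  user:admin  ip:192.168.1.10
[2026-03-20 10:28:15] AUTH_FAILURE  user:unknown ip:203.0.113.50
[2026-03-20 10:27:40] AUTH_FAILURE  user:unknown ip:203.0.113.50
[2026-03-20 10:27:02] AUTH_FAILURE  user:root    ip:203.0.113.50
[2026-03-20 10:25:33] CONFIG_CHANGE user:admin  key:models.main
[2026-03-20 10:20:01] RATE_LIMITED  user:user5  channel:telegram
[2026-03-20 09:15:00] SECRET_ACCESS user:admin  key:OPENAI_API_KEY
[2026-03-18 08:00:00] AUTH_FAILURE  user:admin  ip:198.51.100.7
"""

# Fixed "current time" so the --since arithmetic is reproducible (constructed).
NOW = datetime(2026, 3, 20, 12, 0, 0)

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+(?P<type>[A-Z_]+)\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+):(\S+)")  # user:admin, ip:..., key:..., channel:...


def parse_line(line):
    """Return {'ts': datetime, 'type': str, <field>: <value>, ...} or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "type": m["type"]}
    record.update(KV_RE.findall(m["rest"]))
    return record


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def parse_since(spec):
    """'30m', '24h', '7d' -> timedelta. The accepted units are an assumption about --since."""
    units = {"m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[spec[-1]]: int(spec[:-1])})


def query(records, since=None, event_type=None, now=NOW):
    """Mirror --since and --type: `--type auth` matches every AUTH_* event."""
    out = records
    if since:
        cutoff = now - parse_since(since)
        out = [r for r in out if r["ts"] >= cutoff]
    if event_type:
        prefix = event_type.upper()
        out = [r for r in out if r["type"].startswith(prefix)]
    return out


def failed_auth_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Map ip -> largest number of AUTH_FAILURE events that fall inside one `window`,
    for IPs reaching `threshold`. A simple signal for password guessing against the gateway."""
    by_ip = defaultdict(list)
    for r in records:
        if r["type"] == "AUTH_FAILURE" and "ip" in r:
            by_ip[r["ip"]].append(r["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in query(records, since="24h", event_type="auth"):
        print(r["ts"], r["type"], r.get("user"), r.get("ip"))
    print("bursts:", failed_auth_bursts(records))
```

The burst detector is what the "[LOW] Configure alert notifications for auth failures" recommendation later on the page amounts to in practice: run it over the last hour of events from a cron job and page on any non-empty result. Keep the threshold low enough to catch slow attempts but above what a user mistyping a key a couple of times produces.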

User Access Audit

openclaw security users
User Access Report:
  User          Channel         Last Active   Messages  Blocked
  ─────────────────────────────────────────────────────────────
  user001       telegram-main   5 min ago     1,250     No
  user002       telegram-main   1 hour ago    380       No
  user003       discord-dev     2 hours ago   120       No
  banned_user   telegram-main   3 days ago    50        Yes

Content Filtering

Configure and manage content security policies:

# View current filter rules
openclaw security filters list

# Add filter rules
openclaw security filters add --pattern "password.*is" --action block
openclaw security filters add --pattern "credit card number" --action warn
{
  "security": {
    "contentFilter": {
      "enabled": true,
      "rules": [
        {"pattern": "password.*is", "action": "block", "message": "Sensitive information request detected"},
        {"pattern": "\\b\\d{16}\\b", "action": "redact", "message": "Credit card number redacted"}
      ]
    }
  }
}
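The rule list above is ordered, and that order is what decides whether a message is blocked outright, rewritten, or merely logged. Here is an added Python example (not OpenClaw's code) that loads the page's two rules and applies them the way a filter pipeline would: block short-circuits, redact rewrites and continues, warn only records an event. The result type, the [REDACTED] marker, case-insensitive matching and the event names other than CONTENT_BLOCKED are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# The two rules below are the page's own contentFilter config; everything
# else in this example (result type, event names other than CONTENT_BLOCKED,
# the [REDACTED] marker, case-insensitive matching) is an assumption.
CONFIG = {
    "security": {
        "contentFilter": {
            "enabled": True,
            "rules": [
                {"pattern": "password.*is", "action": "block",
                 "message": "Sensitive information request detected"},
                {"pattern": r"\b\d{16}\b", "action": "redact",
                 "message": "Credit card number redacted"},
            ],
        }
    }
}


@dataclass
class FilterResult:
    allowed: bool          # False means the message must not be delivered at all
    text: str              # possibly redacted text (empty when blocked)
    events: list = field(default_factory=list)  # (event_type, message) pairs for the audit log


def compile_rules(cfg):
    """Compile the rule list once; a disabled filter yields no rules at all."""
    cf = cfg["security"]["contentFilter"]
    if not cf.get("enabled", False):
        return []
    return [(re.compile(rule["pattern"], re.IGNORECASE), rule["action"], rule["message"])
            for rule in cf["rules"]]


def apply_filter(text, rules):
    """Apply rules in configured order. `block` short-circuits; `redact` rewrites and
    continues; `warn` only records an event."""
    result = FilterResult(allowed=True, text=text)
    for regex, action, message in rules:
        if not regex.search(result.text):
            continue
        if action == "block":
            result.events.append(("CONTENT_BLOCKED", message))
            result.allowed = False
            result.text = ""
            return result
        if action == "redact":
            result.text, count = regex.subn("[REDACTED]", result.text)
            result.events.append(("CONTENT_REDACTED", f"{message} x{count}"))
        elif action == "warn":
            result.events.append(("CONTENT_WARNING", message))
    return result


if __name__ == "__main__":
    rules = compile_rules(CONFIG)
    for sample in ["my password is hunter2",
                   "card 4111111111111111 expires 12/28",
                   "the password policy is strict"]:  # benign, but also matches password.*is
        r = apply_filter(sample, rules)
        print(f"{sample!r} -> allowed={r.allowed} text={r.text!r} events={r.events}")
```

The third sample shows the cost of a loose pattern: "password.*is" also matches "the password policy is strict", so a block rule written that way will stop legitimate traffic. A practical approach is to introduce new patterns with --action warn, watch the CONTENT_* events in the audit log for a while, and only promote them to block once the false-positive rate is acceptable.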

Secret Security Check

openclaw security check-secrets
Secrets Security Check:
  ✓ OPENAI_API_KEY: encrypted, rotated 15 days ago
  ⚠ TELEGRAM_BOT_TOKEN: encrypted, not rotated in 120 days
  ✓ ANTHROPIC_API_KEY: encrypted, rotated 30 days ago
  ✓ No secrets appear in log files
  ✓ No secrets appear in config file (plaintext)
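The check above combines two different questions: is each secret rotated recently enough, and has any secret value leaked into a file that is not the encrypted store? The following added Python example (not OpenClaw's code) implements both over constructed metadata. The rotation ages match the page's output; the secret values, the 90-day limit, the metadata layout and the file contents are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Fixed reference time and constructed secret metadata. The `rotated_at`
# ages match the page's output (15, 120 and 30 days); the values, the 90-day
# rotation limit and the metadata layout are assumptions for this example.
NOW = datetime(2026, 3, 20)
MAX_AGE_DAYS = 90

SECRETS = {
    "OPENAI_API_KEY": {"value": "sk-example-openai-0001", "encrypted": True,
                       "rotated_at": NOW - timedelta(days=15)},
    "TELEGRAM_BOT_TOKEN": {"value": "123456:example-telegram-token", "encrypted": True,
                           "rotated_at": NOW - timedelta(days=120)},
    "ANTHROPIC_API_KEY": {"value": "sk-ant-example-0002", "encrypted": True,
                          "rotated_at": NOW - timedelta(days=30)},
}

# Constructed file contents to scan. The config copy leaks the Telegram token
# in plaintext; the log does not contain any secret value.
SOURCES = {
    "config file": 'telegram:\n  token: "123456:example-telegram-token"\n',
    "log files": "[2026-03-20 10:30:01] AUTH_SUCCESS  user:admin  ip:192.168.1.10\n",
}


def rotation_status(secrets, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return name -> (status, detail). status is 'ok', 'warn' (stale) or 'fail' (plaintext)."""
    out = {}
    for name, meta in secrets.items():
        age = (now - meta["rotated_at"]).days
        if not meta["encrypted"]:
            out[name] = ("fail", f"stored in plaintext, rotated {age} days ago")
        elif age > max_age_days:
            out[name] = ("warn", f"encrypted, not rotated in {age} days")
        else:
            out[name] = ("ok", f"encrypted, rotated {age} days ago")
    return out


def find_leaks(secrets, sources):
    """List (source, secret name) pairs where the secret value appears verbatim.
    Verbatim search catches copy-pasted values only; encoded or truncated copies need other checks."""
    return [(src, name)
            for src, text in sources.items()
            for name, meta in secrets.items()
            if meta["value"] and meta["value"] in text]


def check_secrets(secrets, sources, now=NOW):
    """Render the report in the layout of `openclaw security check-secrets`."""
    marks = {"ok": "✓", "warn": "⚠", "fail": "✗"}
    lines = []
    for name, (status, detail) in rotation_status(secrets, now).items():
        lines.append(f"  {marks[status]} {name}: {detail}")
    leaks = find_leaks(secrets, sources)
    for src in sources:
        hits = [name for s, name in leaks if s == src]
        if hits:
            lines.append(f"  ✗ Secrets appear in {src}: {', '.join(hits)}")
        else:
            lines.append(f"  ✓ No secrets appear in {src}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(check_secrets(SECRETS, SOURCES))
```

A leak finding should be treated as a rotation trigger, not just a cleanup task: once a token has been written to a config copy or a log, assume it has been read, rotate it, and then remove the plaintext occurrence.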

Dependency Security Check

openclaw security deps
Dependency Security Scan:
  ✓ No known vulnerabilities in direct dependencies
  ⚠ 2 moderate vulnerabilities in transitive dependencies
    - [email protected]: Prototype Pollution (CVE-2024-xxxx)
    - [email protected]: Path Traversal (CVE-2024-yyyy)

  Run 'openclaw security deps --fix' to update

Generate Compliance Reports

openclaw security report --format pdf --output security-report.pdf
openclaw security report --format json --output security-report.json

Real-Time Security Monitoring

openclaw security monitor

Displays security events in real time, ideal for running in a dedicated terminal.

Security Recommendations

openclaw security recommendations
Security Recommendations:
  1. [HIGH] Enable Gateway authentication
  2. [MEDIUM] Configure CORS with specific origins
  3. [MEDIUM] Add rate limiting to all channels
  4. [LOW] Enable IP whitelist for admin API
  5. [LOW] Set up automated security scanning (cron)
  6. [LOW] Configure alert notifications for auth failures

Summary

openclaw security is a comprehensive toolset for ensuring OpenClaw runs securely. Regularly running security scans, reviewing audit logs, and checking secret security are best practices for maintaining AI assistant service security.

OpenClaw is a free, open-source personal AI assistant that supports WhatsApp, Telegram, Discord, and many more platforms.