Security Audit Pro
OpenClaw-specific security scanner targeting the March 2026 CVE batch and known agent attack vectors.
Commands
Run via: python3 scripts/security-audit-pro.py
Commands
scan— Full security scan (all checks). Default command.cve— Check for specific CVEs (March 2026 batch: CVE-2026-28460 through CVE-2026-28468)gateway— Audit gateway auth configuration (token exposure, bind address, CORS)skills— Scan installed skills for prompt injection and exfiltration patternsmemory— Check memory files for sensitive data exposure and permission issuesfix— Auto-remediate common security issues (interactive confirmation)report— Generate formatted security report (text/json/markdown)
Options
--workspace PATH— Workspace path (default: current directory or~/.openclaw/workspace)--config PATH— OpenClaw config path (default: auto-detect)--format text|json|markdown— Output format (default: text)--fix— Auto-fix issues where safe to do so--severity low|medium|high|critical— Minimum severity to report--output PATH— Save report to file--verbose— Show detailed findings with code snippets
Security Score
Generates an A-F security score based on weighted categories:
- Gateway Security (30%) — Auth tokens, bind address, CORS, TLS
- CVE Exposure (25%) — Known vulnerability patterns
- Skill Trust (20%) — Installed skill code safety
- File Permissions (15%) — Memory/config file access controls
- Data Protection (10%) — Sensitive data in plaintext, .gitignore coverage
CVE Database
See references/cve-database.md for the full list of tracked CVEs and their detection patterns.
Integration
Works alongside healthcheck (host-level) and skill-security-scanner (skill-level). This skill focuses on OpenClaw-specific attack vectors that neither of those cover.