Metadata-Version: 2.4
Name: clawaudit
Version: 0.3.0a4
Summary: OpenClaw security audit tool
Author-email: Shuai Yang <yannis.pku@gmail.com>
License: Proprietary
Requires-Python: >=3.9
Requires-Dist: click>=8.0
Requires-Dist: packaging>=21.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: requests>=2.28
Requires-Dist: rich>=13.0
Description-Content-Type: text/markdown

# Foresight ClawAudit

Security audit tool for OpenClaw instances. Scans runtime configuration, system environment, Skill plugins, supply chain integrity, and known CVEs — covering 31 check points across 8 categories.

### OpenClaw Directories and Configuration

The main configuration file `openclaw.json` may contain sensitive credentials such as API keys and Gateway tokens. The workspace directory stores agent personas, memory documents, and Skill plugins. Scheduled tasks are configured in the cron directory. The Gateway daemon runs as a system service in the background. If you have used pre-rename versions, `~/.clawdbot/` and `~/.moltbot/` may still contain legacy configuration data.

| Type | Path | Description |
|------|------|-------------|
| Main config | `~/.openclaw/openclaw.json` | API keys, tokens, and other sensitive credentials |
| Workspace | `~/.openclaw/workspace/` | AGENTS.md, SOUL.md, MEMORY.md, memory/*.md, Skill plugins |
| Memory index | `~/.openclaw/memory/{agentId}.sqlite` | Vector + BM25 full-text search index |
| Scheduled tasks | `~/.openclaw/cron/jobs.json` | Cron job persistent configuration |
| System service | LaunchAgent (macOS) / systemd (Linux) | Gateway daemon, runs 24/7 |
| Legacy dirs | `~/.clawdbot/`, `~/.moltbot/` | Pre-rename configs (Clawdbot → Moltbot → OpenClaw) |
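
The paths in the table above hold credentials and persistent configuration, so their permissions are worth checking by hand as well. The following is an added example, not ClawAudit's own code; the policy it applies (no group or other permission bits, owned by the current user) is an assumption, and the home directory it audits is constructed in a temporary folder.

```python
import os
import stat
import tempfile
from pathlib import Path

# Paths from the table above, relative to the home directory.
SENSITIVE_PATHS = [
    ".openclaw/openclaw.json",
    ".openclaw/workspace",
    ".openclaw/cron/jobs.json",
    ".clawdbot",
    ".moltbot",
]

def audit_permissions(home):
    """Return (relative path, mode, problems) for each existing risky path."""
    findings = []
    for rel in SENSITIVE_PATHS:
        try:
            st = os.stat(Path(home) / rel)
        except FileNotFoundError:
            continue                      # e.g. no legacy directories
        problems = []
        # Assumed policy: no group/other permission bits at all.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("accessible by group or others")
        if st.st_uid != os.getuid():
            problems.append("not owned by the current user")
        if problems:
            findings.append((rel, stat.S_IMODE(st.st_mode), problems))
    return findings

def demo():
    """Audit a constructed home directory (temporary, removed afterwards)."""
    with tempfile.TemporaryDirectory() as home:
        cron = Path(home) / ".openclaw" / "cron"
        cron.mkdir(parents=True)
        config = Path(home) / ".openclaw" / "openclaw.json"
        config.write_text('{"constructed": "sample"}')
        os.chmod(config, 0o644)           # world-readable: flagged
        jobs = cron / "jobs.json"
        jobs.write_text("[]")
        os.chmod(jobs, 0o600)             # owner-only: passes
        return audit_permissions(home)

if __name__ == "__main__":
    for rel, mode, problems in demo():
        print(f"{rel}: mode {mode:04o}: {', '.join(problems)}")
```

To audit a real installation, call `audit_permissions(Path.home())`.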

---

### Features

Foresight ClawAudit currently scans 8 security categories with 31 check points, and ships with a built-in database of 271 OpenClaw vulnerability advisories (continuously updated). Coverage includes network port exposure and TLS configuration, weak credentials and auth bypass, dangerous configuration flags, command injection and code self-modification, Skill supply chain integrity, API key exposure, anomalous scheduled tasks and SSH brute force, and real-time matching against 44 active threat indicators (e.g., ClawHavoc, GhostSocks).

No root required. Supports both local and remote scan modes. Reports are available as colored terminal output, JSON, SARIF 2.1.0, or Markdown. All scanning is performed locally; no data is uploaded.

| Category | Count | Check ID | Description |
|----------|-------|----------|-------------|
| NET Network Exposure | 4 | PA-NET01 | Gateway port 18789 bound to 0.0.0.0 |
| | | PA-NET02 | TLS/HTTPS not configured |
| | | PA-NET03 | Anonymous remote access (no authentication) |
| | | PA-NET04 | Network IOC detection (outbound C2 connection matching) |
| AUTH Authentication | 2 | PA-AUTH01 | Default/weak credentials |
| | | PA-AUTH02 | Console UI authentication bypass |
| CONF Configuration | 4 | PA-CONF01 | Config file permissions too broad |
| | | PA-CONF02 | Dangerous configuration flags enabled |
| | | PA-CONF03 | Shell command allowlist (safeBins) not configured |
| | | PA-CONF04 | Configuration baseline drift |
| EXEC Execution Sandbox | 8 | PA-EXEC01 | Command injection (unfiltered input) |
| | | PA-EXEC02 | Sandbox/container isolation not detected |
| | | PA-EXEC03 | Unsafe code execution (eval/exec/os.system) |
| | | PA-EXEC04 | SQL injection (string concatenation) |
| | | PA-EXEC05 | Tool output directly injected into prompt |
| | | PA-EXEC06 | System prompt injection (user input enters SystemMessage) |
| | | PA-EXEC07 | Missing circuit breaker / max iteration limit |
| | | PA-EXEC08 | Plugin code self-modification risk |
| SC Supply Chain | 3 | PA-SC01 | Third-party Skill source not verified |
| | | PA-SC02 | Skill/MCP file integrity deviation |
| | | PA-SC03 | Tool description contains hidden instructions |
| DATA Data Security | 4 | PA-DATA01 | API key exposed in plaintext |
| | | PA-DATA02 | Private key or mnemonic in plaintext |
| | | PA-DATA03 | Sensitive data in log output |
| | | PA-DATA04 | Suspected data exfiltration chain (file read + network request) |
| SYS System Security | 6 | PA-SYS01 | OpenClaw process running as root |
| | | PA-SYS02 | System critical file permission anomaly |
| | | PA-SYS03 | Sensitive directory modified within 24 hours |
| | | PA-SYS04 | Anomalous scheduled tasks (cron/systemd) |
| | | PA-SYS05 | SSH brute force attempts within 24 hours |
| | | PA-SYS06 | Node.js version has known vulnerability (CVE-2026-21636) |
| CVE Known Vulnerabilities | Dynamic | PA-CVE* | Version matching against 271 built-in OpenClaw advisories |
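
What PA-NET01 looks for can be reproduced on Linux by reading the kernel's socket table. The following is an added example, not ClawAudit's own code; it parses text in `/proc/net/tcp` layout, and the sample table is constructed.

```python
import socket

GATEWAY_PORT = 18789   # port named by check PA-NET01 above
LISTEN = "0A"          # value of the "st" column for a listening socket

# Constructed sample in /proc/net/tcp layout (trailing columns omitted).
SAMPLE = """\
  sl  local_address rem_address   st
   0: 0100007F:1538 00000000:0000 0A
   1: 00000000:4965 00000000:0000 0A
   2: 0A00000A:4965 0A000014:C350 01
"""

def decode_ipv4(addr_hex):
    """Decode an IPv4 address as written on little-endian hosts."""
    return socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])

def gateway_listeners(table, port=GATEWAY_PORT):
    """Return (address, exposed) for every LISTEN socket on `port`."""
    results = []
    for line in table.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue                              # not a listening socket
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        if len(addr_hex) == 8:
            address = decode_ipv4(addr_hex)
        else:                                     # tcp6 row: keep raw hex
            address = addr_hex
        exposed = set(addr_hex) == {"0"}          # 0.0.0.0 or ::
        results.append((address, exposed))
    return results

if __name__ == "__main__":
    for address, exposed in gateway_listeners(SAMPLE):
        status = "EXPOSED on all interfaces" if exposed else "restricted"
        print(f"{address}:{GATEWAY_PORT} {status}")
```

On a live host, pass the contents of `/proc/net/tcp` and `/proc/net/tcp6` instead of `SAMPLE`; row 2 of the sample is an established connection and is ignored.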

### Use Cases

For individual users, run a local scan immediately after deploying OpenClaw to verify whether default configurations pose security risks. For operations teams, use remote mode to probe internal or public-facing assets and quickly map the exposure surface.

### Quick Start

Supports Linux/macOS. Windows users must run under WSL. Minimal setup — a single command completes the scan with no additional configuration.

```bash
# Run directly without install (if you don't have uv, first run: curl -LsSf https://astral.sh/uv/install.sh | sh)
uvx clawaudit scan --mode local

# Or install via pip
pip install clawaudit
clawaudit scan --mode local                            # Full local scan
clawaudit scan --mode local --fix                      # Scan and auto-fix
clawaudit scan --mode remote --target <IP>             # Remote probe
clawaudit scan --mode local --format json -o report.json  # JSON output
clawaudit cvedb update                                 # Update CVE database
```

## License

Proprietary. For personal and internal use only. Redistribution and modification are not permitted.

## About

Developed by [Beijing Institute of AI Safety and Governance (Beijing-AISI)](https://beijing-aisi.ac.cn). Beijing-AISI focuses on safe development, safety and security assessment, and governance of AI.

## Contact

- Email: shuai.yang@beijing-aisi.ac.cn
- Website: https://beijing-aisi.ac.cn
