Metadata-Version: 2.4
Name: clawaudit
Version: 0.4.2a2
Summary: OpenClaw security audit tool
Author-email: Shuai Yang <yannis.pku@gmail.com>
License: Proprietary
Keywords: agent-security,ai-safety,audit,cve,openclaw,sarif,scanner,security,vulnerability
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: End Users/Desktop
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: Science/Research
Classifier: Intended Audience :: System Administrators
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Requires-Python: >=3.9
Requires-Dist: click>=8.0
Requires-Dist: packaging>=21.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: requests>=2.28
Requires-Dist: rich>=13.0
Description-Content-Type: text/markdown

# Foresight ClawAudit

Foresight ClawAudit, a collaborative project by the Beijing Institute of AI Safety and Governance and the Beijing Key Lab of AI Safety and Superalignment, provides risk detection and security guardrails for AI agents. This version focuses on OpenClaw security, delivering comprehensive security audits and critical vulnerability fixes. It is designed to help users establish and maintain a robust security baseline when deploying OpenClaw.

### Features

Foresight ClawAudit currently scans 8 security categories with 32 checkpoints, and includes 295 built-in OpenClaw vulnerability signatures (continuously updated). Coverage includes network port exposure and TLS configuration, weak credentials and auth bypass, dangerous configuration flags, command injection and code self-modification, Skill supply chain integrity, API key exposure, anomalous scheduled tasks and SSH brute force, and real-time matching against 44 active threat indicators (e.g., ClawHavoc, GhostSocks).

Foresight ClawAudit features a `--fix` option to remediate detected issues. For explicit cybersecurity risks—such as network exposure, weak passwords, and dangerous configurations—the tool can apply automated fixes. For potential risks tied to specific user requirements, such as shell tools or skills, it provides recommendations while keeping users in full control. Furthermore, the scanning process is entirely local.

| Category | Count | Check ID | Severity | Description |
|----------|-------|----------|----------|-------------|
| NET Network Exposure | 5 | PA-NET01 | CRITICAL | Gateway port 18789 bound to 0.0.0.0 |
| | | PA-NET02 | WARNING | TLS/HTTPS not configured |
| | | PA-NET03 | CRITICAL | Anonymous remote access (no authentication) |
| | | PA-NET04 | HIGH | Network IOC detection (outbound C2 connection matching) |
| | | PA-NET05 | HIGH | LiteLLM proxy vulnerable version detection |
| AUTH Authentication | 2 | PA-AUTH01 | CRITICAL | Default/weak credentials |
| | | PA-AUTH02 | CRITICAL | Control UI auth bypass |
| CONF Configuration | 4 | PA-CONF01 | CRITICAL | Config file permissions too broad |
| | | PA-CONF02 | HIGH | Dangerous configuration flags enabled |
| | | PA-CONF03 | CRITICAL | Shell command allowlist (safeBins) not configured |
| | | PA-CONF04 | HIGH | Configuration baseline drift |
| EXEC Execution Sandbox | 8 | PA-EXEC01 | CRITICAL | Command injection (unfiltered input) |
| | | PA-EXEC02 | WARNING | Sandbox/container isolation not detected |
| | | PA-EXEC03 | CRITICAL | Unsafe code execution (eval/exec/os.system) |
| | | PA-EXEC04 | CRITICAL | SQL injection (string interpolation) |
| | | PA-EXEC05 | HIGH | Tool output directly injected into prompt |
| | | PA-EXEC06 | CRITICAL | System prompt injection (user input enters SystemMessage) |
| | | PA-EXEC07 | HIGH | Missing circuit breaker / max iteration limit |
| | | PA-EXEC08 | CRITICAL | Plugin code self-modification risk |
| SC Supply Chain | 3 | PA-SC01 | HIGH | Third-party Skill source not verified |
| | | PA-SC02 | HIGH | Skill file integrity deviation |
| | | PA-SC03 | HIGH | Skill description contains hidden instructions |
| DATA Data Security | 4 | PA-DATA01 | CRITICAL | API key exposed in plaintext |
| | | PA-DATA02 | CRITICAL | Private key or mnemonic in plaintext |
| | | PA-DATA03 | HIGH | Sensitive data in log output |
| | | PA-DATA04 | HIGH | Suspected data exfiltration chain (file read + network request) |
| SYS System Security | 6 | PA-SYS01 | CRITICAL | OpenClaw process running as root |
| | | PA-SYS02 | HIGH | System critical file permission anomaly |
| | | PA-SYS03 | HIGH | Sensitive directory modified within 24 hours |
| | | PA-SYS04 | HIGH | Anomalous scheduled tasks (cron/systemd) |
| | | PA-SYS05 | HIGH | SSH brute force attempts within 24 hours |
| | | PA-SYS06 | CRITICAL | Node.js version has known vulnerability (CVE-2026-21636) |
| CVE Known Vulnerabilities | Dynamic | PA-CVE* | — | Version matching against 295 built-in OpenClaw advisories |
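To make the checkpoint table concrete, here is an added example (not ClawAudit's own code) of what a handful of these local checks can look like when run over an in-memory configuration. The check IDs and severities are taken from the table above; the detection logic is illustrative, and the config schema (`gateway.bind`, `gateway.port`, `gateway.tls`, `gateway.auth.token`, `tools.safeBins`, `providers.*.apiKey`) and both sample configs are constructed for the demonstration and are not claimed to match OpenClaw's real configuration format. The secret patterns are likewise illustrative placeholders.

```python
import json
import os
import re
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    message: str


# Constructed, illustrative secret patterns for a PA-DATA01-style check.
SECRET_PATTERNS = {
    "openai-style key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def check_network_exposure(cfg):
    """PA-NET01/02/03-style checks on the (assumed) gateway section."""
    gw = cfg.get("gateway", {})
    bind = gw.get("bind", "127.0.0.1")
    port = gw.get("port", 18789)
    out = []
    if bind in ("0.0.0.0", "::"):
        out.append(Finding("PA-NET01", "CRITICAL", f"gateway port {port} bound to {bind}"))
    if not gw.get("tls", {}).get("enabled", False):
        out.append(Finding("PA-NET02", "WARNING", "TLS/HTTPS not configured"))
    # Reachable from other hosts and no auth token: anonymous remote access.
    if bind not in LOOPBACK and not gw.get("auth", {}).get("token"):
        out.append(Finding("PA-NET03", "CRITICAL", "anonymous remote access (no authentication)"))
    return out


def check_file_mode(path, mode):
    """PA-CONF01-style check: the config file must not be group/other accessible."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [Finding("PA-CONF01", "CRITICAL", f"{path} has mode {oct(mode)}; expected 0o600")]
    return []


def check_safe_bins(cfg):
    """PA-CONF03-style check: the shell allowlist must be present and non-empty."""
    if not cfg.get("tools", {}).get("safeBins"):
        return [Finding("PA-CONF03", "CRITICAL", "shell command allowlist (safeBins) not configured")]
    return []


def check_plaintext_secrets(cfg):
    """PA-DATA01-style check over the serialized config; matched values are redacted."""
    blob = json.dumps(cfg)
    out = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(blob):
            token = match.group(0)
            out.append(Finding("PA-DATA01", "CRITICAL", f"{name} in plaintext: {token[:4]}...{token[-2:]}"))
    return out


def audit_config(cfg, path="openclaw.json", mode=0o600):
    """Pure function: run every check over an in-memory config plus a file mode."""
    findings = []
    findings += check_network_exposure(cfg)
    findings += check_file_mode(path, mode)
    findings += check_safe_bins(cfg)
    findings += check_plaintext_secrets(cfg)
    return findings


def audit_config_file(path):
    """Read a JSON config from disk and audit it with its real permission bits."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    return audit_config(cfg, path, stat.S_IMODE(os.stat(path).st_mode))


def summarize(findings):
    """Count findings per severity, e.g. {'CRITICAL': 5, 'WARNING': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample configs (hypothetical schema, not real OpenClaw configs).
INSECURE_CFG = {
    "gateway": {"bind": "0.0.0.0", "port": 18789},
    "tools": {},
    "providers": {"openai": {"apiKey": "sk-A1b2C3d4E5f6G7h8I9j0K1l2"}},
}
HARDENED_CFG = {
    "gateway": {"bind": "127.0.0.1", "port": 18789,
                "tls": {"enabled": True}, "auth": {"token": "${GATEWAY_TOKEN}"}},
    "tools": {"safeBins": ["ls", "cat", "grep"]},
    "providers": {"openai": {"apiKey": "${OPENAI_API_KEY}"}},
}

if __name__ == "__main__":
    for label, cfg, mode in (("insecure", INSECURE_CFG, 0o644), ("hardened", HARDENED_CFG, 0o600)):
        findings = audit_config(cfg, mode=mode)
        print(f"{label}: {summarize(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.check_id}: {f.message}")
```

Two design points carry over to any real audit tool: the checks are pure functions over a parsed config and a permission mode, so they can be unit-tested without touching the filesystem, and any matched secret is redacted before it lands in a finding, so the audit report itself does not become a new PA-DATA01 exposure.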

### Use Cases

For individual users, run a local scan immediately after deploying OpenClaw to verify whether default configurations pose security risks. For operations teams, use remote mode to probe internal or public-facing assets and quickly map the exposure surface.

### Quick Start

Supported on Linux and macOS; Windows users must run it under WSL. Setup is minimal: a single command completes the scan with no additional configuration.

```bash
# Run directly without install (if you don't have uv, first run: curl -LsSf https://astral.sh/uv/install.sh | sh)
uvx clawaudit scan --mode local --fix

# Or install via pip
pip install clawaudit
clawaudit scan --mode local                            # Full local scan
clawaudit scan --mode local --fix                      # Scan and auto-fix
clawaudit scan --mode local --deep                     # Include OpenClaw native deep audit
clawaudit scan --mode remote --target <IP>             # Remote probe
clawaudit scan --mode local --format json -o report.json  # JSON output
clawaudit cvedb update                                 # Update CVE database
```

## License

Proprietary. For personal and internal use only. Redistribution and modification are not permitted.

This software is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement. The authors and maintainers shall not be liable for any claim, damages, or other liability — whether in contract, tort, or otherwise — arising from, out of, or in connection with the software or the use or other dealings in the software.

## Disclaimer

While Foresight ClawAudit will continuously expand its detection types and coverage for agent frameworks like OpenClaw, it is important to acknowledge the inherent uncertainties across network security, agent skills, agent runtimes, and the underlying base models. No security tool can eliminate all vulnerabilities; they are designed to mitigate risks as much as possible.

Given the complexity and customizability of agent frameworks like OpenClaw, both enterprise and individual users are encouraged to take proactive security measures. Beyond utilizing detection tools and patching vulnerabilities, users should:

- Enable firewalls and antivirus software.

- Maintain up-to-date software versions.

- Restrict unnecessary permission grants.

- Avoid providing sensitive information to agents.

- Refrain from delegating final decision-making authority to agents.

- Maintain consistent monitoring of agent behavior.

## Contact

- Email: shuai.yang@beijing-aisi.ac.cn
- Website: https://beijing-aisi.ac.cn
