技能库 / 创意写作 / Clawdbot 安全自检

全部分类开发编程创意写作商业办公教育学习效率工具数据分析技术集成通用语言翻译文档生成

Clawdbot 安全自检

Clawdbot / OpenClaw 部署的安全自检与加固提示；具体检查项以包内为准。

v1.0.0 thesethrose

作者 / 来源

skillhub

在来源站打开

登录后收藏登录后加入合集

安装方式

CLI 安装（推荐）

claw install shub-clawdbot-security-check

需要安装 CLAW CLI

手动下载安装

下载 ZIP 后解压到技能目录即可安装。若在桌面客户端 WebView中直接下载出现异常，本站会改为提示页 + 原始链接，请按页内说明操作。

下载 ZIP (shub-clawdbot-security-check-v1.0.0.zip)

触发指令

/clawdbot-self-security-a

跨平台安装指引

该技能声明兼容以下 1 个平台，将 ZIP 解压到对应目录即可被识别。

支持矩阵

Claude Code Coding Agent

macOS / Linux：~/.claude/skills/

Windows：%USERPROFILE%\.claude\skills\

unzip shub-clawdbot-security-check-v1.0.0.zip -d ~/.claude/skills/

目录不存在时请先 mkdir -p 创建；启用 Skill 后请重启对应 Agent 让配置生效。

使用指南

Clawdbot 安全自检

围绕 Clawdbot 安全自检：Clawdbot / OpenClaw 部署的安全自检与加固提示；具体检查项以包内为准。无需在每次任务前把零散英文说明手工拼进上下文，也减少与客户端默认行为脱节的试错；具体命令、钩子与 JSON 参数仍以 ZIP 包内 SKILL.md 为权威。下文结构与站内 MCP CLI 类专题稿相同：何时用、前置、流程、速查与故障。

何时使用

Clawdbot / OpenClaw 部署的安全自检与加固提示
具体检查项以包内为准
已获取本技能 ZIP，并准备在 Claude Code / OpenClaw 中按 SKILL.md 挂载。
希望用中文专题稿快速判断「该不该启用」，再深入英文 SKILL 查参数与边界。
需要与团队对齐同一套触发方式、目录约定或回调格式时。

前置条件

通用：可运行 Claude Code 或文档要求的客户端；有可读写的项目工作区（或 SKILL.md 指定的沙箱目录）。
权威细节：API Key / OAuth、钩子路径、环境变量以 ZIP 内 SKILL.md 为准。

典型流程

从 ClawHub / 站内分发获取技能 ZIP，校验版本与校验和（若提供）。
阅读 SKILL.md 的安装段落：目录落点、客户端类型（Claude Code / OpenClaw / 脚本）。
用文档中的最小示例完成第一次调用（单文件修改、单次查询或单次委派）。
确认工作目录、权限边界与输出路径后，再处理多文件或长耗时任务。
需要回调 / Webhook / 通知时，按 SKILL.md 配置端点并在测试环境先验通。

与 ZIP / SKILL.md 的关系

站内专题稿与 MCP CLI 类 oss 稿同样：概括何时用、怎么接、怎么排错；命令模板、钩子名、JSON 字段、版本矩阵一律以 ZIP 内 SKILL.md 与 ClawHub 上游为准。

命令示例（摘自包内 SKILL.md）

以下为从上游 SKILL.md（或入库正文）自动抽取的终端/脚本片段；路径、环境变量与参数以当前 ZIP 与官方说明为准。

ClawHub slug：clawdbot-security-check（安装命令以 SKILL.md / claw CLI 为准）。

cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
env | grep CLAWDBOT_GATEWAY_TOKEN

# Generate gateway token
clawdbot doctor --generate-gateway-token
export CLAWDBOT_GATEWAY_TOKEN="$(openssl rand -hex 32)"

cat ~/.clawdbot/clawdbot.json | grep -E '"dm_policy|"allowFrom"'

cat ~/.clawdbot/clawdbot.json | grep -E '"groupPolicy"|"groups"' 
cat ~/.clawdbot/clawdbot.json | grep -i "mention"

ls -la ~/.clawdbot/credentials/
ls -la ~/.clawdbot/agents/*/auth-profiles.json 2>/dev/null
stat -c "%a" ~/.clawdbot/credentials/oauth.json 2>/dev/null

chmod 700 ~/.clawdbot
chmod 600 ~/.clawdbot/credentials/oauth.json
chmod 600 ~/.clawdbot/clawdbot.json

cat ~/.clawdbot/clawdbot.json | grep -A5 '"browser"'
cat ~/.clawdbot/clawdbot.json | grep -i "controlUi|insecureAuth"
ls -la ~/.clawdbot/browser/

cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
cat ~/.clawdbot/clawdbot.json | grep '"tailscale"'

cat ~/.clawdbot/clawdbot.json | grep -i "restrict|mcp|elevated"
cat ~/.clawdbot/clawdbot.json | grep -i "workspaceAccess|sandbox"
cat ~/.clawdbot/clawdbot.json | grep -i "openRoom"

stat -c "%a" ~/.clawdbot
ls -la ~/.clawdbot/*.json

站内入库时的触发命令（完整语义见 ZIP）：

# 使用本技能时可在对话中引用或执行上述指令；完整参数与示例见下载包内 SKILL.md。
/clawdbot-self-security-a

最佳实践

先 SKILL.md 再猜参数；站内专题稿不替代 schema 与必填字段说明。
委派任务时写清验收标准（命令、文件路径、测试命令），减少来回追问。
长任务用文档推荐的回调 / 日志落盘代替高频轮询，省 Token 也省机器负载。
多技能同时启用时，注意钩子加载顺序与重复工具调用（以 SKILL.md 冲突说明为准）。

调试与排错

打开 stderr 与客户端日志；PTY/tmux 场景同时看面板最后几十行输出。
参数错误时对照 SKILL.md 中的 JSON/CLI 示例（引号、转义、工作目录）。
网络类失败：查代理、防火墙、MCP 传输方式（stdio / HTTP / SSE）。

速查

| 动作 | 说明 | |------|------| | 获取技能包 | ClawHub / 站内 ZIP，核对版本 | | 权威步骤 | 优先阅读 ZIP 内 SKILL.md | | 首次试跑 | 使用 SKILL.md 最小示例 | | 验收 | 对照路径、测试命令或回调负载 |

常见故障

无输出或立即退出 → 工作目录错误、依赖未装、或 Claude Code 未登录；按 SKILL.md 自检清单执行。
权限被拒绝 → 检查沙箱路径、--permission-mode 与工具白名单。
与简介不符 → 以英文 SKILL 与上游仓库为准，站内稿仅作结构化导读。

# Clawdbot Self-Security Audit Framework

This skill empowers Clawdbot to audit its own security posture using first-principles reasoning. Rather than relying on a static script, Clawdbot learns the framework and applies it dynamically to detect vulnerabilities, understand their impact, and recommend specific remediations.

## Core Philosophy

> "Security through transparency and self-awareness." — Inspired by ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ

Clawdbot should know its own attack surface. This skill embeds that knowledge directly.

## Security Principles

Running an AI agent with shell access requires caution. Focus on three areas:

1. **Who can talk to the bot** — DM policies, group allowlists, channel restrictions
2. **Where the bot is allowed to act** — Network exposure, gateway binding, proxy configs
3. **What the bot can touch** — Tool access, file permissions, credential storage

Start with the smallest access possible and widen it as you gain confidence.

## Trust Hierarchy

Apply appropriate trust levels based on role:

| Level | Entity | Trust Model |
|-------|--------|-------------|
| 1 | **Owner** | Full trust — has all access |
| 2 | **AI** | Trust but verify — sandboxed, logged |
| 3 | **Allowlists** | Limited trust — only specified users |
| 4 | **Strangers** | No trust — blocked by default |

## Audit Commands

Use these commands to run security audits:

- `clawdbot security audit` — Standard audit of common issues
- `clawdbot security audit --deep` — Comprehensive audit with all checks
- `clawdbot security audit --fix` — Apply guardrail remediations

## The 12 Security Domains

When auditing Clawdbot, systematically evaluate these domains:

### 1. Gateway Exposure 🔴 Critical

**What to check:**
- Where is the gateway binding? (`gateway.bind`)
- Is authentication configured? (`gateway.auth_token` or `CLAWDBOT_GATEWAY_TOKEN` env var)
- What port is exposed? (default: 18789)
- Is WebSocket auth enabled?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
env | grep CLAWDBOT_GATEWAY_TOKEN
```

**Vulnerability:** Binding to `0.0.0.0` or `lan` without auth allows network access.

**Remediation:**
```bash
# Generate gateway token
clawdbot doctor --generate-gateway-token
export CLAWDBOT_GATEWAY_TOKEN="$(openssl rand -hex 32)"
```

---

### 2. DM Policy Configuration 🟠 High

**What to check:**
- What is `dm_policy` set to?
- If `allowlist`, who is explicitly allowed via `allowFrom`?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -E '"dm_policy|"allowFrom"'
```

**Vulnerability:** Setting to `allow` or `open` means any user can DM Clawdbot.

**Remediation:**
```json
{
  "channels": {
    "telegram": {
      "dmPolicy": "allowlist",
      "allowFrom": ["@trusteduser1", "@trusteduser2"]
    }
  }
}
```

---

### 3. Group Access Control 🟠 High

**What to check:**
- What is `groupPolicy` set to?
- Are groups explicitly allowlisted?
- Are mention gates configured?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -E '"groupPolicy"|"groups"' 
cat ~/.clawdbot/clawdbot.json | grep -i "mention"
```

**Vulnerability:** Open group policy allows anyone in the room to trigger commands.

**Remediation:**
```json
{
  "channels": {
    "telegram": {
      "groupPolicy": "allowlist",
      "groups": {
        "-100123456789": true
      }
    }
  }
}
```

---

### 4. Credentials Security 🔴 Critical

**What to check:**
- Credential file locations and permissions
- Environment variable usage
- Auth profile storage

**Credential Storage Map:**
| Platform | Path |
|----------|------|
| WhatsApp | `~/.clawdbot/credentials/whatsapp/{accountId}/creds.json` |
| Telegram | `~/.clawdbot/clawdbot.json` or env |
| Discord | `~/.clawdbot/clawdbot.json` or env |
| Slack | `~/.clawdbot/clawdbot.json` or env |
| Pairing allowlists | `~/.clawdbot/credentials/channel-allowFrom.json` |
| Auth profiles | `~/.clawdbot/agents/{agentId}/auth-profiles.json` |
| Legacy OAuth | `~/.clawdbot/credentials/oauth.json` |

**How to detect:**
```bash
ls -la ~/.clawdbot/credentials/
ls -la ~/.clawdbot/agents/*/auth-profiles.json 2>/dev/null
stat -c "%a" ~/.clawdbot/credentials/oauth.json 2>/dev/null
```

**Vulnerability:** Plaintext credentials with loose permissions can be read by any process.

**Remediation:**
```bash
chmod 700 ~/.clawdbot
chmod 600 ~/.clawdbot/credentials/oauth.json
chmod 600 ~/.clawdbot/clawdbot.json
```

---

### 5. Browser Control Exposure 🟠 High

**What to check:**
- Is browser control enabled?
- Are authentication tokens set for remote control?
- Is HTTPS required for Control UI?
- Is a dedicated browser profile configured?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -A5 '"browser"'
cat ~/.clawdbot/clawdbot.json | grep -i "controlUi|insecureAuth"
ls -la ~/.clawdbot/browser/
```

**Vulnerability:** Exposed browser control without auth allows remote UI takeover. Browser access allows the model to use logged-in sessions.

**Remediation:**
```json
{
  "browser": {
    "remoteControlUrl": "https://...",
    "remoteControlToken": "...",
    "dedicatedProfile": true,
    "disableHostControl": true
  },
  "gateway": {
    "controlUi": {
      "allowInsecureAuth": false
    }
  }
}
```

**Security Note:** Treat browser control URLs as admin APIs.

---

### 6. Gateway Bind & Network Exposure 🟠 High

**What to check:**
- What is `gateway.bind` set to?
- Are trusted proxies configured?
- Is Tailscale enabled?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
cat ~/.clawdbot/clawdbot.json | grep '"tailscale"'
```

**Vulnerability:** Public binding without auth allows internet access to gateway.

**Remediation:**
```json
{
  "gateway": {
    "bind": "127.0.0.1",
    "mode": "local",
    "trustedProxies": ["127.0.0.1", "10.0.0.0/8"],
    "tailscale": {
      "mode": "off"
    }
  }
}
```

---

### 7. Tool Access & Sandboxing 🟡 Medium

**What to check:**
- Are elevated tools allowlisted?
- Is `restrict_tools` or `mcp_tools` configured?
- What is `workspaceAccess` set to?
- Are sensitive tools running in sandbox?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -i "restrict|mcp|elevated"
cat ~/.clawdbot/clawdbot.json | grep -i "workspaceAccess|sandbox"
cat ~/.clawdbot/clawdbot.json | grep -i "openRoom"
```

**Workspace Access Levels:**
| Mode | Description |
|------|-------------|
| `none` | Workspace is off limits |
| `ro` | Workspace mounted read-only |
| `rw` | Workspace mounted read-write |

**Vulnerability:** Broad tool access means more blast radius if compromised. Smaller models are more susceptible to tool misuse.

**Remediation:**
```json
{
  "restrict_tools": true,
  "mcp_tools": {
    "allowed": ["read", "write", "bash"],
    "blocked": ["exec", "gateway"]
  },
  "workspaceAccess": "ro",
  "sandbox": "all"
}
```

**Model Guidance:** Use latest generation models for agents with filesystem or network access. If using small models, disable web search and browser tools.

---

### 8. File Permissions & Local Disk Hygiene 🟡 Medium

**What to check:**
- Directory permissions (should be 700)
- Config file permissions (should be 600)
- Symlink safety

**How to detect:**
```bash
stat -c "%a" ~/.clawdbot
ls -la ~/.clawdbot/*.json
```

**Vulnerability:** Loose permissions allow other users to read sensitive configs.

**Remediation:**
```bash
chmod 700 ~/.clawdbot
chmod 600 ~/.clawdbot/clawdbot.json
chmod 600 ~/.clawdbot/credentials/*
```

---

### 9. Plugin Trust & Model Hygiene 🟡 Medium

**What to check:**
- Are plugins explicitly allowlisted?
- Are legacy models in use with tool access?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -i "plugin|allowlist"
cat ~/.clawdbot/clawdbot.json | grep -i "model|anthropic"
```

**Vulnerability:** Untrusted plugins can execute code. Legacy models may lack modern safety.

**Remediation:**
```json
{
  "plugins": {
    "allowlist": ["trusted-plugin-1", "trusted-plugin-2"]
  },
  "agents": {
    "defaults": {
      "model": {
        "primary": "minimax/MiniMax-M2.1"
      }
    }
  }
}
```

---

### 10. Logging & Redaction 🟡 Medium

**What is logging.redactSensitive set to?**
- Should be `tools` to redact sensitive tool output
- If `off`, credentials may leak in logs

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -i "logging|redact"
ls -la ~/.clawdbot/logs/
```

**Remediation:**
```json
{
  "logging": {
    "redactSensitive": "tools",
    "path": "~/.clawdbot/logs/"
  }
}
```

---

### 11. Prompt Injection Protection 🟡 Medium

**What to check:**
- Is `wrap_untrusted_content` or `untrusted_content_wrapper` enabled?
- How is external/web content handled?
- Are links and attachments treated as hostile?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -i "untrusted|wrap"
```

**Prompt Injection Mitigation Strategies:**
- Keep DMs locked to `pairing` or `allowlists`
- Use mention gating in groups
- Treat all links and attachments as hostile
- Run sensitive tools in a sandbox
- Use instruction-hardened models like Anthropic Opus 4.5

**Vulnerability:** Untrusted content (web fetches, sandbox output) can inject malicious prompts.

**Remediation:**
```json
{
  "wrap_untrusted_content": true,
  "untrusted_content_wrapper": "<untrusted>",
  "treatLinksAsHostile": true,
  "mentionGate": true
}
```

---

### 12. Dangerous Command Blocking 🟡 Medium

**What to check:**
- What commands are in `blocked_commands`?
- Are these patterns included: `rm -rf`, `curl |`, `git push --force`, `mkfs`, fork bombs?

**How to detect:**
```bash
cat ~/.clawdbot/clawdbot.json | grep -A10 '"blocked_commands"'
```

**Vulnerability:** Without blocking, a malicious prompt could destroy data or exfiltrate credentials.

**Remediation:**
```json
{
  "blocked_commands": [
    "rm -rf",
    "curl |",
    "git push --force",
    "mkfs",
    ":(){:|:&}"
  ]
}
```

---

### 13. Secret Scanning Readiness 🟡 Medium

**What to check:**
- Is detect-secrets configured?
- Is there a `.secrets.baseline` file?
- Has a baseline scan been run?

**How to detect:**
```bash
ls -la .secrets.baseline 2>/dev/null
which detect-secrets 2>/dev/null
```

**Secret Scanning (CI):**
```bash
# Find candidates
detect-secrets scan --baseline .secrets.baseline

# Review findings
detect-secrets audit

# Update baseline after rotating secrets or marking false positives
detect-secrets scan --baseline .secrets.baseline --update
```

**Vulnerability:** Leaked credentials in the codebase can lead to compromise.

---

## Audit Functions

The `--fix` flag applies these guardrails:

- Changes `groupPolicy` from `open` to `allowlist` for common channels
- Resets `logging.redactSensitive` from `off` to `tools`
- Tightens local permissions: `.clawdbot` directory to `700`, config files to `600`
- Secures state files including credentials and auth profiles

## High-Level Audit Checklist

Treat findings in this priority order:

1. **🔴 Lock down DMs and groups** if tools are enabled on open settings
2. **🔴 Fix public network exposure** immediately
3. **🟠 Secure browser control** with tokens and HTTPS
4. **🟠 Correct file permissions** for credentials and config
5. **🟡 Only load trusted plugins**
6. **🟡 Use modern models** for bots with tool access

## Access Control Models

### DM Access Model

| Mode | Description |
|------|-------------|
| `pairing` | Default - unknown senders must be approved via code |
| `allowlist` | Unknown senders blocked without handshake |
| `open` | Public access - requires explicit asterisk in allowlist |
| `disabled` | All inbound DMs ignored |

### Slash Commands

Slash commands are only available to authorized senders based on channel allowlists. The `/exec` command is a session convenience for operators and does not modify global config.

## Threat Model & Mitigation

### Potential Risks

| Risk | Mitigation |
|------|------------|
| Execution of shell commands | `blocked_commands`, `restrict_tools` |
| File and network access | `sandbox`, `workspaceAccess: none/ro` |
| Social engineering and prompt injection | `wrap_untrusted_content`, `mentionGate` |
| Browser session hijacking | Dedicated profile, token auth, HTTPS |
| Credential leakage | `logging.redactSensitive: tools`, env vars |

## Incident Response

If a compromise is suspected, follow these steps:

### Containment
1. **Stop the gateway process** — `clawdbot daemon stop`
2. **Set gateway.bind to loopback** — `"bind": "127.0.0.1"`
3. **Disable risky DMs and groups** — Set to `disabled`

### Rotation
1. **Change the gateway auth token** — `clawdbot doctor --generate-gateway-token`
2. **Rotate browser control and hook tokens**
3. **Revoke and rotate API keys** for model providers

### Review
1. **Check gateway logs and session transcripts** — `~/.clawdbot/logs/`
2. **Review recent config changes** — Git history or backups
3. **Re-run the security audit with the deep flag** — `clawdbot security audit --deep`

## Reporting Vulnerabilities

Report security issues to: **security@clawd.bot**

**Do not post vulnerabilities publicly** until they have been fixed.

## Audit Execution Steps

When running a security audit, follow this sequence:

### Step 1: Locate Configuration
```bash
CONFIG_PATHS=(
  "$HOME/.clawdbot/clawdbot.json"
  "$HOME/.clawdbot/config.yaml"
  "$HOME/.clawdbot/.clawdbotrc"
  ".clawdbotrc"
)
for path in "${CONFIG_PATHS[@]}"; do
  if [ -f "$path" ]; then
    echo "Found config: $path"
    cat "$path"
    break
  fi
done
```

### Step 2: Run Domain Checks
For each of the 13 domains above:
1. Parse relevant config keys
2. Compare against secure baseline
3. Flag deviations with severity

### Step 3: Generate Report
Format findings by severity:
```
🔴 CRITICAL: [vulnerability] - [impact]
🟠 HIGH: [vulnerability] - [impact]
🟡 MEDIUM: [vulnerability] - [impact]
✅ PASSED: [check name]
```

### Step 4: Provide Remediation
For each finding, output:
- Specific config change needed
- Example configuration
- Command to apply (if safe)

## Report Template

```
═══════════════════════════════════════════════════════════════
🔒 CLAWDBOT SECURITY AUDIT
═══════════════════════════════════════════════════════════════
Timestamp: $(date -Iseconds)

┌─ SUMMARY ───────────────────────────────────────────────
│ 🔴 Critical:  $CRITICAL_COUNT
│ 🟠 High:      $HIGH_COUNT
│ 🟡 Medium:    $MEDIUM_COUNT
│ ✅ Passed:    $PASSED_COUNT
└────────────────────────────────────────────────────────

┌─ FINDINGS ──────────────────────────────────────────────
│ 🔴 [CRITICAL] $VULN_NAME
│    Finding: $DESCRIPTION
│    → Fix: $REMEDIATION
│
│ 🟠 [HIGH] $VULN_NAME
│    ...
└────────────────────────────────────────────────────────

This audit was performed by Clawdbot's self-security framework.
No changes were made to your configuration.
```

## Extending the Skill

To add new security checks:

1. **Identify the vulnerability** - What misconfiguration creates risk?
2. **Determine detection method** - What config key or system state reveals it?
3. **Define the baseline** - What is the secure configuration?
4. **Write detection logic** - Shell commands or file parsing
5. **Document remediation** - Specific steps to fix
6. **Assign severity** - Critical, High, Medium, Low

### Example: Adding SSH Hardening Check

```
## 14. SSH Agent Forwarding 🟡 Medium

**What to check:** Is SSH_AUTH_SOCK exposed to containers?

**Detection:**
```bash
env | grep SSH_AUTH_SOCK
```

**Vulnerability:** Container escape via SSH agent hijacking.

**Severity:** Medium
```

## Security Assessment Questions

When auditing, ask:

1. **Exposure:** What network interfaces can reach Clawdbot?
2. **Authentication:** What verification does each access point require?
3. **Isolation:** What boundaries exist between Clawdbot and the host?
4. **Trust:** What content sources are considered "trusted"?
5. **Auditability:** What evidence exists of Clawdbot's actions?
6. **Least Privilege:** Does Clawdbot have only necessary permissions?

## Principles Applied

- **Zero modification** - This skill only reads; never changes configuration
- **Defense in depth** - Multiple checks catch different attack vectors
- **Actionable output** - Every finding includes a concrete remediation
- **Extensible design** - New checks integrate naturally

## References

- Official docs: https://docs.clawd.bot/gateway/security
- Original framework: [ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ on X](https://x.com/DanielMiessler/status/2015865548714975475)
- Repository: https://github.com/TheSethRose/Clawdbot-Security-Check
- Report vulnerabilities: security@clawd.bot

---

**Remember:** This skill exists to make Clawdbot self-aware of its security posture. Use it regularly, extend it as needed, and never skip the audit.