OpenClaw has over 135,000 exposed instances running on the public internet. The majority of these instances operate with default or insecure configurations, creating a critical security vulnerability across the entire ecosystem. Common misconfigurations include:
- Gateway services listening on `0.0.0.0` instead of `127.0.0.1`
- Authentication completely disabled or using default credentials
- API keys hardcoded in configuration files
- TLS/SSL encryption not configured
- Webhook endpoints lacking signature validation
- Insufficient audit logging and monitoring
The OpenClaw Security Audit Toolkit is a comprehensive CLI scanner that automatically detects and reports common security misconfigurations in OpenClaw instances. It analyzes:
- Gateway Configuration: Validates network binding, port exposure, and protocol settings
- Authentication: Verifies authentication mechanisms are properly configured
- API Key Management: Detects hardcoded credentials and enforces environment variable usage
- TLS/SSL: Ensures encryption is enabled for all communication channels
- Webhook Security: Validates signature verification for webhook endpoints
- Session Management: Checks timeout configurations
- Audit Logging: Ensures comprehensive logging is enabled
Results are classified by severity level (CRITICAL, HIGH, MEDIUM, LOW) to help you prioritize remediation efforts.
Install the tool globally with npm:

```bash
npm install -g @effectorhq/security-audit
```

Or use with npx (no installation required):

```bash
npx @effectorhq/security-audit scan
```

Run a complete security audit on your OpenClaw configuration:

```bash
openclaw-audit scan /path/to/gateway.yaml
```

Create a detailed security report in multiple formats:

```bash
# Terminal output (colored)
openclaw-audit report /path/to/gateway.yaml --format text
# JSON output for programmatic processing
openclaw-audit report /path/to/gateway.yaml --format json
# Markdown output for documentation
openclaw-audit report /path/to/gateway.yaml --format markdown
```

Execute individual security checks:
```bash
openclaw-audit check gateway-exposure /path/to/gateway.yaml
openclaw-audit check auth-missing /path/to/gateway.yaml
openclaw-audit check api-key-in-config /path/to/gateway.yaml
```

Example scan output:

```text
OpenClaw Security Audit Scan Results
=====================================
Configuration: /etc/openclaw/gateway.yaml
Scan Time: 2026-03-05T10:30:00Z

CRITICAL Issues (2)
-------------------
✗ Gateway Exposure (gateway-exposure)
  The gateway is listening on 0.0.0.0. This exposes the service to all network interfaces.
  Location: gateway.yaml:12 - bind_address: 0.0.0.0
  Recommendation: Change to 127.0.0.1 or a specific internal IP address

✗ Authentication Missing (auth-missing)
  No authentication mechanism is configured. All requests are processed without verification.
  Location: gateway.yaml:45 - auth: disabled
  Recommendation: Enable authentication and configure user credentials

HIGH Issues (3)
---------------
⚠ API Key in Config (api-key-in-config)
  API keys are hardcoded in the configuration file. Credentials should use environment variables.
  Location: gateway.yaml:78 - api_key: sk_live_aBc...
  Recommendation: Move to environment variable: export OPENCLAW_API_KEY=...

⚠ TLS Disabled (tls-disabled)
  TLS/SSL encryption is not configured for the gateway. All traffic is unencrypted.
  Location: gateway.yaml:52
  Recommendation: Enable TLS with valid certificates

⚠ Default Port (default-port)
  Gateway is using the default port 18789 without firewall protection.
  Location: gateway.yaml:8 - port: 18789
  Recommendation: Configure firewall rules or move to non-standard port

MEDIUM Issues (1)
-----------------
ℹ Webhook Validation (webhook-validation)
  Webhook endpoints are not validating request signatures.
  Location: gateway.yaml:95
  Recommendation: Enable webhook signature validation

Summary
-------
Total Issues: 6
Critical: 2 | High: 3 | Medium: 1 | Low: 0
Status: FAILED - Critical issues must be addressed

Fix Priority:
1. Enable authentication
2. Change gateway binding address
3. Remove hardcoded API keys
4. Enable TLS encryption
5. Configure firewall rules
```
| Check Name | Severity | Description |
|---|---|---|
| gateway-exposure | CRITICAL | Detects if gateway listens on 0.0.0.0 |
| auth-missing | CRITICAL | Verifies authentication is configured |
| api-key-in-config | HIGH | Detects hardcoded API keys in configuration |
| tls-disabled | HIGH | Checks if TLS/SSL encryption is enabled |
| default-port | HIGH | Warns about default port 18789 without firewall |
| webhook-validation | MEDIUM | Validates webhook signature verification |
| session-timeout | MEDIUM | Checks session timeout configuration |
| logging-config | LOW | Verifies audit logging is enabled |
Create a `.openclaw-audit.json` file in your project root to customize scan behavior:

```json
{
  "configPath": "/etc/openclaw/gateway.yaml",
  "severity": "HIGH",
  "checks": ["gateway-exposure", "auth-missing", "api-key-in-config"],
  "excludeChecks": ["logging-config"],
  "strict": true
}
```

Exit codes:
- 0: Scan completed successfully, no critical issues
- 1: Scan completed, critical or high-severity issues found
- 2: Scan failed due to configuration error
- 3: File not found or unreadable
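As an added illustration (not the toolkit's own code), the following Python reproduces the first five checks from the table and the exit-code scheme above over a constructed flat gateway.yaml; it assumes a value written as `${VAR}` is an environment-variable reference rather than a literal key, and that the `severity` setting acts as a minimum reporting threshold.

```python
import re

# Constructed sample (flat "key: value" subset), not a real OpenClaw gateway.yaml.
SAMPLE_CONFIG = """\
port: 18789
bind_address: 0.0.0.0
auth: disabled
api_key: sk_live_EXAMPLEONLY
"""

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

def parse_flat_yaml(text):
    """Minimal parser for top-level 'key: value' lines; returns {key: (value, line_no)}."""
    config = {}
    for num, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^([A-Za-z_]\w*)\s*:\s*(.*?)\s*$", line)
        if m:
            config[m.group(1)] = (m.group(2), num)
    return config

# (check id, severity, config key, predicate on the raw value ("" if absent), recommendation)
CHECKS = [
    ("gateway-exposure", "CRITICAL", "bind_address", lambda v: v == "0.0.0.0",
     "Bind to 127.0.0.1 or a specific internal IP address"),
    ("auth-missing", "CRITICAL", "auth", lambda v: v in ("", "disabled"),
     "Enable authentication and configure user credentials"),
    # Assumption: a value written as ${VAR} references an environment variable, not a literal key.
    ("api-key-in-config", "HIGH", "api_key", lambda v: v != "" and not v.startswith("${"),
     "Move the key to the OPENCLAW_API_KEY environment variable"),
    ("tls-disabled", "HIGH", "tls", lambda v: v in ("", "disabled"),
     "Enable TLS with valid certificates"),
    ("default-port", "HIGH", "port", lambda v: v == "18789",
     "Add firewall rules or move to a non-standard port"),
]

def scan(text, min_severity="LOW"):
    """Run every check; keep findings at or above min_severity (like the 'severity' setting)."""
    config = parse_flat_yaml(text)
    findings = []
    for check_id, severity, key, failed, fix in CHECKS:
        val, line_no = config.get(key, ("", None))
        if failed(val) and SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]:
            findings.append({"check": check_id, "severity": severity, "recommendation": fix,
                             "location": f"gateway.yaml:{line_no}" if line_no else "(key absent)"})
    return findings

def exit_code(findings):
    """Documented scheme: 0 = no critical/high issues, 1 = critical or high-severity issues found."""
    return 1 if any(f["severity"] in ("CRITICAL", "HIGH") for f in findings) else 0
```

A missing `tls` key is reported as "(key absent)" so the finding still carries a location; the hardened counterpart binds to 127.0.0.1, enables auth and TLS, and references the key via `${OPENCLAW_API_KEY}`.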
This tool performs read-only analysis of your configuration files. It does not:
- Modify configuration files
- Make network connections to your OpenClaw instance
- Store or transmit your configuration data
- Require authentication credentials
Always review the tool's source code and run it in secure environments with restricted access to configuration files.
We welcome security researchers and community contributions. If you discover additional misconfigurations or hardening strategies, please open an issue or submit a pull request on GitHub.
Security Note: For security vulnerabilities in OpenClaw itself (not this tool), please report directly to the OpenClaw security team rather than opening public issues.
MIT License - Copyright 2026 effectorHQ Contributors