openclaw-security-watchdog
OpenClaw security scanning skill that performs comprehensive system security audits and generates human-friendly reports
How do I install this agent skill?
npx skills add https://github.com/aradotso/security-skills --skill openclaw-security-watchdogIs this agent skill safe to install?
- Gen Agent Trust Hubwarn
This skill provides security auditing capabilities but requires installing software from an untrusted GitHub repository. It performs extensive system-wide scans, including reading sensitive logs and searching for secrets, and can send metadata to external servers for threat analysis.
- Socketwarn
1 alert: gptSecurity
- Snykwarn
Risk: MEDIUM · 1 issue
What does this agent skill do?
OpenClaw Security Watchdog
Skill by ara.so — Security Skills collection.
OpenClaw Security Watchdog is an automated security scanning tool that performs comprehensive system security audits across 14 critical security dimensions. It generates human-readable reports with clear risk indicators (✅/⚠️/🚨) and can integrate with threat intelligence databases.
Installation
Prerequisites:
- Node.js v18 or higher
- OpenClaw CLI installed
Install via OpenClaw (Recommended):
# In OpenClaw chat, say:
# "Install the security watchdog skill from https://github.com/CTCT-CT2/openclaw-security-watchdog"
Manual Installation:
git clone https://github.com/CTCT-CT2/openclaw-security-watchdog.git
cd openclaw-security-watchdog
npm install
Triggering the Scan
Once installed as an OpenClaw skill, trigger it conversationally:
Execute security inspection
Help me check system security
Run a security audit
OpenClaw will automatically recognize and execute the security watchdog skill.
Scan Modes
Full Scan (Recommended)
- Runs all 14 security checks
- Queries threat intelligence databases (optional)
- Sends anonymized metadata for analysis
- Provides comprehensive risk scoring
Local-Only Mode
- Zero network traffic
- All data stays on local machine
- No threat intelligence lookups
- Privacy-first approach
Security Check Coverage
The tool scans 14 critical areas:
- Core Runtime Environment Health - Checks Node.js/system integrity
- Sensitive Directory Tamper Detection - Monitors critical system paths
- Gateway Process Memory Isolation - Validates credential isolation
- Configuration Integrity & Permission Baseline - Audits config file permissions
- Component Supply Chain Integrity - Validates package checksums
- Remote Access & Brute Force Monitoring - SSH/RDP attack detection
- Network Exposure & Anomalous Processes - Open ports and suspicious processes
- Automated Tasks & Backdoor Detection - Cron/scheduled task analysis
- Privilege Escalation & Unauthorized Commands - Sudo abuse detection
- Outbound Connections & Data Exfiltration - Network traffic analysis
- System Credentials & Sensitive File Access - Access log auditing
- Hardcoded Secrets & Mnemonic Leak Scanning - Secret detection in code
- Sudo Privilege Audit - Privilege escalation tracking
- Malicious Component Threat Intelligence - Known malware detection
Code Examples
Basic Scan Execution (JavaScript)
const SecurityWatchdog = require('openclaw-security-watchdog');
// Initialize scanner
const scanner = new SecurityWatchdog({
mode: 'full', // or 'local'
reportPath: '~/.openclaw/security-reports/',
enableThreatIntel: true
});
// Run scan
async function runSecurityScan() {
try {
const results = await scanner.scan();
console.log(`Security Score: ${results.score}/100`);
console.log(`Passed: ${results.passed}/${results.total}`);
console.log(`Warnings: ${results.warnings}`);
console.log(`Critical: ${results.critical}`);
// Access individual check results
results.checks.forEach(check => {
console.log(`${check.icon} ${check.name}: ${check.status}`);
if (check.findings.length > 0) {
console.log(` Findings: ${check.findings.join(', ')}`);
}
});
// Generate report
await scanner.generateReport(results);
} catch (error) {
console.error('Scan failed:', error);
}
}
runSecurityScan();
Scheduled Scanning
const cron = require('node-cron');
const SecurityWatchdog = require('openclaw-security-watchdog');
// Schedule daily scan at 2 AM
cron.schedule('0 2 * * *', async () => {
const scanner = new SecurityWatchdog({ mode: 'full' });
const results = await scanner.scan();
// Send alerts on critical findings
if (results.critical > 0) {
await scanner.sendAlert(results, {
channel: 'email',
recipients: [process.env.SECURITY_ALERT_EMAIL]
});
}
});
Custom Check Integration
const SecurityWatchdog = require('openclaw-security-watchdog');
const scanner = new SecurityWatchdog();
// Add custom security check
scanner.addCheck({
name: 'Custom API Key Validation',
category: 'secrets',
async execute() {
const apiKeys = await this.scanForPattern(/api[_-]?key\s*[:=]\s*['"][^'"]{20,}['"]/gi);
return {
status: apiKeys.length === 0 ? 'pass' : 'fail',
findings: apiKeys,
severity: 'high',
recommendation: 'Move API keys to environment variables'
};
}
});
scanner.scan();
Filtering Scan Results
const scanner = new SecurityWatchdog();
const results = await scanner.scan();
// Get only critical findings
const criticalIssues = results.checks.filter(
check => check.severity === 'critical' && check.status === 'fail'
);
// Get all permission-related issues
const permissionIssues = results.checks.filter(
check => check.category === 'permissions'
);
// Generate filtered report
await scanner.generateReport(results, {
filter: check => check.severity === 'high' || check.severity === 'critical'
});
Configuration
Create ~/.openclaw/security-watchdog.json:
{
"mode": "full",
"reportPath": "~/.openclaw/security-reports/",
"enableThreatIntel": true,
"excludePaths": [
"/tmp",
"/var/cache"
],
"checksToRun": [
"runtime-health",
"directory-tamper",
"memory-isolation",
"config-integrity",
"supply-chain",
"remote-access",
"network-exposure",
"scheduled-tasks",
"privilege-escalation",
"outbound-connections",
"credential-access",
"secret-scanning",
"sudo-audit",
"threat-intel"
],
"alerting": {
"enabled": true,
"thresholds": {
"critical": 1,
"high": 3
},
"channels": ["email", "slack"]
},
"threatIntelSources": [
"https://threat-intel.openclaw.io/api/v1/lookup"
]
}
Environment Variables
# Threat intelligence API key (if using external sources)
export OPENCLAW_THREAT_INTEL_API_KEY=your_api_key_here
# Alert notification endpoints
export SECURITY_ALERT_EMAIL=security@example.com
export SECURITY_ALERT_SLACK_WEBHOOK=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
# Report encryption key (optional)
export OPENCLAW_REPORT_ENCRYPTION_KEY=your_encryption_key_here
Report Output
Reports are saved to ~/.openclaw/security-reports/ with timestamp:
security-report-2026-05-06-14-30-00.json
security-report-2026-05-06-14-30-00.html
security-report-2026-05-06-14-30-00.txt
Accessing Report Programmatically
const fs = require('fs');
const path = require('path');
const reportPath = path.join(
process.env.HOME,
'.openclaw/security-reports/security-report-latest.json'
);
const report = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
console.log(`Overall Security Score: ${report.score}/100`);
console.log(`Risk Level: ${report.riskLevel}`); // low, medium, high, critical
Common Patterns
Pre-Deployment Security Gate
// In CI/CD pipeline
const SecurityWatchdog = require('openclaw-security-watchdog');
async function securityGate() {
const scanner = new SecurityWatchdog({ mode: 'local' });
const results = await scanner.scan();
if (results.critical > 0) {
console.error('❌ Critical security issues found. Deployment blocked.');
process.exit(1);
}
if (results.score < 80) {
console.warn('⚠️ Security score below threshold. Review required.');
process.exit(1);
}
console.log('✅ Security scan passed. Proceeding with deployment.');
}
securityGate();
Continuous Monitoring
const SecurityWatchdog = require('openclaw-security-watchdog');
const EventEmitter = require('events');
class SecurityMonitor extends EventEmitter {
constructor() {
super();
this.scanner = new SecurityWatchdog({ mode: 'full' });
}
startMonitoring(intervalMinutes = 60) {
setInterval(async () => {
const results = await this.scanner.scan();
if (results.critical > 0) {
this.emit('criticalThreat', results);
}
if (results.score < this.lastScore - 10) {
this.emit('scoreDropped', results);
}
this.lastScore = results.score;
}, intervalMinutes * 60 * 1000);
}
}
const monitor = new SecurityMonitor();
monitor.on('criticalThreat', results => {
console.error('🚨 Critical threat detected!', results);
});
monitor.startMonitoring();
Troubleshooting
Permission Errors
# Ensure proper permissions for scanning system directories
sudo chmod +r /var/log/auth.log
sudo chmod +r /etc/ssh/sshd_config
# Or run with elevated privileges (not recommended for regular use)
sudo openclaw scan
Missing Dependencies
# Reinstall dependencies
npm install
# Check Node.js version
node --version # Should be v18+
Threat Intelligence Timeout
// Increase timeout in configuration
const scanner = new SecurityWatchdog({
threatIntel: {
timeout: 30000, // 30 seconds
retries: 3
}
});
Report Generation Fails
// Ensure report directory exists and is writable
const fs = require('fs');
const reportDir = path.join(process.env.HOME, '.openclaw/security-reports');
if (!fs.existsSync(reportDir)) {
fs.mkdirSync(reportDir, { recursive: true });
}
Large Codebases (Slow Scanning)
// Optimize for large projects
const scanner = new SecurityWatchdog({
excludePaths: [
'node_modules',
'.git',
'dist',
'build',
'coverage'
],
maxFileSize: 1048576, // 1MB
parallelScans: 4
});
Privacy Considerations
Full Mode sends:
- Check names and results (pass/fail)
- Anonymized device identifier (SHA-256 hash)
- Summary statistics only
Full Mode does NOT send:
- File contents
- Passwords or API keys
- Log file contents
- IP addresses
- Usernames
Local Mode:
- Zero network requests
- All data remains on device
- No telemetry or analytics
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/aradotso/security-skills/openclaw-security-watchdog">View openclaw-security-watchdog on skillZs</a>