OpenClaw Security Practice Guide

Skill by ara.so — Hermes Skills collection.

A battle-tested security framework for high-privilege autonomous AI agents running with terminal/root access. This guide shifts from traditional static host defense to Agentic Zero-Trust Architecture, mitigating risks like destructive operations, prompt injection, supply chain poisoning, and unauthorized business logic execution.

Core Principle: Security measures designed to be interpreted and deployed by the AI agent itself, minimizing manual configuration while maintaining explicit human-in-the-loop controls for high-risk operations.

What This Guide Provides

3-Tier Defense Matrix

Pre-action Defense
- Behavior blacklists (red/yellow line commands)
- Strict Skill/MCP installation audit protocols
- Supply chain poisoning prevention
In-action Defense
- Permission narrowing and least-privilege enforcement
- Cross-Skill pre-flight checks
- Business risk control gates
Post-action Defense
- Nightly automated audits (13 core metrics)
- Brain Git disaster recovery
- Persistent audit trail with 30-day retention

Target Scenario

OpenClaw running with high privileges (terminal/root-capable)
Continuous installation of Skills, MCPs, scripts, and tools
Objective: maximize capability with controllable risk and explicit auditability

Installation & Deployment

Prerequisites

OpenClaw agent installed and running
Linux environment with root/sudo access
Strong reasoning model (Gemini, Claude Opus, GPT-4, or equivalent)
Git configured for audit tracking

Quick Start (Agent-Assisted Deployment)

Step 1: Download the Guide

Choose your version:

bash

# v2.8 Beta (recommended for OpenClaw 2026.4+)
curl -O https://raw.githubusercontent.com/slowmist/openclaw-security-practice-guide/main/docs/OpenClaw-Security-Practice-Guide-v2.8.md

# v2.7 Legacy (for OpenClaw 2026.3 and earlier)
curl -O https://raw.githubusercontent.com/slowmist/openclaw-security-practice-guide/main/docs/OpenClaw-Security-Practice-Guide.md

Step 2: Send to Agent

Drop the markdown file into your OpenClaw chat session.

Step 3: Agent Evaluation

Please read this security guide. Identify any risks or conflicts 
with our current setup before deploying.

Step 4: Deploy

For v2.8:

Follow the Agent-Assisted Deployment Workflow in this guide.

For v2.7:

Please deploy this defense matrix exactly as described in the guide. 
Include the red/yellow line rules, tighten permissions, and deploy 
the nightly audit Cron Job.

Step 5: Validation (Recommended)

Run the validation tests from the Red Teaming Guide to ensure 
defenses are working correctly.

Core Components

1. Red/Yellow Line Command Controls

Red Lines (Hard Stop - Requires Human Confirmation):

bash

# Destructive operations
rm -rf /
dd if=/dev/zero of=/dev/sda
mkfs.*

# Privilege escalation
chmod 777 /etc/shadow
chown -R nobody:nobody /

# Network exposure
iptables -F
ufw disable

# Critical file modification
> /etc/passwd

Yellow Lines (Soft Warning - Agent Must Justify):

bash

# Package installation
apt install <package>
pip install <package>

# External downloads
curl <url> | bash
wget <url> -O /tmp/script.sh

# Permission changes
chmod +x <file>

Implementation Pattern:

bash

# Agent self-check before execution
check_command_safety() {
    local cmd="$1"
    
    # Red line patterns
    if echo "$cmd" | grep -qE '(rm -rf /|dd if=/dev|mkfs\.|chmod 777 /etc|iptables -F)'; then
        echo "🔴 RED LINE: This command requires explicit human approval"
        read -p "Proceed? (yes/no): " confirm
        [[ "$confirm" != "yes" ]] && return 1
    fi
    
    # Yellow line patterns
    if echo "$cmd" | grep -qE '(apt install|pip install|curl.*\| bash|chmod \+x)'; then
        echo "🟡 YELLOW LINE: Justify this operation"
        return 2
    fi
    
    return 0
}

2. Skill Installation Audit Protocol

Code Review Workflow:

bash

# Step 1: Download to quarantine
mkdir -p ~/.openclaw/skills-quarantine
cd ~/.openclaw/skills-quarantine
git clone <skill-repo> skill-review

# Step 2: Static analysis
cd skill-review
grep -r 'eval\|exec\|system\|shell_exec' .
grep -r 'curl.*| bash\|wget.*| sh' .
find . -name '*.so' -o -name '*.dylib' -o -name '*.dll'

# Step 3: Permission audit
find . -type f -perm /111  # Find executable files
ls -lah                     # Check ownership

# Step 4: Secondary download detection
grep -r 'requests.get\|urllib.request\|http.get\|fetch(' .
grep -r 'subprocess.run.*curl\|os.system.*wget' .

# Step 5: Document review and human approval
cat README.md
echo "Review complete. Approve for installation? (yes/no)"

v2.8 Enhanced Protocol:

Secondary download detection (runtime network calls)
High-risk file type warnings (.so, .dylib, compiled binaries)
Escalation workflow for suspicious patterns
Token-optimized code review (pre-filter with bash before LLM analysis)

3. Nightly Security Audit

Automated Audit Script (v2.8):

bash

#!/bin/bash
# ~/.openclaw/nightly-security-audit.sh
set -euo pipefail

OC="${HOME}/.openclaw"
REPORT_DIR="${OC}/security-reports"
REPORT="${REPORT_DIR}/audit-$(date +%Y%m%d-%H%M%S).log"
KNOWN_ISSUES="${OC}/known-issues.txt"

mkdir -p "${REPORT_DIR}"

{
    echo "=== OpenClaw Security Audit Report ==="
    echo "Timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "Hostname: $(hostname)"
    echo ""

    # 1. Unexpected SUID files
    echo "## 1. SUID Files"
    if [ -f "${KNOWN_ISSUES}" ]; then
        NEW_SUID=$(find /usr/bin /usr/local/bin -type f -perm -4000 2>/dev/null | \
                   grep -vFf "${KNOWN_ISSUES}" || echo "")
        if [ -z "${NEW_SUID}" ]; then
            echo "✅ No new SUID files detected"
        else
            echo "⚠️ New SUID files:"
            echo "${NEW_SUID}"
        fi
    else
        find /usr/bin /usr/local/bin -type f -perm -4000 2>/dev/null | head -20
    fi
    echo ""

    # 2. Cron job integrity
    echo "## 2. Cron Jobs"
    CRON_HASH=$(crontab -l 2>/dev/null | sha256sum | awk '{print $1}')
    if [ -f "${OC}/.cron-baseline" ]; then
        BASELINE=$(cat "${OC}/.cron-baseline")
        if [ "${CRON_HASH}" = "${BASELINE}" ]; then
            echo "✅ Cron configuration unchanged"
        else
            echo "⚠️ Cron hash mismatch: ${CRON_HASH} (baseline: ${BASELINE})"
        fi
    else
        echo "${CRON_HASH}" > "${OC}/.cron-baseline"
        echo "✅ Baseline established: ${CRON_HASH}"
    fi
    echo ""

    # 3. SSH authorized_keys
    echo "## 3. SSH Keys"
    AUTH_KEYS="${HOME}/.ssh/authorized_keys"
    if [ -f "${AUTH_KEYS}" ]; then
        KEY_HASH=$(sha256sum "${AUTH_KEYS}" | awk '{print $1}')
        if [ -f "${OC}/.ssh-baseline" ]; then
            BASELINE=$(cat "${OC}/.ssh-baseline")
            if [ "${KEY_HASH}" = "${BASELINE}" ]; then
                echo "✅ SSH keys unchanged"
            else
                echo "⚠️ SSH key hash mismatch: ${KEY_HASH}"
            fi
        else
            echo "${KEY_HASH}" > "${OC}/.ssh-baseline"
            echo "✅ Baseline established: ${KEY_HASH}"
        fi
    else
        echo "✅ No authorized_keys file"
    fi
    echo ""

    # 4-13. Additional metrics (file permissions, listening ports, etc.)
    # ... (see full script in repository)

    # Summary line
    echo "=== Summary: Audit completed at $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="

} > "${REPORT}"

# Cleanup old reports (keep 30 days)
find "${REPORT_DIR}" -name 'audit-*.log' -mtime +30 -delete

# Return explicit success
echo "Audit complete: ${REPORT}"
exit 0

Cron Installation (with

--light-context

protection):

bash

# Install via OpenClaw with isolation flag
(crontab -l 2>/dev/null; echo "0 2 * * * /bin/bash ${HOME}/.openclaw/nightly-security-audit.sh --light-context") | crontab -

# Verify
crontab -l | grep security-audit

Key v2.8 Enhancements:

```
--light-context
```
: Prevents workspace context from hijacking isolated audit
Persistent reports in
```
$OC/security-reports/
```
(survives reboots)
30-day automatic rotation
Known-issues exclusion file for false positive suppression
Explicit healthy-state output (no silent pass)
Summary line for easy parsing

4. Brain Git Disaster Recovery

Setup:

bash

cd ~/.openclaw/brain
git init
git config user.name "OpenClaw"
git config user.email "audit@localhost"

# Initial commit
git add -A
git commit -m "Initial Brain state - $(date +%Y%m%d)"

# Add to audit script
echo 'cd "${OC}/brain" && git add -A && git commit -m "Nightly backup $(date +%Y%m%d)"' \
    >> ~/.openclaw/nightly-security-audit.sh

Recovery:

bash

# View history
cd ~/.openclaw/brain
git log --oneline

# Restore to previous state
git checkout <commit-hash> .

# Or restore specific file
git checkout <commit-hash> -- path/to/file

Validation & Red Team Testing

Pre-Deployment Testing

Test 1: Red Line Interrupt

bash

# Agent should block and request confirmation
rm -rf /tmp/test-openclaw-security

Expected behavior:

🔴 RED LINE: This command requires explicit human approval
Proceed? (yes/no):

Test 2: Yellow Line Justification

bash

# Agent should justify before proceeding
curl https://example.com/script.sh | bash

Expected behavior:

🟡 YELLOW LINE: Please justify this operation
[Agent provides reasoning before execution]

Test 3: Skill Installation Audit

bash

# Agent should quarantine and review
Install the skill from https://github.com/example/suspicious-skill

Expected behavior:

1. Downloading to quarantine directory
2. Running static analysis
3. [Lists findings: eval calls, network requests, binaries]
4. Requesting human approval before installation

Audit Script Validation

bash

# Manual trigger
bash ~/.openclaw/nightly-security-audit.sh

# Verify report generation
ls -lh ~/.openclaw/security-reports/

# Check report content
cat ~/.openclaw/security-reports/audit-*.log | head -50

Configuration

Environment Variables

bash

# Set OpenClaw home (if non-default)
export OPENCLAW_HOME="${HOME}/.openclaw"

# Audit report retention (days)
export AUDIT_RETENTION_DAYS=30

# Known issues exclusion file
export KNOWN_ISSUES_FILE="${OPENCLAW_HOME}/known-issues.txt"

Known Issues File Format

bash

# ~/.openclaw/known-issues.txt
# One pattern per line, used for grep -vFf
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign

Post-Upgrade Baseline Rebuild

After OpenClaw engine upgrades:

bash

# 1. Manual audit to identify new legitimate changes
bash ~/.openclaw/nightly-security-audit.sh

# 2. Review report and add expected changes to known-issues.txt
echo "/new/legitimate/suid" >> ~/.openclaw/known-issues.txt

# 3. Rebuild hash baselines
rm ~/.openclaw/.cron-baseline
rm ~/.openclaw/.ssh-baseline
bash ~/.openclaw/nightly-security-audit.sh  # Establishes new baseline

Common Patterns

Pattern 1: Safe Package Installation

bash

# Agent workflow:
# 1. Check if package is in allow-list
# 2. If not, verify from official repository
# 3. Install with minimal dependencies

apt-cache show <package>  # Verify source
apt install --no-install-recommends <package>

Pattern 2: External Script Review

bash

# Agent workflow:
# 1. Download to quarantine
# 2. Static analysis
# 3. Human review
# 4. Execute in isolated environment

mkdir -p /tmp/script-review
cd /tmp/script-review
curl -o script.sh https://example.com/script.sh
cat script.sh  # Review with human
bash script.sh  # After approval

Pattern 3: Permission Tightening

bash

# Restrict OpenClaw Brain directory
chmod 700 ~/.openclaw/brain

# Protect audit script
chmod 500 ~/.openclaw/nightly-security-audit.sh
chown root:root ~/.openclaw/nightly-security-audit.sh  # If running as root

# Immutable config (use with caution)
chattr +i ~/.openclaw/config.json

Troubleshooting

Issue: Audit Script Fails Silently

Symptoms: No reports generated, cron shows no errors

Diagnosis:

bash

# Check cron execution
grep CRON /var/log/syslog | tail -20

# Manual execution to see errors
bash -x ~/.openclaw/nightly-security-audit.sh

Common Causes:

Missing
```
set -euo pipefail
```
(fails on undefined variables)
Missing report directory creation
Permission issues on
```
~/.openclaw/security-reports/
```

Fix:

bash

mkdir -p ~/.openclaw/security-reports
chmod 755 ~/.openclaw/security-reports

Issue: False Positives in SUID Detection

Symptoms: Daily alerts for legitimate system files

Solution:

bash

# Build comprehensive known-issues list
find /usr/bin /usr/local/bin -type f -perm -4000 2>/dev/null > ~/.openclaw/known-issues.txt

# Audit will now only flag NEW SUID files

Issue: Agent Bypasses Red Lines

Symptoms: Destructive commands execute without confirmation

Diagnosis:

bash

# Check if guide is properly loaded
echo "Recite the red line rules from your security guide"

# Verify model capability
echo "What model are you running on?"

Common Causes:

Weak reasoning model (use Claude Opus, GPT-4, or Gemini)
Prompt injection via malicious Skill
Guide not included in system prompt

Fix:

bash

# Re-deploy guide with stronger model
# Use v2.8 with anti-hijacking measures

Issue: Baseline Drift After Legitimate Changes

Symptoms: Daily alerts after OS updates or intentional configuration changes

Solution:

bash

# Review the alert
cat ~/.openclaw/security-reports/audit-$(date +%Y%m%d)*.log

# If change is legitimate, rebuild baseline
rm ~/.openclaw/.cron-baseline  # Or whichever baseline is affected
bash ~/.openclaw/nightly-security-audit.sh

Issue: Audit Reports Not Persisting Across Reboots

Symptoms:

/tmp

reports vanish after restart

Solution (v2.8 fix):

bash

# Verify report directory is NOT in /tmp
grep REPORT_DIR ~/.openclaw/nightly-security-audit.sh

# Should output:
# REPORT_DIR="${OC}/security-reports"

Advanced Usage

Multi-Agent Coordination

For environments running multiple OpenClaw instances:

bash

# Shared audit directory
export SHARED_AUDIT_DIR="/var/openclaw-shared/audits"
mkdir -p "${SHARED_AUDIT_DIR}"

# Modify audit script to include agent ID
REPORT="${SHARED_AUDIT_DIR}/audit-${HOSTNAME}-$(date +%Y%m%d-%H%M%S).log"

Integration with External SIEM

bash

# Add to audit script (before exit)
if command -v logger &> /dev/null; then
    logger -t openclaw-audit "Audit completed: ${REPORT}"
fi

# Or push to remote syslog
echo "$(cat ${REPORT})" | nc -w1 -u syslog-server.local 514

Custom Red/Yellow Line Rules

bash

# Create custom rules file
cat > ~/.openclaw/custom-rules.json <<EOF
{
  "red_lines": [
    "systemctl disable.*",
    "setenforce 0",
    "iptables -P INPUT ACCEPT"
  ],
  "yellow_lines": [
    "docker run.*--privileged",
    "kubectl delete namespace"
  ]
}
EOF

# Agent loads and enforces custom rules

Version Compatibility

v2.7 (Legacy): OpenClaw 2026.3 and earlier
v2.8 Beta: OpenClaw 2026.4 and later

⚠️ Risk Warning: OpenClaw's rapid iteration may cause incompatibility with future versions. Always test in non-production environment first.

Security Philosophy

This guide operates on four core principles:

Zero-friction operations: Reduce manual security burden except at red lines
High-risk requires confirmation: Irreversible actions pause for human approval
Explicit nightly auditing: All metrics reported, including healthy states
Zero-Trust by default: Assume prompt injection and supply chain poisoning are always possible

Final responsibility remains with the human operator.

Additional Resources

License: MIT
Maintainer: SlowMist Security Team

openclaw-security-practice-guide

NPX Install

Tags

SKILL.md Content

OpenClaw Security Practice Guide

What This Guide Provides

3-Tier Defense Matrix

Target Scenario

Installation & Deployment

Prerequisites

Quick Start (Agent-Assisted Deployment)

Core Components

1. Red/Yellow Line Command Controls

2. Skill Installation Audit Protocol

3. Nightly Security Audit

4. Brain Git Disaster Recovery

Validation & Red Team Testing

Pre-Deployment Testing

Audit Script Validation

Configuration

Environment Variables

Known Issues File Format

Post-Upgrade Baseline Rebuild

Common Patterns

Pattern 1: Safe Package Installation

Pattern 2: External Script Review

Pattern 3: Permission Tightening

Troubleshooting

Issue: Audit Script Fails Silently

Issue: False Positives in SUID Detection

Issue: Agent Bypasses Red Lines

Issue: Baseline Drift After Legitimate Changes

Issue: Audit Reports Not Persisting Across Reboots

Advanced Usage

Multi-Agent Coordination

Integration with External SIEM

Custom Red/Yellow Line Rules

Version Compatibility

Security Philosophy

Additional Resources