Have I Been
Clawned?

Read ~/.openclaw/openclaw.json → gateway.bind

If 0.0.0.0, lan, or non-loopback: VERIFIED FAIL

If loopback/127.0.0.1: probe external interface. Blocked → VERIFIED PASS

Fix: openclaw config set gateway.bind loopback

Read ~/.openclaw/openclaw.json → gateway.auth

Auth disabled/no token: FAIL

Auth enabled: attempt unauthenticated WebSocket (5s). Connects → VERIFIED FAIL. Rejected → VERIFIED PASS

Fix: openclaw config set gateway.auth.mode token && openclaw config set gateway.auth.token "$(openssl rand -hex 32)"

curl -s -m 2 http://169.254.169.254/latest/meta-data/

HTTP 200: VERIFIED FAIL. Timeout: PASS. Not on cloud: SKIP

Fix: sudo iptables -A OUTPUT -d 169.254.169.254 -j DROP

Read ~/.openclaw/openclaw.json → email config

Match against gmail.com, yahoo.com, hotmail.com, outlook.com, icloud.com, protonmail.com, etc.

Match: FAIL. Custom domain or no email: PASS

Fix: Use a dedicated agent email on a domain you control

Scan: ~/.openclaw/openclaw.json, ~/.openclaw/.env, .env, openclaw.json

Patterns: sk- (20+), sk-ant-, AKIA (16), ghp_ (36), xoxb-/xoxp-, AIza (35)

Any match: FAIL (report file + type, never echo the key)

Fix: chmod 600 ~/.openclaw/.env && openclaw config set auth.keychain true

Test readable: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.config/gcloud/application_default_credentials.json, ~/.kube/config, ~/.npmrc, ~/.docker/config.json, ~/.netrc

3+: VERIFIED FAIL. 1-2: WARN. None: VERIFIED PASS

Fix: openclaw config set sandbox.mode all

OPT-IN: Ask user consent. Declined → SKIP

Scan 10 most recent files in ~/.openclaw/agents/*/sessions/*.jsonl

Credit cards, SSNs, API keys found → VERIFIED FAIL (report count, never values)

Fix: openclaw config set logging.redactSensitive tools

Check if running in Docker: test -f /.dockerenv

docker inspect: check Privileged, NetworkMode=host, Binds mounting / or /home

Privileged or host net or full mount: VERIFIED FAIL. Not in Docker: SKIP

Fix: Remove --privileged, use bridge networking, mount only needed dirs

Check: id -u (or stat /proc/self if in container)

UID 0: VERIFIED FAIL. Non-root: PASS

Fix: Run agent as unprivileged user: useradd -r openclaw && su openclaw

Scan MCP config files for invisible Unicode (zero-width spaces, bidirectional overrides, tag characters)

Also scan for suspicious keywords: ignore previous, exfiltrate, override

Invisible Unicode found: VERIFIED FAIL. Suspicious keywords: WARN. Clean: PASS

Fix: perl -CSD -pe 's/[\\x{200B}-\\x{200F}\\x{202A}-\\x{202E}\\x{2060}-\\x{2064}\\x{FEFF}]//g' -i ~/.openclaw/mcp/*.json

Parse all MCP server configs, extract tool names

Build map of tool_name → [servers]. Any name in 2+ servers: VERIFIED FAIL

All unique: PASS. No MCP: SKIP

Fix: openclaw mcp list-tools --check-duplicates && openclaw config set mcp.allowedServers ["filesystem","git"]

Check network.allowedHosts in config. Not set or *: test outbound (curl httpbin.org)

Unrestricted outbound confirmed: VERIFIED FAIL. Allowlist configured: PASS

Fix: openclaw config set network.allowedHosts ["api.anthropic.com","api.openai.com"]

Scan config and .env for: Telegram bot tokens (digits:base64), Slack (xoxb-/xoxp-), Discord tokens

Tokens found + lax file perms: FAIL. Tokens via env vars: PASS. None: PASS

Fix: Move tokens to env vars, chmod 600 .env, rotate exposed tokens

Check /proc/self/cmdline and startup scripts for: --dangerously-skip-permissions, --yolo, --trust-all-tools, --disable-sandbox

Check env vars: OPENCLAW_SKIP_PERMISSIONS, OPENCLAW_YOLO

Any found: VERIFIED FAIL. None: PASS

Fix: Remove all dangerous flags. Use explicit, minimal permission grants instead.

Send WebSocket upgrade with Origin: https://evil.example.com

HTTP 101 accepted: VERIFIED FAIL. Rejected: PASS. Gateway not running: check gateway.cors.allowedOrigins in config

Fix: openclaw config set gateway.cors.allowedOrigins ["https://your-domain.com"]

Read API base URLs from config and env (ANTHROPIC_BASE_URL, OPENAI_BASE_URL, etc.)

Check against known providers: api.anthropic.com, api.openai.com, etc.

Flag HTTP_PROXY/HTTPS_PROXY overrides and NODE_TLS_REJECT_UNAUTHORIZED=0

Custom/unknown base URL or proxy override: FAIL. Known providers only: PASS

Fix: Remove custom base URLs, unset HTTP_PROXY/HTTPS_PROXY, unset NODE_TLS_REJECT_UNAUTHORIZED

Scan SKILL.md and README.md in ~/.openclaw/skills/*/

Search for patterns: 'include your API key', 'paste your token', 'pass your credentials in the message'

Pattern found: FAIL. No skills or clean: PASS

Fix: Refactor skills to read credentials from env vars or config, never from the context window

Check active network connections against known C2 IP list

Match found: VERIFIED FAIL. No matches: PASS

Fix: Kill suspicious connections: ss -tlnp | grep <C2_IP> && kill <PID>

Scan installed skills for AMOS stealer signatures and known malicious hashes

Malware signature found: VERIFIED FAIL. Clean: PASS

Fix: rm -rf ~/.openclaw/skills/<infected-skill> && rotate all credentials

Check installed VS Code extensions for OpenClaw-related names

Any OpenClaw extension found: VERIFIED FAIL (OpenClaw has no official extension). None: PASS. VS Code not installed: SKIP

Fix: code --uninstall-extension <fake-extension-id> && rotate credentials

Read ~/.openclaw/openclaw.json → gateway.dangerouslyDisableDeviceAuth and gateway.trustedProxies

dangerouslyDisableDeviceAuth=true or trustedProxies contains *: VERIFIED FAIL. Both secure: PASS

Fix: openclaw config set gateway.dangerouslyDisableDeviceAuth false && openclaw config set gateway.trustedProxies '[]'

Read ~/.openclaw/openclaw.json → sandbox.mode

off/not set: FAIL. non-main: WARN. all + session scope: PASS. all + shared scope: WARN

Fix: openclaw config set sandbox.mode all && openclaw config set sandbox.scope session

Read ~/.openclaw/openclaw.json → tools.elevated

allowFrom * or all: FAIL. Restricted: PASS. Not configured: PASS

Fix: openclaw config set tools.elevated.allowFrom ["your-telegram-id"]

Check: ~/.openclaw/openclaw.json, ~/.openclaw/.env, ~/.openclaw/credentials/*, auth-profiles.json

Any > 600 (files) or > 700 (dirs): FAIL. All owner-only: PASS

Fix: chmod 600 ~/.openclaw/openclaw.json ~/.openclaw/.env

List ~/.openclaw/skills/

Check against: data-exfil, keylogger, reverse-shell, crypto-miner, credential-stealer, prompt-injector, shadow-agent, backdoor-tool, solana-wallet-tracker, polymarket-trader, token-sniper, atomic-stealer, openclaw-boost, free-credits, claw-premium, admin-tools

Also flag: no SKILL.md, modified last 24h, npm post-install scripts

Malicious: VERIFIED FAIL. 3+ unverified: WARN. Clean: PASS

Fix: rm -rf ~/.openclaw/skills/<malicious-skill>

Find MCP packages in agent config, node_modules, MCP config

mcp-remote < 1.1.0, @anthropic/mcp-inspector < 0.7.0, @anthropic/mcp-server-filesystem < 2.1.0, @anthropic/mcp-server-git < 2.1.0

Vulnerable: FAIL. No MCP: SKIP. All patched: PASS

Fix: npm update mcp-remote @anthropic/mcp-inspector @anthropic/mcp-server-filesystem

openclaw --version or package.json

< 2.6.1: CVE-2026-25253 (RCE). < 2.5.0: path traversal

Vulnerable: FAIL. Current: PASS

Fix: openclaw update

Check ~/.openclaw/agents/*/sessions/ permissions

Readable by group/others: FAIL. Owner-only: PASS

Fix: chmod -R 700 ~/.openclaw/agents/*/sessions/

Scan openclaw.json and .env for: change_me, default, placeholder, example, YOUR_, xxx, CHANGEME, TODO

Any match in a value field: FAIL. None found: PASS

Fix: Replace all placeholder values with real credentials

Check if .env is listed in .gitignore (in cwd and in ~/.openclaw/)

Not present in .gitignore: FAIL. Present: PASS. Not a git repo: SKIP

Fix: echo '.env' >> .gitignore && echo '.env.local' >> .gitignore

Run: git log --all -p (last 50 commits) and search for API key patterns

Same patterns as CLAW-05: sk-, AKIA, ghp_, xoxb-, etc.

Found: FAIL (report commit hash, never the key). No git: SKIP. Clean: PASS

Fix: git filter-branch or BFG Repo-Cleaner to remove secrets, then rotate keys

Test readable: ~/.config/google-chrome/, ~/.config/BraveSoftware/, ~/.mozilla/firefox/, ~/Library/Application Support/Google/Chrome/

Any readable: FAIL. None: PASS

Fix: openclaw config set sandbox.mode all

Test readable: ~/.git-credentials, ~/.gitconfig (check for credential helpers storing tokens)

Plaintext credentials found: FAIL. No credential files: PASS

Fix: Use SSH keys instead, or credential-cache with short timeout

Test readable: ~/.pgpass, ~/.my.cnf, ~/.mongosh/, ~/.redis-cli-history

Any found and readable: FAIL. None: PASS

Fix: chmod 600 ~/.pgpass ~/.my.cnf && openclaw config set sandbox.mode all

Run: ss -tlnp or netstat -tlnp

Check for services on 0.0.0.0 or ::: at common agent ports (3000, 5000, 8000, 8080, 8888)

Any found: FAIL (list ports). None: PASS

Fix: Bind services to 127.0.0.1 in their respective configs

Check: iptables -L -n, ufw status, nftables list

No rules or firewall inactive: FAIL. Active with rules: PASS. macOS with pf disabled: WARN

Fix: ufw enable && ufw default deny incoming && ufw allow ssh

If in Docker: docker inspect → SecurityOpt

No seccomp or AppArmor profile (unconfined): FAIL. Profile applied: PASS. Not in container: SKIP

Fix: Run with --security-opt seccomp=default --security-opt apparmor=docker-default

cd to agent install dir, run git status/diff

Uncommitted changes to source files: FAIL. Clean: PASS. Not a git repo: SKIP

Fix: git diff to review changes, git checkout -- . to revert if unauthorized

For each skill in ~/.openclaw/skills/, check package.json for preinstall/postinstall/prepare scripts

Scripts found: WARN (list them). Known malicious patterns (curl|wget|eval|exec): VERIFIED FAIL. None: PASS

Fix: Remove suspect skills and reinstall from verified sources

Check /proc/self/uid_map

0 0 4294967295 → no remapping: FAIL. Non-zero mapping: PASS. Not in Docker: SKIP

Fix: Add "userns-remap": "default" to /etc/docker/daemon.json, restart Docker

Find OpenClaw install dir (dirname $(which openclaw))

test -w: writable → FAIL. Read-only: PASS. Not found: SKIP

Fix: chown -R root:root /path/to/openclaw && chmod -R a-w /path/to/openclaw

Read gateway.rateLimit.enabled from config

Not set or false: FAIL. Enabled: PASS

Fix: openclaw config set gateway.rateLimit.enabled true && openclaw config set gateway.rateLimit.maxPerMinute 60

Test readable: Exodus, Electrum, Bitcoin, Ethereum dirs (macOS + Linux)

Also search for seed/mnemonic/recovery files in home dir

2+: VERIFIED FAIL. 1: WARN. None: PASS

Fix: chmod 700 ~/.bitcoin ~/.ethereum ~/.electrum; run agent as dedicated user

Check langchain-core version: < 0.3.81 or 1.0-1.2.4 → FAIL

Scan skills for yaml.load (not safe_load) → FAIL

All clean: PASS

Fix: pip install 'langchain-core>=0.3.81' && replace yaml.load with yaml.safe_load

Check /proc/mounts for root filesystem

ro flag: PASS. rw: FAIL. Not in Docker: SKIP

Fix: docker run --read-only --tmpfs /tmp:rw,noexec,nosuid ...

Read plugins.permissions and plugins.defaultDeny from config

No per-skill permissions: FAIL. defaultDeny includes network: PASS

Fix: openclaw config set plugins.defaultDeny network

Read sessions.encryptAtRest from config

Not set or false: FAIL (if sessions exist). Enabled: PASS

Fix: openclaw config set sessions.encryptAtRest true

Scan CLAUDE.md, .openclaw/rules.md, agent system prompts

Check for invisible Unicode, injection keywords, suspiciously long lines

Invisible Unicode: VERIFIED FAIL. Suspicious keywords: WARN. Clean: PASS

Fix: perl -CSD -pe 's/[\\x{200B}-\\x{200F}\\x{202A}-\\x{202E}]//g' -i CLAUDE.md

Check last modification time of .env and openclaw.json

> 90 days: FAIL. 30-90: WARN. < 30: PASS

Fix: Rotate API keys now, set auth.rotationReminder 30

Run npm audit in agent directory and skill directories

Critical/high vulns: FAIL. Moderate/low: WARN. Clean: PASS

Fix: npm audit fix && npm audit fix --force

Check tools.filesystem.write, tools.execute.allowed, tools.network.outbound

3+ wildcard categories: FAIL. 1-2: WARN. All scoped: PASS

Fix: openclaw config set tools.defaultPolicy deny

Parse MCP configs for http:// URLs (excluding localhost/127.0.0.1)

Remote HTTP found: FAIL. All HTTPS or local: PASS

Fix: Replace http:// with https:// in MCP config, or use stdio transport

Scan ~/.openclaw/memory/, CLAUDE.md, .claude/memory/ for injection markers

Check for: 'ignore previous instructions', base64 payloads, zero-width Unicode

Injection markers found: VERIFIED FAIL. Suspicious patterns: WARN. Clean: PASS

Fix: Review and clean memory files, remove injected content, rotate compromised sessions

Check OpenClaw config for autoApprove, allowedTools: '*'

Check Claude Code settings and MCP configs for per-category auto-approve

Wildcard or broad auto-approve found: FAIL. No auto-approve: PASS

Fix: Remove autoApprove flags and wildcard allowedTools, use explicit per-tool permissions

Scan MCP tool configs and skill definitions for social engineering patterns

Check for: 'read ~/.ssh', 'include API key', 'before using this tool first', 'exfiltrate', 'send to'

Pattern found: FAIL. Clean: PASS

Fix: Remove or rewrite suspicious tool descriptions, audit skill sources

Check MCP configs for tool definition hashes, pinning, or version locks

No integrity mechanism: WARN. Hashes or pinning configured: PASS

Fix: Pin MCP tool definitions with hashes or version locks where supported

Parse MCP server configs for token patterns: ghp_, glpat-, xoxb-, xoxp-

Check OAuth scopes for overly broad permissions: admin, org, write:all

Check for inline secrets in config

Long-lived tokens or broad scopes: FAIL. Narrow scopes, short-lived: PASS

Fix: Replace long-lived tokens with short-lived ones, narrow OAuth scopes to minimum required

Scan persistent context files for conditional triggers

Check for: 'if date is after', 'when the user asks about', base64 near conditionals

Trigger patterns found: VERIFIED FAIL. Suspicious patterns: WARN. Clean: PASS

Fix: Review and remove conditional payloads from context files, reset memory

Check config and env for telemetry endpoints: LANGSMITH_ENDPOINT, LANGFUSE_HOST, HELICONE_BASE_URL

HTTP endpoint found: FAIL. HTTPS or no telemetry: PASS

Fix: Update telemetry endpoints to use HTTPS

List installed skills in ~/.openclaw/skills/

Compare names against known popular skills using edit distance 1-2

Near-match found (edit distance 1-2): WARN. Exact malicious match: FAIL. All clean: PASS

Fix: Remove typosquatted skills and install from verified sources

Scan skill source files for known exfiltration domains: webhook.site, ngrok.io, requestbin.com, pipedream.com, burpcollaborator.net

Domain reference found: FAIL. Clean: PASS

Fix: Remove or replace skills referencing exfiltration domains

Read exec-approvals.json or equivalent approval config

Wildcard approvals or approve-all patterns: FAIL. Scoped approvals: PASS. No file: SKIP

Fix: Restrict exec-approvals.json to specific commands and paths

Read channel config for DM policies

Unrestricted DM access or no DM policy: FAIL. DM restricted to approved contacts: PASS

Fix: openclaw config set channels.dm.policy restricted

List installed skills and extract publisher/author metadata

Check against known malicious publisher blacklist

Blacklisted publisher found: VERIFIED FAIL. All clean: PASS

Fix: rm -rf ~/.openclaw/skills/<blacklisted-skill> && openclaw skills install <verified-alternative>

Read ~/.openclaw/openclaw.json → logging.redactSensitive

Not set or off: FAIL. tools (default): PASS

Fix: openclaw config set logging.redactSensitive tools

Read ~/.openclaw/openclaw.json → logging.level

debug or verbose: FAIL. info/warn/error: PASS. Not set (defaults to info): PASS

Fix: openclaw config set logging.level info

Check if ~/.openclaw/ path contains: Mobile Documents, iCloud, Dropbox, Google Drive, OneDrive

Inside sync folder: FAIL. Outside: PASS

Fix: Move ~/.openclaw/ outside synced folders, or add to .nosync

Check ulimit -u (processes), ulimit -n (files), cgroup memory limit

Multiple unlimited: FAIL. Partial: WARN. All limited: PASS

Fix: docker run --memory=2g --cpus=2 --pids-limit=256 ... OR ulimit -n 4096 -u 256

Probe gateway at common endpoints: /debug, /env, /config, /admin, /metrics

Any debug/env/config returns 200: FAIL. Only /health: PASS. Gateway not running: SKIP

Fix: openclaw config set server.debug false && openclaw config set server.disableEndpoints ["debug","env","config"]

Detect container runtime: check for /proc/self/status gVisor markers, /sys/hypervisor for Firecracker

runc: WARN (note stronger alternatives). gVisor or Firecracker: PASS. Not in container: SKIP

Fix: Switch to gVisor (runsc) or Firecracker for stronger container isolation

Test writable: ~/.bashrc, ~/.zshrc, ~/.profile, ~/Library/LaunchAgents/, ~/.config/systemd/user/

Check cron write access: crontab -l

3+: VERIFIED FAIL. 1-2: WARN. None: PASS

Fix: Run agent as dedicated user without write access to shell configs and startup dirs

Check for mDNS/Bonjour service advertisements related to OpenClaw

Broadcasting agent paths/ports: FAIL. No mDNS advertisements: PASS. mDNS not available: SKIP

Fix: Disable mDNS advertisement for agent services or restrict to loopback