Skill Trust Decision

openclaw-security-auditor

OpenClaw security auditing tool with a documented mismatch: SKILL.md claims read-only operation, but config_fixer.py can write modified system configs. No malicious behavior was detected, but an undeclared modification capability violates the transparency principle.

Source: Manual upload
Scanned: Apr 4, 2026
Files: 7 · Artifacts: 2 · Violations: 1 · Findings: 3

Why this conclusion was reached

1/4 dimensions flagged

Block · Declared vs actual capability
1 undeclared or violating capability was inferred.

Review · Hidden execution and egress
2 lower-risk artifacts were extracted and still need context.

Pass · Attack chain and severe findings
There is no explicit malicious chain in the report.

Pass · Dependencies and supply chain hygiene
Dependencies are present, but no obvious high-risk issue stands out.

What drove the risk score up

Undeclared filesystem write access +20

SKILL.md states the skill is 'safe and non-destructive' and 'only reads configuration files', but config_fixer.py writes modified configs.

Documentation framing mismatch +10

SKILL.md says the skill 'never makes automatic changes without explicit user approval', but an automated remediation section exists.

Missing security boundary declarations +10

No documentation of which paths can be modified or what protections prevent unintended changes.

Most important evidence

Medium · Doc Mismatch
Undeclared filesystem write capability

SKILL.md states the skill is 'safe and non-destructive - it only reads configuration files', but config_fixer.py contains code that writes modified configurations back to disk. The code can do more than the documentation admits.

Location: scripts/config_fixer.py:52
Recommendation: Update SKILL.md to explicitly declare the filesystem:WRITE capability used for config modification. Document which configuration paths can be modified and the safety mechanisms (backup, dry-run) in place.

Low · Doc Mismatch
Misleading 'never makes automatic changes' claim

SKILL.md states the skill 'never makes automatic changes without explicit user approval', but the skill ships scripts for automated remediation and fix application. CLI usage requires explicit arguments, so a user does trigger the run, but the capability exists and the documentation should say so.

Location: SKILL.md:85
Recommendation: Clarify the documentation. If automated fixes can be applied through scripts, state the conditions and safeguards; if the skill is truly manual-only, remove the automated remediation script references.

Low · Sensitive Access
Access to OpenClaw configuration directory

The skill reads, and through config_fixer.py can modify, the ~/.openclaw/ configuration directory, which holds security-sensitive settings including tokens and authentication configuration.

Location: scripts/security_scanner.py:25
Recommendation: This is legitimate for a security auditing tool. Ensure the backup routine (config_fixer.py:17) runs on every write path before any modification.
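The three recommendations above (declare which paths may be written, always back up first, keep a dry-run) amount to one small guarded-write routine. The following is an added example written for this page, not the skill's config_fixer.py: the ~/.openclaw-style root, the config key allow_insecure_http and the remediation function are constructed for the demonstration, and the scratch directory stands in for a real home directory.

```python
"""Guarded configuration writes: path allowlist, mandatory backup, dry-run,
atomic replace. Added example, not the skill's own config_fixer.py."""
import json
import os
import shutil
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a target lies outside the declared writable root."""


def resolve_within(path, allowed_root):
    """Resolve `path` (following symlinks) and require it to sit under allowed_root."""
    root = Path(allowed_root).resolve()
    target = Path(path).resolve()
    if target != root and root not in target.parents:
        raise UnsafePathError(f"{target} is outside the writable root {root}")
    return target


def apply_config_fix(path, mutate, allowed_root, dry_run=True):
    """Apply `mutate` to the JSON config at `path`.

    Returns (would_change, backup_path). Nothing is written in dry-run mode;
    otherwise a .bak copy is taken first and the new file is swapped in
    atomically, so an interrupted run never leaves a half-written config.
    """
    target = resolve_within(path, allowed_root)
    original = json.loads(target.read_text())
    updated = mutate(json.loads(json.dumps(original)))  # mutate a deep copy
    if updated == original:
        return False, None
    if dry_run:
        return True, None
    backup = target.with_name(target.name + ".bak")
    shutil.copy2(target, backup)  # backup is mandatory, not optional
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=target.name + ".")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(updated, f, indent=2)
        os.replace(tmp, target)  # atomic rename on POSIX
    finally:
        if os.path.exists(tmp):  # only true if the write failed before replace
            os.unlink(tmp)
    return True, backup


def disable_insecure_http(config):
    """Constructed remediation: turn off a hypothetical weak setting."""
    config["allow_insecure_http"] = False
    return config


def run_demo():
    """Exercise dry-run, a real write, and the path guard in a scratch directory."""
    with tempfile.TemporaryDirectory() as home:
        root = Path(home) / ".openclaw"  # stands in for ~/.openclaw/
        root.mkdir()
        cfg = root / "config.json"
        cfg.write_text(json.dumps({"allow_insecure_http": True}))
        dry = apply_config_fix(cfg, disable_insecure_http, root, dry_run=True)
        untouched = json.loads(cfg.read_text())["allow_insecure_http"]
        changed, backup = apply_config_fix(cfg, disable_insecure_http, root, dry_run=False)
        fixed = json.loads(cfg.read_text())["allow_insecure_http"]
        kept = json.loads(backup.read_text())["allow_insecure_http"]
        outside = Path(home) / "evil.json"  # outside the allowed root
        outside.write_text("{}")
        try:
            apply_config_fix(outside, disable_insecure_http, root, dry_run=False)
            guarded = False
        except UnsafePathError:
            guarded = True
        return {"dry": dry, "untouched": untouched, "changed": changed,
                "fixed": fixed, "backup_kept": kept, "guarded": guarded}


if __name__ == "__main__":
    print(run_demo())
```

Path.resolve() follows symlinks before the containment check, so a link dropped inside the allowed root that points at ~/.ssh/config is rejected rather than silently rewritten, and the dry-run path returns before any file handle is opened for writing.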

Declared capability vs actual capability

Filesystem · Block
Declared: READ
Inferred: WRITE
Evidence: scripts/config_fixer.py:52 - json.dump(config, f)
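How a scanner arrives at a row like the one above can be shown mechanically. The following is an added example written for this page; it is not the scanner that produced this report and contains none of the skill's own code. It parses each Python source with the standard library's ast module, labels every file-system call READ or WRITE (open() by its mode argument, plus a short list of library functions that write), and compares the strongest level found against the level declared in SKILL.md. The frontmatter layout (a `filesystem: READ` line under `capabilities:`), the two sample sources and their line numbers are constructed to mirror the finding; they are not the real files.

```python
"""Declared-vs-inferred file-system capability check. Added example, not the
scanner behind this report and not the skill's code; SKILL.md frontmatter
layout and both sample sources are constructed to mirror the finding above."""
import ast
import re

# Constructed sample inputs (not the real skill files).
SKILL_MD = """---
name: openclaw-security-auditor
capabilities:
  filesystem: READ
---
This skill is safe and non-destructive - it only reads configuration files.
"""

CONFIG_FIXER_PY = """import json, shutil

def backup(path):
    shutil.copy(path, path + ".bak")

def apply_fix(path, config):
    backup(path)
    with open(path, "w") as f:
        json.dump(config, f)
"""

SECURITY_SCANNER_PY = """import json, os

def load(path):
    with open(os.path.expanduser(path)) as f:
        return json.load(f)
"""

RANK = {"NONE": 0, "READ": 1, "WRITE": 2}
WRITE_FUNCS = {"json.dump", "pickle.dump", "yaml.safe_dump", "shutil.copy",
               "shutil.copy2", "shutil.copyfile", "shutil.move",
               "os.remove", "os.unlink", "os.rename", "os.replace"}
WRITE_METHODS = {"write_text", "write_bytes"}  # pathlib.Path methods
READ_FUNCS = {"json.load", "pickle.load", "yaml.safe_load"}


def declared_fs_capability(skill_md):
    """Read `filesystem: <LEVEL>` from the SKILL.md frontmatter; NONE if absent."""
    m = re.search(r"^\s*filesystem:\s*(\w+)", skill_md, re.MULTILINE)
    return m.group(1).upper() if m else "NONE"


def _qualified_name(call):
    """'open', 'json.dump', '<expr>.write_text' ... for a Call node."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        base = f.value.id if isinstance(f.value, ast.Name) else "<expr>"
        return f"{base}.{f.attr}"
    return "<dynamic>"


def _open_mode(call):
    """Mode argument of open(); defaults to 'r' like the builtin."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return str(kw.value.value)
    return "r"


def scan_calls(source):
    """Yield (lineno, name, level) for every file-system call found syntactically."""
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node)
        if name == "open":
            level = "WRITE" if re.search(r"[wax+]", _open_mode(node)) else "READ"
        elif name in WRITE_FUNCS or name.split(".")[-1] in WRITE_METHODS:
            level = "WRITE"
        elif name in READ_FUNCS:
            level = "READ"
        else:
            continue
        yield node.lineno, name, level


def check_skill(skill_md, sources):
    """Compare the declared capability with the strongest level inferred from `sources`."""
    declared = declared_fs_capability(skill_md)
    inferred, evidence = "NONE", []
    for filename, src in sources.items():
        for lineno, name, level in scan_calls(src):
            if RANK[level] > RANK[inferred]:
                inferred = level
            if RANK[level] > RANK[declared]:  # only cite calls above the declaration
                evidence.append(f"{filename}:{lineno} - {name}")
    verdict = "Block" if RANK[inferred] > RANK[declared] else "Pass"
    return {"declared": declared, "inferred": inferred,
            "verdict": verdict, "evidence": evidence}


if __name__ == "__main__":
    print(check_skill(SKILL_MD, {"scripts/config_fixer.py": CONFIG_FIXER_PY,
                                 "scripts/security_scanner.py": SECURITY_SCANNER_PY}))
```

The check is syntactic only: writes that go through subprocess, os.system, exec(), or a helper imported from another module are not seen, which is why the report scores hidden execution as a separate dimension. Read a Pass as "no write found", not "no write possible".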

Suspicious artifacts and egress

Medium · External URL
https://docs.openclaw.ai/security
Location: scripts/report_generator.py:143

Medium · External URL
https://docs.openclaw.ai/best-practices
Location: scripts/report_generator.py:145

Both URLs appear only as strings in generated report text; no fetch or other outbound connection was observed (see Security positives).

Dependencies and supply chain

Package   Version   Source            Known vuln   Notes
osa       unknown   external import   No           Imported as the 'openclaw-security-auditor' package; not defined within the skill, so an external dependency

File composition

7 files · 1218 lines
Python: 4 files · 688 lines
Markdown: 3 files · 530 lines

Files of concern · 4
scripts/report_generator.py (Python · 310 lines): external URLs https://docs.openclaw.ai/security · https://docs.openclaw.ai/best-practices
SKILL.md (Markdown · 207 lines): misleading 'never makes automatic changes' claim
scripts/security_scanner.py (Python · 176 lines): access to OpenClaw configuration directory
scripts/config_fixer.py (Python · 157 lines): undeclared filesystem write capability
Other files: config-guide.md · security-modes.md · test_skill.py

Security positives

No credential harvesting - skill audits config but does not extract secrets
No data exfiltration - no external data transmission observed
No obfuscation - all code is readable plaintext Python
No base64-encoded payloads or eval() calls
No suspicious network connections (external URLs only in generated report text, not executed)
No ~/.ssh, ~/.aws, or .env file access attempts
Backup mechanism implemented before config modification (config_fixer.py:17)
Supports dry-run mode for config_fixer (--dry-run argument)