OpenClaw Security Audit

Scan your openclaw.json for security misconfigurations, known-vulnerable skills, and risky policies — entirely in your browser. Get a severity-scored issue list and an A–F security grade.

What the Audit Checks

Critical
  • Sandbox disabled (mode: off) with exec tool allowed — unrestricted shell access
  • Skills matching the ClawHavoc known-malicious list (341 identified skills)
  • Skills with known credential leaks (Snyk: 7.1% of skills affected)
High
  • Agent sandbox set to 'off' without exec — still elevated risk
  • Skills requesting exec tool without sandbox protection
Medium
  • Channel dmPolicy set to 'open' — anyone can message your agent
  • Agent has no fallback models configured — single point of failure
  • Skills with elevated permissions not in allowlist
Low
  • Skills installed from non-ClawHub sources (unverified supply chain)
  • Skills with no security grade available
  • Stale skills not updated in 90+ days

Security Scoring

ClawChart starts at 100 points and deducts based on issue severity. The final score maps to a letter grade:

Grade thresholds:
  A  90–100
  B  75–89
  C  60–74
  D  40–59
  F  0–39

Deduction per issue:
  Critical  −25 pts
  High      −15 pts
  Medium     −8 pts
  Low        −3 pts
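As an added illustration (not ClawChart's own code), the following JavaScript applies the checks and scoring described above to a constructed openclaw.json. The key names it reads (agent.sandbox.mode, agent.tools, agent.fallbackModels, channels[].dmPolicy, skills[].source, skills[].tools) and the remediated values 'on' and 'allowlist' are assumptions, since the page does not document the schema; clamping the score at 0 is also assumed.

```javascript
// Added example, not ClawChart's own code: a minimal client-side audit that
// applies this page's severity checks and scoring rules. The openclaw.json
// key names below are assumptions for illustration, as is the score floor of 0.
const DEDUCTION = { critical: 25, high: 15, medium: 8, low: 3 };

function auditConfig(cfg, knownMalicious = new Set()) {
  const issues = [];
  const add = (severity, msg) => issues.push({ severity, msg });
  const sandboxOff = cfg.agent?.sandbox?.mode === 'off';
  const execAllowed = (cfg.agent?.tools ?? []).includes('exec');
  if (sandboxOff && execAllowed) add('critical', 'sandbox off with exec tool allowed');
  else if (sandboxOff) add('high', 'sandbox off (exec tool not allowed)');
  for (const skill of cfg.skills ?? []) {
    if (knownMalicious.has(skill.name)) add('critical', `known-malicious skill: ${skill.name}`);
    if (sandboxOff && (skill.tools ?? []).includes('exec')) add('high', `exec skill without sandbox: ${skill.name}`);
    if (skill.source !== 'clawhub') add('low', `non-ClawHub skill source: ${skill.name}`);
  }
  for (const ch of cfg.channels ?? []) {
    if (ch.dmPolicy === 'open') add('medium', `channel ${ch.name} has dmPolicy open`);
  }
  if (!(cfg.agent?.fallbackModels?.length > 0)) add('medium', 'no fallback models configured');
  return issues;
}

function scoreIssues(issues) {
  const raw = issues.reduce((s, i) => s - DEDUCTION[i.severity], 100);
  const score = Math.max(0, raw); // floor at 0 so the F band (0-39) is reachable
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
  return { score, grade };
}

// Constructed sample config exhibiting several of the page's findings.
const RISKY_CONFIG = {
  agent: { sandbox: { mode: 'off' }, tools: ['exec'], fallbackModels: [] },
  channels: [{ name: 'discord', dmPolicy: 'open' }],
  skills: [{ name: 'weather', source: 'github', tools: [] }],
};
// The same config with each finding remediated ('on' and 'allowlist' are assumed values).
const HARDENED_CONFIG = {
  agent: { sandbox: { mode: 'on' }, tools: ['exec'], fallbackModels: ['backup-model'] },
  channels: [{ name: 'discord', dmPolicy: 'allowlist' }],
  skills: [{ name: 'weather', source: 'clawhub', tools: [] }],
};

for (const cfg of [RISKY_CONFIG, HARDENED_CONFIG]) {
  const issues = auditConfig(cfg);
  console.log(scoreIssues(issues), issues.map((i) => `${i.severity}: ${i.msg}`));
}
```

Running it scores the risky config 56 (grade D: one critical, two medium, one low) and the hardened config 100 (grade A).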

Frequently Asked Questions

What security issues does ClawChart detect in openclaw.json?

ClawChart's security audit detects: sandbox disabled with exec tool allowed (critical), skills from the ClawHavoc known-vulnerable list (critical), open DM policies that allow anyone to message your agent (medium), missing fallback models (medium), skills installed from non-ClawHub sources (low), and more.

Is the OpenClaw security audit safe to use?

Yes. The entire audit runs in your browser using client-side JavaScript. Your openclaw.json is never transmitted to any server. The known-vulnerable skills list is pre-cached at build time and served as a static file.

What is the ClawHavoc vulnerability list?

ClawHavoc refers to a set of 341 malicious OpenClaw skills identified by security researchers. Snyk research also found that 7.1% of OpenClaw skills contain credential leaks. ClawChart cross-references your installed skills against this known-vulnerable list and flags any matches as critical issues.

How is the OpenClaw security score calculated?

ClawChart starts at 100 points and deducts: 25 points per critical issue, 15 per high, 8 per medium, 3 per low. The final score maps to a letter grade: A (90–100), B (75–89), C (60–74), D (40–59), F (0–39).