--- name: clawdbot-self-security-audit description: Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge. homepage: https://github.com/TheSethRose/Clawdbot-Security-Check metadata: {"clawdbot":{"emoji":"🔒","os":["darwin","linux"],"requires":{"files":["read"],"tools":["exec","bash"]},"install":[{"id":"read-skill","kind":"skill","name":"clawdbot-self-security-audit","label":"Install security audit skill","bins":["SKILL.md"]}]}} ---

Clawdbot Self-Security Audit Framework

This skill empowers Clawdbot to audit its own security posture using first-principles reasoning. Rather than relying on a static script, Clawdbot learns the framework and applies it dynamically to detect vulnerabilities, understand their impact, and recommend specific remediations.

Core Philosophy

> "Security through transparency and self-awareness." — Inspired by ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ

Clawdbot should know its own attack surface. This skill embeds that knowledge directly.

Security Principles

Running an AI agent with shell access requires caution. Focus on three areas:

1. Who can talk to the bot — DM policies, group allowlists, channel restrictions
2. Where the bot is allowed to act — Network exposure, gateway binding, proxy configs
3. What the bot can touch — Tool access, file permissions, credential storage

Start with the smallest access possible and widen it as you gain confidence.

Trust Hierarchy

Apply appropriate trust levels based on role:

| Level | Entity | Trust Model | |-------|--------|-------------| | 1 | Owner | Full trust — has all access | | 2 | AI | Trust but verify — sandboxed, logged | | 3 | Allowlists | Limited trust — only specified users | | 4 | Strangers | No trust — blocked by default |

Audit Commands

Use these commands to run security audits:

• clawdbot security audit — Standard audit of common issues
• clawdbot security audit --deep — Comprehensive audit with all checks
• clawdbot security audit --fix — Apply guardrail remediations

The 12 Security Domains

When auditing Clawdbot, systematically evaluate these domains:

1. Gateway Exposure 🔴 Critical

What to check:

• Where is the gateway binding? (gateway.bind)
• Is authentication configured? (gateway.auth_token or CLAWDBOT_GATEWAY_TOKEN env var)
• What port is exposed? (default: 18789)
• Is WebSocket auth enabled?

How to detect:

cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
env | grep CLAWDBOT_GATEWAY_TOKEN

Vulnerability: Binding to 0.0.0.0 or lan without auth allows network access.

Remediation:

# Generate gateway token
clawdbot doctor --generate-gateway-token
export CLAWDBOT_GATEWAY_TOKEN="$(openssl rand -hex 32)"

---

2. DM Policy Configuration 🟠 High

What to check:

• What is dm_policy set to?
• If allowlist, who is explicitly allowed via allowFrom?

How to detect:

cat ~/.clawdbot/clawdbot.json | grep -E '"dm_policy|"allowFrom"'

Vulnerability: Setting to allow or open means any user can DM Clawdbot.

Remediation:

{
  "channels": {
    "telegram": {
      "dmPolicy": "allowlist",
      "allowFrom": ["@trusteduser1", "@trusteduser2"]
    }
  }
}

---

3. Group Access Control 🟠 High

What to check:

• What is groupPolicy set to?
• Are groups explicitly allowlisted?
• Are mention gates configured?

How to detect:

cat ~/.clawdbot/clawdbot.json | grep -E '"groupPolicy"|"groups"' 
cat ~/.clawdbot/clawdbot.json | grep -i "mention"

Vulnerability: Open group policy allows anyone in the room to trigger commands.

Remediation:

{
  "channels": {
    "telegram": {
      "groupPolicy": "allowlist",
      "groups": {
        "-100123456789": true
      }
    }
  }
}

---

4. Credentials Security 🔴 Critical

What to check:

• Credential file locations and permissions
• Environment variable usage
• Auth profile storage

Credential Storage Map: | Platform | Path | |----------|------| | WhatsApp | ~/.clawdbot/credentials/whatsapp/{accountId}/creds.json | | Telegram | ~/.clawdbot/clawdbot.json or env | | Discord | ~/.clawdbot/clawdbot.json or env | | Slack | ~/.clawdbot/clawdbot.json or env | | Pairing allowlists | ~/.clawdbot/credentials/channel-allowFrom.json | | Auth profiles | ~/.clawdbot/agents/{agentId}/auth-profiles.json | | Legacy OAuth | ~/.clawdbot/credentials/oauth.json |

How to detect:

ls -la ~/.clawdbot/credentials/
ls -la ~/.clawdbot/agents/*/auth-profiles.json 2>/dev/null
stat -c "%a" ~/.clawdbot/credentials/oauth.json 2>/dev/null

Vulnerability: Plaintext credentials with loose permissions can be read by any process.

Remediation:

chmod 700 ~/.clawdbot
chmod 600 ~/.clawdbot/credentials/oauth.json
chmod 600 ~/.clawdbot/clawdbot.json

---

5. Browser Control Exposure 🟠 High

What to check:

• Is browser control enabled?
• Are authentication tokens set for remote control?
• Is HTTPS required for Control UI?
• Is a dedicated browser profile configured?

How to detect:

cat ~/.clawdbot/clawdbot.json | grep -A5 '"browser"'
cat ~/.clawdbot/clawdbot.json | grep -i "controlUi|insecureAuth"
ls -la ~/.clawdbot/browser/

Vulnerability: Exposed browser control without auth allows remote UI takeover. Browser access allows the model to use logged-in sessions.

Remediation:

{
  "browser": {
    "remoteControlUrl": "https://...",
    "remoteControlToken": "...",
    "dedicatedProfile": true,
    "disableHostControl": true
  },
  "gateway": {
    "controlUi": {
      "allowInsecureAuth": false
    }
  }
}

Security Note: Treat browser control URLs as admin APIs.

---

6. Gateway Bind & Network Exposure 🟠 High

What to check:

• What is gateway.bind set to?
• Are trusted proxies configured?
• Is Tailscale enabled?

How to detect:

cat ~/.clawdbot/clawdbot.json | grep -A10 '"gateway"'
cat ~/.clawdbot/clawdbot.json | grep '"tailscale"'

Vulnerability: Public binding without auth allows internet access to gateway.

Remediation:

{
  "gateway": {
    "bind": "127.0.0.1",
    "mode": "local",
    "trustedProxies": ["127.0.0.1", "10.0.0.0/8"],
    "tailscale": {
      "mode": "off"
    }
  }
}

---

7. Tool Access & Sandboxing 🟡 Medium

What to check:

• Are elevated tools allowlisted?
• Is restrict_tools or mcp_tools configured?
• What is workspaceAccess set to?
• Are sensitive tools running in sandbox?

How to detect:

cat ~/.clawdbot/clawdbot.json | grep -i "restrict|mcp|elevated"
cat ~/.clawdbot/clawdbot.json | grep -i "workspaceAccess|sandbox"
cat ~/.clawdbot/clawdbot.json | grep -i "openRoom"

Workspace Access Levels: | Mode | Description | |------|-------------| | none | Workspace is off limits | | ro | Workspace mounted read-only | | rw | Workspace mounted read-write |

Vulnerability: Broad tool access means more blast radius if compromised. Smaller models are more susceptible to tool misuse.

Remediation:

{
  "restrict_tools": true,
  "mcp_tools": {
    "allowed": ["read", "write", "bash"],
    "blocked": ["exec", "gateway"]
  },
  "workspaceAccess": "ro",
  "sandbox": "all"
}

Model Guidance: Use latest generation models for agents with filesystem or network access. If using small models, disable web search and browser tools.

---

...