One-command security scanner for OpenClaw deployments. Find credential leaks, dangerous skills, permission issues, and configuration risks in seconds.
Zero dependencies. MIT licensed. Built by ClawStack.
```bash
git clone https://github.com/SkunkWorks0x/clawstack-sentinel.git
cd clawstack-sentinel
npm install
npm run build

# Scan a project directory
npm run audit -- --path /path/to/your/openclaw-project

# Or link globally
npm link
clawstack-sentinel audit --path /path/to/your/openclaw-project
```

| Category | What it finds | Severity |
|---|---|---|
| Credential Exposure | API keys, database URIs, private keys, JWTs, .env files, secrets in agent memory | Critical |
| Dangerous Skill Patterns | Network exfiltration, filesystem abuse, process spawning, eval, env access in skills | High |
| Permission & Config | Root execution, Docker misconfig, exposed ports, disabled sandboxing/auth | Critical-High |
| Hygiene | Missing .gitignore rules, absent lockfiles | Medium-Low |
Every scan produces a 0-100 score:
| Score | Label | Meaning |
|---|---|---|
| 90-100 | HARDENED | Production-ready |
| 70-89 | MODERATE RISK | Address high-severity findings |
| 40-69 | HIGH RISK | Significant vulnerabilities present |
| 0-39 | CRITICAL RISK | Immediate action required |
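The category table describes what the scanner looks for and the score table describes how a scan is graded. As an added illustration of both (example code, not clawstack-sentinel's own implementation, whose rule set and scoring formula the README does not show), the JavaScript below flags a few of those finding types in an in-memory project and maps a penalty-based score onto the bands above. The regex rules, penalty weights, the `scanFiles`/`audit` helpers and the sample files are assumptions constructed for this example.

```javascript
// Added example, not clawstack-sentinel's own code: rule patterns, penalty weights
// and sample files are constructed; only category names and score bands are the README's.
const RULES = [
  { id: 'aws-access-key', category: 'Credential Exposure', severity: 'Critical',
    re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'eval', category: 'Dangerous Skill Patterns', severity: 'High',
    re: /\beval\s*\(/ },
  { id: 'process-spawn', category: 'Dangerous Skill Patterns', severity: 'High',
    re: /child_process|\b(?:execSync|spawn)\s*\(/ },
  { id: 'env-access', category: 'Dangerous Skill Patterns', severity: 'High',
    re: /\bprocess\.env\b/ },
];
const PENALTY = { Critical: 30, High: 15, Medium: 5, Low: 2 };
// Scan an in-memory { path: contents } map (so this runs offline); each regex hit
// on a line becomes one finding that records the file and line number.
function scanFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const r of RULES) {
        if (!r.re.test(line)) continue;
        findings.push({ path, line: i + 1, id: r.id,
                        category: r.category, severity: r.severity });
      }
    });
  }
  return findings;
}
// Start at 100, subtract a penalty per finding (floored at 0), then map the score
// onto the README's bands.
function scoreFindings(findings) {
  return Math.max(0, 100 - findings.reduce((s, f) => s + PENALTY[f.severity], 0));
}
function labelFor(score) {
  if (score >= 90) return 'HARDENED';
  if (score >= 70) return 'MODERATE RISK';
  if (score >= 40) return 'HIGH RISK';
  return 'CRITICAL RISK';
}
function audit(files) {
  const findings = scanFiles(files), score = scoreFindings(findings);
  return { findings, score, label: labelFor(score) };
}
// Constructed sample project: a committed .env with an AWS-style key, plus a skill
// that spawns a process from an environment-controlled command string.
const SAMPLE_PROJECT = {
  '.env': 'AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n',
  'skills/fetch.js': "const { execSync } = require('child_process');\nconst out = execSync(process.env.CMD);\n",
};
```

Running `audit(SAMPLE_PROJECT)` yields four findings (one Critical, three High), a score of 25 and the label CRITICAL RISK, the same band the README assigns to scores below 40.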
```text
clawstack-sentinel audit [options]

  --path <dir>      Directory to scan (default: current directory)
  --output <file>   Report output path (default: ./sentinel-report.md)
  --json            Output JSON instead of terminal formatting
```
Sentinel is the security module of ClawStack — the open-source production layer for OpenClaw.
https://clawpilled.me
MIT