Detect OpenClaw Security Gaps with the Open‑Source Dejavu Baseline Scanner

The article explains why OpenClaw’s autonomous AI‑agent architecture poses serious security risks—exposed ports, default‑off authentication, vulnerable skill plugins, and known CVEs—and presents a seven‑step manual baseline audit plus the open‑source Dejavu tool that automates these checks.

Black & White Path

OpenClaw is an AI‑agent platform that can read and write the local file system, call arbitrary external APIs, execute system commands, and load third‑party skill packages. Its default configuration disables authentication, exposing a gateway port (default 18789) to the network. Public reports show that 85 % of deployments expose this port, CVE‑2026‑25253 (WebSocket service trusts localhost requests, CVSS 8.8) is widely exploited, and 10.8 % of downloaded skills contain malicious code.

Why OpenClaw security is more complex than ordinary software

OpenClaw’s autonomy gives it value but also expands the attack surface: it can access the file system, invoke external services, run commands, and install third‑party skills, all without authentication by default.

Seven‑step baseline security audit

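Check configuration files (CRITICAL): ensure API keys are not hard‑coded in ~/.openclaw/openclaw.json. The command below searches the same file for prompt‑override phrases; the two Chinese patterns mean "you are now" and "ignore previous".

grep -iE "(ignore|override|bypass|pretend|forget|jailbreak|你现在是|忽略之前)" ~/.openclaw/openclaw.json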

Inspect installed skill packages (HIGH): list installed skills and review skill.yaml permissions.

openclaw skills list
ls ~/.openclaw/skills/

Validate exposed ports (CRITICAL): confirm only localhost bindings (e.g., 127.0.0.1:3000) and that Playwright/Chromium control ports (9222/9223) are not reachable from the internet.

ss -tlnp | grep -E "3000|8080|9000|4140"
ss -tlnp | grep openclaw

Audit authentication settings (CRITICAL): verify gateway.auth.enabled is true and that the token length is at least 40 hex characters. The second command strips the quotes and the trailing newline so that wc -c reports the token length itself.

openclaw config get gateway.auth.enabled
openclaw config get gateway.auth.token | tr -d '"\n' | wc -c

Check dependencies and supply‑chain integrity (HIGH): list the Node.js version and top‑level npm packages, then look for disclosed CVEs and typosquatted packages.

npm ls --depth=0
node --version

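Inspect host‑level artifacts (MEDIUM): detect unknown outbound connections, suspicious cron jobs, and recent file changes under ~/.openclaw. find -newer compares against the modification time of /tmp/checkpoint, so that reference file must already exist.

ss -tnp | grep openclaw
crontab -l
find ~/.openclaw -newer /tmp/checkpoint -type f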

Search for leaked secrets (CRITICAL): locate private keys, mnemonic phrases, and plaintext session databases.

find ~/.openclaw -name "*.pem" -o -name "*.key"
grep -rE "(mnemonic|seed phrase|private.?key)" ~/.openclaw/memory/
file ~/.openclaw/data/conversations.db
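
The port and token checks from the steps above can be made pass/fail instead of read by eye. The script below is an added example, not part of the original article and not Dejavu's code; the function names exposed_listeners and token_ok and the sample ss rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Dejavu code). Function names and sample data are constructed.

# Ports named in the article: 18789 (gateway default), 9222/9223 (browser
# control), and the ports its own grep looks for.
WATCHED_PORTS="18789 9222 9223 3000 8080 9000 4140"

# Reads `ss -tln` output on stdin and prints one CRITICAL line for every
# watched port that listens on a non-loopback address.
exposed_listeners() {
  awk -v ports="$WATCHED_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/^.*:/, "", port)      # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
      if (!(port in watch)) next
      # 127.0.0.0/8, ::1 and IPv4-mapped loopback are local-only bindings
      if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
      print "CRITICAL " addr ":" port
    }'
}

# Succeeds only if the token, with JSON quotes removed, is at least
# 40 characters long and purely hexadecimal.
token_ok() {
  t=$(printf '%s' "$1" | tr -d '"')
  [ "${#t}" -ge 40 ] || return 1
  case $t in *[!0-9a-fA-F]*) return 1 ;; esac
  return 0
}

# Constructed sample of `ss -tln` rows (no header), not captured from a host.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 10 127.0.0.1:9222 0.0.0.0:*
LISTEN 0 511 [::]:3000 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 10 *:9223 *:*
LISTEN 0 128 [::1]:8080 [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
# On a real host: ss -tln | exposed_listeners
#                 token_ok "$(openclaw config get gateway.auth.token)" || echo "CRITICAL weak token"
```

Wildcard bindings (0.0.0.0, [::], *) are reported because they accept connections on every interface; whether they are reachable from the internet still depends on the host firewall and network path.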

Dejavu – open‑source baseline scanner

Dejavu automates the seven‑step logic, runs locally, produces a graded JSON report (CRITICAL/HIGH/MEDIUM), and does not upload any data. It provides full‑dimension coverage and community‑driven rule updates.

GitHub repository: https://github.com/AscendGrace/Dejavu

Running Dejavu yields a quick (2‑5 minute) baseline assessment and can be integrated into CI/CD pipelines for continuous security checks.

Written by

Black & White Path