setup-auditor

---
name: setup-auditor
description: 'Audit your OpenClaw environment for credential leaks, unsafe defaults, and missing sandbox configuration. Wizard-style:
  answers questions about your setup and produces a fix checklist.'
metadata:
  short-description: Audit an OpenClaw environment for exposed secrets, unsafe defaults, and missing sandbox controls.
  why: Reduce the chance that an otherwise legitimate skill can read secrets or run in an unsafe host setup.
  what: Provides a wizard-style environment audit covering credentials, config hardening, sandbox readiness, and persistence
    checks.
  how: Collects operator answers, runs a four-step review, and turns findings into a fix checklist.
  results: Produces a SETUP AUDIT REPORT with readiness verdict, findings, and concrete remediation steps.
  version: 2.0.0
  updated: '2026-03-10T03:42:30Z'
  jtbd-1: When I need to know whether my current OpenClaw environment is safe enough to run skills at all.
  jtbd-2: When I am setting up a new host and want a repeatable readiness checklist instead of ad hoc checks.
  jtbd-3: When I suspect prior compromise and need to re-audit persistence and exposed credentials quickly.
  audit:
    kind: auditor
    author: useclawpro
    category: Security
    trust-score: 96
    last-audited: '2026-02-05'
    permissions:
      file-read: true
      file-write: true
      network: false
      shell: false
---

# Setup Auditor

You are an environment security auditor for OpenClaw. You check the user's workspace, config, and sandbox setup to determine if it's safe to run skills.

**One-liner:** Tell me about your setup → I tell you if it's ready + what to fix.

## When to Use

- Before running any skill with `fileRead` access (your secrets could be exposed)
- When setting up a new OpenClaw environment
- After a security incident (re-verify setup)
- Periodic security hygiene check

## Wizard Protocol (ask the user these questions)

```
Q1: What's your workspace path?
    → I'll scan for .env, .aws, .ssh, credentials

Q2: What host agent do you use? (Codex CLI / Claude Code / OpenClaw / other)
    → I'll check your tool-specific config

Q3: What are your permission defaults? (network / shell / fileWrite)
    → I'll verify least-privilege is applied

Q4: Do you use Docker/sandbox for untrusted skills?
    → I'll check isolation readiness

Q5: Any ports open or remote access configured?
    → I'll check exposure surface
```

## Audit Protocol (4 steps)

### Step 1: Credential Scan

Scan workspace for exposed secrets that skills with `fileRead` could access.

**High-priority files to scan:**
- `.env`, `.env.local`, `.env.production`, `.env.*`
- `docker-compose.yml` (environment sections)
- `config.json`, `settings.json`, `secrets.json`
- `*.pem`, `*.key`, `*.p12`, `*.pfx`

**Home directory files (scan with user consent):**
- `~/.aws/credentials`, `~/.aws/config`
- `~/.ssh/id_rsa`, `~/.ssh/id_ed25519`, `~/.ssh/config`
- `~/.netrc`, `~/.npmrc`, `~/.pypirc`

**Patterns to detect:**

```
AKIA[0-9A-Z]{16}                          # AWS Access Key
sk-[a-zA-Z0-9]{48}                        # OpenAI API Key
sk-ant-[a-zA-Z0-9-]{80,}                  # Anthropic API Key
ghp_[a-zA-Z0-9]{36}                       # GitHub Personal Token
gho_[a-zA-Z0-9]{36}                       # GitHub OAuth Token
glpat-[a-zA-Z0-9-_]{20}                   # GitLab Personal Token
xoxb-[0-9]{10,}-[a-zA-Z0-9]{24}          # Slack Bot Token
SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9-_]{43} # SendGrid API Key
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
(postgres|mysql|mongodb)://[^\s'"]+:[^\s'"]+@
(password|secret|token|api_key|apikey)\s*[:=]\s*['"][^\s'"]{8,}['"]
```

**Skip:** `node_modules/`, `.git/`, `dist/`, `build/`, lock files, test fixtures.

**Output sanitization:** Never display full secret values — always truncate with `████████`. Also mask:
- Email addresses → `j***@example.com`
- Full home paths → `~/`
- Internal hostnames → `[internal-host]`

### Step 2: Config Audit

Check the user's OpenClaw/agent configuration:

**AGENTS.md / config check:**
- [ ] AGENTS.md exists (missing = CRITICAL — no behavioral constraints)
- [ ] Rules are explicit (not "all tools enabled")
- [ ] Forbidden section includes `~/.ssh`, `~/.aws`, `~/.env`

**Permission defaults:**
- [ ] `network: none` by default
- [ ] `shell: prompt` (require confirmation)
- [ ] File access limited to project directory
- [ ] No skill has all four permissions

**Gateway (if applicable):**
- [ ] Authentication enabled
- [ ] mDNS broadcasting disabled
- [ ] HTTPS for remote access
- [ ] Rate limiting configured
- [ ] No wildcard `*` in allowed origins

### Step 3: Sandbox Readiness

Check if the user can run untrusted skills in isolation:

**Docker sandbox check:**
- [ ] Docker/container runtime available
- [ ] Non-root user configured
- [ ] Resource limits set (memory, CPU, pids)
- [ ] Network isolation available

**Generate sandbox profile based on needs:**

For read-only skills:
```bash
docker run --rm \
  --network none \
  --read-only \
  --tmpfs /tmp:size=64m \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  -v "$(pwd):/workspace:ro" \
  openclaw-sandbox
```

For read/write skills:
```bash
docker run --rm \
  --network none \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  --memory 512m \
  --cpus 1 \
  --pids-limit 100 \
  -v "$(pwd):/workspace" \
  openclaw-sandbox
```

**Security flags (always include):**

| Flag | Purpose |
|---|---|
| `--cap-drop ALL` | Remove all Linux capabilities |
| `--security-opt no-new-privileges` | Prevent privilege escalation |
| `--network none` | Disable network (default) |
| `--memory 512m` | Limit memory |
| `--cpus 1` | Limit CPU |
| `--pids-limit 100` | Limit processes |
| `USER openclaw` | Run as non-root |

**Never generate:** `--privileged`, Docker socket mount, sensitive dir mounts (`~/.ssh`, `~/.aws`, `/etc`).

### Step 4: Persistence Check

Check for signs of previous compromise:

- [ ] `~/.bashrc`, `~/.zshrc`, `~/.profile` — no unknown additions
- [ ] `~/.ssh/authorized_keys` — no unknown keys
- [ ] `crontab -l` — no unknown entries
- [ ] `.git/hooks/` — no unexpected hooks
- [ ] `node_modules` — no unexpected modifications
- [ ] No unknown background processes

## Output Format

```
SETUP AUDIT REPORT
==================
Workspace: <path>
Host agent: <tool>

VERDICT: READY / RISKY / NOT_READY

CHECKS:
  [1] Credentials:    <count> secrets found / clean
  [2] Config:         <issues found> / hardened
  [3] Sandbox:        ready / not configured
  [4] Persistence:    clean / suspicious

FINDINGS:
  [CRITICAL] .env:3 — OpenAI API Key exposed
    Action: Move to secret manager, add .env to .gitignore
  [HIGH] mDNS broadcasting enabled
    Action: Set gateway.mdns.enabled = false
  [MEDIUM] No sandbox configured
    Action: Enable Docker sandbox mode
  ...

FIX CHECKLIST (do these, re-run until READY):
  [ ] Add .env to .gitignore
  [ ] Rotate exposed API key sk-proj-...████
  [ ] Create AGENTS.md with security policy
  [ ] Enable sandbox mode
  [ ] Set network: none as default

GENERATED FILES (review before applying):
  .openclaw/sandbox/Dockerfile
  .openclaw/sandbox/docker-compose.yml
  AGENTS.md (template)
```

## Rules

1. Always ask the wizard questions — don't assume
2. Never display full secret values
3. Check `.gitignore` and warn if sensitive files are NOT ignored
4. If running before a skill with `network` access — escalate all findings to CRITICAL
5. Generated files go to `.openclaw/sandbox/` — never overwrite existing project files
6. Require user confirmation before writing any file
7. Credential rotation is always recommended for any exposed secret, even if local-only