openclaw-security-monitor_skill

This skill provides real-time security monitoring and automated remediation for OpenClaw deployments, integrating threat intel, scans, and Telegram alerts.
  • Python

2.6k

GitHub Stars

3

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill openclaw-security-monitor

  • _meta.json658 B
  • README.md55.7 KB
  • SKILL.md10.6 KB

Overview

This skill provides proactive security monitoring, daily threat scanning, and automated remediation tailored for OpenClaw deployments. It combines a 32-point scanner, threat intelligence feeds, a web dashboard, and Telegram alerting to surface and fix risky configurations and indicators of compromise. The goal is reduce exposure from malicious skills, exfiltration channels, and risky runtime settings.

How this skill works

The monitor runs a comprehensive set of checks across networking, file permissions, running processes, extension/plugin hygiene, container settings, and credential exposure. It uses curated IOC lists (C2 IPs, malicious domains, file hashes, publisher patterns) and heuristics for obfuscation, reverse shells, and persistence mechanisms. Results are viewable in a dark-themed dashboard, sent to Telegram, and can be remediated automatically via per-check scripts with dry-run and auto-approve options.

When to use it

  • Before exposing an OpenClaw instance to public networks or clients
  • After installing new skills, plugins, or VS Code extensions
  • When unexpected network connections or suspicious processes appear
  • As a daily automated safety check for production agents
  • During incident response to quickly locate and neutralize compromises

Best practices

  • Enable the daily automated scan and Telegram alerts to catch issues early
  • Run remediation in dry-run mode first, then auto-approve only trusted fixes
  • Keep the IOC files updated from your threat intelligence sources
  • Limit privileged mounts (Docker socket, root) and enforce least privilege
  • Review remediation scripts before auto-applying in sensitive environments

Example use cases

  • Detect and block outgoing connections to known C2 IP addresses discovered by threat intel
  • Identify skills or extensions that exfiltrate credentials to public payload hosts
  • Audit container configurations to ensure no privileged socket mounts or root access
  • Scan for persistence artifacts (cron, LaunchAgents, systemd) added by malicious skills
  • Automate nightly scans with Telegram summaries for on-call teams

FAQ

Exit codes indicate overall status: 0 = secure, 1 = warnings found, 2 = compromised; use the dashboard or logs for details.

Can I preview fixes before applying them?

Yes — the remediation supports --dry-run to show planned changes, and --yes to auto-approve fixes when you’re ready.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational