About ClawVitals
What it is, why it exists, and why you probably need it.
The problem
OpenClaw is an autonomous AI agent. It has real, persistent access to your files, messages, APIs, and services, and it acts on your behalf throughout the day, often without you watching.
That level of access is what makes it powerful. It's also what makes it a target. A misconfigured permission, an outdated component, or a quietly modified config file can silently compromise your agent without you ever knowing. There's no warning. No error. Just an agent that's no longer quite yours.
Most users have no way to check. They assume everything's fine until it isn't.
What ClawVitals does
ClawVitals is a security health checker for OpenClaw. It runs a set of targeted checks across your installation, covering authentication, permissions, channel configuration, network trust, and version hygiene. Results are presented as a clear 0–100 score with plain-English findings for every check.
Failing checks come with exact remediation steps: the specific command or config change that fixes it. No security expertise required, no vague recommendations. Just: here's what's wrong, here's how to fix it.
Because your agent's configuration can change through updates, new skills, or manual edits, it's worth running ClawVitals periodically, not just once. A regular scan is the easiest way to catch regressions before they become a problem.
Important: A clean ClawVitals score indicates that your OpenClaw configuration follows some key best practices, but it doesn't guarantee that your agent is secure in all scenarios.
ClawVitals comes in two forms. Both are free and open source.
On-demand scanning
Run a full scan any time with a single command. Instant score, instant results, exact fixes. Stateless, with nothing stored between sessions. Install via ClawHub in seconds.
Install the skill →
Continuous monitoring
Everything in the skill, plus recurring scans, scan history, delta detection, regression alerts, config tamper detection, and a posture trend dashboard. Built for users who want to track their security over time, not just spot-check it.
Install the plugin →
What we check
ClawVitals runs a set of security controls, each targeting a real misconfiguration that affects OpenClaw deployments in the wild:
- Authentication configuration: is auth enabled and enforced?
- Group and user permissions: who has access to what?
- Channel security: are messaging channels properly isolated?
- Reverse proxy trust: is proxy forwarding correctly configured?
- Version currency: are you running a patched release?
- And more, including informational controls for additional signal
The plugin adds enhanced security controls: system-level checks covering exposed services, open ports, secrets on disk, and Docker configuration, as well as config tamper detection with SHA256 baseline hashing, drift detection, and prompt injection scanning across your core agent files.
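To make the tamper-detection idea concrete, here is an added Python sketch (illustrative only, not ClawVitals' own code) of baseline hashing and drift detection: tracked files are hashed with SHA-256 once, and a later pass is diffed against that baseline to surface modified, added and removed files. The file names and contents are constructed for the demo.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=("*.json", "*.md", "*.toml")) -> dict:
    """Map each tracked file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            baseline[str(path.relative_to(root))] = sha256_file(path)
    return baseline


def detect_drift(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots as modified, added or removed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter one core file and drop in a new one."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.json").write_text('{"auth": {"enabled": true}}\n')
        (root / "agent.md").write_text("You are a helpful assistant.\n")
        baseline = build_baseline(root)
        # Simulate a quiet edit to an agent file and an untracked file appearing.
        (root / "agent.md").write_text("You are a helpful assistant.\nSome appended text.\n")
        (root / "extra.toml").write_text("x = 1\n")
        return detect_drift(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline dict is what a real scanner would persist between runs; a non-empty "modified" or "added" list is the signal to alert on.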
Open source & free
MIT License
Security tools should be transparent. Both the ClawVitals skill and the ClawVitals plugin are open source, with the code on GitHub, and are released under the MIT License.