Control Library
v0.1.0 — 16 controls across 3 domains. Stable controls contribute to your score. Experimental controls are reported separately.
7 Stable | 8 Experimental | 1 Critical severity | 6 Score-contributing
Stable controls — contribute to score

| ID | Control | Severity | Status |
|---|---|---|---|
| NC-OC-003 | No ineffective deny command entries: Checks that gateway.nodes.denyCommands entries are all valid, recognized command names. | High | Stable |
| NC-OC-004 | No open (unauthenticated) groups: Checks that no messaging groups are configured with open (unauthenticated) access alongsid... | Critical | Stable |
| NC-OC-008 | All configured channels healthy: Checks that all configured messaging channels have successful probe results. | Medium | Stable |
| NC-OC-009 | OpenClaw update available: Informational notice when a newer OpenClaw version is available in the registry. | Info | Stable |
| NC-AUTH-001 | Reverse proxy trust correctly configured: Checks that trusted proxies are configured when the gateway binds to loopback. | High | Stable |
| NC-VERS-001 | OpenClaw is behind latest release: Checks whether the installed OpenClaw version is behind the latest available release. | Medium | Stable |
| NC-VERS-002 | OpenClaw not more than 2 minor versions behind: Checks that the installed version is within 2 minor versions of the latest release. | Medium | Stable |

Experimental — reported only, not scored

| ID | Control | Severity | Status |
|---|---|---|---|
| NC-OC-002 | Sandbox mode appropriate for deployment context: Checks that sandbox mode is appropriately configured when multi-user heuristics are detect... | High | Experimental |
| NC-OC-005 | Elevated tools usage acknowledged: Checks whether elevated tools are enabled and prompts user acknowledgement. | Info | Experimental |
| NC-OC-006 | Workspace file access scoped: Checks that filesystem access is scoped to workspace when multi-user heuristics are detect... | High | Experimental |
| NC-OC-007 | Dependency integrity verifiable: Checks that the dependency integrity status is verifiable (not a known failure state). | Medium | Experimental |
| NC-AUTH-002 | No API tokens in workspace files: Scans workspace files for exposed API tokens and credentials. | High | Experimental |
| NC-AUTH-003 | No tokens in OpenClaw log files: Scans OpenClaw log files for accidentally logged credentials. | High | Experimental |
| NC-VERS-004 | Node.js runtime within LTS support window: Checks that the Node.js runtime is within the LTS support window. | Medium | Experimental |
| NC-VERS-005 | No deprecated API usage warnings: Checks for deprecation warnings in OpenClaw security audit output. | Low | Experimental |

Deferred — not yet implementable