Control Library

26 controls across 5 domains. Standard controls run via the OpenClaw CLI. Expanded controls require the plugin in expanded mode and check the host system directly.

10 Stable · 8 Experimental · 8 Expanded (Plugin) · 5 Critical severity

Stable: controls contribute to score

| ID | Control | Description | Severity | Status |
|---|---|---|---|---|
| NC-OC-003 | No ineffective deny command entries | Checks that gateway.nodes.denyCommands entries are all valid, recognized command names. | High | Stable |
| NC-OC-004 | No open (unauthenticated) groups | Checks that no messaging groups are configured with open (unauthenticated) access alongsid... | Critical | Stable |
| NC-OC-008 | All configured channels healthy | Checks that all configured messaging channels have successful probe results. | Medium | Stable |
| NC-OC-009 | OpenClaw update available | Informational notice when a newer OpenClaw version is available in the registry. | Info | Stable |
| NC-AUTH-001 | Reverse proxy trust correctly configured | Checks that trusted proxies are configured when the gateway binds to loopback. | High | Stable |
| NC-VERS-001 | OpenClaw is behind latest release | Checks whether the installed OpenClaw version is behind the latest available release. | Medium | Stable |
| NC-VERS-002 | OpenClaw not more than 2 minor versions behind | Checks that the installed version is within 2 minor versions of the latest release. | Medium | Stable |
| NC-OC-012 | Gateway authentication not configured | Checks that the OpenClaw gateway has an authentication token configured. | Critical | Stable |
| NC-OC-013 | Browser control requires gateway authentication | Checks that gateway authentication is configured when browser control is enabled. | Critical | Stable |
| NC-OC-014 | Gateway auth token meets minimum length | Checks that the gateway authentication token is of sufficient length to resist brute-force. | High | Stable |

Experimental: reported only, not scored

| ID | Control | Description | Severity | Status |
|---|---|---|---|---|
| NC-OC-002 | Sandbox mode appropriate for deployment context | Checks that sandbox mode is appropriately configured when multi-user heuristics are detect... | High | Experimental |
| NC-OC-005 | Elevated tools usage acknowledged | Checks whether elevated tools are enabled and prompts user acknowledgement. | Info | Experimental |
| NC-OC-006 | Workspace file access scoped | Checks that filesystem access is scoped to workspace when multi-user heuristics are detect... | High | Experimental |
| NC-OC-007 | Dependency integrity verifiable | Checks that the dependency integrity status is verifiable (not a known failure state). | Medium | Experimental |
| NC-AUTH-002 | No API tokens in workspace files | Scans workspace files for exposed API tokens and credentials. | High | Experimental |
| NC-AUTH-003 | No tokens in OpenClaw log files | Scans OpenClaw log files for accidentally logged credentials. | High | Experimental |
| NC-VERS-004 | Node.js runtime within LTS support window | Checks that the Node.js runtime is within the LTS support window. | Medium | Experimental |
| NC-VERS-005 | No deprecated API usage warnings | Checks for deprecation warnings in OpenClaw security audit output. | Low | Experimental |

Expanded controls: Plugin only · run clawvitals --expanded

System-level checks that require direct host access. Run with run clawvitals --expanded. Results are reported separately from the standard score.

| ID | Control | Description | Severity | Status |
|---|---|---|---|---|
| NC-OLLAMA-001 | Ollama not externally accessible | Checks that Ollama is not bound to a public network interface on port 11434. | Critical | Expanded |
| NC-NET-001 | Management interfaces not internet-exposed | Checks that SSH, Docker API, and admin dashboards are not accessible from public interfaces. | Critical | Expanded |
| NC-SECRET-001 | No secrets in env/config files | Scans common config files for hardcoded API keys and credentials. | Critical | Expanded |
| NC-SECRET-002 | No API keys in shell history | Scans zsh and bash history for accidentally typed API keys and secrets. | High | Expanded |
| NC-TUNNEL-001 | Cloudflare tunnel endpoints authenticated | Checks that services exposed via Cloudflare Tunnel have Access policies configured. | High | Expanded |
| NC-DOCKER-001 | Containers not running as root or privileged | Checks running Docker containers for dangerous privilege configurations. | High | Expanded |
| NC-OS-001 | OS auto-updates enabled | Checks that the operating system is configured to receive automatic security updates. | High | Expanded |
| NC-OS-002 | Disk encryption enabled | Checks that FileVault (macOS) or LUKS (Linux) disk encryption is active. | High | Expanded |