Plugin only: Expanded controls require the ClawVitals plugin. See clawvitals.io/plugin
Expanded Controls
The plugin supports two control sets. Standard mode is the default: 16 checks that use only the OpenClaw CLI. Expanded mode adds 8 deeper system-level checks that go beyond what the CLI can see.
Standard vs expanded
Standard mode (default) runs every time you run clawvitals. It uses only the OpenClaw CLI; no additional system access is needed. This is the same control set the skill uses, with the plugin adding history, delta detection, and alerts on top.
Expanded mode adds 8 system-level checks: Ollama exposure, open management ports, secrets in config files and shell history, Cloudflare tunnel auth, Docker container privileges, OS auto-updates, and disk encryption. These require reading system files and running shell commands beyond the OpenClaw CLI.
How to run
One-off expanded scan (standard controls + expanded controls in a single run):
Set expanded as your permanent default for all future scans:
Revert to standard mode (default):
What expanded mode checks
| ID | Control | Severity | What it checks |
|---|---|---|---|
| NC-OLLAMA-001 | Ollama not externally accessible | Critical | Port 11434 not bound to 0.0.0.0 |
| NC-NET-001 | Management interfaces not internet-exposed | Critical | SSH/Docker API/admin dashboards not on public interface |
| NC-SECRET-001 | No secrets in env/config files | Critical | Regex scan of ~/.env, .envrc for API key patterns |
| NC-SECRET-002 | No API keys in shell history | High | Regex scan of ~/.zsh_history, ~/.bash_history |
| NC-TUNNEL-001 | Cloudflare tunnel endpoints authenticated | High | ~/.cloudflared/config.yml has Access policies |
| NC-DOCKER-001 | Containers not running as root or privileged | High | docker inspect for privileged/root/dangerous caps |
| NC-OS-001 | OS auto-updates enabled | High | softwareupdate (macOS) / unattended-upgrades (Linux) |
| NC-OS-002 | Disk encryption enabled | High | FileVault (macOS) / LUKS (Linux) |
When a check is not applicable
Some expanded checks only make sense if the relevant tool or service is present on your machine. If it isn't, the check is marked SKIPPED rather than failed, so it doesn't affect your score or trigger alerts. Your scan output will note any skipped controls and why.
- Docker not installed → NC-DOCKER-001 skipped. No Docker means no containers to check.
- Cloudflare Tunnel not configured → NC-TUNNEL-001 skipped. If ~/.cloudflared/config.yml doesn't exist, there's nothing to check.
- Unrecognised operating system → NC-OS-001 and NC-OS-002 skipped. Auto-update and disk encryption checks are platform-specific (macOS/Linux). If the platform can't be determined, the checks are skipped rather than failing incorrectly.
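As an added illustration (not the plugin's own code), here is a small Python model of two of these checks, NC-OLLAMA-001 and NC-SECRET-001, showing how a check returns PASS, FAIL or SKIPPED and why a secret scanner should report a location rather than the matched value. It runs over constructed lsof output and a constructed .env snippet; the regex patterns are assumptions, not the plugin's actual rules.

```python
import re
from typing import Optional

# Constructed sample of `lsof -iTCP -sTCP:LISTEN -P -n` output (not from a real machine).
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ollama  4242 alice   3u  IPv4 0x1234      0t0  TCP *:11434 (LISTEN)
sshd     101 root    4u  IPv4 0x5678      0t0  TCP 127.0.0.1:22 (LISTEN)
"""

# Constructed ~/.env content; the value is a placeholder, not a real credential.
SAMPLE_ENV = "DEBUG=1\nOPENAI_API_KEY=sk-PLACEHOLDER0000000000000000\n"

# lsof prints these hosts when a socket is bound to every interface.
WILDCARD_HOSTS = {"*", "0.0.0.0", "[::]"}

# Assumed key-shaped patterns; a real scanner would carry a curated list.
SECRET_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9]{20,}"),
    re.compile(r"(?i)(api[_-]?key|secret|token)\s*=\s*\S{16,}"),
]


def listeners(lsof_text: str):
    """Parse (host, port) pairs from the LISTEN lines of lsof output, skipping the header."""
    out = []
    for line in lsof_text.splitlines()[1:]:
        m = re.search(r"TCP (\S+):(\d+) \(LISTEN\)", line)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def check_ollama_exposure(lsof_text: str):
    """NC-OLLAMA-001 style: FAIL if port 11434 listens on a wildcard address."""
    exposed = [h for h, p in listeners(lsof_text) if p == 11434 and h in WILDCARD_HOSTS]
    if exposed:
        return {"id": "NC-OLLAMA-001", "status": "FAIL", "detail": f"bound to {exposed[0]}"}
    # Loopback-only or not listening at all both satisfy the control.
    return {"id": "NC-OLLAMA-001", "status": "PASS", "detail": "not on wildcard address"}


def check_env_secrets(env_text: Optional[str]):
    """NC-SECRET-001 style: SKIPPED when the file is absent, FAIL on the first key-like line."""
    if env_text is None:
        return {"id": "NC-SECRET-001", "status": "SKIPPED", "detail": "file not present"}
    for n, line in enumerate(env_text.splitlines(), 1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            # Report only the line number so the finding never echoes the secret itself.
            return {"id": "NC-SECRET-001", "status": "FAIL", "detail": f"line {n}"}
    return {"id": "NC-SECRET-001", "status": "PASS", "detail": "no key patterns found"}
```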
Permissions required
Full details in SECURITY.md on GitHub.
Expanded controls read the following files and run the following commands; all operations are read-only:
- Reads ~/.env, ~/.zsh_history, ~/.bash_history, ~/.cloudflared/config.yml
- Runs lsof, docker inspect, fdesetup, softwareupdate