Scoring

How ClawVitals calculates your security score and what each band means.

How the score is calculated

Every scan starts at a base score of 100. Deductions are applied for each stable control that fails, based on severity. The final score is a number between 0 and 100.

Only stable controls contribute to the score. Experimental controls are reported separately and do not affect your score.

A minimum of 5 evaluable (PASS or FAIL) stable controls is required for a valid score. If fewer controls can be evaluated (e.g. due to collection errors), the score is marked as insufficient data.

Severity deductions

Severity | Deduction per failure | Example
---------|-----------------------|-----------------------------------
Critical | −25 points            | Open (unauthenticated) group
High     | −10 points            | Reverse proxy trust not configured
Medium   | −5 points             | OpenClaw behind latest release
Low      | −2 points             |
Info     | 0 points              | Update available notification

RAG bands

🟢 Green: Score 90–100. No urgent action required.
🟡 Amber: Score 70–89. Review recommended: one or more high/medium findings.
🔴 Red: Score 0–69. Immediate action required: critical or multiple high findings.
Insufficient data: Fewer than 5 controls could be evaluated. Check collector errors in the detail report.

Domain scores

The full detail report (run show clawvitals details) breaks the score down by domain (Authentication, OpenClaw Config, and Version Currency) so you can see which area needs the most attention.

A domain score requires at least 2 evaluable controls to be considered valid.
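The scoring rules above (base 100, severity deductions for failing stable controls, the 5-control minimum, the RAG bands and the 2-control minimum per domain) as a worked example. This is added illustration code, not ClawVitals' own implementation; the control record layout, the clamping of the score at 0, and the use of the same deduction table for domain scores are assumptions.

```python
# Deduction per failed stable control, by severity (from the scoring table).
DEDUCTIONS = {"critical": 25, "high": 10, "medium": 5, "low": 2, "info": 0}
MIN_CONTROLS_OVERALL = 5  # evaluable stable controls needed for a valid score
MIN_CONTROLS_DOMAIN = 2   # evaluable stable controls needed for a valid domain score


def score_controls(controls, min_evaluable):
    """Return (score, evaluable_count); score is None when there is insufficient data.

    Each control is a dict (assumed layout) with keys: status ('PASS', 'FAIL'
    or 'ERROR'), severity, stable (bool) and domain. Only stable PASS/FAIL
    controls are evaluable; experimental controls and collector errors are ignored.
    """
    evaluable = [c for c in controls if c["stable"] and c["status"] in ("PASS", "FAIL")]
    if len(evaluable) < min_evaluable:
        return None, len(evaluable)
    deducted = sum(DEDUCTIONS[c["severity"]] for c in evaluable if c["status"] == "FAIL")
    return max(0, 100 - deducted), len(evaluable)  # assumption: score floors at 0


def band(score):
    """Map a score to its RAG band; None means insufficient data."""
    if score is None:
        return "Insufficient data"
    if score >= 90:
        return "Green"
    if score >= 70:
        return "Amber"
    return "Red"


def domain_scores(controls):
    """Per-domain score (assumed to use the same deductions), needing >= 2 evaluable controls."""
    domains = sorted({c["domain"] for c in controls})
    return {d: score_controls([c for c in controls if c["domain"] == d], MIN_CONTROLS_DOMAIN)[0]
            for d in domains}


# Constructed sample results, not real ClawVitals output.
SAMPLE = [
    {"id": "auth-open-group", "domain": "Authentication", "severity": "critical", "stable": True, "status": "PASS"},
    {"id": "auth-proxy-trust", "domain": "Authentication", "severity": "high", "stable": True, "status": "FAIL"},
    {"id": "cfg-a", "domain": "OpenClaw Config", "severity": "medium", "stable": True, "status": "FAIL"},
    {"id": "cfg-b", "domain": "OpenClaw Config", "severity": "low", "stable": True, "status": "PASS"},
    {"id": "cfg-exp", "domain": "OpenClaw Config", "severity": "critical", "stable": False, "status": "FAIL"},
    {"id": "ver-latest", "domain": "Version Currency", "severity": "medium", "stable": True, "status": "FAIL"},
    {"id": "ver-notify", "domain": "Version Currency", "severity": "info", "stable": True, "status": "ERROR"},
]

if __name__ == "__main__":
    total, n = score_controls(SAMPLE, MIN_CONTROLS_OVERALL)
    print(f"score={total} band={band(total)} evaluable={n}")  # score=80 band=Amber evaluable=5
    print(domain_scores(SAMPLE))  # Version Currency has only 1 evaluable control -> None
```

Note that the experimental critical failure (cfg-exp) and the collector error (ver-notify) change neither the overall score nor the evaluable count, which is why Version Currency ends up with insufficient data.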