Goal: turn OpenClaw security guidance into a concrete checklist you can run and rerun in CI or ops playbooks.
Run audits in a controlled environment first. Treat findings as input to your org’s own security review, not a full replacement.
Execute each command, capture output, then note issues and fixes.
Start with a human-readable report:
openclaw security audit
For deeper checks (DM scopes, sandbox, hooks, webhooks, plugins):
openclaw security audit --deep
Skim the summary and note any high or critical warnings (shared DM scopes, open group policies, sandbox disabled with browser tools, etc.).
Produce JSON output you can feed into scripts:
openclaw security audit --json | jq ' .summary '
openclaw security audit --deep --json | jq ' .findings[] | select(.severity=="critical") | .checkId '
Store these reports under your ops or security repository so you can track drift over time.
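The JSON pipelines above are what a CI job or ops script would consume. The following is an added example (not OpenClaw's own code) of the gate and drift-tracking logic that would sit behind them: it fails the run on any finding at a chosen severity and diffs two stored reports by checkId. It assumes only the report fields this page shows (a top-level summary object, a findings list with severity and checkId, and the fix.ok / report wrapper returned by --fix --json); the sample reports and their checkId values are constructed placeholders, not real OpenClaw identifiers.

```python
"""CI gate and drift tracking over `openclaw security audit --json` output.

Assumed report shape (only the fields the OpenClaw docs show): a top-level
"summary" object and a "findings" list whose entries carry "severity" and
"checkId"; `--fix --json` wraps the audit under "report" next to "fix.ok".
Everything else here, including the sample data, is constructed.
"""
import json
from typing import Iterable

# Constructed samples of a previous and a current `--deep --json` run.
# The checkId strings are illustrative placeholders, not real OpenClaw check IDs.
PREVIOUS_REPORT = json.loads("""
{
  "summary": {"critical": 1, "warn": 1, "info": 0},
  "findings": [
    {"checkId": "example.dm.shared_scope", "severity": "critical"},
    {"checkId": "example.group.open_policy", "severity": "warn"}
  ]
}
""")

CURRENT_REPORT = json.loads("""
{
  "summary": {"critical": 1, "warn": 1, "info": 1},
  "findings": [
    {"checkId": "example.sandbox.disabled_with_browser", "severity": "critical"},
    {"checkId": "example.group.open_policy", "severity": "warn"},
    {"checkId": "example.logging.redact_off", "severity": "info"}
  ]
}
""")

# Constructed sample of what `--fix --json` returns: fix status plus the post-fix report.
FIX_REPORT = json.loads("""
{
  "fix": {"ok": true},
  "report": {
    "summary": {"critical": 0, "warn": 1, "info": 0},
    "findings": [
      {"checkId": "example.group.open_policy", "severity": "warn"}
    ]
  }
}
""")


def unwrap(report: dict) -> dict:
    """Accept either a plain audit report or the `--fix --json` wrapper."""
    return report["report"] if "report" in report and "findings" not in report else report


def findings_by_severity(report: dict, severities: Iterable[str]) -> list[str]:
    """Sorted checkIds whose severity (case-insensitive) is in `severities`."""
    wanted = {s.lower() for s in severities}
    return sorted(
        f["checkId"] for f in unwrap(report).get("findings", [])
        if str(f.get("severity", "")).lower() in wanted
    )


def gate(report: dict, fail_on: Iterable[str] = ("critical",)) -> tuple[bool, list[str]]:
    """CI gate: returns (passed, offending checkIds); fails on any listed severity."""
    offending = findings_by_severity(report, fail_on)
    return (not offending, offending)


def fix_applied(fix_report: dict) -> bool:
    """True when `--fix --json` reported success (the `.fix.ok` field on the page)."""
    return bool(fix_report.get("fix", {}).get("ok", False))


def drift(previous: dict, current: dict) -> dict[str, list[str]]:
    """Diff two stored reports by checkId: what appeared and what was resolved."""
    prev_ids = {f["checkId"] for f in unwrap(previous).get("findings", [])}
    cur_ids = {f["checkId"] for f in unwrap(current).get("findings", [])}
    return {"new": sorted(cur_ids - prev_ids), "resolved": sorted(prev_ids - cur_ids)}


if __name__ == "__main__":
    passed, offending = gate(CURRENT_REPORT)
    print("gate:", "PASS" if passed else "FAIL", offending)
    print("drift since last run:", json.dumps(drift(PREVIOUS_REPORT, CURRENT_REPORT)))
    print("fix applied:", fix_applied(FIX_REPORT), "post-fix gate:", gate(FIX_REPORT))
    raise SystemExit(0 if passed else 1)
```

In a pipeline you would replace the embedded samples with `json.load()` of the file produced by `openclaw security audit --deep --json`, keep the previous run's file in the ops repository as the page suggests, and let the non-zero exit status fail the job.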
Let OpenClaw apply deterministic remediations:
openclaw security audit --fix
Or combine with JSON output:
openclaw security audit --fix --json | jq ' {fix: .fix.ok, summary: .report.summary} '
--fix focuses on safe changes: tightening file permissions, enabling logging.redactSensitive, closing obvious group-policy oversharing, etc. It does not remove plugins, rotate keys, or change gateway exposure on its own.
After applying fixes, run:
openclaw doctor --deep
Confirm that gateway, sandbox, and channels all look healthy, and that any remaining warnings are either acceptable or queued for manual remediation.
Turn the commands on this page into your team runbook.