Security Audit is a beta feature. Detection coverage and UI are evolving — feedback is welcome.
The Audit Rules tab shows every detection rule the audit engine is currently running. Rules are read-only — they reflect the live configuration and cannot be modified from the dashboard. This page documents each rule category in detail.
The engine checks every file_read and file_write event against glob patterns that match files likely to contain secrets or credentials. A match raises a sensitive_path or sensitive_path_medium risk flag.

The OpenClaw workspace paths are whitelisted: they are checked first, and any match suppresses all other path rules. This prevents normal agent workspace reads from generating noise.

| Pattern | Label | Severity |
| --- | --- | --- |
| `**/.openclaw/workspace/**` | OpenClaw workspace | Whitelisted (no alert) |
| `**/.openclaw/agents/**` | OpenClaw agent data | Whitelisted (no alert) |
| `**/.ssh/**` | SSH directory | Low |
| `**/id_rsa`, `**/id_ed25519`, `**/id_ecdsa` | SSH private key | Medium |
| `**/.env`, `**/.env.*` | Environment file | Medium |
| `**/*.env` | Environment file | Low |
| `**/*password*`, `**/*secret*`, `**/*credential*` | Password / secret / credential file | Medium |
| `**/*token*` | Token file | Low |
| `**/Library/Keychains/**` | macOS Keychain | Medium |
| `**/.netrc` | Netrc credentials | Medium |
| `**/.pgpass` | PostgreSQL password file | Medium |
| `**/config/credentials.yml*` | Rails credentials | Medium |
| `**/*.pem`, `**/*.p12`, `**/*.pfx` | PEM certificate / PKCS12 keystore | Low |

Path matching uses glob syntax with dot-file support — `**/.ssh/**` matches hidden directories at any depth.
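The whitelist-first evaluation described above can be sketched as follows. This is an added example, not Claw Lens code. It assumes that `*` stays within one path segment, that the highest severity wins when several rules match, and that Low maps to sensitive_path and Medium to sensitive_path_medium; the function names are hypothetical.

```python
import re

# (globs, label, severity) copied from the path table above.
RULES = [
    ("**/.openclaw/workspace/** **/.openclaw/agents/**", "OpenClaw", "whitelist"),
    ("**/.ssh/**", "SSH directory", "low"),
    ("**/id_rsa **/id_ed25519 **/id_ecdsa", "SSH private key", "medium"),
    ("**/.env **/.env.*", "Environment file", "medium"),
    ("**/*.env", "Environment file", "low"),
    ("**/*password* **/*secret* **/*credential*",
     "Password / secret / credential file", "medium"),
    ("**/*token*", "Token file", "low"),
    ("**/Library/Keychains/**", "macOS Keychain", "medium"),
    ("**/.netrc", "Netrc credentials", "medium"),
    ("**/.pgpass", "PostgreSQL password file", "medium"),
    ("**/config/credentials.yml*", "Rails credentials", "medium"),
    ("**/*.pem **/*.p12 **/*.pfx", "PEM certificate / PKCS12 keystore", "low"),
]
RANK = {"low": 1, "medium": 2}
# Assumed mapping from severity to the two flag names the page mentions.
FLAG = {"low": "sensitive_path", "medium": "sensitive_path_medium"}


def glob_to_regex(glob):
    """'**/' spans any number of directories; '*' stays inside one segment."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1  # also matches leading dots (dot-file support)
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")


def classify_path(path):
    """Return (flag, label) for a file_read/file_write path, or None."""
    hits = [(sev, label) for globs, label, sev in RULES
            for g in globs.split() if glob_to_regex(g).match(path)]
    if not hits or any(sev == "whitelist" for sev, _ in hits):
        return None  # a whitelist match suppresses all other path rules
    sev, label = max(hits, key=lambda h: RANK[h[0]])
    return FLAG[sev], label
```

A `.env` file under the OpenClaw workspace produces no flag here, while the same file name elsewhere is flagged, which is the noise-suppression behaviour the whitelist exists for.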
The engine evaluates every exec event against two tiers of shell command patterns.

Critical — high risk

These commands are immediately destructive or enable remote code execution. Any match sets the critical_cmd flag and scores the event as high risk.

| Pattern | What it detects |
| --- | --- |
| `rm -rf` | Recursive forced deletion |
| `curl/wget \| bash` or `curl/wget \| sh` | Downloads and executes remote code |
| `chmod +s` | Sets the SUID bit (privilege escalation) |
| `chmod 777` | Makes a file world-writable |
| `dd if=... of=/dev/...` | Writes directly to a block device |
| `iptables -F` | Flushes all firewall rules |
| `mkfs` | Formats a filesystem |
| `echo ... > /etc/` | Writes to system configuration files |

Elevated — medium risk

These commands are not immediately destructive but represent elevated privilege or significant network access. Any match sets the elevated_cmd flag and scores the event as medium risk.

| Pattern | What it detects |
| --- | --- |
| `sudo` | Any command run with elevated privileges |
| `ssh` / `scp` / `rsync` | Remote connections and file transfers |
| `curl` / `wget` | Outbound HTTP requests from a shell command |
| `nc` / `netcat` / `ftp` | Raw network connections |
| `cat .env` / `cat passwd` / `cat shadow` | Reading credential files via shell |
| `chown root` | Changing file ownership to root |

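The two-tier evaluation of exec events can be sketched as follows. This is an added example, not the engine's own code: the regular expressions are assumptions that approximate the table rows, and the rule that the critical tier is checked first (so a piped `curl` is reported once, as critical) is also an assumption.

```python
import re

# Assumed regexes approximating the rows of the two tables above.
CRITICAL = [
    (r"\brm\s+-rf\b", "Recursive forced deletion"),
    (r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b", "Downloads and executes remote code"),
    (r"\bchmod\s+\+s\b", "Sets the SUID bit"),
    (r"\bchmod\s+777\b", "Makes a file world-writable"),
    (r"\bdd\b.*\bif=.*\bof=/dev/", "Writes directly to a block device"),
    (r"\biptables\s+-F\b", "Flushes all firewall rules"),
    (r"\bmkfs\b", "Formats a filesystem"),
    (r"\becho\b.*>\s*/etc/", "Writes to system configuration files"),
]
ELEVATED = [
    (r"\bsudo\b", "Any command run with elevated privileges"),
    (r"\b(?:ssh|scp|rsync)\b", "Remote connections and file transfers"),
    (r"\b(?:curl|wget)\b", "Outbound HTTP requests from a shell command"),
    (r"\b(?:nc|netcat|ftp)\b", "Raw network connections"),
    (r"\bcat\s+\S*(?:\.env|passwd|shadow)\b", "Reading credential files via shell"),
    (r"\bchown\s+root\b", "Changing file ownership to root"),
]
# Tiers in evaluation order: (flag, risk score, rules).
TIERS = [("critical_cmd", "high", CRITICAL), ("elevated_cmd", "medium", ELEVATED)]


def classify_exec(command):
    """Return (flag, risk, reasons) for the highest tier that matches, else None."""
    for flag, risk, rules in TIERS:
        reasons = [why for pattern, why in rules if re.search(pattern, command)]
        if reasons:
            return flag, risk, reasons
    return None
```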
The engine scans text content in agent messages for patterns that suggest an attempt to manipulate the agent’s instructions or extract data. All prompt injection findings are scored as high risk.

| Pattern type | What it detects |
| --- | --- |
| Instruction override | Phrases like “ignore all previous instructions”, “disregard prior rules”, “override system prompt” |
| New instructions | Phrases like “new instructions:”, “updated system prompt:”, “revised directive” |
| Role hijack | Phrases like “you are now”, “act as”, “pretend to be”, “your new role is” |
| Exfiltration request | Instructions to output, reveal, send, or transmit API keys, passwords, secrets, or tokens |
| Exfiltration URL | Instructions to send or upload data to an http:// or https:// URL |
| Base64 / encoded payload | Instructions to base64-decode and execute or eval content |
| Delimiter escape | Patterns like `--- END ---`, `--- SYSTEM ---`, `--- ADMIN ---` used to break prompt boundaries |
| XML injection | XML-style tags like `<system>`, `<admin>`, `<root>`, `<prompt>` injected into content |
| DAN jailbreak | “DAN”, “do anything now”, “developer mode”, or “jailbreak” patterns |

Prompt injection detection runs on the text content the agent receives, including content fetched from external URLs via web_fetch. An injection planted in a web page the agent reads will be caught the same way as one in a user message.
The engine checks exec events for shell command patterns that explicitly send local file content to an external destination. A match sets the exfil_pattern flag and scores the event as high risk.

Command patterns

| Pattern | What it detects |
| --- | --- |
| `curl -F file=@/path URL` | Multipart file upload via curl |
| `curl --data-binary @/path URL` | Binary data upload via curl |
| `curl --upload-file /path URL` | Direct file upload via curl |
| `cat /path \| curl` or `cat /path \| wget` | Pipes file content to a network request |
| `scp /local/file user@remote:` | Outbound SCP file transfer |

Credential escalation detection

When a credential is found in an agent’s tool output (sensitive_data flag), Claw Lens checks the rest of the same session for subsequent web_fetch or web_search events. If any external call follows the exposure in the same session, the finding is flagged as a potential exfiltration path and the status in the credential inventory becomes Exfiltrated.

This detection is correlative: it identifies a plausible exfiltration path (secret exposed, then external call made) rather than confirmed transmission of that specific secret.
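The session correlation described above can be sketched as follows. This is an added example, not Claw Lens code: the `Event` shape, the credential ids and the "Exposed" status name are assumptions, and only "Exfiltrated" comes from the page. The result reflects event ordering only, which is why the detection is correlative.

```python
from dataclasses import dataclass, field

EXTERNAL_TOOLS = {"web_fetch", "web_search"}


@dataclass
class Event:
    session: str
    seq: int                      # position within the session
    tool: str
    flags: set = field(default_factory=set)
    credential: str = ""          # hypothetical inventory id, set on sensitive_data events


def credential_status(events):
    """Map each exposed credential to "Exposed" or "Exfiltrated"."""
    status, exposed = {}, {}      # exposed: session -> credentials seen so far
    for ev in sorted(events, key=lambda e: (e.session, e.seq)):
        if ev.tool in EXTERNAL_TOOLS:
            # An external call after an exposure in the same session escalates it.
            for cred in exposed.get(ev.session, []):
                status[cred] = "Exfiltrated"
        if "sensitive_data" in ev.flags:
            exposed.setdefault(ev.session, []).append(ev.credential)
            status.setdefault(ev.credential, "Exposed")
    return status


# Constructed sample sessions.
SAMPLE = [
    Event("s1", 1, "exec", {"sensitive_data"}, "aws-key"),
    Event("s1", 2, "file_read"),
    Event("s1", 3, "web_fetch"),                            # follows the exposure
    Event("s2", 1, "web_search"),                           # precedes the exposure
    Event("s2", 2, "exec", {"sensitive_data"}, "gh-token"),
    Event("s3", 1, "file_read", {"sensitive_data"}, "db-password"),
]
```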
Anomaly signals compare each agent’s current behavior against its individual baseline, built from the past 30 days of activity. A deviation sets a low-risk flag. Anomaly detection requires an existing baseline — new agents with no history will not generate anomaly flags.

| Signal | Flag | What it checks |
| --- | --- | --- |
| Unusual hours | `anomaly_hour` | Agent is active at an hour not in its top-12 most active hours |
| Unusual volume | `anomaly_volume` | Session tool call count exceeds 3× the agent’s average |
| Unusual path | `anomaly_path` | Agent accessed a filesystem directory not seen in its baseline |
| New domain | `new_domain` | Agent contacted a domain not in its known-domains list (medium risk) |

The baseline captures: top 20 filesystem directories, top 12 active hours of day, average tool calls per session, and all known external domains. Baselines update automatically as new sessions are recorded.
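The baseline and the four signals can be sketched as follows. This is an added example, not Claw Lens code: the session dictionary shape and the function names are assumptions, and the known-domains list is built from the same 30-day window for simplicity.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)


def build_baseline(history, now):
    """Summarise one agent's sessions from the past 30 days; None if there are none."""
    recent = [s for s in history if now - WINDOW <= s["start"] <= now]
    if not recent:
        return None
    hours = Counter(s["start"].hour for s in recent)
    dirs = Counter(d for s in recent for d in s["dirs"])
    return {
        "hours": {h for h, _ in hours.most_common(12)},
        "dirs": {d for d, _ in dirs.most_common(20)},
        "avg_calls": sum(s["tool_calls"] for s in recent) / len(recent),
        "domains": {d for s in recent for d in s["domains"]},
    }


def anomaly_flags(baseline, session):
    """Return [(flag, risk)] for one session; an agent without a baseline gets none."""
    if baseline is None:
        return []
    flags = []
    if session["start"].hour not in baseline["hours"]:
        flags.append(("anomaly_hour", "low"))
    if session["tool_calls"] > 3 * baseline["avg_calls"]:
        flags.append(("anomaly_volume", "low"))
    if any(d not in baseline["dirs"] for d in session["dirs"]):
        flags.append(("anomaly_path", "low"))
    if any(d not in baseline["domains"] for d in session["domains"]):
        flags.append(("new_domain", "medium"))
    return flags


# Constructed sample data: ten sessions at 09:00-11:00 plus one 45-day-old outlier.
NOW = datetime(2024, 6, 30, 12, 0)
HISTORY = [{"start": NOW - timedelta(days=i, hours=1 + i % 3), "tool_calls": 10,
            "dirs": ["/srv/app/src"], "domains": ["api.example.test"]}
           for i in range(1, 11)]
HISTORY.append({"start": NOW - timedelta(days=45, hours=9), "tool_calls": 500,
                "dirs": ["/etc"], "domains": ["api.example.test"]})
BASELINE = build_baseline(HISTORY, NOW)
```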