> ## Documentation Index
> Fetch the complete documentation index at: https://claw-lens.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit Rules

> Reference for all built-in detection rules active in the Security Audit engine.

<Note>
  Security Audit is a beta feature. Detection coverage and UI are evolving — feedback is welcome.
</Note>

The **Audit Rules** tab shows every detection rule the audit engine is currently running. Rules are read-only — they reflect the live configuration and cannot be modified from the dashboard. This page documents each rule category in detail.

<AccordionGroup>
  <Accordion title="Sensitive paths">
    The engine checks every `file_read` and `file_write` event against glob patterns that match files likely to contain secrets or credentials. A match raises a `sensitive_path` or `sensitive_path_medium` risk flag.

    The OpenClaw workspace paths are **whitelisted** — they are checked first, and any match suppresses all other path rules. This prevents normal agent workspace reads from generating noise.

    | Pattern                                           | Label                               | Severity               |
    | ------------------------------------------------- | ----------------------------------- | ---------------------- |
    | `**/.openclaw/workspace/**`                       | OpenClaw workspace                  | Whitelisted (no alert) |
    | `**/.openclaw/agents/**`                          | OpenClaw agent data                 | Whitelisted (no alert) |
    | `**/.ssh/**`                                      | SSH directory                       | Low                    |
    | `**/id_rsa`, `**/id_ed25519`, `**/id_ecdsa`       | SSH private key                     | Medium                 |
    | `**/.env`, `**/.env.*`                            | Environment file                    | Medium                 |
    | `**/*.env`                                        | Environment file                    | Low                    |
    | `**/*password*`, `**/*secret*`, `**/*credential*` | Password / secret / credential file | Medium                 |
    | `**/*token*`                                      | Token file                          | Low                    |
    | `**/Library/Keychains/**`                         | macOS Keychain                      | Medium                 |
    | `**/.netrc`                                       | Netrc credentials                   | Medium                 |
    | `**/.pgpass`                                      | PostgreSQL password file            | Medium                 |
    | `**/config/credentials.yml*`                      | Rails credentials                   | Medium                 |
    | `**/*.pem`, `**/*.p12`, `**/*.pfx`                | PEM certificate / PKCS12 keystore   | Low                    |

    Path matching uses glob syntax with dot-file support — `**/.ssh/**` matches hidden directories at any depth.
  </Accordion>

  <Accordion title="Dangerous commands">
    The engine evaluates every `exec` event against two tiers of shell command patterns.

    **Critical — high risk**

    These commands are immediately destructive or enable remote code execution. Any match sets the `critical_cmd` flag and scores the event as high risk.

    | Pattern                                  | What it detects                          |
    | ---------------------------------------- | ---------------------------------------- |
    | `rm -rf`                                 | Recursive forced deletion                |
    | `curl/wget \| bash` or `curl/wget \| sh` | Downloads and executes remote code       |
    | `chmod +s`                               | Sets the SUID bit (privilege escalation) |
    | `chmod 777`                              | Makes a file world-writable              |
    | `dd if=... of=/dev/...`                  | Writes directly to a block device        |
    | `iptables -F`                            | Flushes all firewall rules               |
    | `mkfs`                                   | Formats a filesystem                     |
    | `echo ... > /etc/`                       | Writes to system configuration files     |

    **Elevated — medium risk**

    These commands are not immediately destructive but represent elevated privilege or significant network access. Any match sets the `elevated_cmd` flag and scores the event as medium risk.

    | Pattern                                  | What it detects                             |
    | ---------------------------------------- | ------------------------------------------- |
    | `sudo`                                   | Any command run with elevated privileges    |
    | `ssh` / `scp` / `rsync`                  | Remote connections and file transfers       |
    | `curl` / `wget`                          | Outbound HTTP requests from a shell command |
    | `nc` / `netcat` / `ftp`                  | Raw network connections                     |
    | `cat .env` / `cat passwd` / `cat shadow` | Reading credential files via shell          |
    | `chown root`                             | Changing file ownership to root             |
  </Accordion>

  <Accordion title="Prompt injection patterns">
    The engine scans text content in agent messages for patterns that suggest an attempt to manipulate the agent's instructions or extract data. All prompt injection findings are scored as **high** risk.

    | Pattern type             | What it detects                                                                                    |
    | ------------------------ | -------------------------------------------------------------------------------------------------- |
    | Instruction override     | Phrases like "ignore all previous instructions", "disregard prior rules", "override system prompt" |
    | New instructions         | Phrases like "new instructions:", "updated system prompt:", "revised directive"                    |
    | Role hijack              | Phrases like "you are now", "act as", "pretend to be", "your new role is"                          |
    | Exfiltration request     | Instructions to output, reveal, send, or transmit API keys, passwords, secrets, or tokens          |
    | Exfiltration URL         | Instructions to send or upload data to an `http://` or `https://` URL                              |
    | Base64 / encoded payload | Instructions to base64-decode and execute or eval content                                          |
    | Delimiter escape         | Patterns like `--- END ---`, `--- SYSTEM ---`, `--- ADMIN ---` used to break prompt boundaries     |
    | XML injection            | XML-style tags like `<system>`, `<admin>`, `<root>`, `<prompt>` injected into content              |
    | DAN jailbreak            | "DAN", "do anything now", "developer mode", or "jailbreak" patterns                                |

    <Info>
      Prompt injection detection runs on the text content the agent receives, including content fetched from external URLs via `web_fetch`. An injection planted in a web page the agent reads will be caught the same way as one in a user message.
    </Info>
  </Accordion>

  <Accordion title="Data exfiltration detection">
    The engine checks `exec` events for shell command patterns that explicitly send local file content to an external destination. A match sets the `exfil_pattern` flag and scores the event as **high** risk.

    **Command patterns**

    | Pattern                                    | What it detects                         |
    | ------------------------------------------ | --------------------------------------- |
    | `curl -F file=@/path URL`                  | Multipart file upload via curl          |
    | `curl --data-binary @/path URL`            | Binary data upload via curl             |
    | `curl --upload-file /path URL`             | Direct file upload via curl             |
    | `cat /path \| curl` or `cat /path \| wget` | Pipes file content to a network request |
    | `scp /local/file user@remote:`             | Outbound SCP file transfer              |

    **Credential escalation detection**

    When a credential is found in an agent's tool output (`sensitive_data` flag), Claw Lens checks the rest of the same session for subsequent `web_fetch` or `web_search` events. If any external call follows the exposure in the same session, the finding is flagged as a potential exfiltration path and the status in the credential inventory becomes **Exfiltrated**.

    This detection is correlative — it identifies a plausible exfiltration path (secret exposed, then external call made) rather than confirmed transmission of that specific secret.
  </Accordion>

  <Accordion title="Anomaly detection">
    Anomaly signals compare each agent's current behavior against its individual baseline, built from the past 30 days of activity. A deviation sets a low-risk flag. Anomaly detection requires an existing baseline — new agents with no history will not generate anomaly flags.

    | Signal         | Flag             | What it checks                                                       |
    | -------------- | ---------------- | -------------------------------------------------------------------- |
    | Unusual hours  | `anomaly_hour`   | Agent is active at an hour not in its top-12 most active hours       |
    | Unusual volume | `anomaly_volume` | Session tool call count exceeds 3× the agent's average               |
    | Unusual path   | `anomaly_path`   | Agent accessed a filesystem directory not seen in its baseline       |
    | New domain     | `new_domain`     | Agent contacted a domain not in its known-domains list (medium risk) |

    The baseline captures: top 20 filesystem directories, top 12 active hours of day, average tool calls per session, and all known external domains. Baselines update automatically as new sessions are recorded.
  </Accordion>
</AccordionGroup>
