Security Audit is a beta feature. Detection coverage and UI are evolving — feedback is welcome.
Security Audit continuously scans your OpenClaw agent sessions and surfaces security-relevant events in one place. Every tool call your agents make — file reads, shell commands, web requests — is evaluated against a set of detection rules and scored for risk. You get a filterable timeline, per-agent verdicts, a credential inventory, and a view of all active detection rules without leaving the dashboard.

Event types

The audit engine tracks five event types across all agent sessions:
| Event type | Tool(s) | What it covers |
| --- | --- | --- |
| file_read | read, image | Files read by the agent, including images |
| file_write | write | Files created by the agent |
| file_edit | edit | Files modified by the agent |
| exec | bash, exec, computer | Shell commands and system-level actions executed by the agent |
| web_fetch | web_fetch | Outbound HTTP requests made by the agent |
| web_search | web_search | Web search queries issued by the agent |

KPI strip

At the top of the page, three counters give you an at-a-glance summary of the current state:
  • High risk — events scored at level 3: confirmed exfiltration paths, critical shell commands, or prompt injection
  • Medium risk — events scored at level 2: credential exposure, elevated commands, or unknown domains
  • Low risk — events scored at level 1: sensitive file access, behavioral anomalies
See Event Risk Scoring for the full breakdown of what triggers each level.

Tabs

The audit page has four tabs.

Timeline

The Timeline tab shows a filterable feed of every flagged event across all sessions. Four filter rows let you narrow the view:
  • Agent — select a specific agent or view all
  • Risk — filter to high, medium, or low events only
  • Event type — filter by file_read, exec, web_fetch, and so on
  • Time — today, last 7 days, last 30 days, or all time
Each event in the feed shows the agent, timestamp, event type, risk level, and the target (file path, URL, or command). Click an event to see its full detail, including matched risk flags and any associated findings.
You can dismiss individual findings from the event detail view. Dismissing a finding marks it as reviewed and removes it from active counts, but keeps it in the record.

Agent Security

The Agent Security tab shows a per-agent security summary. For each agent you’ll see:
  • Risk Level: safe, caution, or unsafe (see Risk Scoring for how levels are assigned)
  • Network Trust — describes the agent’s network behavior:
    • local — the agent made no external network calls
    • transparent — the agent made external calls, all to known domains
    • opaque — the agent contacted unknown domains or triggered an exfiltration pattern
  • Footprint — which tools the agent used, which directories it accessed, and which external domains it contacted
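
The Network Trust and Footprint fields described above can be derived from raw tool-call records along these lines. This is an added illustration, not OpenClaw's implementation; the record fields (`agent`, `tool`, `target`, `exfil_flag`), the `KNOWN_DOMAINS` allowlist, and the choice to count `web_search` as an external call are assumptions.

```python
import posixpath
from collections import defaultdict
from urllib.parse import urlparse

# Tool -> event type, copied from the Event types table on this page.
TOOL_EVENT = {
    "read": "file_read", "image": "file_read", "write": "file_write",
    "edit": "file_edit", "bash": "exec", "exec": "exec", "computer": "exec",
    "web_fetch": "web_fetch", "web_search": "web_search",
}
# Assumption: a local allowlist standing in for the product's "known domains".
KNOWN_DOMAINS = {"api.github.com", "pypi.org"}

def summarize(calls, known=KNOWN_DOMAINS):
    """Per agent: network trust (local/transparent/opaque) plus footprint."""
    acc = defaultdict(lambda: {"tools": set(), "dirs": set(), "domains": set(),
                               "external": False, "exfil": False})
    for call in calls:
        a, event = acc[call["agent"]], TOOL_EVENT.get(call["tool"])
        a["tools"].add(call["tool"])
        if event in ("file_read", "file_write", "file_edit"):
            a["dirs"].add(posixpath.dirname(call["target"]))
        elif event == "web_fetch":
            # An unparseable URL yields "" which is never allowlisted (fails closed).
            a["domains"].add((urlparse(call["target"]).hostname or "").lower())
            a["external"] = True
        elif event == "web_search":
            a["external"] = True  # assumption: a search counts as an external call
        # "exfil_flag" is a hypothetical field marking a matched exfiltration rule.
        a["exfil"] = a["exfil"] or bool(call.get("exfil_flag"))
    result = {}
    for agent, a in acc.items():
        if a["exfil"] or any(d not in known for d in a["domains"]):
            trust = "opaque"        # unknown domain or exfiltration pattern
        elif a["external"]:
            trust = "transparent"   # external calls, all to known domains
        else:
            trust = "local"         # no external network calls
        result[agent] = {"network_trust": trust, "tools": sorted(a["tools"]),
                         "directories": sorted(a["dirs"]), "domains": sorted(a["domains"])}
    return result

# Constructed sample records (not real OpenClaw session data).
SAMPLE_CALLS = [
    {"agent": "builder", "tool": "read", "target": "/srv/app/README.md"},
    {"agent": "builder", "tool": "bash", "target": "make test"},
    {"agent": "fetcher", "tool": "web_fetch", "target": "https://pypi.org/simple/requests/"},
    {"agent": "scout", "tool": "web_fetch", "target": "https://files.example.net/upload"},
    {"agent": "scout", "tool": "web_fetch", "target": "https://api.github.com/repos"},
]
```

A single unknown domain is enough to move an agent to opaque, even when its other requests go to allowlisted hosts.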

Credentials

The Credentials tab aggregates all credential and secret exposures detected across sessions into a single inventory, grouped by credential type. See Credential Inventory for the full column reference and what to do when a credential is flagged.

Audit Rules

The Audit Rules tab shows the detection rules currently active. Rules are read-only — they give you transparency on what the engine is actually checking. See Audit Rules for the complete rule reference.