oh-ashen-one/clawdbot-security-cron.md

## clawdbot-security-cron.md

      
    Raw
  

              clawdbot-security-cron.md
            
          
    🔒 Clawdbot Daily Security Audit Cron

Drop this into your Clawdbot and it'll check your setup daily and alert you to any security issues.
The Cron Job

Name: daily-security-audit
Schedule: 0 9 * * * (9am daily)
Prompt:

DAILY SECURITY AUDIT - ClawdBot

You are a security auditor. Check this ClawdBot instance for vulnerabilities and misconfigurations.

**STEP 1: GATEWAY EXPOSURE**
Run: netstat -tlnp | grep 18789 (Linux) or netstat -an | findstr 18789 (Windows)
- 🔴 CRITICAL if bound to 0.0.0.0 - exposed to internet!
- ✅ SAFE if bound to 127.0.0.1 (loopback only)

**STEP 2: AUTH CHECK**
Read the gateway config and verify:
- gateway.auth.mode should be "token" (not "none")
- Token should be 32+ characters
- 🔴 CRITICAL if auth is disabled or token is weak

**STEP 3: CHANNEL POLICIES**
Check each enabled channel:
- dmPolicy should be "allowlist" or "pairing" (not "open")
- groupPolicy should be "allowlist" (not "open")
- 🔴 HIGH RISK if any policy is "open" - anyone can message your bot

**STEP 4: FILE PERMISSIONS (Linux/Mac only)**
Run: ls -la ~/.clawdbot/
- Directory should be 700 (owner only)
- Config files should be 600
- 🟡 MEDIUM if permissions are too open

**STEP 5: SENSITIVE DATA LOCATIONS**
Check these exist and are protected:
- ~/.clawdbot/credentials/ (channel auth)
- ~/.clawdbot/sessions/*.jsonl (chat history with potential passwords)
- ~/.config/ (API keys)

**STEP 6: NETWORK SCAN (VPS only)**
If on a VPS, check external exposure:
- Run: curl -s ifconfig.me to get public IP
- Check if ports 18789, 18790, 18800 are reachable externally
- 🔴 CRITICAL if gateway ports are publicly accessible

**STEP 7: RECENT SESSION AUDIT**
Scan recent session files for accidentally logged sensitive data:
- Passwords, API keys, wallet seeds
- If found: 🔴 ALERT - recommend clearing sessions

**OUTPUT FORMAT**

🔒 DAILY SECURITY REPORT - [DATE]

Gateway: [✅ SAFE / 🔴 EXPOSED]
Auth: [✅ ENABLED / 🔴 DISABLED]  
DM Policy: [✅ RESTRICTED / 🔴 OPEN]
Group Policy: [✅ RESTRICTED / 🔴 OPEN]
File Perms: [✅ LOCKED / 🟡 CHECK / ❌ N/A Windows]
External Exposure: [✅ NONE / 🔴 EXPOSED / ⚪ LOCAL ONLY]

Issues Found: [X]
[List any issues with recommended fixes]

If ALL green: "✅ All clear! Your ClawdBot is properly secured."
If ANY red: "🚨 ACTION REQUIRED - Fix the issues above ASAP"

Send this report via the configured channel.


How to Add It

Option 1: Via Telegram

Message your bot:
/cron add daily-security-audit "0 9 * * *" [paste the prompt above]

Option 2: Via Config

Add to your clawdbot.json:
{
  "cron": {
    "jobs": [
      {
        "name": "daily-security-audit",
        "schedule": "0 9 * * *",
        "message": "[the prompt above]",
        "deliver": true
      }
    ]
  }
}

What It Catches


Issue
Risk
This Cron Detects It


Gateway bound to 0.0.0.0
🔴 Critical
✅ Yes


Auth disabled
🔴 Critical
✅ Yes


DM policy open
🔴 High
✅ Yes


Group policy open
🔴 High
✅ Yes


Loose file permissions
🟡 Medium
✅ Yes (Linux/Mac)


Ports exposed externally
🔴 Critical
✅ Yes (VPS)


Sensitive data in logs
🟡 Medium
✅ Yes


Recommended Companion Crons

Weekly deep audit:
0 3 * * 0  →  clawdbot security audit --deep

Monthly token rotation reminder:
0 9 1 * *  →  "Reminder: Rotate your gateway token and API keys"


Created by @ashen_one's Clawdbot (Midir) 🐉
Based on security research from @a1i_hasnain

  
## security-cron-copyable.json
{
  "name": "daily-security-audit",
  "schedule": {
    "kind": "cron",
    "expr": "0 9 * * *",
    "tz": "America/Chicago"
  },
  "payload": {
    "kind": "agentTurn",
    "message": "DAILY SECURITY AUDIT\n\nYou are a security auditor. Check this ClawdBot instance for vulnerabilities.\n\n**STEP 1: GATEWAY EXPOSURE**\nCheck what address the gateway is bound to:\n- Linux: netstat -tlnp | grep 18789\n- Windows: netstat -an | findstr 18789\n- macOS: lsof -i :18789\n\nResult:\n- 🔴 CRITICAL if 0.0.0.0 (exposed to internet)\n- ✅ SAFE if 127.0.0.1 (loopback only)\n\n**STEP 2: AUTH CHECK**\nRead gateway config and verify:\n- gateway.auth.mode = \"token\" (not \"none\")\n- Token is 32+ characters\n- 🔴 CRITICAL if auth disabled\n\n**STEP 3: CHANNEL POLICIES**\nFor each channel (telegram, whatsapp, discord, slack):\n- dmPolicy should be \"allowlist\" or \"pairing\"\n- groupPolicy should be \"allowlist\"\n- 🔴 HIGH RISK if \"open\"\n\n**STEP 4: FILE PERMISSIONS (Linux/Mac)**\nRun: ls -la ~/.clawdbot/\n- Directory should be 700\n- Files should be 600\n- 🟡 MEDIUM if too open\n- Skip on Windows\n\n**STEP 5: EXTERNAL EXPOSURE (VPS)**\nIf on cloud/VPS:\n- Get public IP: curl -s ifconfig.me\n- Check if 18789/18790/18800 reachable externally\n- 🔴 CRITICAL if yes\n\n**OUTPUT FORMAT**\n\n🔒 SECURITY REPORT - [DATE]\n\n| Check | Status |\n|-------|--------|\n| Gateway Binding | ✅/🔴 |\n| Auth Enabled | ✅/🔴 |\n| DM Policy | ✅/🔴 |\n| Group Policy | ✅/🔴 |\n| File Permissions | ✅/🟡/N/A |\n| External Exposure | ✅/🔴/LOCAL |\n\n**Issues Found:** [count]\n[List each issue + fix]\n\nIf all green: \"✅ All clear!\"\nIf any red: \"🚨 ACTION REQUIRED\"\n\nSend report to user.",
    "deliver": true
  },
  "isolation": {
    "postToMainMode": "summary",
    "postToMainMaxChars": 500
  }
}
Issue	Risk	This Cron Detects It
Gateway bound to 0.0.0.0	🔴 Critical	✅ Yes
Auth disabled	🔴 Critical	✅ Yes
DM policy open	🔴 High	✅ Yes
Group policy open	🔴 High	✅ Yes
Loose file permissions	🟡 Medium	✅ Yes (Linux/Mac)
Ports exposed externally	🔴 Critical	✅ Yes (VPS)
Sensitive data in logs	🟡 Medium	✅ Yes
	{
	"name": "daily-security-audit",
	"schedule": {
	"kind": "cron",
	"expr": "0 9 * * *",
	"tz": "America/Chicago"
	},
	"payload": {
	"kind": "agentTurn",
	"message": "DAILY SECURITY AUDIT\n\nYou are a security auditor. Check this ClawdBot instance for vulnerabilities.\n\nSTEP 1: GATEWAY EXPOSURE\nCheck what address the gateway is bound to:\n- Linux: netstat -tlnp \| grep 18789\n- Windows: netstat -an \| findstr 18789\n- macOS: lsof -i :18789\n\nResult:\n- 🔴 CRITICAL if 0.0.0.0 (exposed to internet)\n- ✅ SAFE if 127.0.0.1 (loopback only)\n\nSTEP 2: AUTH CHECK\nRead gateway config and verify:\n- gateway.auth.mode = \"token\" (not \"none\")\n- Token is 32+ characters\n- 🔴 CRITICAL if auth disabled\n\nSTEP 3: CHANNEL POLICIES\nFor each channel (telegram, whatsapp, discord, slack):\n- dmPolicy should be \"allowlist\" or \"pairing\"\n- groupPolicy should be \"allowlist\"\n- 🔴 HIGH RISK if \"open\"\n\nSTEP 4: FILE PERMISSIONS (Linux/Mac)\nRun: ls -la ~/.clawdbot/\n- Directory should be 700\n- Files should be 600\n- 🟡 MEDIUM if too open\n- Skip on Windows\n\nSTEP 5: EXTERNAL EXPOSURE (VPS)\nIf on cloud/VPS:\n- Get public IP: curl -s ifconfig.me\n- Check if 18789/18790/18800 reachable externally\n- 🔴 CRITICAL if yes\n\nOUTPUT FORMAT\n\n🔒 SECURITY REPORT - [DATE]\n\n\| Check \| Status \|\n\|-------\|--------\|\n\| Gateway Binding \| ✅/🔴 \|\n\| Auth Enabled \| ✅/🔴 \|\n\| DM Policy \| ✅/🔴 \|\n\| Group Policy \| ✅/🔴 \|\n\| File Permissions \| ✅/🟡/N/A \|\n\| External Exposure \| ✅/🔴/LOCAL \|\n\nIssues Found: [count]\n[List each issue + fix]\n\nIf all green: \"✅ All clear!\"\nIf any red: \"🚨 ACTION REQUIRED\"\n\nSend report to user.",
	"deliver": true
	},
	"isolation": {
	"postToMainMode": "summary",
	"postToMainMaxChars": 500
	}
	}