Greyline: Deployment Hardener

135,000+ OpenClaw instances are publicly reachable with insecure defaults. The ClawHavoc supply chain attack exploited exactly this; default gateway tokens, unrestricted skill installation from unofficial registries, and no audit logging. Operators had no idea their instances were compromised until the damage was done.

Greyline: Deployment Hardener runs a 15-check security audit against any OpenClaw instance. Each check covers a specific misconfiguration class: exposed gateway endpoints, default credentials, unprotected admin routes, open filesystem access, missing sandbox mode, unencrypted credential storage, permissive network policies, missing audit logging, and more. Every finding is classified by severity (CRITICAL, HIGH, or MEDIUM) and paired with the exact remediation command to fix it.

The audit ends with a prioritized remediation order and an overall active exploitation risk assessment. If a check reveals signs of active compromise, the audit halts and surfaces an escalation alert before continuing.

Use cases:

New instance setup: Run before you install your first skill or connect your first integration. Establish a clean baseline.

Post-incident review: Run after any suspected compromise to identify the entry vector and confirm the scope of misconfiguration.

Regular hardening audits: Run quarterly or after any significant configuration change to verify controls have not drifted.

Team handoffs: Run when an instance moves from development to production or transfers between operators.

Who it's for:

Individual developers running local OpenClaw instances for automation

Teams operating shared OpenClaw instances behind internal tooling

Operators deploying OpenClaw in cloud environments (EC2, Fly.io, Railway, self-hosted VPS)

Security-conscious users who read the ClawHavoc post-mortem and want to verify their exposure