Continuously scans Docker images, dependencies, network ports, SSL/TLS, and OpenClaw config for CVEs; alerts via WhatsApp, Telegram, or Discord.
# threat-radar — Continuous Security Scanning & CVE Alerting
**Version:** 1.0.0
**Category:** Security
**Type:** Monitoring + Alerting
**Published:** February 24, 2026
---
## What It Does
Continuous security posture monitoring that scans your running services, Docker images, and software dependencies for known CVEs. Alerts you via WhatsApp/Telegram/Discord when new vulnerabilities affect your stack.
**No external services required** — runs entirely within OpenClaw using public CVE feeds.
---
## Features
### Security Scanning
- **Docker image vulnerability scanning** — trivy-style CVE detection for your container images
- **Dependency auditing** — npm, pip, cargo lockfile analysis for known vulnerabilities
- **Port discovery** — identifies exposed services on your local network
- **SSL/TLS grading** — evaluates certificate validity and security config
- **OpenClaw config security** — checks your OpenClaw setup against best practices
- **Exposed service detection** — flags accidentally public services
### CVE Monitoring
- **Automatic CVE feeds** — pulls from NVD (National Vulnerability Database) and GitHub Advisories
- **Track your versions** — matches CVEs to YOUR installed software versions
- **Severity-based alerting** — CRITICAL immediately, HIGH in daily digest, LOW weekly summary
- **Recovery tracking** — knows when you patch and closes alerts
### Reporting
- **Weekly security digest** — Canvas dashboard or markdown report
- **Trend tracking** — is your security posture improving?
- **Remediation suggestions** — actionable fixes per finding
- **CWE references** — understand the vulnerability class
---
## Commands
### Scanning
```bash
threat-radar scan # Full security scan now
threat-radar scan --docker # Docker images only
threat-radar scan --deps <path> # Dependency audit (npm/pip/cargo)
threat-radar scan --ports # Port scan (local network)
threat-radar scan --ssl <domain> # SSL certificate check
threat-radar scan --openclaw # OpenClaw config check
threat-radar scan --exposed # Check for accidentally public services
```
### CVE Tracking
```bash
threat-radar cves # Show CVEs affecting your stack
threat-radar cves --critical # Only CRITICAL severity
threat-radar cves --since <days> # New CVEs in last N days
threat-radar watch <software> <v> # Track specific software version
threat-radar unwatch <software> # Stop tracking
threat-radar watches # List all watched software
```
### Reporting
```bash
threat-radar report # Generate full security report
threat-radar report --period=week # Weekly summary
threat-radar report --period=month # Monthly summary
threat-radar status # Quick security status
threat-radar history # View past scans
threat-radar trends # Posture improvement tracking
```
### Management
```bash
threat-radar init # Initialize threat-radar
threat-radar config show # Show current configuration
threat-radar config update # Update scan settings
threat-radar cron-install # Set up scheduled daily scans + CVE checks
threat-radar cron-remove # Remove scheduled scans
threat-radar data-refresh # Force CVE database refresh
```
### Output
All commands support:
- `--json` — machine-readable JSON output
- `--csv` — comma-separated for spreadsheet import
- `--md` — markdown for reports
- `--no-color` — plain text (useful for logs)
---
## Example Usage
### Initial Setup
```bash
$ threat-radar init
✓ Initialized threat-radar
✓ Created ~/.openclaw/workspace/monitoring/threat-radar/
✓ Pulled CVE databases (NVD: 245,891 entries, GitHub: 14,329 advisories)
✓ Scanned Docker images: 3 images, 0 vulnerabilities found
✓ Scanned dependencies: npm 487 packages, pip 89 packages — 2 warnings
✓ Security score: 87/100
Ready to scan. Try: threat-radar scan --docker
```
### Full Security Scan
```bash
$ threat-radar scan
Scanning security posture...
[DOCKER IMAGES] ─────────────────────────────────────────
openclaw-agent:latest 0 CVEs ✓ Clean
postgres:15 2 CVEs ⚠ Medium (libc, OpenSSL)
redis:latest 0 CVEs ✓ Clean
[DEPENDENCIES] ──────────────────────────────────────────
npm (workspace root) 3 CVEs ⚠ 1 High, 2 Medium
- lodash@4.17.19 CVE-2021-23337 (High: Prototype pollution)
- axios@0.21.0 CVE-2021-41773 (Medium: XXE in parser)
- ws@7.4.0 CVE-2021-32640 (Medium: Buffer overflow)
[PORTS] ──────────────────────────────────────────────────
192.168.1.50:80 (nginx) ✓ Private network
192.168.1.50:443 (nginx) ✓ Private network
10.10.10.230:6379 (redis) ✓ Private network
[SSL/TLS] ────────────────────────────────────────────────
openclaw.local Grade A Valid until Jun 24, 2026 ✓
example.com Grade B Warning: no HSTS header
[OPENCLAW CONFIG] ────────────────────────────────────────
agentToAgent permissions ✓ Restricted (not [*])
Credential file permissions ✓ 600 (not world-readable)
Memory file permissions ✓ 600
Gateway auth enabled ✓ Yes
Sandbox restrictions ⚠ exec-sandbox: false (accepted risk)
[EXPOSED SERVICES] ───────────────────────────────────────
0 accidentally public services found ✓
SUMMARY
──────
Security Score: 82/100 (down 5 points from 87 on 2026-02-23)
Critical CVEs: 0
High CVEs: 1 (lodash)
Medium CVEs: 4 (axios, ws, libc, OpenSSL)
Low CVEs: 2
Estimated fix time: 2 hours (update npm packages)
Next scan: 2026-02-25 09:00 UTC (via cron)
```
### CVE Tracking
```bash
$ threat-radar cves --critical
Critical vulnerabilities affecting your stack:
None currently. Your environment is clean at this severity level.
$ threat-radar cves
CVEs affecting your stack:
[HIGH] ──────────────────────────────────────────────────
CVE-2021-23337 (lodash)
Package: lodash 4.17.19
Component: Prototype pollution
Fix: upgrade to 4.17.21 (available now)
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-23337
Status: UNFIXED (discovered 5 days ago)
[MEDIUM] ────────────────────────────────────────────────
CVE-2021-41773 (axios)
Package: axios 0.21.0
Component: XXE in parameter parser
Fix: upgrade to 0.27.0+ (available now)
Status: UNFIXED (discovered 3 days ago)
CVE-2021-32640 (ws)
Package: ws 7.4.0
Component: Buffer overflow in frame parsing
Fix: upgrade to 8.0.0+ (available now)
Status: UNFIXED
CVE-2023-4807 (libc - in postgres:15 image)
Component: Memory corruption in glibc malloc
Fix: Rebuild image from postgres:15-alpine (fixed base image)
Status: UNFIXED (image vulnerability)
CVE-2024-1086 (OpenSSL - in postgres:15 image)
Component: Key recovery in RSA operations
Fix: Update Dockerfile to postgres:16 (has patch)
Status: UNFIXED (image vulnerability)
View details: threat-radar cves <CVE-ID>
Set alert threshold: threat-radar config update --alert-level=medium
```
### Weekly Report
```bash
$ threat-radar report --period=week
┌─ SECURITY POSTURE REPORT (Feb 18 - Feb 24, 2026) ─────────────────────┐
│ │
│ Overall Score: 82/100 (was 85/100 on Feb 17) │
│ │
│ Metrics ──────────────────────────────────────────────────────────── │
│ Critical CVEs: 0 (↓ 0) │
│ High CVEs: 1 (↑ 1, new: lodash) │
│ Medium CVEs: 4 (↔ 4) │
│ Low CVEs: 2 (↓ 1, patched: urllib3) │
│ Unfixed vulnerabilities: 7 (↑ 2) │
│ Average fix time: 1.8 hours (was 1.2) │
│ │
│ Trend Analysis ───────────────────────────────────────────────────── │
│ Feb 17 (85/100) ↓ Feb 18 (83/100) ↓ Feb 19 (82/100) ↔ Feb 24 │
│ ⚠ Declining trend: +2 new CVEs found, zero patches applied │
│ │
│ Action Items ──────────────────────────────────────────────────────── │
│ 1. npm audit fix — 3 packages, 15 min │
│ 2. Update postgres:15 — rebuild from latest, 10 min │
│ 3. Review HSTS config — grade B on example.com │
│ │
│ Docker Images (3 scanned) ────────────────────────────────────────── │
│ openclaw-agent:latest ✓ 0 CVEs │
│ postgres:15 ⚠ 2 CVEs (libc, OpenSSL) │
│ redis:latest ✓ 0 CVEs │
│ │
│ Dependencies (npm + pip) ──────────────────────────────────────────── │
│ npm (workspace root) ⚠ 3 High + Medium CVEs │
│ lodash, axios, ws │
│ pip (python deps) ✓ 0 CVEs │
│ │
│ Port Security (7 ports) ──────────────────────────────────────────── │
│ All ports on private network (10.0.0.0/8, 192.168.0.0/16) ✓ │
│ │
│ Next Actions ──────────────────────────────────────────────────────── │
│ □ Run: npm audit fix │
│ □ Update base images: postgres:16 or postgres:15-alpine │
│ □ Run: threat-radar scan (verify fixes) │
│ │
│ Alert Settings ────────────────────────────────────────────────────── │
│ Critical: Alert immediately via WhatsApp │
│ High: Daily digest (at 09:00 UTC) │
│ Medium: Weekly report │
│ Low: Suppress (monthly audit only) │
│ │
└─────────────────────────────────────────────────────────────────────────┘
To apply remediations: threat-radar remediate --auto-npm
To stop alerts: threat-radar config update --alert-level=critical
```
### Scheduled Scanning
```bash
$ threat-radar cron-install
✓ Installed daily security scan (09:00 UTC)
✓ Installed CVE feed refresh (every 6 hours)
✓ Installed weekly report (Monday 08:00 UTC)
✓ WhatsApp alerts: CRITICAL (immediate), HIGH (daily digest)
Cron schedule:
- threat-radar scan → daily 09:00 UTC
- threat-radar data-refresh → every 6h (00:00, 06:00, 12:00, 18:00 UTC)
- threat-radar report → Monday 08:00 UTC
View logs: threat-radar logs [--tail=50]
```
---
## Installation
```bash
clawhub install threat-radar
```
## Configuration
Threat-radar stores config in `~/.openclaw/workspace/monitoring/threat-radar/config.json`:
```json
{
"scan_paths": {
"docker_images": true,
"dependencies": ["npm", "pip"],
"ports": true,
"ssl_domains": ["example.com", "openclaw.local"],
"openclaw_check": true,
"exposed_scan": true
},
"alerts": {
"critical": "immediate",
"high": "daily_digest",
"medium": "weekly",
"low": "suppress"
},
"cve_feeds": ["nvd", "github"],
"max_age_days": 30,
"local_network_cidrs": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
"ignored_cves": [],
"watched_software": {}
}
```
Edit with: `threat-radar config update`
---
## How It Works
1. **Initialization** — Downloads latest CVE databases from NVD + GitHub Advisories (~500KB)
2. **Scanning** — Runs 7 security checks in parallel:
- Docker image analysis (hashes vs CVE DB)
- Dependency file parsing (npm/pip/cargo) → version extraction
- Port scan (local network only, non-invasive)
- SSL cert validation
- Service exposure check (looks for :80, :443, :8080, etc. on public IPs)
- OpenClaw config audit
3. **CVE Matching** — Compares detected versions against CVE database
4. **Alerting** — Dispatches alerts based on severity + cooldown
5. **History** — Stores scan results in SQLite (trend analysis)
**Performance:** Full scan ~30 seconds. CVE refresh ~10 seconds. Optimized for homelab scale.
---
## Integration with Other Skills
- **With infra-watchdog** — threat-radar feeds security events into watchdog alerts
- **With ops-journal** — CVE findings auto-logged for incident correlation
- **With daily-maintenance.sh** — integrated as Phase 8 (security scanning)
---
## Security Notes
- **Offline mode** — scans work without internet after initial CVE download
- **No credential exposure** — never scans credentials (security-hardener handles that)
- **Local network only** — port scanning stays within your private networks
- **Privacy** — no data sent external except NVD API calls (CVE checking)
---
## Troubleshooting
**Q: "CVE database outdated" warning**
A: Run `threat-radar data-refresh` to pull latest feeds
**Q: Scan is slow**
A: Disable slow checks: `threat-radar config update --skip-ports`
**Q: Too many alerts**
A: Adjust severity: `threat-radar config update --alert-level=high`
**Q: False positive CVE**
A: Mark as accepted risk: `threat-radar ignore CVE-XXXX-XXXXX`
---
## What's Next
- **Real-time CVE feed** (when a new vulnerability drops affecting you, know in minutes)
- **Remediation automation** (auto-file PRs to update dependencies)
- **Integration with vulnerability scanners** (nessus, qualys API)
---
## Support
For issues: Check `~/.openclaw/workspace/monitoring/threat-radar/threat-radar.log`
```bash
threat-radar logs --tail=100
threat-radar logs --follow # Real-time logging
```
---
**Built for OpenClaw agents running homelab infrastructure.**
don't have the plugin yet? install it then click "run inline in claude" again.
added explicit 10-step procedure with input/output per step, defined external api connections with auth requirements and rate limits, created detailed decision trees for offline fallback, permission errors, alert delivery failures, and edge cases like expired certs and high-effort remediations, specified output contracts for all command formats and file locations, and clarified outcome signals for each major workflow.
threat-radar runs continuous security posture monitoring across your docker images, software dependencies, exposed network ports, ssl/tls certificates, and openclaw configuration. it matches detected versions against public cve feeds (nvd, github advisories) and alerts you immediately for critical vulnerabilities, daily for high-severity issues, and weekly for lower-severity findings via whatsapp, telegram, or discord. use this when you need automated detection of known vulnerabilities in your running infrastructure without relying on external scanning services.
internal context:
external connections:
configuration file:
initialize threat-radar and pull cve databases
scan docker images for vulnerabilities
docker images --format jsonaudit dependencies (npm, pip, cargo) for known vulnerabilities
discover and classify exposed network ports
validate ssl/tls certificates
audit openclaw agent configuration
match detected versions against cve database and compute security score
dispatch alerts based on severity and cooldown
store scan results and compute trends
generate security report (weekly, monthly, or on-demand)
if cve database is stale (older than 6 hours):
threat-radar data-refresh, fail with actionable error (check internet, check api rate limits)if docker daemon is unavailable:
if dependency lockfile not found at configured path:
if cve match has conflicting severity ratings across sources (nvd vs. github):
if alert delivery fails (whatsapp/telegram/discord api returns 4xx or 5xx):
if user has not configured any alert channel (no env vars set):
threat-radar cves commandif ignored_cves list contains a cve that later re-appears in database with higher severity:
if scan detects a port open on a public ip (not in local_network_cidrs):
if ssl certificate is expired:
if remediation time estimate exceeds 8 hours:
if user runs threat-radar remediate --auto-npm and lockfile is read-only:
scan output (threat-radar scan):
cve output (threat-radar cves):
report output (threat-radar report):
config output (threat-radar config show):
log output (threat-radar logs):
alert payload (whatsapp, telegram, discord):
database (sqlite):
you know the skill worked when:
after running threat-radar init, you see output confirming cve databases downloaded (entry counts displayed), initial scan completed, and security score calculated.
after running threat-radar scan, a report appears in terminal showing all 7 check types (docker, deps, ports, ssl, openclaw, exposed services) with clear pass/fail indicators per finding.
after configuring alert channels (env vars set) and running a scan with findings, you receive a message on whatsapp, telegram, or discord within 10 seconds for critical severity, or queued in daily/weekly digest for lower severities.
after running threat-radar report --period=week, a markdown or json report file is created in ~/.openclaw/workspace/monitoring/threat-radar/reports/ showing security score trend, actionable remediation items, and link counts.
after running threat-radar cron-install, cron jobs appear in crontab output showing daily scan at 09:00 utc, cve feed refresh every 6 hours, and weekly report on mondays.
when you patch a vulnerability (e.g., npm audit fix) and run threat-radar scan again, the cve count decreases, the security score increases, and the old cve no longer appears in threat-radar cves output.
when you check logs via threat-radar logs --tail=20, you see entries for each scan step (docker scan, dep audit, port scan, ssl check, openclaw audit, cve matching, alert dispatch) with no error lines, or error lines clearly explaining what failed and why.
if a critical vulnerability is discovered affecting your stack (e.g., new cve released that matches your postgres version), you receive an immediate alert on your configured channel within 10 seconds of the next scheduled cve feed refresh.