back
loading skill details...
Assess your Agent deployment against security risks using Trent.
---
name: trent-openclaw-security
description: Assess your Agent deployment against security risks using Trent.
version: 1.3.0
homepage: https://trent.ai
user-invocable: true
tags:
- trentai
- trent
- trentclaw
- security
- assessment
- threat-modeling
metadata:
openclaw:
requires:
env:
- TRENT_API_KEY
optionalEnv:
- TRENT_CHAT_API_URL
- TRENT_AGENT_API_URL
- OPENCLAW_WORKSPACE
primaryEnv: TRENT_API_KEY
---
# Trent OpenClaw Security Assessment
Audit your OpenClaw deployment for security risks. Identifies misconfigurations,
chained attack paths, and provides severity-rated findings with fixes.
## Setup
All tools are bundled — no external installer needed.
Set the `TRENT_API_KEY` environment variable. Get a key at https://trent.ai/openclaw/
## Instructions
This audit runs in three phases. Run them in order.
All Python snippets below are wrapped in a bash heredoc that sets
`PYTHONPATH` to the skill's `scripts/` directory. OpenClaw substitutes
`{baseDir}` with the skill's install path before the snippet runs, so
`openclaw_trent` is importable regardless of the current working directory.
Run each block exactly as shown.
### Phase 1 — Configuration Audit
Collect metadata and send to Trent for analysis:
```bash
cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
from openclaw_trent.openclaw_config.collector import collect_openclaw_metadata
from openclaw_trent.lib.audit_prompt import build_audit_prompt
from openclaw_trent.lib import trent_client
metadata = collect_openclaw_metadata()
message = build_audit_prompt(metadata)
response = trent_client.chat(message=message)
PY
```
Save `response["thread_id"]` for Phase 3.
Present findings grouped by severity (see "Present results" below).
Summarize: "Phase 1 complete. N findings from configuration analysis.
Phase 2 will scan your skills for deeper analysis — I'll show you exactly
what would be uploaded before anything is sent. Ready to continue?"
Optional: specify a custom config path. Same wrapper as the main Phase 1
block; replace the `metadata = …` line with:
```python
from pathlib import Path
metadata = collect_openclaw_metadata(openclaw_path=Path("/path/to/openclaw/config"))
```
### Phase 2 — Skill Upload
Scan the workspace first (nothing is uploaded yet):
```bash
cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
from openclaw_trent.lib.package_skills import scan_workspace
skills = scan_workspace()
PY
```
Present what was found and how it will be protected. Example:
> I found N skills in your workspace:
>
> | Skill | Type | Size |
> |---|---|---|
> | skill-name | installed-skill | 12KB |
>
> Before upload, each skill is packaged with its source code and metadata
> (name, version, dependencies). Files like .env, .pem, .key, and .db are
> excluded, and secrets in standard formats (API keys, tokens, AWS credentials,
> connection strings) are automatically redacted locally. If you use custom
> secret formats, keep them in environment variables rather than hard-coded
> in skill files.
>
> Ready to upload?
Use the `secrets_redacted` field — if any skills had secrets redacted,
mention which ones in the table or below it.
**Wait for the user to confirm before uploading.**
After user confirms, upload:
```bash
cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
from openclaw_trent.lib.upload_skills import upload_packaged_skills
upload_summary = upload_packaged_skills(skills)
PY
```
Present the upload summary:
- How many skills were uploaded, skipped (unchanged), failed, or too large
- List each skill by name and status
If all uploads failed, report the errors and stop. Otherwise proceed.
Summarize: "Phase 2 complete. N skills uploaded. Proceeding to deep skill analysis..."
### Phase 3 — Deep Skill Analysis
Analyse each uploaded skill using the thread ID from Phase 1:
```bash
cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
from openclaw_trent.lib.prompts import build_per_skill_analysis_prompt
from openclaw_trent.lib import trent_client
thread_id = "<THREAD_ID from Phase 1>"
for skill in upload_summary["skills"]:
if skill["status"] in ("uploaded", "skipped"):
prompt = build_per_skill_analysis_prompt(skill)
result = trent_client.chat(message=prompt, thread_id=thread_id)
PY
```
Each request uses the Phase 1 thread ID so the advisor has full
context from the configuration audit.
Present the deep analysis results alongside the Phase 1 findings.
### Inspect system context separately
To view the system analysis data without running a full audit:
```bash
cd "{baseDir}"
PYTHONPATH="{baseDir}/scripts:${PYTHONPATH:-}" python3 - <<'PY'
import json
from openclaw_trent.lib.system_analyzer import collect_system_analysis
result = collect_system_analysis()
print(json.dumps(result, indent=2))
PY
```
This returns channel configuration and installed skill names.
Useful for debugging or verifying what data is sent.
### Present results
Format findings grouped by severity:
- **CRITICAL**: Immediate action required
- **HIGH**: Fix soon
- **MEDIUM**: Recommended improvement
- **LOW**: Minor hardening
For each finding show: the risk, where it was found, and the exact fix.
Highlight **chained attack paths** — where multiple settings combine to create worse outcomes.
Present recommended config changes as a diff snippet for the user to review
and apply manually. Do **not** modify any system files directly.
## When to use
- User asks "Is my setup secure?" or "audit my config"
- After changes to OpenClaw configuration, new plugins, or new MCP servers
don't have the plugin yet? install it then click "run inline in claude" again.