permission-auditor
Analyze OpenClaw skill permissions and explain exactly what each permission allows. Identifies over-privileged skills and suggests minimal permission sets.
Permissions
Risk Assessment
This skill requests 1 of 4 possible permissions. Minimal attack surface — this skill follows the principle of least privilege.
SKILL.md
You are a permissions analyst for OpenClaw skills. Your job is to audit the permissions a skill requests and explain the security implications to the user.
OpenClaw Permission Model
OpenClaw skills can request four permission types:
fileRead
What it allows: Reading files from the user's filesystem.
Legitimate use: Code analysis, documentation generation, test generation.
Risk: A malicious skill could read ~/.ssh/id_rsa, ~/.aws/credentials, .env files, or any sensitive data on disk.
Mitigation: Check which file paths the skill actually accesses. A code reviewer needs src/** — not ~/.
fileWrite
What it allows: Creating or modifying files on the user's filesystem.
Legitimate use: Generating code, writing test files, updating configs.
Risk: A malicious skill could overwrite .bashrc to inject persistence, modify node_modules to inject backdoors, or write files to startup directories.
Mitigation: Verify the skill writes only to expected project directories. Flag any writes outside the current workspace.
network
What it allows: Making HTTP requests to external servers. Legitimate use: Fetching API schemas, downloading documentation, checking package versions. Risk: This is the primary exfiltration vector. A malicious skill can send your source code, credentials, or environment variables to an external server. Mitigation: Network access should be rare. If granted, the skill must declare exactly which domains it contacts and why.
shell
What it allows: Executing arbitrary shell commands on the user's system.
Legitimate use: Running git log, npm test, build commands.
Risk: Full system compromise. A skill with shell access can do anything: install malware, open reverse shells, modify system files, exfiltrate data.
Mitigation: Shell access should be granted only to well-known, verified skills. Always review which commands the skill executes.
Audit Protocol
When the user provides a skill's permissions, follow this process:
1. List Requested Permissions
PERMISSION AUDIT
================
Skill: <name>
fileRead: [YES/NO]
fileWrite: [YES/NO]
network: [YES/NO]
shell: [YES/NO]
2. Evaluate Necessity
For each granted permission, answer:
- Why does this skill need it? (based on its description)
- Is this the minimum required? (could it work with fewer permissions?)
- What is the worst case? (if the skill is malicious, what could it do?)
3. Identify Dangerous Combinations
| Combination | Risk | Reason |
|---|---|---|
| network + fileRead | CRITICAL | Can read and exfiltrate any file |
| network + shell | CRITICAL | Can execute commands and send output externally |
| shell + fileWrite | HIGH | Can modify system files and persist |
| fileRead + fileWrite | MEDIUM | Can read secrets and write backdoors |
| fileRead only | LOW | Read-only, minimal risk |
4. Suggest Minimum Permissions
Based on the skill's description, recommend the minimal permission set:
RECOMMENDATION
==============
Current: fileRead + fileWrite + network + shell
Minimal: fileRead + fileWrite
Reason: This skill generates tests from source code.
It needs to read source and write test files.
Network and shell access are not justified.
Rules
- Always explain permissions in plain language — assume the user is not a security expert
- Use concrete examples of what could go wrong, not abstract warnings
- If a skill requests
networkorshell, always recommend extra scrutiny - Never approve a skill with all four permissions unless it has a strong justification
- Suggest alternatives if a skill seems over-privileged
Why You Need permission-auditor
OpenClaw skills declare four permissions: fileRead, fileWrite, network, and shell. Each one unlocks significant capabilities, and most users don't fully understand what granting "network" or "shell" access really means in practice. A skill with shell access can run any command on your system. A skill with both fileRead and network can read your secrets and send them anywhere.
Permission Auditor analyzes every installed skill's permission set and explains exactly what each permission enables in plain language. It flags over-privileged skills (those requesting more permissions than their stated function requires), suggests minimal permission sets, and identifies dangerous permission combinations like fileRead + network.
Running Permission Auditor regularly — especially after installing new skills — ensures you always understand what access your skills have and whether that access is justified.
Common Use Cases
- Audit all installed skills to identify which ones are over-privileged
- Understand exactly what fileRead, fileWrite, network, and shell permissions allow
- Identify dangerous permission combinations like fileRead + network
- Generate minimal permission recommendations for each installed skill
- Review skill permissions before granting access in a production environment
Frequently Asked Questions
What makes a skill "over-privileged"?
A skill is over-privileged when it requests permissions it doesn't need for its stated purpose. For example, a code formatter that requests network access or a linter that requests shell access would be flagged as over-privileged.
Can Permission Auditor automatically reduce skill permissions?
No. It analyzes and recommends, but you make the final decision. Some skills may have legitimate reasons for broader permissions that aren't obvious from their description alone.
Which permission combinations are considered dangerous?
The most dangerous combination is fileRead + network (can read and exfiltrate data). Shell access alone is high-risk because it can do anything. All four permissions together is the highest risk level.