
Remediation Playbook

Use this playbook to turn OpenClaw findings into concrete fixes.

Config Security

Typical risk signals:

  • gateway_auth_gap_score
  • loopback_binding_gap_score
  • weak_auth_token_score
  • rate_limit_absence_score
  • sensitive_directory_exposure_score

Recommended fixes:

  1. Require gateway auth token when remote access is enabled.
  2. Bind local services to loopback unless explicitly needed.
  3. Rotate weak/static tokens and enforce strong token generation.
  4. Add rate limiting for command, tool, and API-facing paths.
  5. Restrict writable/executable sensitive paths for agent runtime users.

Validation:

  • config_security_score increases.
  • Critical config findings drop in count and severity.

Skill Governance

Typical risk signals:

  • skill_allowlist_absence_score
  • human_approval_gap_score
  • sandbox_absence_score
  • tool_poisoning_susceptibility_score
  • unbounded_tool_access_score

Recommended fixes:

  1. Enforce skills.allowed/skills.denied governance.
  2. Require approval workflows for dangerous tools.
  3. Run shell/browser/code tools in sandboxed execution contexts.
  4. Validate and constrain MCP/tool descriptors before loading.
  5. Apply least-privilege tool scopes per agent role.

Validation:

  • skill_governance_score increases.
  • High/Critical governance findings trend down over time.

Observability

Typical risk signals:

  • otel_plugin_absence_score
  • audit_log_disabled_score
  • log_retention_too_short_score
  • reasoning_trace_capture_absence_score
  • goal_drift_detection_absence_score

Recommended fixes:

  1. Enable OTel diagnostics plugin and core spans/events.
  2. Enable audit logging for critical agent actions.
  3. Set retention to compliance-appropriate windows.
  4. Add trace capture and drift/goal monitoring guardrails.
  5. Ensure metrics and logs are queryable in incident workflows.

Validation:

  • observability_score increases.
  • Missing telemetry findings decrease.

Supply Chain

Typical risk signals:

  • clawhub_skill_provenance_score
  • skill_virus_scan_absence_score
  • unpinned_mcp_server_version_score
  • skill_source_integrity_score
  • known_malicious_skill_id_score

Recommended fixes:

  1. Pin skill and MCP server versions (avoid floating/latest).
  2. Enforce provenance checks and integrity/hash verification.
  3. Scan skill artifacts/content before activation.
  4. Remove known-malicious IDs and typosquat sources.
  5. Add egress restrictions and isolation for high-risk sources.
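
An added example (not Arxo or OpenClaw code) of a pre-activation gate for fixes 1, 2 and 4: it fails closed on floating versions, on artifacts whose SHA-256 differs from the pinned value, and on deny-listed IDs. The lock-entry fields (`id`, `version`, `sha256`), the IDs and the artifact bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# An exact pin such as "1.4.2" or "2.0.0-rc.1"; rejects "latest", "^1.4", "1.x", "*".
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?")
SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def check_entry(entry, artifact, denied_ids=frozenset()):
    """Return the reasons to block activation of one skill/MCP server (empty = allow)."""
    problems = []
    if entry.get("id") in denied_ids:
        problems.append("id is on the deny list")
    version = str(entry.get("version", ""))
    if not EXACT_VERSION.fullmatch(version):
        problems.append(f"version {version!r} is not an exact pin")
    pinned = str(entry.get("sha256", "")).lower()
    if not SHA256_HEX.fullmatch(pinned):
        problems.append("no sha256 pinned")
    elif artifact is None:
        problems.append("artifact missing, cannot verify hash")
    elif not hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), pinned):
        problems.append("artifact does not match pinned sha256")
    return problems


def audit(lock_entries, artifacts, denied_ids=frozenset()):
    """Map each entry id to its list of problems; activate only entries with none."""
    return {e.get("id"): check_entry(e, artifacts.get(e.get("id")), denied_ids)
            for e in lock_entries}


# Constructed sample data (hypothetical ids and lock format, not OpenClaw's own).
ARTIFACTS = {
    "example/notes-skill": b"print('notes skill v1.4.2')\n",
    "example/fetch-mcp": b"print('fetch server')\n",
    "example/n0tes-skill": b"print('lookalike')\n",
}
LOCK = [
    {"id": "example/notes-skill", "version": "1.4.2",
     "sha256": hashlib.sha256(ARTIFACTS["example/notes-skill"]).hexdigest()},
    {"id": "example/fetch-mcp", "version": "latest", "sha256": "0" * 64},
    {"id": "example/n0tes-skill", "version": "1.0.0",
     "sha256": hashlib.sha256(ARTIFACTS["example/n0tes-skill"]).hexdigest()},
]
DENIED = frozenset({"example/n0tes-skill"})

if __name__ == "__main__":
    for skill_id, problems in audit(LOCK, ARTIFACTS, DENIED).items():
        print(skill_id, "OK" if not problems else "BLOCK: " + "; ".join(problems))
```
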

Validation:

  • supply_chain_score increases.
  • Malicious-signal detectors move to Good.

Remediation order:

  1. Close Critical findings in Config Security and Supply Chain first.
  2. Enforce sandbox + approval in Skill Governance.
  3. Raise observability coverage to support regression detection.
  4. Lock in a no-regression policy once the baseline stabilizes.