nxtsecure-openclaw 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 scorpion7slayer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,87 @@
+# Secure-your-openclaw
+
+OpenClaw security audit skill with an integrated npm CLI.
+
+Published and maintained by `scorpion7slayer`.
+
+## Install
+
+```bash
+npm install -g nxtsecure-openclaw
+```
+
+Then use:
+
+```bash
+nxtsecure openclaw help
+```
+
+## What this repository contains
+
+- An OpenClaw skill in `skills/openclaw-security-audit/`
+- A Node-based CLI exposed as `nxtsecure openclaw`
+- Bash runners for audit, cron setup, and VirusTotal browser-assisted checks
+
+## What the skill checks
+
+- Firewall enabled
+- `fail2ban` active
+- SSH hardened with key-only auth and a non-default port
+- Unexpected listening ports
+- Docker container allowlisting
+- Disk usage threshold
+- Failed login attempts in the last 24 hours
+- Automatic security package updates
+- VirusTotal review for URLs and files without using a VirusTotal API key
+
+## Quick start
+
+1. Create a local config:
+
+```bash
+npm run nxtsecure -- openclaw config init --output ./openclaw-security-audit.conf
+```
+
+2. Review and edit the generated config.
+
+3. Run the audit:
+
+```bash
+npm run nxtsecure -- openclaw audit --config ./openclaw-security-audit.conf
+```
+
+4. Install the nightly cron job at 23:00:
+
+```bash
+npm run nxtsecure -- openclaw cron install --log ~/openclaw-security-audit.log
+```
+
+## CLI commands
+
+```bash
+npm run nxtsecure -- openclaw help
+npm run nxtsecure -- openclaw audit --config ./openclaw-security-audit.conf
+npm run nxtsecure -- openclaw cron install --log ~/openclaw-security-audit.log
+npm run nxtsecure -- openclaw vt url https://example.test
+npm run nxtsecure -- openclaw vt file /path/to/sample.bin
+```
+
+## VirusTotal mode
+
+This repository intentionally avoids the VirusTotal API.
+
+- URL checks are prepared for the public VirusTotal website through the OpenClaw browser tool.
+- File checks compute the SHA-256 locally and prepare the public VirusTotal report URL.
+- If a file is flagged, the agent must ask the user whether to keep or remove it.
+
+## Repository layout
+
+```text
+bin/nxtsecure.mjs
+package.json
+skills/openclaw-security-audit/SKILL.md
+skills/openclaw-security-audit/references/openclaw-security-audit.conf.example
+skills/openclaw-security-audit/scripts/install_cron.sh
+skills/openclaw-security-audit/scripts/openclaw_security_audit.sh
+skills/openclaw-security-audit/scripts/openclaw_virustotal_check.sh
+```

package/bin/nxtsecure.mjs

@@ -0,0 +1,212 @@
+#!/usr/bin/env node
+
+import { spawnSync } from 'node:child_process';
+import { copyFileSync, existsSync, mkdirSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const currentDir = dirname(fileURLToPath(import.meta.url));
+const rootDir = resolve(currentDir, '..');
+const skillDir = resolve(rootDir, 'skills', 'openclaw-security-audit');
+const scriptsDir = resolve(skillDir, 'scripts');
+const referencesDir = resolve(skillDir, 'references');
+
+const paths = {
+  audit: resolve(scriptsDir, 'openclaw_security_audit.sh'),
+  cron: resolve(scriptsDir, 'install_cron.sh'),
+  vt: resolve(scriptsDir, 'openclaw_virustotal_check.sh'),
+  configExample: resolve(referencesDir, 'openclaw-security-audit.conf.example')
+};
+
+function printHelp() {
+  console.log(`nxtsecure openclaw
+
+Usage:
+  nxtsecure help
+  nxtsecure openclaw help
+  nxtsecure openclaw audit [--config PATH]
+  nxtsecure openclaw cron install [--log PATH]
+  nxtsecure openclaw vt url <url> [--allow-uploads]
+  nxtsecure openclaw vt file <path> [--allow-uploads]
+  nxtsecure openclaw config init [--output PATH] [--force]
+  nxtsecure openclaw paths
+
+Examples:
+  nxtsecure openclaw config init --output ./openclaw-security-audit.conf
+  nxtsecure openclaw audit --config ./openclaw-security-audit.conf
+  nxtsecure openclaw cron install --log ~/openclaw-security-audit.log
+  nxtsecure openclaw vt url https://example.test
+  nxtsecure openclaw vt file /tmp/sample.bin --allow-uploads
+`);
+}
+
+function fail(message, exitCode = 1) {
+  console.error(`[ERROR] ${message}`);
+  process.exit(exitCode);
+}
+
+function runBashScript(scriptPath, args = [], env = {}) {
+  if (!existsSync(scriptPath)) {
+    fail(`Missing script: ${scriptPath}`);
+  }
+
+  const result = spawnSync('bash', [scriptPath, ...args], {
+    cwd: rootDir,
+    stdio: 'inherit',
+    env: { ...process.env, ...env }
+  });
+
+  if (result.error) {
+    fail(result.error.message);
+  }
+
+  process.exit(result.status ?? 1);
+}
+
+function takeOption(argv, optionName) {
+  const index = argv.indexOf(optionName);
+  if (index === -1) {
+    return undefined;
+  }
+  if (index === argv.length - 1) {
+    fail(`Missing value for ${optionName}`);
+  }
+  return argv[index + 1];
+}
+
+function hasFlag(argv, flagName) {
+  return argv.includes(flagName);
+}
+
+function withoutOption(argv, optionName) {
+  const index = argv.indexOf(optionName);
+  if (index === -1) {
+    return argv.slice();
+  }
+  const clone = argv.slice();
+  clone.splice(index, 2);
+  return clone;
+}
+
+function withoutFlag(argv, flagName) {
+  return argv.filter((item) => item !== flagName);
+}
+
+function commandAudit(argv) {
+  const configPath = takeOption(argv, '--config');
+  const args = configPath ? withoutOption(argv, '--config') : argv.slice();
+  if (args.length !== 0) {
+    fail(`Unknown audit arguments: ${args.join(' ')}`);
+  }
+  runBashScript(paths.audit, [], configPath ? { OPENCLAW_AUDIT_CONFIG: resolve(rootDir, configPath) } : {});
+}
+
+function commandCron(argv) {
+  if (argv[0] !== 'install') {
+    fail('Usage: nxtsecure openclaw cron install [--log PATH]');
+  }
+
+  const logPath = takeOption(argv, '--log');
+  const args = logPath ? withoutOption(argv.slice(1), '--log') : argv.slice(1);
+  if (args.length !== 0) {
+    fail(`Unknown cron arguments: ${args.join(' ')}`);
+  }
+
+  runBashScript(paths.cron, [], logPath ? { OPENCLAW_AUDIT_LOG: logPath } : {});
+}
+
+function commandVirusTotal(argv) {
+  const allowUploads = hasFlag(argv, '--allow-uploads');
+  const cleaned = allowUploads ? withoutFlag(argv, '--allow-uploads') : argv.slice();
+  const mode = cleaned[0];
+  const value = cleaned[1];
+
+  if (!mode || !value || cleaned.length !== 2 || !['url', 'file'].includes(mode)) {
+    fail('Usage: nxtsecure openclaw vt url <url> [--allow-uploads] | nxtsecure openclaw vt file <path> [--allow-uploads]');
+  }
+
+  const scriptArgs = mode === 'url' ? ['--url', value] : ['--file', value];
+  runBashScript(paths.vt, scriptArgs, {
+    VIRUSTOTAL_ALLOW_UPLOADS: allowUploads ? '1' : '0'
+  });
+}
+
+function commandConfig(argv) {
+  if (argv[0] !== 'init') {
+    fail('Usage: nxtsecure openclaw config init [--output PATH] [--force]');
+  }
+
+  const force = hasFlag(argv, '--force');
+  const output = takeOption(argv, '--output') ?? './openclaw-security-audit.conf';
+  const cleaned = force ? withoutFlag(argv.slice(1), '--force') : argv.slice(1);
+  const finalArgs = output ? withoutOption(cleaned, '--output') : cleaned;
+  if (finalArgs.length !== 0) {
+    fail(`Unknown config arguments: ${finalArgs.join(' ')}`);
+  }
+
+  const targetPath = resolve(rootDir, output);
+  if (existsSync(targetPath) && !force) {
+    fail(`Config already exists: ${targetPath}. Use --force to overwrite.`);
+  }
+
+  mkdirSync(dirname(targetPath), { recursive: true });
+  copyFileSync(paths.configExample, targetPath);
+  console.log(`Created config: ${targetPath}`);
+}
+
+function commandPaths(argv) {
+  if (argv.length !== 0) {
+    fail(`Unknown paths arguments: ${argv.join(' ')}`);
+  }
+
+  console.log(`root=${rootDir}`);
+  console.log(`skill=${skillDir}`);
+  console.log(`audit=${paths.audit}`);
+  console.log(`cron=${paths.cron}`);
+  console.log(`vt=${paths.vt}`);
+  console.log(`configExample=${paths.configExample}`);
+}
+
+function runOpenClaw(argv) {
+  const [command = 'help', ...rest] = argv;
+
+  switch (command) {
+    case 'help':
+    case '--help':
+    case '-h':
+      printHelp();
+      break;
+    case 'audit':
+      commandAudit(rest);
+      break;
+    case 'cron':
+      commandCron(rest);
+      break;
+    case 'vt':
+      commandVirusTotal(rest);
+      break;
+    case 'config':
+      commandConfig(rest);
+      break;
+    case 'paths':
+      commandPaths(rest);
+      break;
+    default:
+      fail(`Unknown openclaw command: ${command}`);
+  }
+}
+
+const [namespace = 'help', ...rest] = process.argv.slice(2);
+
+switch (namespace) {
+  case 'help':
+  case '--help':
+  case '-h':
+    printHelp();
+    break;
+  case 'openclaw':
+    runOpenClaw(rest);
+    break;
+  default:
+    fail(`Unknown namespace: ${namespace}. Expected: openclaw`);
+}

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "nxtsecure-openclaw",
+  "version": "0.1.0",
+  "description": "npm CLI wrapper for the OpenClaw security audit skill",
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "nxtsecure": "bin/nxtsecure.mjs"
+  },
+  "files": [
+    "bin",
+    "skills",
+    "README.md",
+    "LICENSE"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/scorpion7slayer/Secure-your-openclaw.git"
+  },
+  "homepage": "https://github.com/scorpion7slayer/Secure-your-openclaw#readme",
+  "bugs": {
+    "url": "https://github.com/scorpion7slayer/Secure-your-openclaw/issues"
+  },
+  "keywords": [
+    "openclaw",
+    "security",
+    "audit",
+    "cli",
+    "virustotal",
+    "ssh"
+  ],
+  "scripts": {
+    "nxtsecure": "node ./bin/nxtsecure.mjs",
+    "test": "node ./bin/nxtsecure.mjs help"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}

package/skills/openclaw-security-audit/SKILL.md

@@ -0,0 +1,104 @@
+---
+name: openclaw-security-audit
+description: Use when auditing and remediating an OpenClaw Linux host with a nightly 23:00 security run. Covers firewall status, fail2ban bans, SSH hardening with key-only auth and a non-default port, unexpected listening ports, Docker container allowlisting, disk usage under 80%, failed login attempts in the last 24 hours, automatic security package updates, VirusTotal browser-based checks for URLs and files without API keys, and installing the cron entry.
+homepage: https://openclaw.ai/
+---
+
+# OpenClaw Security Audit
+
+Original requested prompt, preserved verbatim:
+"Effectuez un audit de sécurité tous les soirs à 23h faite un cron."
+
+Use this skill when the user wants a repeatable OpenClaw host security audit, a nightly cron job, or immediate remediation of common hardening gaps.
+
+## Workflow
+
+1. Prefer the npm CLI in `{baseDir}/../../bin/nxtsecure.mjs` to keep the agent workflow stable.
+2. From the repository root, create the local configuration with `npm run nxtsecure -- openclaw config init --output ./openclaw-security-audit.conf` or copy `{baseDir}/references/openclaw-security-audit.conf.example`.
+3. Run `npm run nxtsecure -- openclaw audit --config ./openclaw-security-audit.conf` to execute the audit and remediation workflow.
+4. Install the nightly 23:00 cron entry with `npm run nxtsecure -- openclaw cron install --log ~/openclaw-security-audit.log`.
+5. If every check passes, print exactly `audit de sécurité réussi`.
+6. If a check fails, explain the issue, attempt remediation immediately, and rerun the relevant verification.
+
+## Checks
+
+The audit must verify:
+
+1. Firewall enabled.
+2. `fail2ban` active and total banned IP count collected.
+3. If SSH is used, password authentication must be disabled, public key authentication must be available, and the SSH service must not listen on port `22`.
+4. Unexpected listening ports identified and, when configured, blocked.
+5. Docker containers reviewed when Docker is present, with unexpected containers stopped only when an allowlist is configured.
+6. Disk usage below `80%` on persistent filesystems.
+7. Failed login attempts during the last 24 hours.
+8. Automatic security package updates enabled on the host.
+9. If VirusTotal is configured, URLs and files in scope must be checked before being trusted.
+
+## SSH hardening guidance
+
+When SSH is enabled, the agent must help the user migrate safely instead of changing access blindly.
+
+1. Explain the goal: SSH on a non-default port and key-only authentication.
+2. Ask or infer the target SSH port from configuration. Use `2222` only as a fallback example, not a forced default.
+3. Help the user generate a key pair if needed:
+   `ssh-keygen -t ed25519 -C "openclaw-admin"`
+4. Help the user install the public key on the server:
+   `ssh-copy-id -p <new-port> <user>@<host>`
+   or append the public key to `~/.ssh/authorized_keys` with correct permissions.
+5. Update SSH to use the chosen non-default port and disable password authentication.
+6. Make sure the firewall allows the new SSH port before reloading SSH.
+7. Tell the user to open a second terminal and verify:
+   `ssh -p <new-port> <user>@<host>`
+8. Only after the new key-based login works, remove any temporary legacy access and confirm the hardening is complete.
+
+If the agent cannot verify that key-based access on the new port works, it must explain the exact manual steps still required and avoid risky lockout actions.
+
+## VirusTotal guidance
+
+When the user wants file or link reputation checks, the agent must use VirusTotal without an API key:
+
+1. Use the OpenClaw `browser` tool, not the VirusTotal API.
+2. Ensure the OpenClaw browser tool is enabled before starting the workflow.
+3. For files, compute the SHA-256 locally first and prefer the public report page for an existing report.
+4. Only upload a file through the VirusTotal website when the user has explicitly allowed it, because website uploads may disclose the sample outside the organization.
+5. For URLs, open the public VirusTotal URL page in the browser tool and submit the URL for analysis through the web interface.
+6. If a file or URL is malicious, explain the verdict. For files, ask the user whether to keep or remove the file. For URLs, recommend blocking the URL or domain.
+7. If an item is suspicious, explain the risk and require explicit user confirmation before trusting it.
+8. For nightly automation, treat VirusTotal as browser-assisted review.
+9. If VirusTotal flags a file as malicious or suspicious, the agent must ask the user whether to keep or remove the file. The user always decides.
+10. Do not claim that a URL or file was cleared automatically when the agent has only prepared the VirusTotal browser workflow and not inspected the result page.
+
+Use the bundled helper:
+
+- `npm run nxtsecure -- openclaw vt url https://example.test`
+- `npm run nxtsecure -- openclaw vt file /path/to/sample.bin`
+- fallback: `{baseDir}/scripts/openclaw_virustotal_check.sh --url https://example.test`
+- fallback: `{baseDir}/scripts/openclaw_virustotal_check.sh --file /path/to/sample.bin`
+
+OpenClaw browser flow:
+
+1. `browser.start`
+2. `browser.open` or `browser.navigate` to `https://www.virustotal.com/gui/home/url` for URLs
+3. `browser.open` or `browser.navigate` to `https://www.virustotal.com/gui/home/upload` for files
+4. Use `browser.snapshot` and `browser.act` to type, upload, and inspect detection results
+
+## Operational notes
+
+- Run the audit as `root` when possible. Some remediations require privileged access.
+- Adjust expected ports and allowed Docker containers before enabling strict enforcement.
+- The bundled script prefers `ufw`, then `firewalld`, then a non-empty `nftables` ruleset for firewall detection.
+- The script uses `sshd -T` when available and falls back to SSH config files.
+- The bundled SSH policy expects a non-default port whenever SSH is enabled. Port `22` is treated as non-compliant.
+- The audit should enable automatic security updates when supported by the distribution, such as `unattended-upgrades` on Debian or Ubuntu and `dnf-automatic` on RPM-based hosts.
+- Failed logins are collected from `journalctl`, `lastb`, or `/var/log/auth.log`, depending on what the host exposes.
+- VirusTotal checks in this skill are intentionally API-free and rely on the public website plus the OpenClaw browser tool.
+- The nightly cron line installed by the helper is `0 23 * * *`.
+
+## Files
+
+- `{baseDir}/../../package.json`: npm package definition for the `nxtsecure openclaw` CLI.
+- `{baseDir}/../../bin/nxtsecure.mjs`: npm CLI entrypoint for audit, cron, VirusTotal, and config init.
+- `{baseDir}/scripts/openclaw_security_audit.sh`: audit and remediation runner.
+- `{baseDir}/scripts/openclaw_virustotal_check.sh`: VirusTotal URL and file reputation helper.
+- `{baseDir}/scripts/install_cron.sh`: idempotent cron installer for `23:00` every day.
+- `{baseDir}/references/openclaw-security-audit.conf.example`: baseline configuration template.

package/skills/openclaw-security-audit/references/openclaw-security-audit.conf.example

@@ -0,0 +1,36 @@
+# Copy this file to:
+# - /etc/openclaw-security-audit.conf
+# or point the audit to it with OPENCLAW_AUDIT_CONFIG=/path/to/file
+
+# Expected listening ports. Do not keep 22 here if SSH is enabled.
+# Include the chosen SSH_EXPECTED_PORT instead.
+EXPECTED_TCP_PORTS="80 443 2222"
+EXPECTED_UDP_PORTS=""
+
+# SSH policy. If SSH is enabled, it must not use port 22.
+# Set SSH_EXPECTED_PORT to the chosen non-default port, for example 2222.
+SSH_EXPECTED_PORT="2222"
+SSH_PORT_IN_USE=1
+SSH_REQUIRE_KEYS_ONLY=1
+ENABLE_SSH_PORT_REMEDIATION=0
+
+# VirusTotal integration for URLs and files, without API keys.
+# The agent should use the public VirusTotal website through the OpenClaw browser tool.
+VIRUSTOTAL_ENABLED=0
+VIRUSTOTAL_ALLOW_UPLOADS=0
+VIRUSTOTAL_URLS=""
+VIRUSTOTAL_FILES=""
+
+# List allowed Docker container names, separated by spaces.
+# Leave empty to force the audit to report unmanaged running containers.
+ALLOWED_DOCKER_CONTAINERS=""
+
+# Security thresholds.
+DISK_THRESHOLD_PERCENT=80
+MAX_FAILED_LOGIN_ATTEMPTS=25
+AUTO_SECURITY_UPDATES_REQUIRED=1
+
+# Remediation controls.
+AUTO_REMEDIATE=1
+REMEDIATE_UNEXPECTED_PORTS=0
+ALLOW_DOCKER_PRUNE=0

package/skills/openclaw-security-audit/scripts/install_cron.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+AUDIT_SCRIPT="${SCRIPT_DIR}/openclaw_security_audit.sh"
+LOG_PATH="${OPENCLAW_AUDIT_LOG:-${HOME}/openclaw-security-audit.log}"
+
+if [[ ! -x "${AUDIT_SCRIPT}" ]]; then
+  chmod +x "${AUDIT_SCRIPT}"
+fi
+
+START_MARKER="# OPENCLAW_SECURITY_AUDIT_START"
+END_MARKER="# OPENCLAW_SECURITY_AUDIT_END"
+CRON_LINE="0 23 * * * /bin/bash ${AUDIT_SCRIPT} >> ${LOG_PATH} 2>&1"
+
+CURRENT_CRONTAB="$(mktemp)"
+UPDATED_CRONTAB="$(mktemp)"
+
+trap 'rm -f "${CURRENT_CRONTAB}" "${UPDATED_CRONTAB}"' EXIT
+
+crontab -l 2>/dev/null > "${CURRENT_CRONTAB}" || true
+awk -v start="${START_MARKER}" -v end="${END_MARKER}" '
+  $0 == start { skip = 1; next }
+  $0 == end { skip = 0; next }
+  skip != 1 { print }
+' "${CURRENT_CRONTAB}" > "${UPDATED_CRONTAB}"
+
+{
+  cat "${UPDATED_CRONTAB}"
+  printf '%s\n' "${START_MARKER}"
+  printf '%s\n' "${CRON_LINE}"
+  printf '%s\n' "${END_MARKER}"
+} | crontab -
+
+printf 'Installed nightly cron at 23:00.\n'
+printf 'Log file: %s\n' "${LOG_PATH}"

package/skills/openclaw-security-audit/scripts/openclaw_security_audit.sh

@@ -0,0 +1,752 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SKILL_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+CONFIG_FILE="${OPENCLAW_AUDIT_CONFIG:-}"
+if [[ -z "${CONFIG_FILE}" ]]; then
+  for candidate in \
+    "/etc/openclaw-security-audit.conf" \
+    "${SKILL_DIR}/references/openclaw-security-audit.conf" \
+    "${SKILL_DIR}/references/openclaw-security-audit.conf.example"
+  do
+    if [[ -f "${candidate}" ]]; then
+      CONFIG_FILE="${candidate}"
+      break
+    fi
+  done
+fi
+
+EXPECTED_TCP_PORTS="80 443 2222"
+EXPECTED_UDP_PORTS=""
+SSH_EXPECTED_PORT="2222"
+SSH_PORT_IN_USE=1
+SSH_REQUIRE_KEYS_ONLY=1
+ENABLE_SSH_PORT_REMEDIATION=0
+VIRUSTOTAL_ENABLED=0
+VIRUSTOTAL_ALLOW_UPLOADS=0
+VIRUSTOTAL_URLS=""
+VIRUSTOTAL_FILES=""
+ALLOWED_DOCKER_CONTAINERS=""
+DISK_THRESHOLD_PERCENT=80
+MAX_FAILED_LOGIN_ATTEMPTS=25
+AUTO_SECURITY_UPDATES_REQUIRED=1
+AUTO_REMEDIATE=1
+REMEDIATE_UNEXPECTED_PORTS=0
+ALLOW_DOCKER_PRUNE=0
+
+if [[ -n "${CONFIG_FILE}" && -f "${CONFIG_FILE}" ]]; then
+  # shellcheck disable=SC1090
+  source "${CONFIG_FILE}"
+fi
+
+declare -a ISSUES=()
+declare -a ACTIONS=()
+declare -a WARNINGS=()
+
+log() {
+  printf '[INFO] %s\n' "$*"
+}
+
+warn() {
+  WARNINGS+=("$*")
+  printf '[WARN] %s\n' "$*"
+}
+
+issue() {
+  ISSUES+=("$*")
+  printf '[FAIL] %s\n' "$*"
+}
+
+action() {
+  ACTIONS+=("$*")
+  printf '[FIX] %s\n' "$*"
+}
+
+command_exists() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+is_root() {
+  [[ "${EUID}" -eq 0 ]]
+}
+
+run_privileged() {
+  if is_root; then
+    "$@"
+  elif command_exists sudo && sudo -n true >/dev/null 2>&1; then
+    sudo "$@"
+  else
+    return 126
+  fi
+}
+
+contains_word() {
+  local needle="$1"
+  local haystack="$2"
+  local item
+  for item in ${haystack}; do
+    if [[ "${item}" == "${needle}" ]]; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+if [[ "${SSH_PORT_IN_USE}" -eq 1 ]] && ! contains_word "${SSH_EXPECTED_PORT}" "${EXPECTED_TCP_PORTS}"; then
+  EXPECTED_TCP_PORTS="${EXPECTED_TCP_PORTS} ${SSH_EXPECTED_PORT}"
+fi
+
+service_is_active() {
+  local service="$1"
+  command_exists systemctl && systemctl is-active --quiet "${service}"
+}
+
+safe_systemctl_enable_now() {
+  local service="$1"
+  if run_privileged systemctl enable --now "${service}" >/dev/null 2>&1; then
+    action "Enabled ${service}."
+    return 0
+  fi
+  return 1
+}
+
+detect_firewall_backend() {
+  if command_exists ufw; then
+    echo "ufw"
+    return 0
+  fi
+  if command_exists firewall-cmd; then
+    echo "firewalld"
+    return 0
+  fi
+  if command_exists nft; then
+    echo "nftables"
+    return 0
+  fi
+  echo "none"
+}
+
+check_firewall() {
+  local backend
+  backend="$(detect_firewall_backend)"
+
+  case "${backend}" in
+    ufw)
+      if ufw status 2>/dev/null | grep -q "^Status: active"; then
+        log "Firewall active via ufw."
+      elif [[ "${AUTO_REMEDIATE}" -eq 1 ]] && run_privileged ufw --force enable >/dev/null 2>&1; then
+        action "Enabled ufw."
+      else
+        issue "ufw is installed but not active."
+      fi
+      ;;
+    firewalld)
+      if service_is_active firewalld; then
+        log "Firewall active via firewalld."
+      elif [[ "${AUTO_REMEDIATE}" -eq 1 ]] && safe_systemctl_enable_now firewalld; then
+        :
+      else
+        issue "firewalld is installed but not active."
+      fi
+      ;;
+    nftables)
+      if nft list ruleset 2>/dev/null | grep -q "table"; then
+        log "Firewall appears active via nftables."
+      else
+        issue "nftables is present but no active ruleset was found."
+      fi
+      ;;
+    *)
+      issue "No supported firewall manager was found."
+      ;;
+  esac
+}
+
+fail2ban_banned_total() {
+  local total=0
+  local jail
+  local jails
+
+  if ! command_exists fail2ban-client; then
+    echo "0"
+    return 0
+  fi
+
+  jails="$(fail2ban-client status 2>/dev/null | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' ' ')"
+  if [[ -z "${jails}" ]]; then
+    echo "0"
+    return 0
+  fi
+
+  for jail in ${jails}; do
+    local count
+    count="$(fail2ban-client status "${jail}" 2>/dev/null | sed -n 's/.*Total banned:[[:space:]]*//p' | tail -n1)"
+    if [[ "${count}" =~ ^[0-9]+$ ]]; then
+      total=$((total + count))
+    fi
+  done
+
+  echo "${total}"
+}
+
+check_fail2ban() {
+  if ! command_exists fail2ban-client && ! service_is_active fail2ban; then
+    issue "fail2ban is not installed or not available."
+    return 0
+  fi
+
+  if service_is_active fail2ban; then
+    log "fail2ban is active. Total banned IPs: $(fail2ban_banned_total)."
+  elif [[ "${AUTO_REMEDIATE}" -eq 1 ]] && safe_systemctl_enable_now fail2ban; then
+    log "fail2ban is active. Total banned IPs: $(fail2ban_banned_total)."
+  else
+    issue "fail2ban is installed but inactive."
+  fi
+}
+
+ssh_effective_value() {
+  local key="$1"
+  if command_exists sshd; then
+    sshd -T 2>/dev/null | awk -v target="${key}" '$1 == target { print $2; exit }'
+    return 0
+  fi
+  awk -v target="${key}" '
+    BEGIN { IGNORECASE=1 }
+    $1 == target { value = $2 }
+    END { if (value != "") print tolower(value) }
+  ' /etc/ssh/sshd_config 2>/dev/null
+}
+
+remediate_ssh_password_auth() {
+  local drop_in="/etc/ssh/sshd_config.d/99-openclaw-hardening.conf"
+  local tmp_file
+
+  tmp_file="$(mktemp)"
+  cat >"${tmp_file}" <<'EOF'
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+ChallengeResponseAuthentication no
+EOF
+
+  if run_privileged mkdir -p /etc/ssh/sshd_config.d \
+    && run_privileged install -m 0644 "${tmp_file}" "${drop_in}" \
+    && run_privileged sshd -t \
+    && (run_privileged systemctl reload sshd >/dev/null 2>&1 || run_privileged systemctl reload ssh >/dev/null 2>&1); then
+    rm -f "${tmp_file}"
+    action "Disabled SSH password authentication with ${drop_in}."
+    return 0
+  fi
+
+  rm -f "${tmp_file}"
+  return 1
+}
+
+ssh_effective_ports() {
+  if command_exists sshd; then
+    sshd -T 2>/dev/null | awk '$1 == "port" { print $2 }'
+    return 0
+  fi
+
+  awk '
+    BEGIN { IGNORECASE=1 }
+    $1 == "Port" { print $2 }
+  ' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
+}
+
+ssh_key_auth_enabled() {
+  local key_auth
+  key_auth="$(ssh_effective_value pubkeyauthentication)"
+  [[ -z "${key_auth}" || "${key_auth}" == "yes" ]]
+}
+
+remediate_ssh_port() {
+  local desired_port="$1"
+  local drop_in="/etc/ssh/sshd_config.d/98-openclaw-port.conf"
+  local tmp_file
+
+  if [[ -z "${desired_port}" || "${desired_port}" == "22" ]]; then
+    return 1
+  fi
+
+  tmp_file="$(mktemp)"
+  cat >"${tmp_file}" <<EOF
+Port ${desired_port}
+EOF
+
+  if ! run_privileged mkdir -p /etc/ssh/sshd_config.d; then
+    rm -f "${tmp_file}"
+    return 1
+  fi
+
+  if ! run_privileged install -m 0644 "${tmp_file}" "${drop_in}"; then
+    rm -f "${tmp_file}"
+    return 1
+  fi
+
+  rm -f "${tmp_file}"
+
+  if ! run_privileged sshd -t; then
+    return 1
+  fi
+
+  if ! run_privileged systemctl reload sshd >/dev/null 2>&1 \
+    && ! run_privileged systemctl reload ssh >/dev/null 2>&1; then
+    return 1
+  fi
+
+  action "Configured SSH to listen on port ${desired_port}. Verify access with: ssh -p ${desired_port} <user>@<host>"
+  return 0
+}
+
+check_ssh() {
+  local password_auth
+  local ports
+  local port_ok=1
+  password_auth="$(ssh_effective_value passwordauthentication)"
+
+  if [[ "${SSH_REQUIRE_KEYS_ONLY}" -eq 1 ]]; then
+    if [[ "${password_auth}" != "no" ]]; then
+      if [[ "${AUTO_REMEDIATE}" -eq 1 ]] && remediate_ssh_password_auth; then
+        password_auth="$(ssh_effective_value passwordauthentication)"
+      fi
+    fi
+
+    if [[ "${password_auth}" != "no" ]]; then
+      issue "SSH password authentication is still enabled."
+    elif ! ssh_key_auth_enabled; then
+      issue "SSH public key authentication is not enabled."
+    else
+      log "SSH is configured for key-based authentication only."
+    fi
+
+  else
+    log "SSH key-only enforcement is disabled by configuration."
+  fi
+
+  if [[ "${SSH_PORT_IN_USE}" -ne 1 ]]; then
+    log "SSH port policy skipped because SSH_PORT_IN_USE is disabled."
+    return 0
+  fi
+
+  ports="$(ssh_effective_ports | sort -u | tr '\n' ' ')"
+  if [[ -z "${ports}" ]]; then
+    warn "Unable to determine SSH listening ports from configuration."
+    return 0
+  fi
+
+  if contains_word "22" "${ports}"; then
+    port_ok=0
+    if [[ "${AUTO_REMEDIATE}" -eq 1 && "${ENABLE_SSH_PORT_REMEDIATION}" -eq 1 ]] \
+      && remediate_ssh_port "${SSH_EXPECTED_PORT}"; then
+      ports="$(ssh_effective_ports | sort -u | tr '\n' ' ')"
+      if contains_word "22" "${ports}"; then
+        issue "SSH still exposes port 22 after remediation attempt."
+      else
+        log "SSH no longer uses port 22."
+      fi
+    else
+      issue "SSH is configured on port 22. Migrate to a non-default port such as ${SSH_EXPECTED_PORT}, allow it in the firewall, then verify with: ssh -p ${SSH_EXPECTED_PORT} <user>@<host>"
+    fi
+  fi
+
+  if ! contains_word "${SSH_EXPECTED_PORT}" "${ports}"; then
+    port_ok=0
+    issue "SSH is not configured on the expected port ${SSH_EXPECTED_PORT}. Current configured ports: ${ports}"
+  fi
+
+  if [[ "${port_ok}" -eq 1 ]]; then
+    log "SSH uses the expected non-default port ${SSH_EXPECTED_PORT}."
+  fi
+}
+
+list_listening_ports() {
+  ss -lntuH 2>/dev/null | awk '
+    {
+      split($5, parts, ":")
+      port = parts[length(parts)]
+      if (port ~ /^[0-9]+$/) {
+        print tolower($1) " " port
+      }
+    }
+  ' | sort -u
+}
+
+block_port() {
+  local proto="$1"
+  local port="$2"
+  local backend
+  backend="$(detect_firewall_backend)"
+
+  case "${backend}" in
+    ufw)
+      run_privileged ufw deny "${port}/${proto}" >/dev/null 2>&1
+      ;;
+    firewalld)
+      run_privileged firewall-cmd --permanent --remove-port="${port}/${proto}" >/dev/null 2>&1 \
+        && run_privileged firewall-cmd --reload >/dev/null 2>&1
+      ;;
+    *)
+      return 1
+      ;;
+  esac
+}
+
+check_ports() {
+  local proto
+  local port
+  local unexpected=0
+  local current
+
+  while read -r proto port; do
+    [[ -z "${proto}" || -z "${port}" ]] && continue
+
+    if [[ "${proto}" == udp* ]]; then
+      current="${EXPECTED_UDP_PORTS}"
+      proto="udp"
+    else
+      current="${EXPECTED_TCP_PORTS}"
+      proto="tcp"
+    fi
+
+    if contains_word "${port}" "${current}"; then
+      continue
+    fi
+
+    unexpected=1
+    if [[ "${AUTO_REMEDIATE}" -eq 1 && "${REMEDIATE_UNEXPECTED_PORTS}" -eq 1 ]] && block_port "${proto}" "${port}"; then
+      action "Blocked unexpected ${proto} port ${port} at the firewall."
+    else
+      issue "Unexpected listening ${proto} port detected: ${port}."
+    fi
+  done < <(list_listening_ports)
+
+  if [[ "${unexpected}" -eq 0 ]]; then
+    log "No unexpected listening ports detected."
+  fi
+}
+
+check_docker() {
+  local running
+  local name
+  local unexpected=0
+
+  if ! command_exists docker; then
+    log "Docker is not installed."
+    return 0
+  fi
+
+  if ! docker info >/dev/null 2>&1; then
+    warn "Docker is installed but unavailable to the current user."
+    return 0
+  fi
+
+  running="$(docker ps --format '{{.Names}}' 2>/dev/null)"
+  if [[ -z "${running}" ]]; then
+    log "No running Docker containers."
+    return 0
+  fi
+
+  if [[ -z "${ALLOWED_DOCKER_CONTAINERS}" ]]; then
+    issue "Running Docker containers found but ALLOWED_DOCKER_CONTAINERS is not configured."
+    printf '%s\n' "${running}" | sed 's/^/[INFO] Running container: /'
+    return 0
+  fi
+
+  while read -r name; do
+    [[ -z "${name}" ]] && continue
+    if contains_word "${name}" "${ALLOWED_DOCKER_CONTAINERS}"; then
+      continue
+    fi
+
+    unexpected=1
+    if [[ "${AUTO_REMEDIATE}" -eq 1 ]] && docker stop "${name}" >/dev/null 2>&1; then
+      action "Stopped unexpected Docker container ${name}."
+    else
+      issue "Unexpected Docker container detected: ${name}."
+    fi
+  done <<< "${running}"
+
+  if [[ "${unexpected}" -eq 0 ]]; then
+    log "Docker containers match the allowlist."
+  fi
+}
+
+cleanup_disk_space() {
+  command_exists journalctl && run_privileged journalctl --vacuum-time=7d >/dev/null 2>&1 || true
+  command_exists apt-get && run_privileged apt-get clean >/dev/null 2>&1 || true
+  command_exists dnf && run_privileged dnf clean all >/dev/null 2>&1 || true
+  command_exists yum && run_privileged yum clean all >/dev/null 2>&1 || true
+  if [[ "${ALLOW_DOCKER_PRUNE}" -eq 1 ]] && command_exists docker; then
+    docker system prune -af >/dev/null 2>&1 || true
+  fi
+}
+
+enable_auto_security_updates_apt() {
+  local periodic_file="/etc/apt/apt.conf.d/20auto-upgrades"
+  local origin_file="/etc/apt/apt.conf.d/52openclaw-unattended-upgrades"
+  local distro_id version_codename tmp_file
+
+  distro_id="$(. /etc/os-release 2>/dev/null; printf '%s' "${ID:-Ubuntu}")"
+  version_codename="$(. /etc/os-release 2>/dev/null; printf '%s' "${VERSION_CODENAME:-}")"
+  [[ -n "${version_codename}" ]] || version_codename="stable"
+
+  if ! command_exists apt-get; then
+    return 1
+  fi
+
+  run_privileged apt-get update >/dev/null 2>&1 || true
+  if ! dpkg -s unattended-upgrades >/dev/null 2>&1; then
+    run_privileged apt-get install -y unattended-upgrades >/dev/null 2>&1 || return 1
+  fi
+
+  tmp_file="$(mktemp)"
+  cat >"${tmp_file}" <<'EOF'
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+EOF
+  run_privileged install -m 0644 "${tmp_file}" "${periodic_file}" || { rm -f "${tmp_file}"; return 1; }
+
+  cat >"${tmp_file}" <<EOF
+Unattended-Upgrade::Origins-Pattern {
+        "origin=${distro_id},codename=${version_codename},label=${distro_id}-Security";
+        "origin=${distro_id},codename=${version_codename},suite=${version_codename}-security";
+        "origin=Debian,codename=${version_codename},label=Debian-Security";
+        "origin=Debian,codename=${version_codename},suite=${version_codename}-security";
+        "origin=Ubuntu,codename=${version_codename},archive=${version_codename}-security";
+};
+EOF
+  run_privileged install -m 0644 "${tmp_file}" "${origin_file}" || { rm -f "${tmp_file}"; return 1; }
+  rm -f "${tmp_file}"
+
+  if command_exists systemctl; then
+    run_privileged systemctl enable --now unattended-upgrades >/dev/null 2>&1 || true
+  fi
+
+  action "Enabled unattended-upgrades for security updates."
+  return 0
+}
+
+enable_auto_security_updates_dnf() {
+  local config_file="/etc/dnf/automatic.conf"
+  local timer_service=""
+  local tmp_file
+
+  if ! command_exists dnf; then
+    return 1
+  fi
+
+  run_privileged dnf -y install dnf-automatic >/dev/null 2>&1 || return 1
+
+  if command_exists systemctl; then
+    if systemctl list-unit-files 2>/dev/null | grep -q '^dnf-automatic-install.timer'; then
+      timer_service="dnf-automatic-install.timer"
+    elif systemctl list-unit-files 2>/dev/null | grep -q '^dnf-automatic.timer'; then
+      timer_service="dnf-automatic.timer"
+    fi
+  fi
+
+  if [[ -f "${config_file}" ]]; then
+    tmp_file="$(mktemp)"
+    awk '
+      /^\s*upgrade_type\s*=/ { print "upgrade_type = security"; next }
+      /^\s*apply_updates\s*=/ { print "apply_updates = yes"; next }
+      { print }
+    ' "${config_file}" > "${tmp_file}"
+    run_privileged install -m 0644 "${tmp_file}" "${config_file}" || { rm -f "${tmp_file}"; return 1; }
+    rm -f "${tmp_file}"
+  fi
+
+  [[ -n "${timer_service}" ]] || return 1
+  run_privileged systemctl enable --now "${timer_service}" >/dev/null 2>&1 || return 1
+  action "Enabled dnf-automatic security updates."
+  return 0
+}
+
+check_auto_security_updates() {
+  if [[ "${AUTO_SECURITY_UPDATES_REQUIRED}" -ne 1 ]]; then
+    log "Automatic security updates check is disabled by configuration."
+    return 0
+  fi
+
+  if command_exists apt-config || command_exists apt-get; then
+    if [[ -f /etc/apt/apt.conf.d/20auto-upgrades ]] \
+      && grep -Eq 'APT::Periodic::Unattended-Upgrade "1"' /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null \
+      && dpkg -s unattended-upgrades >/dev/null 2>&1; then
+      log "Automatic security updates are enabled via unattended-upgrades."
+      return 0
+    fi
+
+    if [[ "${AUTO_REMEDIATE}" -eq 1 ]] && enable_auto_security_updates_apt; then
+      return 0
+    fi
+
+    issue "Automatic security updates are not enabled on this APT host."
+    return 0
+  fi
+
+  if command_exists dnf; then
+    if command_exists systemctl \
+      && (systemctl is-enabled --quiet dnf-automatic-install.timer 2>/dev/null || systemctl is-enabled --quiet dnf-automatic.timer 2>/dev/null) \
+      && grep -Eq '^\s*upgrade_type\s*=\s*security' /etc/dnf/automatic.conf 2>/dev/null; then
+      log "Automatic security updates are enabled via dnf-automatic."
+      return 0
+    fi
+
+    if [[ "${AUTO_REMEDIATE}" -eq 1 ]] && enable_auto_security_updates_dnf; then
+      return 0
+    fi
+
+    issue "Automatic security updates are not enabled on this DNF host."
+    return 0
+  fi
+
+  warn "Automatic security update verification is not implemented for this package manager."
+}
+
+check_disk() {
+  local line
+  local usage
+  local mountpoint
+  local over_limit=0
+
+  while read -r line; do
+    usage="$(awk '{print $5}' <<< "${line}" | tr -d '%')"
+    mountpoint="$(awk '{print $6}' <<< "${line}")"
+    [[ "${usage}" =~ ^[0-9]+$ ]] || continue
+
+    if (( usage < DISK_THRESHOLD_PERCENT )); then
+      continue
+    fi
+
+    over_limit=1
+    if [[ "${AUTO_REMEDIATE}" -eq 1 ]]; then
+      cleanup_disk_space
+      usage="$(df -P "${mountpoint}" | awk 'NR==2 {gsub("%","",$5); print $5}')"
+    fi
+
+    if [[ "${usage}" =~ ^[0-9]+$ ]] && (( usage < DISK_THRESHOLD_PERCENT )); then
+      action "Reduced disk usage on ${mountpoint} to ${usage}%."
+    else
+      issue "Disk usage on ${mountpoint} is ${usage}% (threshold ${DISK_THRESHOLD_PERCENT}%)."
+    fi
+  done < <(df -P -x tmpfs -x devtmpfs 2>/dev/null | awk 'NR>1')
+
+  if [[ "${over_limit}" -eq 0 ]]; then
+    log "Disk usage is below ${DISK_THRESHOLD_PERCENT}% on persistent filesystems."
+  fi
+}
+
+failed_login_count() {
+  local count=0
+
+  if command_exists journalctl; then
+    count="$(journalctl --since '-24 hours' --no-pager 2>/dev/null | grep -Eci 'Failed password|authentication failure|Invalid user|Failed publickey')"
+    echo "${count}"
+    return 0
+  fi
+
+  if command_exists lastb; then
+    count="$(lastb -s -24hours 2>/dev/null | awk 'NF > 0 && $1 != "btmp" { total++ } END { print total + 0 }')"
+    echo "${count}"
+    return 0
+  fi
+
+  if [[ -f /var/log/auth.log ]]; then
+    count="$(find /var/log -maxdepth 1 -name 'auth.log*' -mtime -1 -print0 2>/dev/null | xargs -0 zgrep -Ehi 'Failed password|authentication failure|Invalid user|Failed publickey' 2>/dev/null | wc -l | tr -d ' ')"
+    echo "${count:-0}"
+    return 0
+  fi
+
+  echo "0"
+}
+
+check_failed_logins() {
+  local count
+  count="$(failed_login_count)"
+  log "Failed login attempts in the last 24 hours: ${count}."
+
+  if [[ "${count}" =~ ^[0-9]+$ ]] && (( count > MAX_FAILED_LOGIN_ATTEMPTS )); then
+    issue "Failed login attempts exceed the threshold (${count} > ${MAX_FAILED_LOGIN_ATTEMPTS})."
+  fi
+}
+
+check_virustotal() {
+  local helper
+  local item
+  local any_item=0
+
+  if [[ "${VIRUSTOTAL_ENABLED}" -ne 1 ]]; then
+    log "VirusTotal checks are disabled."
+    return 0
+  fi
+
+  helper="${SCRIPT_DIR}/openclaw_virustotal_check.sh"
+  if [[ ! -x "${helper}" ]]; then
+    issue "VirusTotal helper script is missing or not executable: ${helper}"
+    return 0
+  fi
+
+  for item in ${VIRUSTOTAL_URLS}; do
+    any_item=1
+    if VIRUSTOTAL_ALLOW_UPLOADS="${VIRUSTOTAL_ALLOW_UPLOADS}" \
+      "${helper}" --url "${item}"; then
+      log "VirusTotal browser review prepared for URL: ${item}"
+    else
+      issue "VirusTotal browser workflow failed for URL: ${item}"
+    fi
+  done
+
+  for item in ${VIRUSTOTAL_FILES}; do
+    any_item=1
+    if VIRUSTOTAL_ALLOW_UPLOADS="${VIRUSTOTAL_ALLOW_UPLOADS}" \
+      "${helper}" --file "${item}"; then
+      log "VirusTotal browser review prepared for file: ${item}"
+    else
+      issue "VirusTotal browser workflow failed for file: ${item}"
+    fi
+  done
+
+  if [[ "${any_item}" -eq 0 ]]; then
+    warn "VirusTotal is enabled but no VIRUSTOTAL_URLS or VIRUSTOTAL_FILES were configured."
+  fi
+}
+
+main() {
+  log "Starting OpenClaw security audit."
+  [[ -n "${CONFIG_FILE}" ]] && log "Using configuration file: ${CONFIG_FILE}"
+
+  check_firewall
+  check_fail2ban
+  check_ssh
+  check_ports
+  check_docker
+  check_disk
+  check_failed_logins
+  check_auto_security_updates
+  check_virustotal
+
+  if (( ${#ISSUES[@]} == 0 )); then
+    printf 'audit de sécurité réussi\n'
+    exit 0
+  fi
+
+  printf '\nSecurity audit found %d issue(s).\n' "${#ISSUES[@]}"
+  printf '%s\n' "${ISSUES[@]}" | sed 's/^/- /'
+
+  if (( ${#ACTIONS[@]} > 0 )); then
+    printf '\nRemediation actions applied:\n'
+    printf '%s\n' "${ACTIONS[@]}" | sed 's/^/- /'
+  fi
+
+  if (( ${#WARNINGS[@]} > 0 )); then
+    printf '\nWarnings:\n'
+    printf '%s\n' "${WARNINGS[@]}" | sed 's/^/- /'
+  fi
+
+  exit 1
+}
+
+main "$@"

package/skills/openclaw-security-audit/scripts/openclaw_virustotal_check.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VIRUSTOTAL_ALLOW_UPLOADS="${VIRUSTOTAL_ALLOW_UPLOADS:-0}"
+
+usage() {
+  cat <<'EOF'
+Usage:
+  openclaw_virustotal_check.sh --url <url>
+  openclaw_virustotal_check.sh --file <path>
+
+This helper is API-free. It prepares public VirusTotal review steps for the
+OpenClaw browser tool.
+EOF
+}
+
+fail() {
+  printf '[FAIL] %s\n' "$*" >&2
+  exit 1
+}
+
+info() {
+  printf '[INFO] %s\n' "$*"
+}
+
+warn() {
+  printf '[WARN] %s\n' "$*"
+}
+
+require_file() {
+  [[ -f "$1" ]] || fail "File not found: $1"
+}
+
+sha256_file() {
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$1" | awk '{print $1}'
+    return 0
+  fi
+  if command -v shasum >/dev/null 2>&1; then
+    shasum -a 256 "$1" | awk '{print $1}'
+    return 0
+  fi
+  fail "No SHA-256 tool found. Install sha256sum or shasum."
+}
+
+check_url() {
+  local url="$1"
+
+  [[ -n "${url}" ]] || fail "URL must not be empty."
+
+  info "VirusTotal API-free URL workflow prepared."
+  printf 'VT_BROWSER_URL=%s\n' "https://www.virustotal.com/gui/home/url"
+  printf 'VT_SUBMIT_URL=%s\n' "${url}"
+  printf 'OPENCLAW_BROWSER_COMMAND=%s\n' "browser.navigate https://www.virustotal.com/gui/home/url"
+  printf 'OPENCLAW_BROWSER_NOTE=%s\n' "Use browser.snapshot and browser.act to submit the URL and inspect detections."
+}
+
+check_file() {
+  local file_path="$1"
+  local sha256
+  local report_url
+
+  require_file "${file_path}"
+  sha256="$(sha256_file "${file_path}")"
+  report_url="https://www.virustotal.com/gui/file/${sha256}/detection"
+
+  info "VirusTotal API-free file workflow prepared."
+  printf 'VT_FILE_SHA256=%s\n' "${sha256}"
+  printf 'VT_GUI_REPORT=%s\n' "${report_url}"
+  printf 'VT_BROWSER_UPLOAD=%s\n' "https://www.virustotal.com/gui/home/upload"
+  printf 'OPENCLAW_BROWSER_NOTE=%s\n' "Open the report URL first. If no report exists and uploads are approved, use browser.upload on the upload page."
+
+  if [[ "${VIRUSTOTAL_ALLOW_UPLOADS}" -eq 1 ]]; then
+    printf 'VT_UPLOAD_ALLOWED=%s\n' "1"
+  else
+    printf 'VT_UPLOAD_ALLOWED=%s\n' "0"
+    warn "Website upload is disabled unless the user explicitly approves it."
+  fi
+  printf 'USER_DECISION_REQUIRED=%s\n' "If VirusTotal flags this file, ask the user whether to keep or remove it."
+}
+
+main() {
+  case "${1:-}" in
+    --url)
+      [[ $# -eq 2 ]] || { usage; exit 1; }
+      check_url "$2"
+      ;;
+    --file)
+      [[ $# -eq 2 ]] || { usage; exit 1; }
+      check_file "$2"
+      ;;
+    *)
+      usage
+      exit 1
+      ;;
+  esac
+}
+
+main "$@"