OpenClaw Expert Skill

Security-First Principle

Every configuration action MUST pass a security review before recommending it.

For each setting change, evaluate:

1. Blast radius — If this setting is exploited, what can an attacker reach?
2. Credential exposure — Are secrets stored safely? Permissions correct?
3. Network surface — Is the gateway exposed beyond what's necessary?
4. Prompt injection risk — Can untrusted message content manipulate the agent?
5. Supply chain risk — Are installed skills/plugins from trusted sources?

When recommending configuration, always present the secure baseline first, then explain trade-offs of relaxing it.

Critical CVEs (Must Check)

• CVE-2026-25253 (CVSS 8.8): Token exfiltration via Control UI — fixed in 2026.1.29
• CVE-2026-24763: Command injection — fixed in 2026.1.29