Find security holes in your OpenClaw gateway config before attackers do.
One command. Ten checks. Zero dependencies. Nothing leaves your machine.
```sh
npx milo-scan
```

That's it. You'll get a letter grade (A–F) and actionable fix commands for every issue found.
Most OpenClaw and NanoClaw setups ship with default configs that are wide open — no auth, no TLS, gateway bound to 0.0.0.0. We've seen it hundreds of times.
milo-scan catches the 10 most dangerous misconfigurations in seconds, so you can fix them before they become incidents.
| # | Check | Severity | What It Catches |
|---|---|---|---|
| 1 | Gateway binding | 🔴 Critical | Gateway exposed to all network interfaces |
| 2 | Authentication | 🔴 Critical | Missing or weak auth tokens |
| 3 | TLS/HTTPS | 🔴 Critical | Unencrypted traffic on public-facing gateways |
| 4 | Hardcoded secrets | 🔴 Critical | API keys or tokens sitting in your config file |
| 5 | Exec permissions | 🟡 Warning | Skills with unrestricted command execution |
| 6 | CORS policy | 🟡 Warning | Cross-origin requests wide open |
| 7 | Rate limiting | 🟡 Warning | No abuse protection configured |
| 8 | Port config | 🔵 Info | Default or privileged port usage |
| 9 | Logging | 🔵 Info | Access logs not enabled |
| 10 | Memory encryption | 🔵 Info | Agent memory stored unencrypted |
```sh
npx milo-scan
```

Automatically finds gateway.yaml, gateway.yml, or config/gateway.yaml in your project.

```sh
npx milo-scan ./path/to/gateway.yaml
```

Or install globally:

```sh
npm install -g milo-scan
milo-scan
```

| Grade | Score | Meaning |
|---|---|---|
| A | 90–100 | Well hardened. Ship it. |
| B | 75–89 | Solid, minor improvements possible. |
| C | 60–74 | Real issues. Fix before deploying. |
| D | 40–59 | Significant security gaps. |
| F | 0–39 | Critical exposure. Fix immediately. |
Example output:

```text
🔒 Milo Scan — OpenClaw Security Audit
Scanning: ./gateway.yaml

🚨 CRITICAL (2)

  ✗ Gateway bound to 0.0.0.0
    Your gateway is accessible from any network interface.
    Fix: Set host: 127.0.0.1

  ✗ No authentication configured
    Anyone who can reach your gateway can control your agent.
    Fix: Add auth_token: <random-32-char-string>

⚠ WARNINGS (1)

  ⚠ No rate limiting
    No rate limiting detected.
    Fix: Add rate_limit configuration

✓ PASSED (4)
  ✓ TLS/HTTPS
  ✓ Exec permissions
  ✓ No hardcoded secrets
  ✓ CORS policy

────────────────────────────
Security Grade: D
────────────────────────────
```
🔗 Need help fixing these? → https://getmilo.dev/security
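To make the check table and the grade bands above concrete, here is an added example (not milo-scan's own code, and not from the Milo project) that runs a handful of the same checks over an already-parsed gateway config and maps the findings to the README's grade bands. The keys `host`, `auth_token` and `rate_limit` come from the sample output above; `tls.enabled`, `cors.origins`, the `skills` section, the severity weights (critical 20, warning 10, info 5) and the two sample configs are assumptions made for this example. It also spells out two things the one-line fixes leave implicit: an IPv6 wildcard (`::`) is as exposed as `0.0.0.0`, and a missing TLS block is only critical when the gateway is actually reachable off-host.

```javascript
// Added example, not milo-scan's code. Severity weights, and every config key except
// host, auth_token and rate_limit (which appear in the README's sample output), are assumptions.
const WEIGHT = { critical: 20, warning: 10, info: 5 };
const LOOPBACK = new Set(["127.0.0.1", "localhost", "::1"]);
const WILDCARD = new Set(["0.0.0.0", "::", "[::]"]);
const SECRET_KEY_RE = /(api_?key|token|secret|password)$/i;
const ENV_REF_RE = /^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$/; // ${OPENAI_API_KEY} or $OPENAI_API_KEY

// Walk the parsed config and return dotted paths of secret-looking keys whose value is a
// literal string rather than an environment reference. The top-level auth_token is skipped
// because the README scores it under the separate Authentication check.
function findLiteralSecrets(node, path = []) {
  const hits = [];
  if (node === null || typeof node !== "object") return hits;
  for (const [key, value] of Object.entries(node)) {
    const here = [...path, key];
    if (typeof value === "object") {
      hits.push(...findLiteralSecrets(value, here));
    } else if (typeof value === "string" && SECRET_KEY_RE.test(key) &&
               !ENV_REF_RE.test(value.trim()) && here.join(".") !== "auth_token") {
      hits.push(here.join("."));
    }
  }
  return hits;
}

function runChecks(config) {
  const findings = [];
  const add = (check, severity, detail, fix) => findings.push({ check, severity, detail, fix });
  const host = typeof config.host === "string" ? config.host.trim() : "";
  const exposed = !LOOPBACK.has(host);
  // 1. Binding. "0.0.0.0" is the textbook case, but "::" (IPv6 any) is just as open,
  //    and an unset host falls back to whatever the server happens to default to.
  if (WILDCARD.has(host)) {
    add("Gateway binding", "critical", `host ${host} listens on every interface`, "Set host: 127.0.0.1");
  } else if (host === "") {
    add("Gateway binding", "warning", "host is not set; the default binding is server-defined", "Set host: 127.0.0.1");
  }
  // 2. Authentication. A missing or short literal token fails; an env reference passes
  //    because its length cannot be judged from the file.
  const token = typeof config.auth_token === "string" ? config.auth_token.trim() : "";
  if (token === "") {
    add("Authentication", "critical", "no auth_token configured", "Add auth_token: <random-32-char-string>");
  } else if (!ENV_REF_RE.test(token) && token.length < 32) {
    add("Authentication", "critical", `auth_token is only ${token.length} chars`, "Use a random token of at least 32 chars");
  }
  // 3. TLS matters only when traffic can leave the host (assumed key: tls.enabled).
  if (exposed && !(config.tls && config.tls.enabled === true)) {
    add("TLS/HTTPS", "critical", "gateway is reachable off-host without TLS", "Enable tls, or bind to loopback");
  }
  // 4. Hardcoded secrets anywhere in the tree.
  for (const p of findLiteralSecrets(config)) {
    add("Hardcoded secrets", "critical", `literal secret at ${p}`, `Move ${p} into an environment variable`);
  }
  // 5. CORS (assumed key: cors.origins).
  const origins = config.cors && Array.isArray(config.cors.origins) ? config.cors.origins : [];
  if (origins.includes("*")) {
    add("CORS policy", "warning", "cors.origins allows any origin", "List only the origins that need access");
  }
  // 6. Rate limiting.
  if (!config.rate_limit) {
    add("Rate limiting", "warning", "no rate_limit configured", "Add rate_limit configuration");
  }
  return findings;
}

// Start at 100, subtract per finding, clamp at 0, then apply the README's grade bands.
function grade(findings) {
  const score = Math.max(0, 100 - findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0));
  const letter = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
  return { score, letter };
}

// Constructed sample configs, not real deployments. WEAK_CONFIG reproduces the README's
// sample run (two criticals, one warning); HARDENED_CONFIG keeps every secret in the environment.
const WEAK_CONFIG = {
  host: "0.0.0.0", port: 8080, tls: { enabled: true }, cors: { origins: ["https://app.example"] },
};
const HARDENED_CONFIG = {
  host: "127.0.0.1", port: 8080, auth_token: "${OPENCLAW_GATEWAY_TOKEN}",
  rate_limit: { requests_per_minute: 60 }, cors: { origins: ["https://app.example"] },
  skills: { openai_api_key: "${OPENAI_API_KEY}" },
};

for (const [name, cfg] of [["weak", WEAK_CONFIG], ["hardened", HARDENED_CONFIG]]) {
  const findings = runChecks(cfg);
  const { score, letter } = grade(findings);
  console.log(`${name}: ${findings.length} finding(s), score ${score}, grade ${letter}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.check}: ${f.detail} -> ${f.fix}`);
}
```

Run it with `node`; WEAK_CONFIG lands on score 50, grade D, exactly the README's sample run, and HARDENED_CONFIG scores A. Because the weights are assumed, the real tool's score for the same file may differ; the bands, not the weights, are what this README publishes.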
- Zero dependencies — single file, nothing to audit but one script
- Runs locally — your config never leaves your machine
- No telemetry — no analytics, no tracking, no network calls
- MIT licensed — use it however you want
Got your grade? Here's the path forward:
| Your Grade | Recommended Next Step |
|---|---|
| A or B | Set up Milo Watch for continuous monitoring (free) |
| C or D | Walk through each fix yourself, or get a professional audit → |
| F | Your gateway is exposed. Fix it now → |
📖 Full guide: Beyond Scanning — What Comes Next
| Tool | What It Does | Cost |
|---|---|---|
| milo-scan (this) | One-time config audit | Free |
| Milo Watch | Daily automated scans + alerts | Free |
| Milo Shield | Auto-fix misconfigurations in real time | Free |
| Web Scanner | Browser-based OpenClaw scanner | Free |
| Professional Audit | Full security review + hardening | From $199 |
| AI Agent Teams | Agents that handle scheduling, follow-up, ops | From $399 |
Found a check we should add? Open an issue or PR. We're especially interested in:
- New security checks for OpenClaw/NanoClaw configurations
- Support for additional config formats
- Integration with CI/CD pipelines
MIT — Milo