Your OpenClaw agent is probably misconfigured. Mantou finds out in 10 seconds — on your machine, with zero telemetry.
OpenClaw gives your agent shell access, file access, channels, and a gateway. Every one of those is a misconfiguration waiting to happen. Mantou is the security linter for that config.
It runs locally in seconds, never phones home, and tells you exactly what to fix — not just what's wrong.
```
Mantou 2026.03.15 — OpenClaw Security Posture Scan
Findings: 7 total (5 critical 1 high 1 medium)
[CRITICAL] CFG-018 Small model requires sandboxing — web tools must be disabled
[CRITICAL] CHN-005 Discord group/guild policy is open — any server can message your agent
[CRITICAL] CHN-007 Open groupPolicy with runtime + filesystem tools exposed
[CRITICAL] TOOL-001 Shell denylist absent — agent can run arbitrary binaries
[CRITICAL] TOOL-005 Filesystem deny list missing sensitive paths
[HIGH] TOOL-002 No confirm-before-exec list defined
[MEDIUM] TOOL-006 safeBins includes interpreters without explicit runtime profiles
```
```bash
pipx install git+https://github.com/peeweeh/mantou.git
```

Requires Python 3.11+. `pipx` keeps it isolated. `pip install` also works.
```bash
# Full scan (config + tools)
mantou scan --text
# Static only — no tool invocations
mantou scan --text --skip-tools
# Only show things worth fixing today
mantou scan --text --min-severity medium
# Fail CI on critical findings
mantou scan --exit-on critical
```

Scan output is also available as JSON for piping into SIEM, Slack, or whatever you pipe things into:

```bash
mantou scan --json | jq '.findings[] | select(.severity == "critical")'
```

69 rules across every attack surface of an OpenClaw deployment:
| Family | What it looks for |
|---|---|
| `CFG-` | Gateway hardening, model sandboxing, auth presence |
| `CHN-` | Channel access boundaries — Discord, Telegram, open groups |
| `AGT-` | Per-agent safeBins escapes, workspace isolation, approval rules |
| `TOOL-` | Shell denylists, filesystem path limits, exec confirmation |
| `PERM-` | Sensitive file and directory permissions |
| `PROMPT-` | Hardcoded secrets and credentials in prompt documents |
| `CRED-` | Inline keys and tokens in `openclaw.json` |
| `ISO-` | Container isolation and sandbox enforcement |
| `OS-` | Runtime version and patch hygiene |
| `ADV-` | Manual-verification advisories for things that can't be automated |
Every finding ships with a plain-English remediation step. No vague "consider hardening this" — just what to change.
```
CLI → Scanner → Rule Engine → Finders → Findings
                    |
          JSON rules (mantou/rules/*.json)
```
Mantou runs in three phases:
- Phase 1 — Static: Reads `openclaw.json` and local files. No processes spawned. Fast.
- Phase 2 — Tool-based: Invokes read-only system commands (`ps`, `uname`, permission checks). Skippable with `--skip-tools`.
- Phase 3 — LLM-assisted: (coming soon) Deep semantic analysis of prompt files and agent instructions.
All rules are declarative JSON. No magic. Easy to audit, easy to extend.
```bash
mantou rules list
mantou rules show CFG-018
```

Drop a JSON file next to your config and point Mantou at it:

```bash
mantou scan --rules ./my-org-rules
```

```json
[{
  "id": "MY-001",
  "enabled": true,
  "description": "Disallow debug mode in production",
  "target": { "type": "json", "file": "openclaw.json", "path": "$.debug" },
  "probe": { "type": "value" },
  "condition": { "operator": "equals", "value": true },
  "finding": {
    "severity": "high",
    "category": "config",
    "title": "Debug mode enabled",
    "detail": "debug=true exposes internal state",
    "remediation": "Set debug to false or remove the key."
  }
}]
```

```bash
git clone https://github.com/peeweeh/mantou.git
cd mantou
python3.11 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest tests/ -q
```

Branch strategy: nightly gets daily commits → main gets CalVer releases (YYYY.MM.DD).
Rule PRs are the highest-value contribution. A good rule is:
- Deterministic — same config, same result, always
- Low noise — don't fire unless it actually matters
- Actionable — ships with a concrete remediation step
- Tested — fixture in `tests/fixtures/`
Open an issue first if you're unsure whether something belongs in the default ruleset.
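To make the "deterministic, low noise, tested" criteria concrete, the following added sketch (not Mantou's rule engine or test harness) dry-runs the `MY-001` rule shown above against constructed configs, including ones that must not fire. It assumes a simple dotted-path subset of `$.` paths and strict-typed `equals`; Mantou's actual path and operator semantics may differ, and the names `resolve`, `evaluate` and `run_fixtures` are hypothetical.

```python
import json

# MY-001 as shown in this README; only the fields the sketch needs are kept.
RULE = json.loads("""{
  "id": "MY-001", "enabled": true,
  "target": {"type": "json", "file": "openclaw.json", "path": "$.debug"},
  "probe": {"type": "value"}, "condition": {"operator": "equals", "value": true},
  "finding": {"severity": "high", "title": "Debug mode enabled",
              "remediation": "Set debug to false or remove the key."}
}""")

_MISSING = object()  # sentinel: distinguishes an absent key from null/false

def resolve(doc, path):
    """Resolve a dotted path like $.a.b (assumed subset of the path syntax)."""
    if not path.startswith("$"):
        raise ValueError(f"unsupported path: {path}")
    node = doc
    for key in filter(None, path[1:].split(".")):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def evaluate(rule, config):
    """Return a finding dict if the rule fires on config, else None."""
    if not rule.get("enabled", True):
        return None
    cond = rule["condition"]
    if rule["probe"]["type"] != "value" or cond["operator"] != "equals":
        raise NotImplementedError("sketch handles value/equals only")
    actual = resolve(config, rule["target"]["path"])
    # Assumption: strict typing, so 1 or "true" does not match JSON true.
    same_type = type(actual) is type(cond["value"])
    if actual is _MISSING or not same_type or actual != cond["value"]:
        return None
    return {"id": rule["id"], **rule["finding"]}

# Constructed fixtures: (config, should_fire). Quiet cases guard against noise.
FIXTURES = {
    "debug_on": ({"debug": True}, True),
    "debug_off": ({"debug": False}, False),
    "key_absent": ({"gateway": {}}, False),
    "truthy_not_true": ({"debug": 1}, False),
}

def run_fixtures(rule=RULE):
    # Map fixture name -> whether the rule behaved as expected on it.
    return {name: (evaluate(rule, cfg) is not None) == expect
            for name, (cfg, expect) in FIXTURES.items()}
```

The negative fixtures matter as much as the positive one: a rule that fires on an absent key or a loosely truthy value is the kind of noise the criteria above rule out.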
MIT — use it, fork it, embed it in your own tooling.
