Fleet Capabilities
Fleet Capabilities

Security Scanning

Compliance scoring, credential leak detection, extension drift monitoring, and security hardening checks—the AI-specific security layer that sits on top of your existing infrastructure.

Compliance Scoring

A 0–100 composite score across 7 configuration checks. Each check is weighted equally. A score below 70 triggers a YELLOW warning; below 50 triggers RED.

CheckWhat It Validates
Network BindingGateway binds to localhost only, not exposed externally
AuthenticationAPI authentication enabled and properly configured
Sandbox ModeAgent sandbox restrictions active for code execution
DM PolicyTelegram direct message policy set to deny-all by default
Exec ModeCode execution mode restricted to sandboxed environments
Version CurrencyOpenClaw version is current and not known-vulnerable
Multi-User IsolationSession isolation prevents cross-agent data leakage

Credential Scanning

20 regex patterns scan workspace files for accidentally exposed secrets: API keys, tokens, private keys, passwords. Results are redacted in output to prevent secondary exposure.

Known credential locations (openclaw.env, GOG keyring, fleet-credentials.json) are checked for permission correctness (600/700) rather than flagged as leaks. The credential scan targets unexpected locations: session files, memory files, agent workspace output, logs.

Extension Drift Detection

SHA-256 baselines are computed for every file in the extensions directory. On subsequent scans, Mighty Mark compares current hashes against the baseline. Any drift indicates either a legitimate upgrade (update the baseline) or unauthorized modification (investigate).

What We Do vs. What We Don't

What We Do
  • AI agent config hygiene and hardening
  • Credential leak detection in workspace files
  • Extension binary drift (SHA-256 baselines)
  • Session isolation enforcement
  • Fleet-specific permission checks (600/700)
  • Compliance scoring for AI governance config
What We Don't Do
  • General infrastructure vulnerability scanning (SAST/DAST)
  • Network penetration testing
  • SIEM log aggregation and correlation
  • Endpoint detection and response (EDR)
  • Container image scanning
  • Cloud IAM policy auditing

Complementing Your Security Stack

No existing SIEM tool knows whether your AI agent's Telegram DM policy is set to deny-all. No vulnerability scanner checks whether extension binaries have drifted from their last known-good SHA-256. No EDR solution validates whether session isolation is properly enforced for a multi-agent AI fleet.

Mighty Mark's security scanning is the AI-specific layer that fills the gap your existing infrastructure security can't reach. It doesn't replace your SAST, DAST, or SIEM—it complements them with governance-aware checks that only matter when you're running autonomous AI agents in production.

CLI Reference

Security Scanning Commands
# mighty-mark v0.7.x

# Run full security scan
mighty-mark security-scan

# Run with extension drift detection
mighty-mark security-scan --drift

Health Check Battery

Full 138+ check breakdown

Governance & Authority

Read-only constraint and patent backing