meridianix/moltbot-preflight

moltbot-preflight

Pre-startup security scanner for Moltbot configurations. Run before starting your gateway to catch misconfigs before you're exposed.

Why

The built-in moltbot security audit runs inside the Moltbot process itself, so by the time it reports a dangerous setting the gateway is already up and listening with that setting. This tool audits the config file before startup, from outside Moltbot, so a bad config is caught before anything is exposed.

Install

git clone https://github.com/meridianix/moltbot-preflight
cd moltbot-preflight

No dependencies. Pure Python 3.

Usage

# Audit default config (~/.clawdbot/moltbot.json)
python3 moltbot_preflight.py

# Audit specific config
python3 moltbot_preflight.py --config /path/to/moltbot.json

# JSON output for CI/CD
python3 moltbot_preflight.py --json

# Disable colors
python3 moltbot_preflight.py --no-color

Exit code 1 on CRITICAL/HIGH findings, 0 otherwise.

What It Checks

Gateway & Network

  • Dangerous bind settings (0.0.0.0, all, *)
  • Missing or weak authentication
  • Port exposure
  • Missing trustedProxies for reverse proxy
  • Insecure controlUi flags
  • Verbose mDNS discovery

Access Control

  • Open dmPolicy without allowlist
  • Open groupPolicy
  • Missing channel allowlists
  • Wildcard allowlist entries
  • Tailnet bind without token auth

Execution & Isolation

  • Elevated tools without allowFrom
  • Missing sandbox mode with elevated tools
  • Browser evaluateEnabled
  • Weak session isolation

Filesystem

  • Config file permissions (should be 600: owner read/write only)
  • State directory permissions (should be 700: owner access only)
  • Credential file permissions

Logging

  • Disabled log redaction
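
The following is an added example of what a pre-startup audit of this kind looks like in Python; it is not moltbot-preflight's own code. It implements a handful of the checks listed above (dangerous bind, missing or weak token auth, missing trustedProxies behind a reverse proxy, disabled log redaction, config file and state directory modes) against a constructed weak config and its hardened counterpart, and applies the same exit-code policy the README states. The config key paths (gateway.bind, gateway.auth.token, gateway.reverseProxy, gateway.trustedProxies, logging.redact), the port value and the 32-character token threshold are assumptions for illustration, not the real Moltbot schema.

```python
"""Added example, not moltbot-preflight's own code: a minimal pre-startup audit.
Config key paths (gateway.bind, gateway.auth.token, gateway.reverseProxy,
gateway.trustedProxies, logging.redact) are assumed for illustration."""
import json
import os
import shutil
import stat
import tempfile

FAIL_LEVELS = {"CRITICAL", "HIGH"}               # these severities exit 1
DANGEROUS_BINDS = {"0.0.0.0", "all", "*", "::"}  # README's values plus IPv6 "any"
MIN_TOKEN_LEN = 32                               # assumed threshold for a "weak" token


def check_gateway(cfg):
    """Gateway & Network: dangerous bind, missing/weak auth, missing trustedProxies."""
    findings = []
    gw = cfg.get("gateway") or {}
    bind = str(gw.get("bind", "127.0.0.1"))
    token = str((gw.get("auth") or {}).get("token") or "")
    if bind in DANGEROUS_BINDS:
        findings.append(("CRITICAL", "gateway.bind",
                         f"bind={bind!r} exposes the gateway on every interface"))
        if not token:
            findings.append(("CRITICAL", "gateway.auth.token",
                             "non-loopback bind with no auth token"))
    if token and len(token) < MIN_TOKEN_LEN:
        findings.append(("HIGH", "gateway.auth.token",
                         f"token is {len(token)} chars; use {MIN_TOKEN_LEN}+ random chars"))
    if gw.get("reverseProxy") and not gw.get("trustedProxies"):
        findings.append(("HIGH", "gateway.trustedProxies",
                         "behind a reverse proxy with no trustedProxies; forwarded IPs are unverified"))
    return findings


def check_logging(cfg):
    """Logging: redaction explicitly disabled."""
    if (cfg.get("logging") or {}).get("redact") is False:
        return [("HIGH", "logging.redact", "log redaction disabled; secrets may land in logs")]
    return []


def check_mode(path, max_mode, what):
    """Filesystem: flag any permission bit beyond max_mode (0o600 file / 0o700 dir)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        return [("HIGH", what, f"{path} is {mode:04o}; expected at most {max_mode:04o}")]
    return []


def audit(config_path, state_dir=None):
    """Run all checks; return (exit_code, findings) with exit 1 on CRITICAL/HIGH."""
    with open(config_path) as fh:
        cfg = json.load(fh)
    findings = check_gateway(cfg) + check_logging(cfg)
    findings += check_mode(config_path, 0o600, "config file permissions")
    if state_dir is not None:
        findings += check_mode(state_dir, 0o700, "state directory permissions")
    exit_code = 1 if any(sev in FAIL_LEVELS for sev, _, _ in findings) else 0
    return exit_code, findings


# Constructed samples, not real deployments. WEAK_CONFIG gets every check wrong;
# SAFE_CONFIG is the same config hardened. The token is a placeholder, not a secret.
WEAK_CONFIG = {
    "gateway": {"bind": "0.0.0.0", "port": 8080, "auth": {"token": "hunter2"},
                "reverseProxy": True, "trustedProxies": []},
    "logging": {"redact": False},
}
SAFE_CONFIG = {
    "gateway": {"bind": "127.0.0.1", "port": 8080,
                "auth": {"token": "REPLACE-WITH-32-PLUS-RANDOM-CHARS-0123456789"},
                "reverseProxy": True, "trustedProxies": ["10.0.0.5"]},
    "logging": {"redact": True},
}


def demo(cfg, file_mode, dir_mode):
    """Write cfg into a throwaway state dir with the given modes, audit it, clean up."""
    state_dir = tempfile.mkdtemp()
    config_path = os.path.join(state_dir, "moltbot.json")
    with open(config_path, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(config_path, file_mode)
    os.chmod(state_dir, dir_mode)
    try:
        return audit(config_path, state_dir)
    finally:
        shutil.rmtree(state_dir)


if __name__ == "__main__":
    for name, cfg, fm, dm in (("weak", WEAK_CONFIG, 0o644, 0o755),
                              ("safe", SAFE_CONFIG, 0o600, 0o700)):
        code, found = demo(cfg, fm, dm)
        print(f"{name}: exit {code}")
        for sev, key, msg in found:
            print(f"  [{sev}] {key}: {msg}")
```

Run as a script it prints six findings and exit 1 for the weak sample and no findings with exit 0 for the hardened one. The permission check is deliberately "no bit beyond the maximum" rather than "exactly 600", so a 400 config file passes while 640 or 644 fails; that matches the intent of the README's 600/700 guidance without rejecting stricter modes.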

CI/CD Integration

python3 moltbot_preflight.py --json && moltbot start

Fails fast: because of the `&&`, `moltbot start` only runs when the preflight exits 0, so a CRITICAL or HIGH finding stops the pipeline before the gateway is launched.

Tests

python3 -m unittest test_moltbot_preflight -v

31 tests covering all checks.

License

MIT
