nox-openclaw-hunter
v1.0.3
OpenClaw Detection & Removal CLI by OpenClaw Hunter

OpenClaw Hunter
Hunt, purge, and isolate OpenClaw AI agents across your fleet.
TL;DR — This tool works with all MDMs or locally on your endpoint: use npm for local install and scripts for MDM deployment.
Installation
npm install -g nox-openclaw-hunter
Or build from source:
git clone https://github.com/Arampc/OpenClaw-Hunter.git
cd OpenClaw-Hunter
npm install && npm run build && npm link
Deploy via your MDM (Jamf, Intune, JumpCloud) using the script sources below. Upload the script to your MDM as a command/policy, then assign it to device groups. See MDM Deployment for platform-specific steps.
| Script | Platform | Source |
|--------|----------|--------|
| Scan (detect) | macOS / Linux | nox-scan.sh |
| Scan (detect) | Windows | nox-scan.ps1 |
| Purge | macOS / Linux | nox-purge.sh |
| Purge | Windows | nox-purge.ps1 |
Requires Node.js 18+
Commands
nox scan
Hunt for OpenClaw installations on the system.
nox scan # Scan current user
nox scan --all-users # Scan all users (requires sudo)
nox scan --json # Output as JSON
nox scan --yaml # Output as YAML
Example output (when OpenClaw is detected):
┌────────────────────┬──────────────────────────────────────────────────┐
│ Status │ Installed & Running │
├────────────────────┼──────────────────────────────────────────────────┤
│ Hostname │ {Hostname} │
├────────────────────┼──────────────────────────────────────────────────┤
│ Platform │ {Type} │
├────────────────────┼──────────────────────────────────────────────────┤
│ Timestamp │ 2026-02-04T13:35:09.008Z │
└────────────────────┴──────────────────────────────────────────────────┘
Detection Details:
┌───────────────┬───────────────┬────────────────────────────────────────┐
│ Component │ Status │ Details │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ CLI Binary │ Found │ /Users/{path} │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ App Bundle │ {} │ - │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ State Dir │ Found │ /Users/{path}/.openclaw │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ Config │ Found │ /Users/{path}/.openclaw/opencl… │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ AI Model │ Configured │ google/gemini-3-flash-preview (e.g.) │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ Autonomous │ ENABLED │ Agent has autonomous execution │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ Service │ Running │ ai.openclaw.gateway │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ Gateway │ Listening │ Port 18789 │
├───────────────┼───────────────┼────────────────────────────────────────┤
│ Docker │ Not found │ - │
└───────────────┴───────────────┴────────────────────────────────────────┘
Agent Permissions:
┌──────────────────────────────────────────────────┐
│ Granted Permissions │
├──────────────────────────────────────────────────┤
│ workspace: /Users/{path}/.openclaw/works… │
└──────────────────────────────────────────────────┘
Running Processes:
┌──────┬──────────────────┬──────┬─────────┐
│ PID │ Name │ User │ Memory │
├──────┼──────────────────┼──────┼─────────┤
│ 6688 │ openclaw-gateway │ - │ 385.1MB │
├──────┼──────────────────┼──────┼─────────┤
│ 4861 │ openclaw │ - │ 54.9MB │
├──────┼──────────────────┼──────┼─────────┤
│ 4888 │ openclaw-onboard │ - │ 381.8MB │
└──────┴──────────────────┴──────┴─────────┘
nox purge
Purge all OpenClaw components from the system.
nox purge --dry-run # Preview what will be purged
sudo nox purge # Execute purge
sudo nox purge --force # Skip confirmation
Example output (after a successful purge):
Enforcement Results:
┌────────────────┬────────────────────────────────┬──────────┬────────────┐
│ Action │ Target │ Status │ Details │
├────────────────┼────────────────────────────────┼──────────┼────────────┤
│ process-kill │ openclaw-gateway │ Success │ │
├────────────────┼────────────────────────────────┼──────────┼────────────┤
│ process-kill │ openclaw │ Success │ │
├────────────────┼────────────────────────────────┼──────────┼────────────┤
│ process-kill │ openclaw-onboard │ Success │ │
├────────────────┼────────────────────────────────┼──────────┼────────────┤
│ service-stop │ ai.openclaw.gateway │ Success │ │
├────────────────┼────────────────────────────────┼──────────┼────────────┤
│ binary-remove │ /usr/local/bin/openclaw │ Success │ │
├────────────────┼────────────────────────────────┼──────────┼────────────┤
│ config-remove │ /Users/{user}/.openclaw │ Success │ │
└────────────────┴────────────────────────────────┴──────────┴────────────┘
Summary:
Total: 6
Success: 6
Failed: 0
Skipped: 0
nox isolate
Isolate the device by blocking ports, quarantining files, and preventing reinstallation.
nox isolate --dry-run # Preview isolation actions
sudo nox isolate # Apply isolation
sudo nox isolate revert # Revert isolation
nox isolate list # List quarantined items
nox export
Generate MDM deployment scripts for fleet-wide hunting.
nox export --platform jamf --mode detect
nox export --platform intune --mode purge
nox export --platform jumpcloud --mode detect --webhook https://siem.example.com
Supported platforms: jamf, intune, jumpcloud
What It Detects
| Component | Detection Method |
|-----------|------------------|
| CLI Binary | Known paths, which lookup |
| App Bundle | /Applications/OpenClaw.app (macOS) |
| Config | ~/.openclaw, ~/.clawdbot, ~/.moltbot |
| Gateway | TCP port scan (auto-detects port) |
| Processes | Process name matching |
| Service | launchctl / systemctl / sc |
| Docker | Containers and images |
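An added example, not part of OpenClaw Hunter or its nox-scan.sh: a minimal POSIX shell spot-check for the state directories in the table above and the process names from the sample scan output, returning the CLEAN / DETECTED / ERROR exit codes this README defines. The function names and the saved process-snapshot file argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not the project's nox-scan.sh.
# Indicators come from this README: state dirs from the detection table,
# process names from the sample `nox scan` output.
STATE_DIRS=".openclaw .clawdbot .moltbot"
PROC_NAMES="openclaw openclaw-gateway openclaw-onboard"

# find_state_dirs HOME_DIR: print every listed state dir present under HOME_DIR.
find_state_dirs() {
    for d in $STATE_DIRS; do
        if [ -d "$1/$d" ]; then printf '%s\n' "$1/$d"; fi
    done
}

# match_processes: read "PID COMMAND [ARGS...]" lines on stdin and print the
# ones whose command basename exactly equals a listed name. Exact matching
# keeps unrelated commands that merely contain "openclaw" out of the result.
match_processes() {
    while read -r pid cmd rest; do
        for p in $PROC_NAMES; do
            if [ "${cmd##*/}" = "$p" ]; then printf '%s %s\n' "$pid" "$p"; fi
        done
    done
}

# spot_check HOME_DIR PS_FILE: print findings and return the README's codes:
# 0 = CLEAN, 1 = DETECTED, 2 = ERROR (unreadable input).
# PS_FILE is a saved snapshot, e.g. from: ps -A -o pid= -o args= > ps.txt
spot_check() {
    if [ ! -d "$1" ] || [ ! -r "$2" ]; then return 2; fi
    hits=$(find_state_dirs "$1"; match_processes < "$2")
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 1
}
```

After sourcing the file, `spot_check "$HOME" ps.txt; echo $?` gives a quick cross-check of a single account against what `nox scan` reports; it does not cover the binary, service, gateway port or Docker checks.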
MDM Deployment
OpenClaw Hunter can be deployed across your fleet via MDM (Mobile Device Management). Use nox export to generate scripts (or download the scripts nox-scan, nox-purge.sh), then add them to your MDM.
Supported MDMs:
| MDM | Platforms | Modes |
|-----|-----------|--------|
| Jamf | macOS | detect, purge |
| Intune | Windows, macOS | detect, purge |
| JumpCloud | Windows, macOS, Linux | detect, purge (enforce) |
JumpCloud

Step 1 — Use the scripts
Use nox-scan.sh and nox-scan.ps1 for detection, and nox-purge.sh and nox-purge.ps1 for purge.
Step 2 — Create a command in JumpCloud
| # | What to do |
|---|------------|
| 1 | In JumpCloud go to Device Management → Commands. |
| 2 | Click + (Add Command). |
| 3 | Name: e.g. Nox OpenClaw Detection (macOS). |
| 4 | Command: Paste the full contents of nox-scan.sh. |
| 5 | Command Type: Mac (or Linux / Windows for the matching script). |
| 6 | Run As: Root (required for full detection). |
| 7 | Timeout: 120 seconds. |
| 8 | Launch Options: Trigger (e.g. nox-openclaw-detect) or Schedule (e.g. daily). |
| 9 | Click Save. |
Step 3 — Repeat for each OS (and optionally purge)
| OS | Command type | Script |
|----|--------------|--------|
| macOS | Mac | nox-scan.sh |
| Linux | Linux | nox-scan.sh |
| Windows | Windows, Shell = PowerShell, Run As = Administrator | nox-scan.ps1 |
For purge, use nox-purge.sh / nox-purge.ps1; set Timeout to 300 seconds.
Step 4 — Assign to devices
Open the command → Device Groups or Systems tab → select the groups or systems → Save.
Step 5 — Run the command
- Manual run: Open the command → Systems tab → select one or more systems → Run (or use Run from the Commands list).
- Scheduled: If you set a Schedule in Step 2, the command runs automatically (e.g. daily).
- Trigger: If you set a Trigger, run it via the JumpCloud API using the trigger name.
- View results: Open the command → Results tab to see exit codes and output per system (e.g. 0 = clean, 1 = OpenClaw detected).
Exit Codes
| Code | Status | Description |
|------|--------|-------------|
| 0 | CLEAN | Not detected |
| 1 | DETECTED | OpenClaw found |
| 2 | ERROR | Runtime error |
| 3 | REMEDIATED | Purge successful |
| 4 | PURGE_FAILED | Purge failed |
| 5 | ISOLATED | Isolation applied |
Platform Support
- macOS — Full support (CLI, app bundle, launchd services)
- Linux — Full support (CLI, systemd services)
- Windows — Full support (CLI, Windows services)
License
MIT
Support: [email protected], [email protected]
Issues: github.com/Arampc/OpenClaw-Hunter/issues
OpenClaw Hunter ©
