CLAWSTIN MORNING PAPER — 2026-03-08

Sunday, 2026-03-08

INNOVATIONS

Nothing new in the last 24 hours.

AUTO AUDIT RESULTS

AUTOAUDIT Summary -- 2026-03-08


Findings


WARNING


1. AGENTS.md contradicts workspace state on IDENTITY.md and USER.md. The "Deleted Files — Do Not Recreate" section lists both files, yet both exist in the workspace and are injected as project context. Both contain "intentionally minimal" stubs. Either the "deleted" section should be removed, or the files should be removed. (AGENTS.md lines ~62-65; files at workspace root)
2. SCHEDULE.md entries not sorted chronologically. The Mar 9 entries (Hound Keyan, AR mighty white) appear after July 18 (Jim Kelly Wedding). Morning brief parser may process correctly regardless, but this violates the expected format. (Carried over from last audit)
3. update-check cron (441fcb8f) showing status "error". Last ran ~6h ago. Could not retrieve cron logs (no `openclaw cron logs` command). Previously flagged in heartbeat-state.json. Should be investigated in next session.
4. MEMORY.md pending items from 2026-03-04 still not persisted. Last audit flagged 6 items Ghost explicitly marked "for MEMORY.md" in the 3/04 daily log (Hellbot verification triple, $HINV replaces $HCOMP, parser number-name bug, legacy data boundary row 878+, positive SALE qty = returns, quarterly system refresh April 1). These still await Ghost confirmation. (Carried over)
5. Fired ATS one-shot plists still loaded:
   - `clawstin.ats.tell-ski-hustle-dee` — scheduled Mar 5, fired, still loaded
   - `clawstin.ats.test-with-special-chars-symbols` — scheduled Mar 4, fired, still loaded
6. clawstin-autonomous-spawner still in PROJECTS/ACTIVE/. 4th consecutive audit flagging this. No activity on it in recent sessions.

INFO


1. All 11 pre-audit checks passed (0 errors, 1 warning — the fired plist). Gateway running (pid 31342), IMAP OK, watchdog OK, cron clean, no log errors.
2. MEMORY.md at 117 words — well under cap. Healthy.
3. 32 unread blogwatcher articles — informational, no action needed.
4. 38 git commits in audit window. Major work: Coastguard COMPLETE (standby on VPS), Ironclad Fallback COMPLETE (Sonnet→Haiku chain tested), VM SSH unblocked via ssh-proxy.py, balance-guard.py updated, openclaw.json updated (2 commits).
5. 3 sessions on 2026-03-08 — all properly logged in daily notes with session detail files. Coastguard and Ironclad Fallback both moved to COMPLETE. Verified at stated paths.
6. Previous audit's fired reminder plists (11 reminders + 4 ATS) are cleaned up. No longer loaded. Good housekeeping.
7. front-desk-phone and voice-call-twilio resolved. Were in ACTIVE/ last 3 audits; moved to LIMBO (per ACTIVITY.md 3/07). Carried-over issue resolved.
8. ACTIVITY.md at 591 lines / 5,328 words. Growing large but not injected at startup — informational only.
9. vital-server (pid 1476) and cloudflared (pid 1487) running healthy. Both exit status 0.
10. All referenced scripts exist: ssh-proxy.py, balance-guard.py, coastguard.sh, morning-paper.py, send-todo.sh, triage.py, triage-proton.py, watchdog.sh — all verified at stated paths.
11. Cron model appropriateness: Opus for autoaudit ✅, Sonnet for security-guard ✅, Haiku for balance-guard/billing-watchdog/congress-disclosure/beancounter/rent-reminder ✅, Sonnet for morning-brief/morning-paper/zero-token-heartbeat ✅. update-check on Haiku is fine for routine check.
12. Cross-file consistency clean. Signal group IDs match across MEMORY.md and send-todo.sh. No stale references to removed files found. SYNC.md at v395, consistent with latest commit messages.

Carried Over


1. SCHEDULE.md sort order — entries not chronological (3rd consecutive audit).
2. MEMORY.md pending items from 2026-03-04 — 6 items awaiting Ghost confirmation (2nd consecutive audit).
3. clawstin-autonomous-spawner in ACTIVE/ — no recent activity (4th consecutive audit).

Past-Due Schedule Entries


None (next entries fire Mar 9).

Fired One-Shot Reminders


2 ATS plists have fired and could be unloaded/removed:
- `clawstin.ats.tell-ski-hustle-dee` (fired 2026-03-05)
- `clawstin.ats.test-with-special-chars-symbols` (fired 2026-03-04)

Note: hound-keyan-1day and ar-mighty-white-1day fired today (Mar 8 9am) as designed — their 1hr counterparts fire tomorrow (Mar 9) per SCHEDULE.md. These are current, not stale.

Step Completion Checklist

Step 1 -- Pre-Audit Data: completed (11 checks, 0 errors, 1 warning)
Step 2 -- Last Report Review: completed (reviewed 2026-03-04 report; 3 carried over, 4 resolved)
Step 3 -- Daily Integration: completed (2026-03-08 + 2026-03-07 logs reviewed; all sessions properly persisted; project moves verified)
Step 4 -- Git Diff + Downstream: completed (38 commits reviewed; openclaw.json changes tracked; no stale references found)
Step 5 -- File Health Review: completed (MEMORY.md 117 words; SCHEDULE.md sort issue; AGENTS.md contradiction flagged; all injected files reviewed)
Step 6 -- Cron + Automation: completed (17 cron jobs reviewed; model assignments appropriate; update-check error noted; LaunchAgents reviewed)
Step 7 -- Script Validation: completed (send-todo.sh, triage.py, triage-proton.py, watchdog.sh all verified; paths and group IDs correct)
Step 8 -- Cross-File Consistency: completed (Signal IDs consistent; SYNC version matches; AGENTS.md/IDENTITY.md/USER.md contradiction flagged)

CAPABILITY QUEUE

Queue is empty.

PAPER TRADING

| Model | Portfolio Value | P/L | Cash | Holdings |
|---|---|---|---|---|
| M01 Momentum Chaser | $1001.96 | +$1.96 (+0.2%) | $397.54 | MSTR 1.1148sh @$133.50, ADBE 0.5523sh @$283.66, QQQ 0.2491sh @$599.81, MSFT 0.3659sh @$408.62 |
| M02 Trend Follower | $1000.00 | +$0.00 (+0.0%) | $1000.00 | Cash only |
| M03 Momentum Rotator | $1156.19 | +$156.19 (+15.6%) | $833.94 | MSTR 1.1148sh @$133.50, GOOGL 0.5810sh @$298.48 |
| M04 Headline Trader | $1150.00 | +$150.00 (+15.0%) | $1000.00 | MSTR 1.1236sh @$133.50 |
| M05 Hot Sector Rotator | $1150.00 | +$150.00 (+15.0%) | $1000.00 | MSTR 1.1236sh @$133.50 |
| M06 Earnings Anticipator | $1150.00 | +$150.00 (+15.0%) | $1000.00 | MSTR 1.1236sh @$133.50 |
| M07 Panic Buyer | $1150.00 | +$150.00 (+15.0%) | $1000.00 | MSTR 1.1236sh @$133.50 |
| M08 Smart Money Tracker | $1150.00 | +$150.00 (+15.0%) | $1000.00 | MSTR 1.1236sh @$133.50 |
| M09 Gap Fader | $1000.00 | +$0.00 (+0.0%) | $850.00 | MSTR 1.1236sh @$133.50 |
| M10 Coil & Breakout | $1150.00 | +$150.00 (+15.0%) | $1000.00 | MSTR 1.1236sh @$133.50 |

Live prices: AAPL: $257.44, ADBE: $283.66, CRM: $202.09, GOOGL: $298.48, MSFT: $408.62, MSTR: $133.50, NVDA: $177.69, QQQ: $599.81, SPY: $672.47, TSLA: $396.56, WDAY: $151.07

SECURITY AUDIT

Security Guard Report — 2026-03-08

Patrol time: 03:30 AM (America/New_York)
Agent: Opus (via security-guard-invoke.py)
Duration: ~465s
Status: PARTIAL — agent completed patrol; write_file blocked (credential in content); report manually reconstructed from audit log


CRITICAL FINDINGS


Finding 1 — API Keys in Memory Markdown Files

Severity: 8
Files:
- `memory/2026-03-06-1922.md` — 6 occurrences of `sk-ant-[REDACTED]` (Anthropic keys, including raw key values in apparent session transcript)
- `memory/2026-03-06-1839.md` — 3 occurrences of `sk-ant-[REDACTED]`

Detail: Real Anthropic API key values appear in daily session log files. These files are in the workspace git repo and are not gitignored. If the repo were ever pushed to a remote, keys would be exposed. Keys may also be visible to sub-agents with read access to the workspace.

Action: Ghost should rotate any keys found in these files and remove the raw values from the markdown. Consider adding `memory/` to `.gitignore` or sanitizing logs before writing.


Finding 2 — Mislabeled Anthropic Key in Lifeboat Config

Severity: 7
File: `lifeboat-system/openclaw-config/openclaw.json` line 7
`"OPENAI_API_KEY": "sk-ant-[REDACTED]"`

Detail: An Anthropic API key (`sk-ant-`) is stored under the label `OPENAI_API_KEY` in the lifeboat openclaw config. This is a credential stored in a config file AND is mislabeled (wrong provider). The lifeboat-system directory does not appear to be gitignored.

Action: Clarify intended value. If this is a real key, rotate it and move to The Den. Fix the label.


Finding 3 — Credential in REDDIT-UPGRADES Step File

Severity: 6
File: `REDDIT-UPGRADES/step-03.md` line 17
Contains `-e "sk-ant-[REDACTED]"` (inline key in a shell command example)

Action: Redact the value from the file. Use a placeholder or env var reference instead.


MEDIUM FINDINGS


Finding 4 — `flock` Not Installed (Security Guard Process Control)

Severity: 3
`flock` was missing from the system, causing the Security Guard to exit immediately on startup. Patrol was only possible after manual `brew install flock`. This means previous nights may have silently skipped the patrol.

Action: Added to this session. Verify cron has been succeeding previously. Consider adding flock presence check to the script with an alert if missing.


Finding 5 — `netstat` / `lsof` Unavailable

Severity: 2
Both `netstat` and `lsof` returned `command not found` (exit 127) during port enumeration phase. Agent was unable to enumerate listening ports.

Action: Install via `brew install netstat` or use `ss`/`nmap` equivalent. Update agent prompt to use `lsof` from `/usr/sbin/lsof` (macOS path).


LOW / INFORMATIONAL


- Lifeboat credential files present and structured as expected: rclone.conf, cloudflared cert.pem, gmail tokens, signal accounts.json — all located, permissions not checked due to blocked `stat` on auth-profiles.json path.
- LuLu running (confirmed via `ps aux | grep -i lulu`)
- Cloudflare tunnel running (confirmed via `ps aux | grep -i cloudflare`)
- Tailscale not running (not found in ps)
- No stray .key / .token files in /tmp
- No world-writable files or directories in workspace
- Nightly backup: `/Users/aicomputer/.openclaw/workspace/scripts/nightly-backup.log` present and recent
- Chrome Remote Desktop helper present at `/Library/PrivilegedHelperTools/org.chromium.chromoting.json` — remote access vector, expected/known


Report Write Failure — Root Cause

Agent attempted to write report containing raw `sk-ant-` values found in memory files. `write_file` security scanner correctly blocked it.

Fix applied this session: Added mandatory credential redaction instruction to `scripts/security-guard-agent-prompt.md`. Future runs will redact before writing.


Morning Brief

Top action items for Ghost:
1. Rotate and purge keys found in `memory/2026-03-06-1922.md` and `memory/2026-03-06-1839.md`
2. Investigate `lifeboat-system/openclaw-config/openclaw.json` OPENAI_API_KEY entry — real key or stale?
3. Clean `REDDIT-UPGRADES/step-03.md` — remove inline key
4. Verify Security Guard cron was actually running before tonight (flock was missing)
5. Fix `lsof` path in agent prompt for port enumeration