Inspiration
Security tools are built for security experts — but the people running AI agents locally are mostly developers who configured their setup once and never audited again. When we saw that 17,500 OpenClaw instances were found exposed on the internet with 1,800 leaking API keys and credentials, we realized the audit tool already exists (openclaw security audit --deep) — the problem is that nobody reads a wall of JSON. We asked: what if understanding your security posture felt like exploring a dungeon instead of parsing a spreadsheet?
What it does
Security Quest renders your OpenClaw security audit as a 16-bit pixel-art dungeon. Each room represents a subsystem — Gateway Tower, File Vaults, Tool Forge, Browser Lookout, and more. Rooms glow red, amber, or blue based on their worst finding severity. A wizard sprite patrols between threatened rooms. Click a room to see its findings with plain-English explanations, technical details, and one-click remediation — either copy the fix command or send it directly to your OpenClaw agent for execution. Drop in a new audit JSON file anytime to refresh the map. Score history persists across sessions so you can track your security posture over time.
How we built it
React + Vite single-page app with zero external dependencies beyond React. Custom pixel-art assets generated with AI image tools and downscaled to 128px PNGs. A Sprite component with automatic fallback — if a PNG exists in public/sprites/, it renders the image; if not, it falls back to emoji. The OpenClaw gateway integration uses the HTTP /v1/chat/completions endpoint (OpenAI-compatible) to send remediation prompts, with graceful degradation to CLI command generation when the API is unavailable. All state is local — audit data is pasted or dropped, tokens are in localStorage, nothing leaves your machine.
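The room colouring described under "What it does" (each room glows by its worst finding) can be sketched as below. This is an added example, not Security Quest's or OpenClaw's own code: the finding shape, the severity labels other than critical, the id-prefix-to-room table and the catch-all room are assumptions. Unrecognised severity labels are shown as red rather than hidden.

```javascript
// Added example. Assumed finding shape: { id: "<subsystem>.<check>", severity: "<label>" }.
// Only "critical" and the id "gateway.bind_no_auth" appear on the page; the rest is assumed.
const SEVERITY_RANK = new Map([["info", 0], ["warn", 1], ["critical", 2]]);
const GLOW = ["blue", "amber", "red"]; // index = rank

// Room names are from the page; the id prefixes mapped to them are assumptions.
const ROOMS = new Map([
  ["gateway", "Gateway Tower"],
  ["files", "File Vaults"],
  ["tools", "Tool Forge"],
  ["browser", "Browser Lookout"],
]);
const UNMAPPED_ROOM = "Unmapped"; // hypothetical catch-all so no finding disappears

function rankOf(severity) {
  const key = String(severity ?? "").toLowerCase();
  // Fail closed: a label this table does not know is drawn at the top rank.
  return SEVERITY_RANK.has(key) ? SEVERITY_RANK.get(key) : GLOW.length - 1;
}

function buildDungeon(findings) {
  const rooms = new Map();
  for (const f of findings) {
    const prefix = String(f.id ?? "").split(".")[0];
    const name = ROOMS.get(prefix) ?? UNMAPPED_ROOM;
    const room = rooms.get(name) ?? { name, rank: -1, findings: [] };
    room.rank = Math.max(room.rank, rankOf(f.severity)); // worst finding wins
    room.findings.push(f.id);
    rooms.set(name, room);
  }
  // Most severe rooms first, then by name for a stable order.
  return [...rooms.values()]
    .sort((a, b) => b.rank - a.rank || a.name.localeCompare(b.name))
    .map(({ name, rank, findings }) => ({ name, glow: GLOW[rank], findings }));
}

// Constructed sample input; every id except gateway.bind_no_auth is made up.
const sampleFindings = [
  { id: "gateway.bind_no_auth", severity: "critical" },
  { id: "gateway.example_info", severity: "info" },
  { id: "files.example_warn", severity: "warn" },
  { id: "browser.example_info", severity: "info" },
  { id: "tools.example_new_label", severity: "High" }, // label not in the table
  { id: "scheduler.example_warn", severity: "warn" },   // subsystem with no room
];

console.log(buildDungeon(sampleFindings));
```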
Challenges we ran into
Getting the layout right was the biggest struggle. We went through three iterations — boxed tiles (looked like a webapp), a pannable canvas (broke the UI layering), and finally a scrollable full-width map with overlay controls. Balancing the "game feel" with actual usability was constant tension: the dungeon metaphor is fun but findings need to be scannable and fixes need to be one click away. We also had to design the remediation flow carefully — auto-fixing security configs is dangerous, so we built three tiers (understand, copy, send-to-agent) with confirmation at every step.
Accomplishments that we're proud of
The Sprite fallback system lets us develop with emoji and swap in pixel art without touching component code — just drop PNGs in a folder. The three-tier remediation flow (plain English explanation, copy command, send to agent with confirmation) respects user autonomy while making fixes frictionless. The dungeon metaphor actually works — "Gateway Tower is on fire" communicates severity faster than gateway.bind_no_auth: critical. And we built the whole thing in under two hours with hot-reload iteration.
What we learned
Security visualization is a UX problem, not a security problem. The data was already there — OpenClaw's audit is thorough. The gap was making that data legible to non-experts. We also learned that game metaphors carry real cognitive benefits: spatial memory helps users build a mental model of their system's attack surface in a way that flat lists never can. On the technical side, we learned that trying to build a pannable game canvas in CSS is a trap — simple scrollable layouts with native browser behavior beat clever implementations every time.
What's next for Security Quest
Embed as a widget in OpenClaw's Control UI so every user sees their dungeon on their dashboard. Add watch mode that re-scans on config changes and animates room transitions. Support other agent frameworks — Claude Code, LangChain, CrewAI all have security-relevant configs that could map to dungeon rooms. Build audit history diffing so users can see what changed between scans. And community-contributed room sprites and finding translations to make security literacy accessible across languages.