


























@@ -126,6 +126,65 @@ Use this as the quick model when triaging risk:
126126| Node pairing and node commands | Operator-level remote execution on paired devices | "Remote device control should be treated as untrusted user access by default" |
127127| `gateway.nodes.pairing.autoApproveCidrs` | Opt-in trusted-network node enrollment policy | "A disabled-by-default allowlist is an automatic pairing vulnerability" |
128128129+## Multi-agent and sub-agent boundaries
130+131+OpenClaw can run many agents inside one Gateway, but those agents still sit
132+inside the same trusted-operator boundary unless you split the deployment by
133+Gateway, OS user, host, or sandbox. Treat sub-agent delegation as a tool-policy
134+and sandboxing decision, not as a hostile multi-tenant authorization layer.
135+136+Expected behavior inside one trusted Gateway:
137+138+- An authenticated operator can route work to sessions and agents they are
139+ allowed to use by config.
140+- `sessionKey`, session id, labels, and sub-agent session keys select
141+ conversation context. They are not bearer credentials and are not per-user
142+ authorization boundaries.
143+- Sub-agents have separate sessions by default. Native `sessions_spawn` uses
144+ isolated context unless the caller explicitly asks for `context: "fork"`;
145+ thread-bound follow-up sessions use forked context because they continue the
146+ conversation thread.
147+- A forked sub-agent can see the transcript context it was deliberately given.
148+ That is expected. It becomes a security issue only if it receives context that
149+ policy said it must not receive.
150+- Tool access comes from the effective profile, channel/group/provider policy,
151+ sandbox policy, per-agent policy, and the sub-agent restriction layer. A broad
152+ tool profile intentionally gives broad capability.
153+- Sub-agent auth profiles are resolved by target agent id. Main-agent auth can
154+ be available as fallback unless you split credentials/deployments; do not rely
155+ on sub-agent identity alone for strong secret isolation.
156+157+What counts as a real boundary bypass:
158+159+- `sessions_spawn` works even though the effective tool policy denied it.
160+- A child runs unsandboxed even though the requester is sandboxed or the call
161+ required `sandbox: "require"`.
162+- A child receives session tools, system tools, or target-agent access that the
163+ resolved config denied.
164+- A leaf sub-agent controls, kills, steers, or messages sibling sessions that it
165+ did not spawn.
166+- A sub-agent sees transcript, memory, credentials, or files that were excluded
167+ by an explicit policy or sandbox boundary.
168+- A Gateway/API caller without the required Gateway auth or trusted-proxy/device
169+ identity can trigger agent or tool execution.
170+171+Hardening knobs:
172+173+- Keep `sessions_spawn` denied unless an agent truly needs delegation.
174+- Prefer `tools.profile: "messaging"` or another narrow profile for agents that
175+ talk to external channels.
176+- Set `agents.list[].subagents.requireAgentId: true` for agents that may spawn
177+ work, so target selection is explicit.
178+- Keep `agents.defaults.subagents.allowAgents` and
179+`agents.list[].subagents.allowAgents` narrow; avoid `["*"]` for agents that
180+ receive untrusted input.
181+- Use `tools.subagents.tools.allow` to make sub-agent tools allow-only instead
182+ of inheriting a broad parent profile.
183+- For workflows that must remain sandboxed, use `sessions_spawn` with
184+`sandbox: "require"`.
185+- Use separate gateways, OS users, hosts, browser profiles, and credentials when
186+ agents or users are mutually untrusted.
187+129188## Not vulnerabilities by design
130189131190<Accordion title="Common findings that are out of scope">
@@ -139,6 +198,10 @@ a real boundary bypass is demonstrated:
139198- Claims that classify normal operator read-path access (for example
140199`sessions.list` / `sessions.preview` / `chat.history`) as IDOR in a
141200 shared-gateway setup.
201+- Claims that treat expected `context: "fork"` transcript inheritance as a
202+ boundary bypass when the requester explicitly forked that context.
203+- Claims that treat broad sub-agent tool access as a bypass when the configured
204+ profile or allowlist intentionally granted those tools.
142205- Localhost-only deployment findings (for example HSTS on a loopback-only
143206 gateway).
144207- Discord inbound webhook signature findings for inbound paths that do not
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。