


























@@ -5,16 +5,15 @@ read_when:
55title: "Security"
66---
778-# Security
9-108<Warning>
11-**Personal assistant trust model:** this guidance assumes one trusted operator boundary per gateway (single-user/personal assistant model).
12-OpenClaw is **not** a hostile multi-tenant security boundary for multiple adversarial users sharing one agent/gateway.
13-If you need mixed-trust or adversarial-user operation, split trust boundaries (separate gateway + credentials, ideally separate OS users/hosts).
9+**Personal assistant trust model.** This guidance assumes one trusted
10+ operator boundary per gateway (single-user, personal-assistant model).
11+ OpenClaw is **not** a hostile multi-tenant security boundary for multiple
12+ adversarial users sharing one agent or gateway. If you need mixed-trust or
13+ adversarial-user operation, split trust boundaries (separate gateway +
14+ credentials, ideally separate OS users or hosts).
1415</Warning>
151616-**On this page:** [Trust model](#scope-first-personal-assistant-security-model) | [Quick audit](#quick-check-openclaw-security-audit) | [Hardened baseline](#hardened-baseline-in-60-seconds) | [DM access model](#dm-access-model-pairing-allowlist-open-disabled) | [Configuration hardening](#configuration-hardening-examples) | [Incident response](#incident-response)
17-1817## Scope first: personal assistant security model
19182019OpenClaw security guidance assumes a **personal assistant** deployment: one trusted operator boundary, potentially many agents.
@@ -115,15 +114,27 @@ Use this as the quick model when triaging risk:
115114116115## Not vulnerabilities by design
117116118-These patterns are commonly reported and are usually closed as no-action unless a real boundary bypass is shown:
119-120-- Prompt-injection-only chains without a policy/auth/sandbox bypass.
121-- Claims that assume hostile multi-tenant operation on one shared host/config.
122-- Claims that classify normal operator read-path access (for example `sessions.list`/`sessions.preview`/`chat.history`) as IDOR in a shared-gateway setup.
123-- Localhost-only deployment findings (for example HSTS on loopback-only gateway).
124-- Discord inbound webhook signature findings for inbound paths that do not exist in this repo.
125-- Reports that treat node pairing metadata as a hidden second per-command approval layer for `system.run`, when the real execution boundary is still the gateway's global node command policy plus the node's own exec approvals.
126-- "Missing per-user authorization" findings that treat `sessionKey` as an auth token.
117+<Accordion title="Common findings that are out of scope">
118+ These patterns get reported often and are usually closed as no-action unless
119+ a real boundary bypass is demonstrated:
120+121+- Prompt-injection-only chains without a policy, auth, or sandbox bypass.
122+- Claims that assume hostile multi-tenant operation on one shared host or
123+ config.
124+- Claims that classify normal operator read-path access (for example
125+`sessions.list` / `sessions.preview` / `chat.history`) as IDOR in a
126+ shared-gateway setup.
127+- Localhost-only deployment findings (for example HSTS on a loopback-only
128+ gateway).
129+- Discord inbound webhook signature findings for inbound paths that do not
130+ exist in this repo.
131+- Reports that treat node pairing metadata as a hidden second per-command
132+ approval layer for `system.run`, when the real execution boundary is still
133+ the gateway's global node command policy plus the node's own exec
134+ approvals.
135+- "Missing per-user authorization" findings that treat `sessionKey` as an
136+ auth token.
137+</Accordion>
127138128139## Hardened baseline in 60 seconds
129140@@ -313,7 +324,7 @@ production.
313324</Accordion>
314325</AccordionGroup>
315326316-## Reverse Proxy Configuration
327+## Reverse proxy configuration
317328318329If you run the Gateway behind a reverse proxy (nginx, Caddy, Traefik, etc.), configure
319330`gateway.trustedProxies` for proper forwarded-client IP handling.
@@ -405,7 +416,7 @@ OpenClaw can refresh the skills list mid-session:
405416406417Treat skill folders as **trusted code** and restrict who can modify them.
407418408-## The Threat Model
419+## The threat model
409420410421Your AI assistant can:
411422@@ -481,9 +492,7 @@ Plugins run **in-process** with the Gateway. Treat them as trusted code:
481492482493Details: [Plugins](/tools/plugin)
483494484-<a id="dm-access-model-pairing-allowlist-open-disabled"></a>
485-486-## DM access model (pairing / allowlist / open / disabled)
495+## DM access model: pairing, allowlist, open, disabled
487496488497All current DM-capable channels support a DM policy (`dmPolicy` or `*.dm.policy`) that gates inbound DMs **before** the message is processed:
489498@@ -526,7 +535,7 @@ Treat the snippet above as **secure DM mode**:
526535527536If you run multiple accounts on the same channel, use `per-account-channel-peer` instead. If the same person contacts you on multiple channels, use `session.identityLinks` to collapse those DM sessions into one canonical identity. See [Session Management](/concepts/session) and [Configuration](/gateway/configuration).
528537529-## Allowlists (DM + groups) - terminology
538+## Allowlists for DMs and groups
530539531540OpenClaw has two separate “who can trigger me?” layers:
532541@@ -656,9 +665,7 @@ Recommendations:
656665- When running small models, **enable sandboxing for all sessions** and **disable web_search/web_fetch/browser** unless inputs are tightly controlled.
657666- For chat-only personal assistants with trusted input and no tools, smaller models are usually fine.
658667659-<a id="reasoning-verbose-output-in-groups"></a>
660-661-## Reasoning & verbose output in groups
668+## Reasoning and verbose output in groups
662669663670`/reasoning`, `/verbose`, and `/trace` can expose internal reasoning, tool
664671output, or plugin diagnostics that
@@ -671,7 +678,7 @@ Guidance:
671678- If you enable them, do so only in trusted DMs or tightly controlled rooms.
672679- Remember: verbose and trace output can include tool args, URLs, plugin diagnostics, and data the model saw.
673680674-## Configuration Hardening (examples)
681+## Configuration hardening examples
675682676683### File permissions
677684@@ -1224,7 +1231,7 @@ Common use cases:
12241231}
12251232```
122612331227-## Incident Response
1234+## Incident response
1228123512291236If your AI does something bad:
12301237@@ -1254,7 +1261,7 @@ If your AI does something bad:
12541261- What the attacker sent + what the agent did
12551262- Whether the Gateway was exposed beyond loopback (LAN/Tailscale Funnel/Serve)
125612631257-## Secret Scanning (detect-secrets)
1264+## Secret scanning with detect-secrets
1258126512591266CI runs the `detect-secrets` pre-commit hook in the `secrets` job.
12601267Pushes to `main` always run an all-files scan. Pull requests use a changed-file
@@ -1287,7 +1294,7 @@ otherwise. If it fails, there are new candidates not yet in the baseline.
1287129412881295Commit the updated `.secrets.baseline` once it reflects the intended state.
128912961290-## Reporting Security Issues
1297+## Reporting security issues
1291129812921299Found a vulnerability in OpenClaw? Please report responsibly:
12931300此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。