diff --git a/.github/codeql/codeql-android-critical-security.yml b/.github/codeql/codeql-android-critical-security.yml
index 30b1f7b5e03..00a1430dcb2 100644
--- a/.github/codeql/codeql-android-critical-security.yml
+++ b/.github/codeql/codeql-android-critical-security.yml
@@ -9,6 +9,10 @@ query-filters:
 # Android canvas intentionally runs trusted A2UI JavaScript; keep this profile focused on exploitable WebView edges.
 - exclude:
 id: java/android/websettings-javascript-enabled
+ # Gateway TLS already pins verified certificate SHA-256 fingerprints. OkHttp CertificatePinner pins SPKI hashes,
+ # so this query is noisy for OpenClaw's TOFU/local-gateway trust model and does not belong in the critical profile.
+ - exclude:
+ id: java/android/missing-certificate-pinning
 paths:
 - apps/android/app/src/main
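Review bot: The new exclude for `java/android/missing-certificate-pinning` silences the query for every HTTPS client under `apps/android/app/src/main`, but the justification in the added comment only covers the gateway connection; any other OkHttp or HttpsURLConnection client in that tree, present now or added later, loses its pinning check without a finding. The comment also asserts that the gateway already pins certificate fingerprints, which is a property of code outside this file, so the exclusion cannot be re-validated from the profile alone. I would extend the comment to name where the fingerprint check lives, e.g. `# Pinning is enforced by the gateway TLS fingerprint check in <PATH-TO-GATEWAY-TLS-CLIENT>; revisit this exclusion if a second HTTPS client is added.`, and consider keeping the query in a non-critical profile rather than dropping it entirely. The `query-filters` list starts before this hunk, so I cannot see whether an earlier entry already narrows it.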