docs: refresh security fix refs

This commit is contained in:
Peter Steinberger
2026-04-04 13:35:42 +01:00
parent f2b3b3d912
commit 375bd73ce1
2 changed files with 14 additions and 2 deletions


@@ -2,7 +2,7 @@
summary: "CLI reference for `openclaw security` (audit and fix common security footguns)"
read_when:
- You want to run a quick security audit on config/state
- You want to apply safe “fix” suggestions (chmod, tighten defaults)
- You want to apply safe “fix” suggestions (permissions, tighten defaults)
title: "security"
---
@@ -68,8 +68,15 @@ openclaw security audit --fix --json | jq '{fix: .fix.ok, summary: .report.summa
`--fix` applies safe, deterministic remediations:
- flips common `groupPolicy="open"` to `groupPolicy="allowlist"` (including account variants in supported channels)
- when WhatsApp group policy flips to `allowlist`, seeds `groupAllowFrom` from
the stored `allowFrom` file when that list exists and config does not already
define `allowFrom`
- sets `logging.redactSensitive` from `"off"` to `"tools"`
- tightens permissions for state/config and common sensitive files (`credentials/*.json`, `auth-profiles.json`, `sessions.json`, session `*.jsonl`)
- tightens permissions for state/config and common sensitive files
(`credentials/*.json`, `auth-profiles.json`, `sessions.json`, session
`*.jsonl`)
- also tightens config include files referenced from `openclaw.json`
- uses `chmod` on POSIX hosts and `icacls` resets on Windows
`--fix` does **not**:
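Review bot: the new bullet "uses `chmod` on POSIX hosts and `icacls` resets on Windows" is ambiguous on the Windows side: in `icacls` terminology a reset (`/reset`) restores the default inherited ACLs, which can loosen access rather than tighten it, so the reference should state what ACL the fix actually leaves behind (for example, whether inheritance is removed and which principals keep access) so an operator can judge whether the "safe" remediation is appropriate on their host. The accompanying `read_when` change from "chmod" to "permissions" is consistent with this cross-platform behaviour.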


@@ -39,6 +39,11 @@ openclaw security audit --fix
openclaw security audit --json
```
`security audit --fix` stays intentionally narrow: it flips common open group
policies to allowlists, restores `logging.redactSensitive: "tools"`, tightens
state/config/include-file permissions, and uses Windows ACL resets instead of
POSIX `chmod` when running on Windows.
It flags common footguns (Gateway auth exposure, browser control exposure, elevated allowlists, filesystem permissions, permissive exec approvals, and open-channel tool exposure).
OpenClaw is both a product and an experiment: youre wiring frontier-model behavior into real messaging surfaces and real tools. **There is no “perfectly secure” setup.** The goal is to be deliberate about:
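Review bot: the inserted `--fix` paragraph changes what the following context line refers to: "It flags common footguns (…)" now reads as if `security audit --fix` does the flagging rather than the audit itself, so consider rewording that line to "The audit flags common footguns (…)" or placing the new paragraph after it. The phrase "uses Windows ACL resets instead of POSIX `chmod` when running on Windows" also repeats "Windows"; "uses ACL resets instead of `chmod` on Windows" says the same thing more tightly and matches the wording in the CLI reference hunk.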