docs: document stdio env filter, enforceOwnerForCommands, OPENCLAW_* .env blocking

2026-05-06 17:31:06 +00:00 · 2026-04-21 13:21:34 -07:00
parent 32ccf27e60
commit b4a59be9b6
3 changed files with 18 additions and 1 deletions
--- a/docs/cli/mcp.md
+++ b/docs/cli/mcp.md
@@ -428,6 +428,12 @@ Launches a local child process and communicates over stdin/stdout.
 | `env`                      | Extra environment variables       |
 | `cwd` / `workingDirectory` | Working directory for the process |

+#### Stdio env safety filter
+
+OpenClaw rejects interpreter-startup env keys that can alter how a stdio MCP server starts up before the first RPC, even if they appear in a server's `env` block. Blocked keys include `NODE_OPTIONS`, `PYTHONSTARTUP`, `PYTHONPATH`, `PERL5OPT`, `RUBYOPT`, `SHELLOPTS`, `PS4`, and similar runtime-control variables. Startup rejects these with a configuration error so they cannot inject an implicit prelude, swap the interpreter, or enable a debugger against the stdio process. Ordinary credential, proxy, and server-specific env vars (`GITHUB_TOKEN`, `HTTP_PROXY`, custom `*_API_KEY`, etc.) are unaffected.
+
+If your MCP server genuinely needs one of the blocked variables, set it on the gateway host process instead of under the stdio server's `env`.
+
 ### SSE / HTTP transport

 Connects to a remote MCP server over HTTP Server-Sent Events.