Use this file to discover all available pages before exploring further.

Security

text
`openclaw security`

Security tools (audit + optional fixes).

Security guide: Security

Audit


bash
openclaw security audit
openclaw security audit --deep
openclaw security audit --deep --password <password>
openclaw security audit --deep --token <token>
openclaw security audit --fix
openclaw security audit --json

The audit warns when multiple DM senders share the main session and recommends secure DM mode:

text

session.dmScope="per-channel-peer"

(or

text

per-account-channel-peer

for multi-account channels) for shared inboxes. This is for cooperative/shared inbox hardening. A single Gateway shared by mutually untrusted/adversarial operators is not a recommended setup; split trust boundaries with separate gateways (or separate OS users/hosts). It also emits

text

security.trust_model.multi_user_heuristic

when config suggests likely shared-user ingress (for example open DM/group policy, configured group targets, or wildcard sender rules), and reminds you that OpenClaw is a personal-assistant trust model by default. For intentional shared-user setups, the audit guidance is to sandbox all sessions, keep filesystem access workspace-scoped, and keep personal/private identities or credentials off that runtime. It also warns when small models (

text

<=300B

) are used without sandboxing and with web/browser tools enabled. For webhook ingress, it warns when

text

hooks.token

reuses the Gateway token, when

text

hooks.token

is short, when

text

hooks.path="/"

, when

text

hooks.defaultSessionKey

is unset, when

text

hooks.allowedAgentIds

is unrestricted, when request

text

sessionKey

overrides are enabled, and when overrides are enabled without

text

hooks.allowedSessionKeyPrefixes

. It also warns when sandbox Docker settings are configured while sandbox mode is off, when

text

gateway.nodes.denyCommands

uses ineffective pattern-like/unknown entries (exact node command-name matching only, not shell-text filtering), when

text

gateway.nodes.allowCommands

explicitly enables dangerous node commands, when global

text

tools.profile="minimal"

is overridden by agent tool profiles, when open groups expose runtime/filesystem tools without sandbox/workspace guards, and when installed plugin tools may be reachable under permissive tool policy. It also flags

text

gateway.allowRealIpFallback=true

(header-spoofing risk if proxies are misconfigured) and

text

discovery.mdns.mode="full"

(metadata leakage via mDNS TXT records). It also warns when sandbox browser uses Docker

text

bridge

network without

text

sandbox.browser.cdpSourceRange

. It also flags dangerous sandbox Docker network modes (including

text

host

and

text

container:*

namespace joins). It also warns when existing sandbox browser Docker containers have missing/stale hash labels (for example pre-migration containers missing

text

openclaw.browserConfigEpoch

) and recommends

text

openclaw sandbox recreate --browser --all

. It also warns when npm-based plugin/hook install records are unpinned, missing integrity metadata, or drift from currently installed package versions. It warns when channel allowlists rely on mutable names/emails/tags instead of stable IDs (Discord, Slack, Google Chat, Microsoft Teams, Mattermost, IRC scopes where applicable). It warns when

text

gateway.auth.mode="none"

leaves Gateway HTTP APIs reachable without a shared secret (

text

/tools/invoke

plus any enabled

text

/v1/*

endpoint). Settings prefixed with

text

dangerous

text

dangerously

are explicit break-glass operator overrides; enabling one is not, by itself, a security vulnerability report. For the complete dangerous-parameter inventory, see the "Insecure or dangerous flags summary" section in Security.

SecretRef behavior:

text
security audit
resolves supported SecretRefs in read-only mode for its targeted paths.
If a SecretRef is unavailable in the current command path, audit continues and reports
text
secretDiagnostics
(instead of crashing).
text
--token
and
text
--password
only override deep-probe auth for that command invocation; they do not rewrite config or SecretRef mappings.

JSON output

Use

text

--json

for CI/policy checks:


bash
openclaw security audit --json | jq '.summary'
openclaw security audit --deep --json | jq '.findings[] | select(.severity=="critical") | .checkId'

text

--fix

and

text

--json

are combined, output includes both fix actions and final report:


bash
openclaw security audit --fix --json | jq '{fix: .fix.ok, summary: .report.summary}'

What
text
`--fix`
changes

text

--fix

applies safe, deterministic remediations:

flips common
text
groupPolicy="open"
to
text
groupPolicy="allowlist"
(including account variants in supported channels)
when WhatsApp group policy flips to
text
allowlist
, seeds
text
groupAllowFrom
from the stored
text
allowFrom
file when that list exists and config does not already define
text
allowFrom
sets
text
logging.redactSensitive
from
text
"off"
to
text
"tools"
tightens permissions for state/config and common sensitive files (
text
credentials/*.json
,
text
auth-profiles.json
,
text
sessions.json
, session
text
*.jsonl
)
also tightens config include files referenced from
text
openclaw.json
uses
text
chmod
on POSIX hosts and
text
icacls
resets on Windows

text

--fix

does not:

rotate tokens/passwords/API keys
disable tools (
text
gateway
,
text
cron
,
text
exec
, etc.)
change gateway bind/auth/network exposure choices
remove or rewrite plugins/skills

OpenClaw Docs

Security

text
`openclaw security`

Audit

JSON output

What
text
`--fix`
changes

Related

OpenClaw Docs

Security

textCopyopenclaw security

Audit

JSON output

What textCopy--fix changes

Related

text
`openclaw security`

What
text
`--fix`
changes