Use this file to discover all available pages before exploring further.

Security audit checks

text

openclaw security audit

emits structured findings keyed by

text

checkId

. This page is the reference catalog for those IDs. For the high-level threat model and hardening guidance, see Security.

High-signal

text

checkId

values you will most likely see in real deployments (not exhaustive):

text `checkId`	Severity	Why it matters	Primary fix key/path	Auto-fix
text `fs.state_dir.perms_world_writable`	critical	Other users/processes can modify full OpenClaw state	filesystem perms on text `~/.openclaw`	yes
text `fs.state_dir.perms_group_writable`	warn	Group users can modify full OpenClaw state	filesystem perms on text `~/.openclaw`	yes
text `fs.state_dir.perms_readable`	warn	State dir is readable by others	filesystem perms on text `~/.openclaw`	yes
text `fs.state_dir.symlink`	warn	State dir target becomes another trust boundary	state dir filesystem layout	no
text `fs.config.perms_writable`	critical	Others can change auth/tool policy/config	filesystem perms on text `~/.openclaw/openclaw.json`	yes
text `fs.config.symlink`	warn	Symlinked config files are unsupported for writes and add another trust boundary	replace with a regular config file or point text `OPENCLAW_CONFIG_PATH` at the real file	no
text `fs.config.perms_group_readable`	warn	Group users can read config tokens/settings	filesystem perms on config file	yes
text `fs.config.perms_world_readable`	critical	Config can expose tokens/settings	filesystem perms on config file	yes
text `fs.config_include.perms_writable`	critical	Config include file can be modified by others	include-file perms referenced from text `openclaw.json`	yes
text `fs.config_include.perms_group_readable`	warn	Group users can read included secrets/settings	include-file perms referenced from text `openclaw.json`	yes
text `fs.config_include.perms_world_readable`	critical	Included secrets/settings are world-readable	include-file perms referenced from text `openclaw.json`	yes
text `fs.auth_profiles.perms_writable`	critical	Others can inject or replace stored model credentials	text `agents/<agentId>/agent/auth-profiles.json` perms	yes
text `fs.auth_profiles.perms_readable`	warn	Others can read API keys and OAuth tokens	text `agents/<agentId>/agent/auth-profiles.json` perms	yes
text `fs.credentials_dir.perms_writable`	critical	Others can modify channel pairing/credential state	filesystem perms on text `~/.openclaw/credentials`	yes
text `fs.credentials_dir.perms_readable`	warn	Others can read channel credential state	filesystem perms on text `~/.openclaw/credentials`	yes
text `fs.sessions_store.perms_readable`	warn	Others can read session transcripts/metadata	session store perms	yes
text `fs.log_file.perms_readable`	warn	Others can read redacted-but-still-sensitive logs	gateway log file perms	yes
text `fs.synced_dir`	warn	State/config in iCloud/Dropbox/Drive broadens token/transcript exposure	move config/state off synced folders	no
text `gateway.bind_no_auth`	critical	Remote bind without shared secret	text `gateway.bind` , text `gateway.auth.*`	no
text `gateway.loopback_no_auth`	critical	Reverse-proxied loopback may become unauthenticated	text `gateway.auth.*` , proxy setup	no
text `gateway.trusted_proxies_missing`	warn	Reverse-proxy headers are present but not trusted	text `gateway.trustedProxies`	no
text `gateway.http.no_auth`	warn/critical	Gateway HTTP APIs reachable with text `auth.mode="none"`	text `gateway.auth.mode` , text `gateway.http.endpoints.*`	no
text `gateway.http.session_key_override_enabled`	info	HTTP API callers can override text `sessionKey`	text `gateway.http.allowSessionKeyOverride`	no
text `gateway.tools_invoke_http.dangerous_allow`	warn/critical	Re-enables dangerous tools over HTTP API	text `gateway.tools.allow`	no
text `gateway.nodes.allow_commands_dangerous`	warn/critical	Enables high-impact node commands (camera/screen/contacts/calendar/SMS)	text `gateway.nodes.allowCommands`	no
text `gateway.nodes.deny_commands_ineffective`	warn	Pattern-like deny entries do not match shell text or groups	text `gateway.nodes.denyCommands`	no
text `gateway.tailscale_funnel`	critical	Public internet exposure	text `gateway.tailscale.mode`	no
text `gateway.tailscale_serve`	info	Tailnet exposure is enabled via Serve	text `gateway.tailscale.mode`	no
text `gateway.control_ui.allowed_origins_required`	critical	Non-loopback Control UI without explicit browser-origin allowlist	text `gateway.controlUi.allowedOrigins`	no
text `gateway.control_ui.allowed_origins_wildcard`	warn/critical	text `allowedOrigins=["*"]` disables browser-origin allowlisting	text `gateway.controlUi.allowedOrigins`	no
text `gateway.control_ui.host_header_origin_fallback`	warn/critical	Enables Host-header origin fallback (DNS rebinding hardening downgrade)	text `gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback`	no
text `gateway.control_ui.insecure_auth`	warn	Insecure-auth compatibility toggle enabled	text `gateway.controlUi.allowInsecureAuth`	no
text `gateway.control_ui.device_auth_disabled`	critical	Disables device identity check	text `gateway.controlUi.dangerouslyDisableDeviceAuth`	no
text `gateway.real_ip_fallback_enabled`	warn/critical	Trusting text `X-Real-IP` fallback can enable source-IP spoofing via proxy misconfig	text `gateway.allowRealIpFallback` , text `gateway.trustedProxies`	no
text `gateway.token_too_short`	warn	Short shared token is easier to brute force	text `gateway.auth.token`	no
text `gateway.auth_no_rate_limit`	warn	Exposed auth without rate limiting increases brute-force risk	text `gateway.auth.rateLimit`	no
text `gateway.trusted_proxy_auth`	critical	Proxy identity now becomes the auth boundary	text `gateway.auth.mode="trusted-proxy"`	no
text `gateway.trusted_proxy_no_proxies`	critical	Trusted-proxy auth without trusted proxy IPs is unsafe	text `gateway.trustedProxies`	no
text `gateway.trusted_proxy_no_user_header`	critical	Trusted-proxy auth cannot resolve user identity safely	text `gateway.auth.trustedProxy.userHeader`	no
text `gateway.trusted_proxy_no_allowlist`	warn	Trusted-proxy auth accepts any authenticated upstream user	text `gateway.auth.trustedProxy.allowUsers`	no
text `gateway.trusted_proxy_allow_loopback`	warn	Trusted-proxy auth accepts explicitly allowed loopback proxy sources	text `gateway.auth.trustedProxy.allowLoopback`	no
text `gateway.probe_auth_secretref_unavailable`	warn	Deep probe could not resolve auth SecretRefs in this command path	deep-probe auth source / SecretRef availability	no
text `gateway.probe_failed`	warn/critical	Live Gateway probe failed	gateway reachability/auth	no
text `discovery.mdns_full_mode`	warn/critical	mDNS full mode advertises text `cliPath` / text `sshPort` metadata on local network	text `discovery.mdns.mode` , text `gateway.bind`	no
text `config.insecure_or_dangerous_flags`	warn	Any insecure/dangerous debug flags enabled	multiple keys (see finding detail)	no
text `config.secrets.gateway_password_in_config`	warn	Gateway password is stored directly in config	text `gateway.auth.password`	no
text `config.secrets.hooks_token_in_config`	warn	Hook bearer token is stored directly in config	text `hooks.token`	no
text `hooks.token_reuse_gateway_token`	critical	Hook ingress token also unlocks Gateway auth	text `hooks.token` , text `gateway.auth.token`	no
text `hooks.token_too_short`	warn	Easier brute force on hook ingress	text `hooks.token`	no
text `hooks.default_session_key_unset`	warn	Hook agent runs fan out into generated per-request sessions	text `hooks.defaultSessionKey`	no
text `hooks.allowed_agent_ids_unrestricted`	warn/critical	Authenticated hook callers may route to any configured agent	text `hooks.allowedAgentIds`	no
text `hooks.request_session_key_enabled`	warn/critical	External caller can choose sessionKey	text `hooks.allowRequestSessionKey`	no
text `hooks.request_session_key_prefixes_missing`	warn/critical	No bound on external session key shapes	text `hooks.allowedSessionKeyPrefixes`	no
text `hooks.path_root`	critical	Hook path is text `/` , making ingress easier to collide or misroute	text `hooks.path`	no
text `hooks.installs_unpinned_npm_specs`	warn	Hook install records are not pinned to immutable npm specs	hook install metadata	no
text `hooks.installs_missing_integrity`	warn	Hook install records lack integrity metadata	hook install metadata	no
text `hooks.installs_version_drift`	warn	Hook install records drift from installed packages	hook install metadata	no
text `logging.redact_off`	warn	Sensitive values leak to logs/status	text `logging.redactSensitive`	yes
text `browser.control_invalid_config`	warn	Browser control config is invalid before runtime	text `browser.*`	no
text `browser.control_no_auth`	critical	Browser control exposed without token/password auth	text `gateway.auth.*`	no
text `browser.remote_cdp_http`	warn	Remote CDP over plain HTTP lacks transport encryption	browser profile text `cdpUrl`	no
text `browser.remote_cdp_private_host`	warn	Remote CDP targets a private/internal host	browser profile text `cdpUrl` , text `browser.ssrfPolicy.*`	no
text `sandbox.docker_config_mode_off`	warn	Sandbox Docker config present but inactive	text `agents.*.sandbox.mode`	no
text `sandbox.bind_mount_non_absolute`	warn	Relative bind mounts can resolve unpredictably	text `agents.*.sandbox.docker.binds[]`	no
text `sandbox.dangerous_bind_mount`	critical	Sandbox bind mount targets blocked system, credential, or Docker socket paths	text `agents.*.sandbox.docker.binds[]`	no
text `sandbox.dangerous_network_mode`	critical	Sandbox Docker network uses text `host` or text `container:*` namespace-join mode	text `agents.*.sandbox.docker.network`	no
text `sandbox.dangerous_seccomp_profile`	critical	Sandbox seccomp profile weakens container isolation	text `agents.*.sandbox.docker.securityOpt`	no
text `sandbox.dangerous_apparmor_profile`	critical	Sandbox AppArmor profile weakens container isolation	text `agents.*.sandbox.docker.securityOpt`	no
text `sandbox.browser_cdp_bridge_unrestricted`	warn	Sandbox browser bridge is exposed without source-range restriction	text `sandbox.browser.cdpSourceRange`	no
text `sandbox.browser_container.non_loopback_publish`	critical	Existing browser container publishes CDP on non-loopback interfaces	browser sandbox container publish config	no
text `sandbox.browser_container.hash_label_missing`	warn	Existing browser container predates current config-hash labels	text `openclaw sandbox recreate --browser --all`	no
text `sandbox.browser_container.hash_epoch_stale`	warn	Existing browser container predates current browser config epoch	text `openclaw sandbox recreate --browser --all`	no
text `tools.exec.host_sandbox_no_sandbox_defaults`	warn	text `exec host=sandbox` fails closed when sandbox is off	text `tools.exec.host` , text `agents.defaults.sandbox.mode`	no
text `tools.exec.host_sandbox_no_sandbox_agents`	warn	Per-agent text `exec host=sandbox` fails closed when sandbox is off	text `agents.list[].tools.exec.host` , text `agents.list[].sandbox.mode`	no
text `tools.exec.security_full_configured`	warn/critical	Host exec is running with text `security="full"`	text `tools.exec.security` , text `agents.list[].tools.exec.security`	no
text `tools.exec.auto_allow_skills_enabled`	warn	Exec approvals trust skill bins implicitly	text `~/.openclaw/exec-approvals.json`	no
text `tools.exec.allowlist_interpreter_without_strict_inline_eval`	warn	Interpreter allowlists permit inline eval without forced reapproval	text `tools.exec.strictInlineEval` , text `agents.list[].tools.exec.strictInlineEval` , exec approvals allowlist	no
text `tools.exec.safe_bins_interpreter_unprofiled`	warn	Interpreter/runtime bins in text `safeBins` without explicit profiles broaden exec risk	text `tools.exec.safeBins` , text `tools.exec.safeBinProfiles` , text `agents.list[].tools.exec.*`	no
text `tools.exec.safe_bins_broad_behavior`	warn	Broad-behavior tools in text `safeBins` weaken the low-risk stdin-filter trust model	text `tools.exec.safeBins` , text `agents.list[].tools.exec.safeBins`	no
text `tools.exec.safe_bin_trusted_dirs_risky`	warn	text `safeBinTrustedDirs` includes mutable or risky directories	text `tools.exec.safeBinTrustedDirs` , text `agents.list[].tools.exec.safeBinTrustedDirs`	no
text `skills.workspace.symlink_escape`	warn	Workspace text `skills/**/SKILL.md` resolves outside workspace root (symlink-chain drift)	workspace text `skills/**` filesystem state	no
text `plugins.extensions_no_allowlist`	warn	Plugins are installed without an explicit plugin allowlist	text `plugins.allowlist`	no
text `plugins.installs_unpinned_npm_specs`	warn	Plugin index records are not pinned to immutable npm specs	plugin install metadata	no
text `plugins.installs_missing_integrity`	warn	Plugin index records lack integrity metadata	plugin install metadata	no
text `plugins.installs_version_drift`	warn	Plugin index records drift from installed packages	plugin install metadata	no
text `plugins.code_safety`	warn/critical	Plugin code scan found suspicious or dangerous patterns	plugin code / install source	no
text `plugins.code_safety.entry_path`	warn	Plugin entry path points into hidden or text `node_modules` locations	plugin manifest text `entry`	no
text `plugins.code_safety.entry_escape`	critical	Plugin entry escapes the plugin directory	plugin manifest text `entry`	no
text `plugins.code_safety.scan_failed`	warn	Plugin code scan could not complete	plugin path / scan environment	no
text `skills.code_safety`	warn/critical	Skill installer metadata/code contains suspicious or dangerous patterns	skill install source	no
text `skills.code_safety.scan_failed`	warn	Skill code scan could not complete	skill scan environment	no
text `security.exposure.open_channels_with_exec`	warn/critical	Shared/public rooms can reach exec-enabled agents	text `channels..dmPolicy` , text `channels..groupPolicy` , text `tools.exec.` , text `agents.list[].tools.exec.`	no
text `security.exposure.open_groups_with_elevated`	critical	Open groups + elevated tools create high-impact prompt-injection paths	text `channels..groupPolicy` , text `tools.elevated.`	no
text `security.exposure.open_groups_with_runtime_or_fs`	critical/warn	Open groups can reach command/file tools without sandbox/workspace guards	text `channels..groupPolicy` , text `tools.profile/deny` , text `tools.fs.workspaceOnly` , text `agents..sandbox.mode`	no
text `security.trust_model.multi_user_heuristic`	warn	Config looks multi-user while gateway trust model is personal-assistant	split trust boundaries, or shared-user hardening ( text `sandbox.mode` , tool deny/workspace scoping`)	no
text `tools.profile_minimal_overridden`	warn	Agent overrides bypass global minimal profile	text `agents.list[].tools.profile`	no
text `plugins.tools_reachable_permissive_policy`	warn	Extension tools reachable in permissive contexts	text `tools.profile` + tool allow/deny	no
text `models.legacy`	warn	Legacy model families are still configured	model selection	no
text `models.weak_tier`	warn	Configured models are below current recommended tiers	model selection	no
text `models.small_params`	critical/info	Small models + unsafe tool surfaces raise injection risk	model choice + sandbox/tool policy	no
text `summary.attack_surface`	info	Roll-up summary of auth, channel, tool, and exposure posture	multiple keys (see finding detail)	no

OpenClaw Docs

Security audit checks

Related