OpenClaw upstream refs (pulled 2026-02-10) — manifest + excerpts

Upstream URLs:
https://docs.openclaw.ai/gateway/security
https://docs.openclaw.ai/gateway/configuration
https://github.com/openclaw/openclaw/blob/main/README.md
https://github.com/openclaw/openclaw/blob/main/SECURITY.md

Downloaded files + sha256:
fa3e70435b0f76afeef3953dd0fb6f7abc84a6bdea32976c479b0dc49058ca8b  docs_gateway_security.html
d2e6d0ad2e8c3404deb7e0cf5e54c2d3281b9d3e1d10abc0b57c7a72008f0758  docs_gateway_configuration.html
96eda4a1835e8713a480ef79221f8dd318e74867b0fbe208a130e3c83636c2d5  github_README.md
9dad389bc250dcb98f252f5315cfca6febc36611c6897488d6a1ee1d1f9aa3fb  github_SECURITY.md

------------------------------------------------------------
README excerpts (local copy: github_README.md)
------------------------------------------------------------

[DM policy / pairing]
100
101  # Dev loop (auto-reload on TS changes)
102  pnpm gateway:watch
103  ```
104
105  Note: `pnpm openclaw ...` runs TypeScript directly (via `tsx`). `pnpm build` produces `dist/` for running via Node / the packaged `openclaw` binary.
106
107  ## Security defaults (DM access)
108
109  OpenClaw connects to real messaging surfaces. Treat inbound DMs as **untrusted input**.
110
111  Full security guide: [Security](https://docs.openclaw.ai/gateway/security)
112
113  Default behavior on Telegram/WhatsApp/Signal/iMessage/Microsoft Teams/Discord/Google Chat/Slack:
114
115  - **DM pairing** (`dmPolicy="pairing"` / `channels.discord.dm.policy="pairing"` / `channels.slack.dm.policy="pairing"`): unknown senders receive a short pairing code and the bot does not process their message.
116  - Approve with: `openclaw pairing approve ` (then the sender is added to a local allowlist store).
117  - Public inbound DMs require an explicit opt-in: set `dmPolicy="open"` and include `"*"` in the channel allowlist (`allowFrom` / `channels.discord.dm.allowFrom` / `channels.slack.dm.allowFrom`).
118
119  Run `openclaw doctor` to surface risky/misconfigured DM policies.
120
121  ## Highlights
122
123  - **[Local-first Gateway](https://docs.openclaw.ai/gateway)** — single control plane for sessions, channels, tools, and events.
124  - **[Multi-channel inbox](https://docs.openclaw.ai/channels)** — WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, BlueBubbles (iMessage), iMessage (legacy), Microsoft Teams, Matrix, Zalo, Zalo Personal, WebChat, macOS, iOS/Android.
125  - **[Multi-agent routing](https://docs.openclaw.ai/gateway/configuration)** — route inbound channels/accounts/peers to isolated agents (workspaces + per-agent sessions).
126  - **[Voice Wake](https://docs.openclaw.ai/nodes/voicewake) + [Talk Mode](https://docs.openclaw.ai/nodes/talk)** — always-on speech for macOS/iOS/Android with ElevenLabs.
127  - **[Live Canvas](https://docs.openclaw.ai/platforms/mac/canvas)** — agent-driven visual workspace with [A2UI](https://docs.openclaw.ai/platforms/mac/canvas#canvas-a2ui).
128  - **[First-class tools](https://docs.openclaw.ai/tools)** — browser, canvas, nodes, cron, sessions, and Discord/Slack actions.
129  - **[Companion apps](https://docs.openclaw.ai/platforms/macos)** — macOS menu bar app + iOS/Android [nodes](https://docs.openclaw.ai/nodes).
130  - **[Onboarding](https://docs.openclaw.ai/start/wizard) + [skills](https://docs.openclaw.ai/tools/skills)** — wizard-driven setup with bundled/managed/workspace skills.
131
132  ## Star History
133
134  [![Star History Chart](https://api.star-history.com/svg?repos=openclaw/openclaw&type=date&legend=top-left)](https://www.star-history.com/#openclaw/openclaw&type=date&legend=top-left)
135
136  ## Everything we built so far
137
138  ### Core platform
139
140  - [Gateway WS control plane](https://docs.openclaw.ai/gateway) with sessions, presence, config, cron, webhooks, [Control UI](https://docs.openclaw.ai/web), and [Canvas host](https://docs.openclaw.ai/platforms/mac/canvas#canvas-a2ui).

[Gateway bind/auth notes (serve/funnel)]
200
201  - **[Gateway WebSocket network](https://docs.openclaw.ai/concepts/architecture)** — single WS control plane for clients, tools, and events (plus ops: [Gateway runbook](https://docs.openclaw.ai/gateway)).
202  - **[Tailscale exposure](https://docs.openclaw.ai/gateway/tailscale)** — Serve/Funnel for the Gateway dashboard + WS (remote access: [Remote](https://docs.openclaw.ai/gateway/remote)).
203  - **[Browser control](https://docs.openclaw.ai/tools/browser)** — openclaw‑managed Chrome/Chromium with CDP control.
204  - **[Canvas + A2UI](https://docs.openclaw.ai/platforms/mac/canvas)** — agent‑driven visual workspace (A2UI host: [Canvas/A2UI](https://docs.openclaw.ai/platforms/mac/canvas#canvas-a2ui)).
205  - **[Voice Wake](https://docs.openclaw.ai/nodes/voicewake) + [Talk Mode](https://docs.openclaw.ai/nodes/talk)** — always‑on speech and continuous conversation.
206  - **[Nodes](https://docs.openclaw.ai/nodes)** — Canvas, camera snap/clip, screen record, `location.get`, notifications, plus macOS‑only `system.run`/`system.notify`.
207
208  ## Tailscale access (Gateway dashboard)
209
210  OpenClaw can auto-configure Tailscale **Serve** (tailnet-only) or **Funnel** (public) while the Gateway stays bound to loopback. Configure `gateway.tailscale.mode`:
211
212  - `off`: no Tailscale automation (default).
213  - `serve`: tailnet-only HTTPS via `tailscale serve` (uses Tailscale identity headers by default).
214  - `funnel`: public HTTPS via `tailscale funnel` (requires shared password auth).
215
216  Notes:
217
218  - `gateway.bind` must stay `loopback` when Serve/Funnel is enabled (OpenClaw enforces this).
219  - Serve can be forced to require a password by setting `gateway.auth.mode: "password"` or `gateway.auth.allowTailscale: false`.
220  - Funnel refuses to start unless `gateway.auth.mode: "password"` is set.
221  - Optional: `gateway.tailscale.resetOnExit` to undo Serve/Funnel on shutdown.
222
223  Details: [Tailscale guide](https://docs.openclaw.ai/gateway/tailscale) · [Web surfaces](https://docs.openclaw.ai/web)
224
225  ## Remote Gateway (Linux is great)
226
227  It’s perfectly fine to run the Gateway on a small Linux instance. Clients (macOS app, CLI, WebChat) can connect over **Tailscale Serve/Funnel** or **SSH tunnels**, and you can still pair device nodes (macOS/iOS/Android) to execute device‑local actions when needed.
228
229  - **Gateway host** runs the exec tool and channel connections by default.
230  - **Device nodes** run device‑local actions (`system.run`, camera, screen recording, notifications) via `node.invoke`.
231  In short: exec runs where the Gateway lives; device actions run where the device lives.
232
233  Details: [Remote access](https://docs.openclaw.ai/gateway/remote) · [Nodes](https://docs.openclaw.ai/nodes) · [Security](https://docs.openclaw.ai/gateway/security)
234
235  ## macOS permissions via the Gateway protocol

[Elevated access toggles]
235  ## macOS permissions via the Gateway protocol
236
237  The macOS app can run in **node mode** and advertises its capabilities + permission map over the Gateway WebSocket (`node.list` / `node.describe`). Clients can then execute local actions via `node.invoke`:
238
239  - `system.run` runs a local command and returns stdout/stderr/exit code; set `needsScreenRecording: true` to require screen-recording permission (otherwise you’ll get `PERMISSION_MISSING`).
240  - `system.notify` posts a user notification and fails if notifications are denied.
241  - `canvas.*`, `camera.*`, `screen.record`, and `location.get` are also routed via `node.invoke` and follow TCC permission status.
242
243  Elevated bash (host permissions) is separate from macOS TCC:
244
245  - Use `/elevated on|off` to toggle per‑session elevated access when enabled + allowlisted.
246  - Gateway persists the per‑session toggle via `sessions.patch` (WS method) alongside `thinkingLevel`, `verboseLevel`, `model`, `sendPolicy`, and `groupActivation`.
247
248  Details: [Nodes](https://docs.openclaw.ai/nodes) · [macOS app](https://docs.openclaw.ai/platforms/macos) · [Gateway protocol](https://docs.openclaw.ai/concepts/architecture)
249
250  ## Agent to Agent (sessions\_\* tools)
251
252  - Use these to coordinate work across sessions without jumping between chat surfaces.
253  - `sessions_list` — discover active sessions (agents) and their metadata.
254  - `sessions_history` — fetch transcript logs for a session.
255  - `sessions_send` — message another session; optional reply‑back ping‑pong + announce step (`REPLY_SKIP`, `ANNOUNCE_SKIP`).
256
257  Details: [Session tools](https://docs.openclaw.ai/concepts/session-tool)
258
259  ## Skills registry (ClawHub)
260
261  ClawHub is a minimal skill registry. With ClawHub enabled, the agent can search for skills automatically and pull in new ones as needed.
262
263  [ClawHub](https://clawhub.com)
264
265  ## Chat commands
266
267  Send these in WhatsApp/Telegram/Slack/Google Chat/Microsoft Teams/WebChat (group commands are owner-only):
268
269  - `/status` — compact session status (model + tokens, cost when available)
270  - `/new` or `/reset` — reset the session
271  - `/compact` — compact session context (summary)
272  - `/think ` — off|minimal|low|medium|high|xhigh (GPT-5.2 + Codex models only)
273  - `/verbose on|off`
274  - `/usage off|tokens|full` — per-response usage footer
275  - `/restart` — restart the gateway (owner-only in groups)

[Sandbox defaults + main session runs on host]
315  Minimal `~/.openclaw/openclaw.json` (model + defaults):
316
317  ```json5
318  {
319    agent: {
320      model: "anthropic/claude-opus-4-6",
321    },
322  }
323  ```
324
325  [Full configuration reference (all keys + examples).](https://docs.openclaw.ai/gateway/configuration)
326
327  ## Security model (important)
328
329  - **Default:** tools run on the host for the **main** session, so the agent has full access when it’s just you.
330  - **Group/channel safety:** set `agents.defaults.sandbox.mode: "non-main"` to run **non‑main sessions** (groups/channels) inside per‑session Docker sandboxes; bash then runs in Docker for those sessions.
331  - **Sandbox defaults:** allowlist `bash`, `process`, `read`, `write`, `edit`, `sessions_list`, `sessions_history`, `sessions_send`, `sessions_spawn`; denylist `browser`, `canvas`, `nodes`, `cron`, `discord`, `gateway`.
332
333  Details: [Security guide](https://docs.openclaw.ai/gateway/security) · [Docker + sandboxing](https://docs.openclaw.ai/install/docker) · [Sandbox config](https://docs.openclaw.ai/gateway/configuration)
334
335  ### [WhatsApp](https://docs.openclaw.ai/channels/whatsapp)
336
337  - Link the device: `pnpm openclaw channels login` (stores creds in `~/.openclaw/credentials`).
338  - Allowlist who can talk to the assistant via `channels.whatsapp.allowFrom`.
339  - If `channels.whatsapp.groups` is set, it becomes a group allowlist; include `"*"` to allow all.
340
341  ### [Telegram](https://docs.openclaw.ai/channels/telegram)
342
343  - Set `TELEGRAM_BOT_TOKEN` or `channels.telegram.botToken` (env wins).
344  - Optional: set `channels.telegram.groups` (with `channels.telegram.groups."*".requireMention`); when set, it is a group allowlist (include `"*"` to allow all). Also `channels.telegram.allowFrom` or `channels.telegram.webhookUrl` + `channels.telegram.webhookSecret` as needed.
345
346  ```json5
347  {
348    channels: {
349      telegram: {
350        botToken: "123456:ABCDEF",
351      },
352    },
353  }
354  ```
355

------------------------------------------------------------
SECURITY.md excerpts (local copy: github_SECURITY.md)
------------------------------------------------------------

[Hardening + audit command + footguns]
35  **Jamieson O'Reilly** ([@theonejvo](https://twitter.com/theonejvo)) is Security & Trust at OpenClaw. Jamieson is the founder of [Dvuln](https://dvuln.com) and brings extensive experience in offensive security, penetration testing, and security program development.
36
37  ## Bug Bounties
38
39  OpenClaw is a labor of love. There is no bug bounty program and no budget for paid reports. Please still disclose responsibly so we can fix issues quickly.
40  The best way to help the project right now is by sending PRs.
41
42  ## Out of Scope
43
44  - Public Internet Exposure
45  - Using OpenClaw in ways that the docs recommend not to
46  - Prompt injection attacks
47
48  ## Operational Guidance
49
50  For threat model + hardening guidance (including `openclaw security audit --deep` and `--fix`), see:
51
52  - `https://docs.openclaw.ai/gateway/security`
53
54  ### Web Interface Safety
55
56  OpenClaw's web interface is intended for local use only. Do **not** bind it to the public internet; it is not hardened for public exposure.
57
58  ## Runtime Requirements
59
60  ### Node.js Version
61
62  OpenClaw requires **Node.js 22.12.0 or later** (LTS). This version includes important security patches:
63
64  - CVE-2025-59466: async_hooks DoS vulnerability
65  - CVE-2026-21636: Permission model bypass vulnerability
66
67  Verify your Node.js version:
68
69  ```bash
70  node --version  # Should be v22.12.0 or later
71  ```
72
73  ### Docker Security
74
75  When running OpenClaw in Docker:
76
77  1. The official image runs as a non-root user (`node`) for reduced attack surface
78  2. Use `--read-only` flag when possible for additional filesystem protection
79  3. Limit container capabilities with `--cap-drop=ALL`
80
81  Example secure Docker run:
82
83  ```bash
84  docker run --read-only --cap-drop=ALL \
85    -v openclaw-data:/app/data \
86    openclaw/openclaw:latest
87  ```
88
89  ## Security Scanning
90
91  This project uses `detect-secrets` for automated secret detection in CI/CD.
92  See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.
93
94  Run locally:
95

[Container hardening flags + token storage paths]
75  When running OpenClaw in Docker:
76
77  1. The official image runs as a non-root user (`node`) for reduced attack surface
78  2. Use `--read-only` flag when possible for additional filesystem protection
79  3. Limit container capabilities with `--cap-drop=ALL`
80
81  Example secure Docker run:
82
83  ```bash
84  docker run --read-only --cap-drop=ALL \
85    -v openclaw-data:/app/data \
86    openclaw/openclaw:latest
87  ```
88
89  ## Security Scanning
90
91  This project uses `detect-secrets` for automated secret detection in CI/CD.
92  See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.
93
94  Run locally:
95
96  ```bash
97  pip install detect-secrets==1.5.0
98  detect-secrets scan --baseline .secrets.baseline
99  ```

[Transcripts/logs location]
[DM access model + pairing approval commands]
[Plugins run in-process (treat as trusted code)]
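
Added example (not part of the upstream excerpts and not OpenClaw code): a JavaScript check that applies the rules quoted in the README excerpts above (the Serve/Funnel bind and auth notes, the public-DM opt-in, and group allowlists versus sandbox mode) to a parsed config object. The `auditConfig` helper, the finding names and the sample values are assumptions made for illustration; it does not reproduce what `openclaw doctor` or `openclaw security audit` do.

```javascript
// Added example, not OpenClaw code: applies rules quoted in the README excerpts
// to a parsed config object. Finding ids are invented for this illustration.
const get = (obj, path) =>
  path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);

// "*" may be an array element (allowFrom) or an object key (groups."*").
const hasWildcard = (v) =>
  Array.isArray(v) ? v.includes("*") : v != null && typeof v === "object" && "*" in v;

function auditConfig(cfg) {
  const findings = [];
  const mode = get(cfg, "gateway.tailscale.mode") ?? "off"; // README: off is the default
  const bind = get(cfg, "gateway.bind");
  const authMode = get(cfg, "gateway.auth.mode");

  // Serve/Funnel: gateway.bind must stay loopback.
  // Assumption: an unset bind is left to the gateway's default and not flagged.
  if (mode !== "off" && bind !== undefined && bind !== "loopback")
    findings.push("tailscale-bind-not-loopback");
  // Funnel is public HTTPS and refuses to start without password auth.
  if (mode === "funnel" && authMode !== "password")
    findings.push("funnel-without-password");
  // Informational: Serve relies on Tailscale identity headers unless a password is forced.
  if (mode === "serve" && authMode !== "password" &&
      get(cfg, "gateway.auth.allowTailscale") !== false)
    findings.push("serve-identity-headers-only");

  // Public inbound DMs need both policy "open" and "*" in allowFrom.
  for (const ch of ["discord", "slack"]) {
    if (get(cfg, `channels.${ch}.dm.policy`) !== "open") continue;
    findings.push(hasWildcard(get(cfg, `channels.${ch}.dm.allowFrom`))
      ? `${ch}-dm-public` : `${ch}-dm-open-without-wildcard`);
  }

  // Group allowlist opened to all without the "non-main" sandbox mode.
  const sandbox = get(cfg, "agents.defaults.sandbox.mode");
  for (const ch of ["whatsapp", "telegram"])
    if (hasWildcard(get(cfg, `channels.${ch}.groups`)) && sandbox !== "non-main")
      findings.push(`${ch}-groups-open-unsandboxed`);
  return findings;
}

// Constructed sample; "lan" and "token" stand in for any non-loopback / non-password value.
const sample = {
  gateway: { bind: "lan", tailscale: { mode: "funnel" }, auth: { mode: "token" } },
  channels: {
    slack: { dm: { policy: "open", allowFrom: ["*"] } },
    telegram: { groups: { "*": { requireMention: true } } },
  },
};
console.log(auditConfig(sample));
```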