source/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-02-08 21:09:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
9a7160786a7dbd21469fad73992158e415e4686e
openclaw/SECURITY.md
Peter Steinberger 9a7160786a refactor: rename to openclaw
2026-01-30 03:16:21 +01:00

1.6 KiB
Raw Blame History

Security Policy

If you believe you've found a security issue in OpenClaw, please report it privately.

Reporting

  • Email: steipete@gmail.com
  • What to include: reproduction steps, impact assessment, and (if possible) a minimal PoC.

Operational Guidance

For threat model + hardening guidance (including openclaw security audit --deep and --fix), see:

  • https://docs.openclaw.ai/gateway/security

Web Interface Safety

OpenClaw's web interface is intended for local use only. Do not bind it to the public internet; it is not hardened for public exposure.

Runtime Requirements

Node.js Version

OpenClaw requires Node.js 22.12.0 or later (LTS). This version includes important security patches:

  • CVE-2025-59466: async_hooks DoS vulnerability
  • CVE-2026-21636: Permission model bypass vulnerability

Verify your Node.js version:

node --version  # Should be v22.12.0 or later

Docker Security

When running OpenClaw in Docker:

  1. The official image runs as a non-root user (node) for reduced attack surface
  2. Use --read-only flag when possible for additional filesystem protection
  3. Limit container capabilities with --cap-drop=ALL

Example secure Docker run:

docker run --read-only --cap-drop=ALL \
  -v openclaw-data:/app/data \
  openclaw/openclaw:latest

Security Scanning

This project uses detect-secrets for automated secret detection in CI/CD. See .detect-secrets.cfg for configuration and .secrets.baseline for the baseline.

Run locally:

pip install detect-secrets==1.5.0
detect-secrets scan --baseline .secrets.baseline
Reference in New Issue View Git Blame Copy Permalink