negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(security): audit gateway HTTP no-auth exposure

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 14:25:45 +01:00
parent 808a60d3bd
commit e3e0ffd801
7 changed files with 130 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/cli/security.md
View File

@@ -27,6 +27,7 @@ The audit warns when multiple DM senders share the main session and recommends *
It also warns when small models (`<=300B`) are used without sandboxing and with web/browser tools enabled.
For webhook ingress, it warns when `hooks.defaultSessionKey` is unset, when request `sessionKey` overrides are enabled, and when overrides are enabled without `hooks.allowedSessionKeyPrefixes`.
It also warns when sandbox Docker settings are configured while sandbox mode is off, when `gateway.nodes.denyCommands` uses ineffective pattern-like/unknown entries, when global `tools.profile="minimal"` is overridden by agent tool profiles, and when installed extension plugin tools may be reachable under permissive tool policy.
It warns when `gateway.auth.mode="none"` leaves Gateway HTTP APIs reachable without a shared secret (`/tools/invoke` plus any enabled `/v1/*` endpoint).
## JSON output