Security Model
OpenClaw's security model ensures that the AI's operational permissions are properly controlled in a multi-channel, multi-session environment -- especially in groups and public channels.
Source Location
```
src/security/
├── audit.ts # Security audit logging (core module)
├── audit-extra.ts # Extended audit context
├── audit-fs.ts # File system audit
├── fix.ts # Security fixes
├── skill-scanner.ts # Skill security scanning
├── windows-acl.ts # Windows ACL management
├── external-content.ts # External content validation
└── channel-metadata.ts # Channel security context
```
Security Layers
Execution Environments
| Session Type | Execution Environment | Trust Level |
|---|---|---|
| main (1:1 DM) | Direct host execution | Full trust |
| group (no sandbox) | Host + tool policy | Restricted trust |
| group (sandbox) | Docker container | Minimal trust |
Docker Sandbox
Non-main sessions (groups/channels) can enable Docker sandbox mode. Inside the sandbox:
- Tools execute in an isolated container
- No access to the host file system
- Network access is restricted
- Resource usage is capped
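One way to check a container launch against the four properties above, as an added example that is not OpenClaw's code: the function audits a `docker run` argument list. The policy it enforces (only `--network none` counts as restricted; memory, CPU and PID caps must be explicit) and the sample arguments are assumptions.

```typescript
// Added example: audit a `docker run` argument list against the four sandbox
// properties above. Policy choices are assumptions, not OpenClaw's implementation.
type Finding = "host-mount" | "network-not-restricted" | "no-memory-cap"
  | "no-cpu-cap" | "no-pids-cap" | "privileged";

// Collect flag values, accepting both `--flag value` and `--flag=value`.
function flagValues(args: string[], names: string[]): string[] {
  const values: string[] = [];
  args.forEach((arg, i) => {
    const next = args[i + 1];
    for (const name of names) {
      if (arg === name && next !== undefined) values.push(next);
      else if (arg.startsWith(name + "=")) values.push(arg.slice(name.length + 1));
    }
  });
  return values;
}

function auditSandboxArgs(args: string[]): Finding[] {
  const findings: Finding[] = [];
  // Host file system: a volume whose source is a path (not a named volume),
  // or any bind mount, exposes host files to the container.
  const hostVolume = flagValues(args, ["-v", "--volume"]).some((v) => /^[\/.~]/.test(v));
  const bindMount = flagValues(args, ["--mount"]).some((m) => /(^|,)type=bind(,|$)/.test(m));
  if (hostVolume || bindMount) findings.push("host-mount");
  // Network: assumed policy is that only `none` counts as restricted, since
  // Docker's default bridge network still allows outbound connections.
  const networks = flagValues(args, ["--network", "--net"]);
  if (networks.length === 0 || networks.some((n) => n !== "none")) {
    findings.push("network-not-restricted");
  }
  // Resource caps: memory, CPU and process count must each be set explicitly.
  if (flagValues(args, ["-m", "--memory"]).length === 0) findings.push("no-memory-cap");
  if (flagValues(args, ["--cpus"]).length === 0) findings.push("no-cpu-cap");
  if (flagValues(args, ["--pids-limit"]).length === 0) findings.push("no-pids-cap");
  if (args.some((a) => a === "--privileged" || a === "--privileged=true")) {
    findings.push("privileged");
  }
  return findings;
}

// Constructed sample argument lists (image name is a placeholder).
const hardenedArgs = ["run", "--rm", "--network=none", "--memory", "256m",
  "--cpus=0.5", "--pids-limit", "64", "--read-only", "--cap-drop=ALL", "sandbox-image"];
const weakArgs = ["run", "-v", "/home/user:/work", "--network", "host",
  "--privileged", "sandbox-image"];
```

`auditSandboxArgs(hardenedArgs)` returns an empty list, while `weakArgs` trips every check; a named volume such as `-v data:/work` is not reported because its source is not a host path.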
Channel Allowlists
Source: src/channels/channel-config.ts
Each channel can configure allowFrom to restrict who can send messages:
```typescript
// AllowFrom configuration
interface AllowFromConfig {
  // List of allowed sender IDs
  // Supports wildcards and patterns
  // Per-channel and per-group configuration
}
```
Node Command Policy
Source: src/gateway/node-command-policy.ts
Remote nodes (iOS/Android devices) have a dedicated policy controlling command execution:
```typescript
// Node command policy (simplified)
// Controls what commands remote nodes can execute
// Validates command against allowed patterns
// Prevents unauthorized host access from remote devices
```
Security Audit
Source: src/security/audit.ts
The audit module records all security-relevant events:
| Audit Event | Description |
|---|---|
| Authentication attempts | Successful/failed auth |
| Tool execution | Tool name, arguments, results |
| File access | Read/write operations |
| Configuration changes | Config modification records |
| Permission changes | Allowlist, role changes |
Skill Scanner
Source: src/security/skill-scanner.ts
Before installing skills, a security scan is performed:
```typescript
// Skill scanner
// - Check for suspicious patterns
// - Validate manifest integrity
// - Scan for known vulnerabilities
```
Summary
- Three-layer security model: authentication -> access control -> execution isolation
- Docker sandbox provides isolated execution for non-main sessions
- Channel allowlists (allowFrom) control message sources
- Node command policy restricts execution permissions for remote devices
- Security audit records all security-critical events
- Skill scanning checks security before installation