Gateway 导读
安全守门员 audit checks:总控室这一层在盯什么
安全守门员 audit checks 属于网关总控室里的一角。先看它卡在哪个位置、会拨动哪些客户端和工具、旋钮一拧会影响哪片区域,然后再看命令细节。原文最响的一记鼓点,其实是:openclaw 安全守门员 audit emits structured findings keyed by checkId. This page is the refer…。
先听这页的人话版
Security audit checks
这一页不是在堆术语,它像把“安全守门员 audit checks”这台小机器搬到桌上,当着你的面拆开给你看。你先不用全记住,先抓住它到底在忙什么:openclaw 安全守门员 audit emits structured findings keyed by checkId. This page is the reference cat…。
如果把这页当成“给普通人看的版本”,你最应该带走的是:它到底在教你一件什么事、什么时候要这样做、以及哪里最容易踩坑。
第 1 站
Start Here
这一节主要在解释“Start Here”到底是干什么的,以及你什么时候会遇到它。
这段在解决什么
这一节主要在解释“Start Here”到底是干什么的,以及你什么时候会遇到它。
为什么值得看
如果你是第一次接触 OpenClaw,这一节最值得看的不是术语本身,而是它背后的使用场景和限制。
真要动手时
真正动手时,先看它有没有默认值、有没有必须打开的选项、以及会不会影响安全边界。
先别急着背术语
如果把这一段摆成一个小场景,你会看到几样东西正在互相打招呼、拦路或者传东西。别急着记名词,先抓住它此刻到底在发生什么:openclaw 安全守门员 audit emits structured findings keyed by checkId. This page is the reference catalog for those IDs. For…。
像讲绘本
如果把这一段摆成一个小场景,你会看到几样东西正在互相打招呼、拦路或者传东西。别急着记名词,先抓住它此刻到底在发生什么:openclaw 安全守门员 audit emits structured findings keyed by checkId. This page is the reference catalog for those IDs. For…。
原文小纸条
openclaw security audit emits structured findings keyed by checkId. This page is the reference catalog for those IDs. For the high-level threat model and hardening guidance, see Security.
像讲绘本
如果把这一段摆成一个小场景,你会看到几样东西正在互相打招呼、拦路或者传东西。别急着记名词,先抓住它此刻到底在发生什么:High-signal checkId values you will most likely see in real deployments (not exhaustive):。
原文小纸条
High-signal checkId values you will most likely see in real deployments (not exhaustive):
像整理表格
这段是在把几种选项排成表格,左边像标签,右边像说明。手机上可以横向滑动原文表格。
原文表格
checkId | Severity | Why it matters | Primary fix key/path | Auto-fix |
|---|---|---|---|---|
fs.state_dir.perms_world_writable | critical | Other users/processes can modify full OpenClaw state | filesystem perms on ~/.openclaw | yes |
fs.state_dir.perms_group_writable | warn | Group users can modify full OpenClaw state | filesystem perms on ~/.openclaw | yes |
fs.state_dir.perms_readable | warn | State dir is readable by others | filesystem perms on ~/.openclaw | yes |
fs.state_dir.symlink | warn | State dir target becomes another trust boundary | state dir filesystem layout | no |
fs.config.perms_writable | critical | Others can change auth/tool policy/config | filesystem perms on ~/.openclaw/openclaw.json | yes |
fs.config.symlink | warn | Symlinked config files are unsupported for writes and add another trust boundary | replace with a regular config file or point OPENCLAW_CONFIG_PATH at the real file | no |
fs.config.perms_group_readable | warn | Group users can read config tokens/settings | filesystem perms on config file | yes |
fs.config.perms_world_readable | critical | Config can expose tokens/settings | filesystem perms on config file | yes |
fs.config_include.perms_writable | critical | Config include file can be modified by others | include-file perms referenced from openclaw.json | yes |
fs.config_include.perms_group_readable | warn | Group users can read included secrets/settings | include-file perms referenced from openclaw.json | yes |
fs.config_include.perms_world_readable | critical | Included secrets/settings are world-readable | include-file perms referenced from openclaw.json | yes |
fs.auth_profiles.perms_writable | critical | Others can inject or replace stored model credentials | agents/<agentId>/agent/auth-profiles.json perms | yes |
fs.auth_profiles.perms_readable | warn | Others can read API keys and OAuth tokens | agents/<agentId>/agent/auth-profiles.json perms | yes |
fs.credentials_dir.perms_writable | critical | Others can modify channel pairing/credential state | filesystem perms on ~/.openclaw/credentials | yes |
fs.credentials_dir.perms_readable | warn | Others can read channel credential state | filesystem perms on ~/.openclaw/credentials | yes |
fs.sessions_store.perms_readable | warn | Others can read session transcripts/metadata | session store perms | yes |
fs.log_file.perms_readable | warn | Others can read redacted-but-still-sensitive logs | gateway log file perms | yes |
fs.synced_dir | warn | State/config in iCloud/Dropbox/Drive broadens token/transcript exposure | move config/state off synced folders | no |
gateway.bind_no_auth | critical | Remote bind without shared secret | gateway.bind, gateway.auth.* | no |
gateway.loopback_no_auth | critical | Reverse-proxied loopback may become unauthenticated | gateway.auth.*, proxy setup | no |
gateway.trusted_proxies_missing | warn | Reverse-proxy headers are present but not trusted | gateway.trustedProxies | no |
gateway.http.no_auth | warn/critical | Gateway HTTP APIs reachable with auth.mode="none" | gateway.auth.mode, gateway.http.endpoints.*, plugins.entries.admin-http-rpc | no |
gateway.http.session_key_override_enabled | info | HTTP API callers can override sessionKey | gateway.http.allowSessionKeyOverride | no |
gateway.tools_invoke_http.dangerous_allow | warn/critical | Re-enables dangerous tools over HTTP API | gateway.tools.allow | no |
gateway.nodes.allow_commands_dangerous | warn/critical | Enables high-impact node commands (camera/screen/contacts/calendar/SMS) | gateway.nodes.allowCommands | no |
gateway.nodes.deny_commands_ineffective | warn | Pattern-like deny entries do not match shell text or groups | gateway.nodes.denyCommands | no |
gateway.tailscale_funnel | critical | Public internet exposure | gateway.tailscale.mode | no |
gateway.tailscale_serve | info | Tailnet exposure is enabled via Serve | gateway.tailscale.mode | no |
gateway.control_ui.allowed_origins_required | critical | Non-loopback Control UI without explicit browser-origin allowlist | gateway.controlUi.allowedOrigins | no |
gateway.control_ui.allowed_origins_wildcard | warn/critical | allowedOrigins=["*"] disables browser-origin allowlisting | gateway.controlUi.allowedOrigins | no |
gateway.control_ui.host_header_origin_fallback | warn/critical | Enables Host-header origin fallback (DNS rebinding hardening downgrade) | gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback | no |
gateway.control_ui.insecure_auth | warn | Insecure-auth compatibility toggle enabled | gateway.controlUi.allowInsecureAuth | no |
gateway.control_ui.device_auth_disabled | critical | Disables device identity check | gateway.controlUi.dangerouslyDisableDeviceAuth | no |
gateway.real_ip_fallback_enabled | warn/critical | Trusting X-Real-IP fallback can enable source-IP spoofing via proxy misconfig | gateway.allowRealIpFallback, gateway.trustedProxies | no |
gateway.token_too_short | warn | Short shared token is easier to brute force | gateway.auth.token | no |
gateway.auth_no_rate_limit | warn | Exposed auth without rate limiting increases brute-force risk | gateway.auth.rateLimit | no |
gateway.trusted_proxy_auth | critical | Proxy identity now becomes the auth boundary | gateway.auth.mode="trusted-proxy" | no |
gateway.trusted_proxy_no_proxies | critical | Trusted-proxy auth without trusted proxy IPs is unsafe | gateway.trustedProxies | no |
gateway.trusted_proxy_no_user_header | critical | Trusted-proxy auth cannot resolve user identity safely | gateway.auth.trustedProxy.userHeader | no |
gateway.trusted_proxy_no_allowlist | warn | Trusted-proxy auth accepts any authenticated upstream user | gateway.auth.trustedProxy.allowUsers | no |
gateway.trusted_proxy_allow_loopback | warn | Trusted-proxy auth accepts explicitly allowed loopback proxy sources | gateway.auth.trustedProxy.allowLoopback | no |
gateway.probe_auth_secretref_unavailable | warn | Deep probe could not resolve auth SecretRefs in this command path | deep-probe auth source / SecretRef availability | no |
gateway.probe_failed | warn/critical | Live Gateway probe failed | gateway reachability/auth | no |
discovery.mdns_full_mode | warn/critical | mDNS full mode advertises cliPath/sshPort metadata on local network | discovery.mdns.mode, gateway.bind | no |
config.insecure_or_dangerous_flags | warn | One insecure/dangerous debug flag is enabled | key named in finding detail | no |
security.audit.suppressions.active | info | Audit output has configured suppressions and may be filtered | security.audit.suppressions | no |
config.secrets.gateway_password_in_config | warn | Gateway password is stored directly in config | gateway.auth.password | no |
config.secrets.hooks_token_in_config | warn | Hook bearer token is stored directly in config | hooks.token | no |
hooks.token_reuse_gateway_token | critical | Hook ingress token also unlocks Gateway auth | hooks.token, gateway.auth.token | no |
hooks.token_too_short | warn | Easier brute force on hook ingress | hooks.token | no |
hooks.default_session_key_unset | warn | Hook agent runs fan out into generated per-request sessions | hooks.defaultSessionKey | no |
hooks.allowed_agent_ids_unrestricted | warn/critical | Authenticated hook callers may route to any configured agent | hooks.allowedAgentIds | no |
hooks.request_session_key_enabled | warn/critical | External caller can choose sessionKey | hooks.allowRequestSessionKey | no |
hooks.request_session_key_prefixes_missing | warn/critical | No bound on external session key shapes | hooks.allowedSessionKeyPrefixes | no |
hooks.path_root | critical | Hook path is /, making ingress easier to collide or misroute | hooks.path | no |
hooks.installs_unpinned_npm_specs | warn | Hook install records are not pinned to immutable npm specs | hook install metadata | no |
hooks.installs_missing_integrity | warn | Hook install records lack integrity metadata | hook install metadata | no |
hooks.installs_version_drift | warn | Hook install records drift from installed packages | hook install metadata | no |
logging.redact_off | warn | Sensitive values leak to logs/status | logging.redactSensitive | yes |
browser.control_invalid_config | warn | Browser control config is invalid before runtime | browser.* | no |
browser.control_no_auth | critical | Browser control exposed without token/password auth | gateway.auth.* | no |
browser.remote_cdp_http | warn | Remote CDP over plain HTTP lacks transport encryption | browser profile cdpUrl | no |
browser.remote_cdp_private_host | warn | Remote CDP targets a private/internal host | browser profile cdpUrl, browser.ssrfPolicy.* | no |
sandbox.docker_config_mode_off | warn | Sandbox Docker config present but inactive | agents.*.sandbox.mode | no |
sandbox.bind_mount_non_absolute | warn | Relative bind mounts can resolve unpredictably | agents.*.sandbox.docker.binds[] | no |
sandbox.dangerous_bind_mount | critical | Sandbox bind mount targets blocked system, credential, or Docker socket paths | agents.*.sandbox.docker.binds[] | no |
sandbox.dangerous_network_mode | critical | Sandbox Docker network uses host or container:* namespace-join mode | agents.*.sandbox.docker.network | no |
sandbox.dangerous_seccomp_profile | critical | Sandbox seccomp profile weakens container isolation | agents.*.sandbox.docker.securityOpt | no |
sandbox.dangerous_apparmor_profile | critical | Sandbox AppArmor profile weakens container isolation | agents.*.sandbox.docker.securityOpt | no |
sandbox.browser_cdp_bridge_unrestricted | warn | Sandbox browser bridge is exposed without source-range restriction | sandbox.browser.cdpSourceRange | no |
sandbox.browser_container.non_loopback_publish | critical | Existing browser container publishes CDP on non-loopback interfaces | browser sandbox container publish config | no |
sandbox.browser_container.hash_label_missing | warn | Existing browser container predates current config-hash labels | openclaw sandbox recreate --browser --all | no |
sandbox.browser_container.hash_epoch_stale | warn | Existing browser container predates current browser config epoch | openclaw sandbox recreate --browser --all | no |
tools.exec.host_sandbox_no_sandbox_defaults | warn | exec host=sandbox fails closed when sandbox is off | tools.exec.host, agents.defaults.sandbox.mode | no |
tools.exec.host_sandbox_no_sandbox_agents | warn | Per-agent exec host=sandbox fails closed when sandbox is off | agents.list[].tools.exec.host, agents.list[].sandbox.mode | no |
tools.exec.security_full_configured | warn/critical | Host exec is running with security="full" | tools.exec.security, agents.list[].tools.exec.security | no |
tools.exec.fs_tools_disabled_but_exec_enabled | warn | Filesystem tool policy does not make shell execution read-only | tools.deny, agents.list[].tools.deny, agents.*.sandbox.workspaceAccess | no |
tools.exec.auto_allow_skills_enabled | warn | Exec approvals trust skill bins implicitly | ~/.openclaw/exec-approvals.json | no |
tools.exec.allowlist_interpreter_without_strict_inline_eval | warn | Interpreter allowlists permit inline eval without forced reapproval | tools.exec.strictInlineEval, agents.list[].tools.exec.strictInlineEval, exec approvals allowlist | no |
tools.exec.safe_bins_interpreter_unprofiled | warn | Interpreter/runtime bins in safeBins without explicit profiles broaden exec risk | tools.exec.safeBins, tools.exec.safeBinProfiles, agents.list[].tools.exec.* | no |
tools.exec.safe_bins_broad_behavior | warn | Broad-behavior tools in safeBins weaken the low-risk stdin-filter trust model | tools.exec.safeBins, agents.list[].tools.exec.safeBins | no |
tools.exec.safe_bin_trusted_dirs_risky | warn | safeBinTrustedDirs includes mutable or risky directories | tools.exec.safeBinTrustedDirs, agents.list[].tools.exec.safeBinTrustedDirs | no |
skills.workspace.symlink_escape | warn | Workspace skills/**/SKILL.md resolves outside workspace root (symlink-chain drift) | workspace skills/** filesystem state | no |
plugins.extensions_no_allowlist | warn | Plugins are installed without an explicit plugin allowlist | plugins.allowlist | no |
plugins.installs_unpinned_npm_specs | warn | Plugin index records are not pinned to immutable npm specs | plugin install metadata | no |
plugins.installs_missing_integrity | warn | Plugin index records lack integrity metadata | plugin install metadata | no |
plugins.installs_version_drift | warn | Plugin index records drift from installed packages | plugin install metadata | no |
plugins.code_safety | warn/critical | Plugin code scan found suspicious or dangerous patterns | plugin code / install source | no |
plugins.code_safety.entry_path | warn | Plugin entry path points into hidden or node_modules locations | plugin manifest entry | no |
plugins.code_safety.entry_escape | critical | Plugin entry escapes the plugin directory | plugin manifest entry | no |
plugins.code_safety.scan_failed | warn | Plugin code scan could not complete | plugin path / scan environment | no |
skills.code_safety | warn/critical | Skill installer metadata/code contains suspicious or dangerous patterns | skill install source | no |
skills.code_safety.scan_failed | warn | Skill code scan could not complete | skill scan environment | no |
security.exposure.open_channels_with_exec | warn/critical | Shared/public rooms can reach exec-enabled agents | channels.*.dmPolicy, channels.*.groupPolicy, tools.exec.*, agents.list[].tools.exec.* | no |
security.exposure.open_groups_with_elevated | critical | Open groups + elevated tools create high-impact prompt-injection paths | channels.*.groupPolicy, tools.elevated.* | no |
security.exposure.open_groups_with_runtime_or_fs | critical/warn | Open groups can reach command/file tools without sandbox/workspace guards | channels.*.groupPolicy, tools.profile/deny, tools.fs.workspaceOnly, agents.*.sandbox.mode | no |
security.trust_model.multi_user_heuristic | warn | Config looks multi-user while gateway trust model is personal-assistant | split trust boundaries, or shared-user hardening (sandbox.mode, tool deny/workspace scoping`) | no |
tools.profile_minimal_overridden | warn | Agent overrides bypass global minimal profile | agents.list[].tools.profile | no |
plugins.tools_reachable_permissive_policy | warn | Extension tools reachable in permissive contexts | tools.profile + tool allow/deny | no |
models.legacy | warn | Legacy model families are still configured | model selection | no |
models.weak_tier | warn | Configured models are below current recommended tiers | model selection | no |
models.small_params | critical/info | Small models + unsafe tool surfaces raise injection risk | model choice + sandbox/tool policy | no |
summary.attack_surface | info | Roll-up summary of auth, channel, tool, and exposure posture | multiple keys (see finding detail) | no |
第 2 站
Related
这一节主要在解释“Related”到底是干什么的,以及你什么时候会遇到它。
这段在解决什么
这一节主要在解释“Related”到底是干什么的,以及你什么时候会遇到它。
为什么值得看
如果你是第一次接触 OpenClaw,这一节最值得看的不是术语本身,而是它背后的使用场景和限制。
真要动手时
真正动手时,先看它有没有默认值、有没有必须打开的选项、以及会不会影响安全边界。
先别急着背术语
如果把这一段摆成一个小场景,你会看到几样东西正在互相打招呼、拦路或者传东西。别急着记名词,先抓住它此刻到底在发生什么:---。
像准备清单
这一串条目别硬背,把它当成“Related”门口贴出来的几张便签就行。它们在提醒你先备好什么、别漏掉什么、哪里最容易走错:安全守门员、设置说明书uration、Trusted proxy auth。
像讲绘本
如果把这一段摆成一个小场景,你会看到几样东西正在互相打招呼、拦路或者传东西。别急着记名词,先抓住它此刻到底在发生什么:---。
原文小纸条
---
AdSense 连接验证已经放在页面头部;广告单元等站点审批通过后再启用。
google-adsense-account: ca-pub-3833673520933536