1779054669 og image

Where OpenClaw Security Is Heading — OpenClaw Blog

by

Our goal is to make OpenCL a reliable way to run a powerful AI personal assistant.

OpenClaw can read files, run commands, install plugins, talk to the network, and perform tasks on a real machine for a real user. It is easy to call such power dangerous. The concern is justified. Powerful does not mean blind, unobstructed, or impossible to audit.

Some of it has come down. something going on. Some are still in flight. There is some research. I want to be clear about the difference, because posts that blur those lines mislead readers.

File System Limits and FS-Safe

OpenClaw runs on your machine. This means it can touch your documents, your codebase, and your photos.

The first file system vulnerability people usually run into is path traversal. This risk is real, but it’s just one symptom of a larger class of bugs: unclear boundaries. The code thinks it’s writing inside one root, then a symlink, absolute path, collection extraction, or sloppy join makes it cross to another.

fs-safe There is an answer to this. This is the set of secure file system patterns that OpenClaw was already developing, pulled into a shared library so that core code, plugins, and adjacent services can use the same root-bound primitives.

This is not a sandbox. A plugin that is allowed to run arbitrary shell commands can still do arbitrary shell-command things. fs-safe Protects against boundary-crossing bugs in file system code.

Writing inside the plugin workspace should work. Traversal and absolute-path writing outside that scope should fail. Plugin authors should not re-implement those checks.

Terminal output showing fs-safe allows in-workspace writes and prevents traversal and absolute-path writes with outside-workspace errors.
Writing inside the plugin workspace is successful. Traversal and absolute-path writes are refused outside-workspace.

The next step is to also make these primitives the expected patterns for plugins on ClawHub. Bypassing them is not automatically malicious, but it is security-relevant. Over time, that type of liking should count against the plugin’s trust status.

The safest file system call is still the one we don’t make. This is the security motivation behind the in-flight SQLite runtime-state refactor. Sessions, transcripts, scheduler state, and plugin state are in typed databases with clear ownership and transactions, not in loose files. Moving runtime state to SQLite removes entire ranges of file system access from the runtime path.

Network egress and proxyline

Agent systems make SSRF harder than a normal web service. In normal service, user-controlled URLs are often the exception. In the agent runtime, user-controlled or model-influenced URLs are common product behavior. “Get this URL because someone, or something, asked for it” is the usual thing.

We started with the obvious approach: verify URLs before fetching them. that’s not enough. Validation resolves DNS, fetch resolves DNS again, and the answer may change between the two. A host that points to a public IP during validation may still point to the metadata endpoint by the time the request goes out.

The correction has to go closer to the exit.

ProxyLine is our node-process routing layer for that. This node establishes process-global routing for networking surfaces and sends traffic through the proxy you configure. The configured proxy is where the connect-time policy should live: block metadata addresses, private ranges, loopback canaries, and whatever else your environment needs to block.

Proxyline route. Implements proxy.

It also provides observation capabilities to operators. If you already run a managed proxy, you can route OpenClaw through it and see destinations, rates, and blocking attempts from the infrastructure you already trust.

ProxyLine is not a perfect cage for every possible byte. Raw sockets, native modules, unusual transports, early captured agents, and non-OpenClaw child processes can still bypass node-level guardrails. But for general OpenClause network paths, moving the control point from “A wrapper remembered to verify this URL” to “Egress flow through proxy policy” is a better shape.

The verification path is simple: example.com must pass, must the loopback canary fail, and openclaw proxy validate This should prove that the configured route behaves the same way.

Terminal output showing opencl proxy validate allowing example.com, denying loopback canary and passing validation.
Allows local filtering proxy example.comBlocks the loopback canary, and openclaw proxy validate passes.

Plugin trust on ClawHub

When a plugin comes from ClawHub, ClawHub must be the authority for plugin trust and provenance. OpenCL should consume those signals during installs and updates, not just rely on local inspection after the fact.

The CloHub pipeline is a mix of signals: CloScan, VirusTotal, static analysis, metadata checking, provenance, and manual moderation. None of this is magic. Scanners make noise in different ways, and a pipeline that screams about everything teaches users to ignore it.

This is where Clawhub can do something that the local install flow can’t. It can attach a trust proof to a specific package version. It may say that this release is clean, suspicious, stopped, isolated, aborted, or malicious. It may block downloads for malicious or quarantined releases. It can show users what changed and why.

Plugins can come from GitHub, a private registry, or a file someone sent you. This isn’t going away, and OpenCL shouldn’t pretend that users don’t own machines.

What we can do is improve safe passage. Publish on ClawHub. Get scanned. Attach evidence. Let users weigh that evidence before installing.

We’re also looking for high-trust levels above the baseline: official packages, trusted publishers, and packages held to rigorous review expectations. For plugins that exist outside of Clawhub, we’d also like to have scanning to access them, but the exact product size still needs work.

If ClawHub flags a release as malicious and quarantined, the ClawHub install path should reject it. That’s the bar.

Terminal output showing that OpenClaw is refusing to install the Clawhub release that has been marked as malicious and quarantined.
ClawHub flags a release as malicious and stores it; OpenClaw refused to install.

Order Approval and Quick Fatigue

The signals arrive so fast that no one can read them. After a few minutes, users turn on YOLO mode so work can continue. At that point the prompts train the user to stop reading.

Fixing this means less signal and better signal.

The accuracy part starts with parsing. String matching is not enough. If an allow list or block list only sees external commands, the wrappers become bypassed. a policy that understands rm but can’t see inside bash -c "rm -rf ~/something" This is not a policy that users should rely on.

Shell approval path now evaluates internal command chains for normal shells -c Rapper. If the inner chain contains an executable that is not allowed, the wrapper should not make it safe. OpenClaw also uses the command highlighter tree-sitter to surface what it found inside the wrapper.

The openclaw execution approval dialog highlights executables inside Python commands, including nested bash and rm.
The command highlighter identifies the executable inside the wrapper payload, including the internal destructuring commands.

Powershell has its own traps; We fail to close forms we don’t understand, and broader support is on the roadmap.

Parsing is the easy half. The hardest part is deciding when to ask.

A static approval policy either hints at everything that might be risky, or relies on a fixed allow/deny list that cannot tell whether an order fits the task at hand.

The question users really care about: Did I want this to happen?

That’s why we are experimenting with relevant approvals. The goal is not to “never prompt.” The goal is that the prompts mean something – and when they do, the user should stop and read.

For OpenAI users we highlight Auto Review, a codex-specific feature that replaces manual approval at the sandbox boundary with a separate reviewer agent.

static analysis

OpenClaw has lots of GitHub security advice. The first task was to close the hole. The next task is to ensure that the same bug class does not return.

After an advice has been patched, it’s tempting to call it done. GHSA is evidence about a bug class, not just a bug. The question after testing is: can we find all the code that looks like this?

For that, we use OpenGrep with an exact rulepack. Each rule is linked to an advice, report or review conclusion. The underlying goal is to detect regression: if the same weak shape returns, the CI catches it before review. The better goal is variant detection: catching nearby versions of the same mistake.

Precision is everything. A noise rule is worse than no rule at all, because it teaches the team to ignore the channel.

The exact OpenGrep rulepack checked in today contains 148 rules. It runs on PR intervals, and a full scan can be run manually. Newly patched advice becomes candidates for the new rules.

Terminal output showing an OpenGrep rule finding the GHSA-derived unsafe secure-bin profile fallback pattern.
An OpenGrep rule catching previous GHSA-sized bugs locally.

CodeQL runs side-by-side for deep semantic coverage. It is slow and noisy to maintain; We use both.

What does this mean for OpenClaw users

OpenClaw is not becoming less powerful. We’re making it easier to see and defend borders.

We’re not going to promise risk-free agents. Anyone making promises is selling something, or has not yet sent a sufficient quantity of goods.

What we can promise is direction. OpenClaw can be more defensive while still remaining powerful. This is what we are building.



<a href

10 thoughts on “Where OpenClaw Security Is Heading — OpenClaw Blog”

Leave a Comment