Only the most recent stable release of OpenClaw is officially supported with security updates. We also accept security reports for the main branch.

We take security seriously. If you discover a security vulnerability in OpenClaw, please do not open a public issue. Instead:

1. Email your findings to tellikoroma@gmail.com (or specific address if desired).
2. Include a description of the vulnerability, steps to reproduce, and potential impact.
3. We will acknowledge receipt within 48 hours.
4. We will coordinate a fix and release timeline with you.

• Sandbox escapes: Reading/writing files outside allowed directories (AllowedReadRoots/AllowedWriteRoots).
• Remote Code Execution (RCE): Executing unauthorized code or commands (when AllowShell=false or beyond tool scope).
• Authentication bypass: Accessing the gateway without a valid OPENCLAW_AUTH_TOKEN (on public binds).
• Approval hijacking: Approving a pending tool action from a different sender/channel on public deployments.
• Data leakage: Exposure of sensitive environment variables or file contents through unintended channels.
• Denial of Service (DoS): Crashing the gateway with malformed input (NativeAOT panic).

• "Self-XSS": Executing JS in the user's own browser console.
• LLM hallucinations: The model generating incorrect or biased content (this is an upstream provider issue).
• Social engineering: Phishing or tricking users into running dangerous commands via shell tool (when authorized).
• Resource exhaustion: When limits (SessionTokenBudget, RateLimit) are explicitly disabled by configuration.

When running OpenClaw in production:

1. Always set OPENCLAW_AUTH_TOKEN: Especially when binding to 0.0.0.0.
2. Use TLS: Run behind a reverse proxy (Caddy/nginx) or configure Kestrel HTTPS.
3. Restrict Tools: Set AllowShell=false unless strictly necessary.
4. Isolate Scope: Run in a container with minimal privileges (non-root).
5. Monitor Logs: Watch for EventId=Security warnings in structured logs.
6. Limit Roots: Configure AllowedReadRoots and AllowedWriteRoots to specific subdirectories.
7. Set Budgets: Use SessionTokenBudget to prevent runaway costs.
8. Sign Webhooks: Keep Twilio/Telegram/WhatsApp signature checks enabled and set webhook HMAC secrets for /webhooks/{name} endpoints.
9. Avoid Query Tokens Publicly: Prefer Authorization: Bearer and keep AllowQueryStringToken=false unless required by your client.
10. Plan Retention Storage: If enabling OpenClaw:Memory:Retention, ensure ArchivePath has strict filesystem permissions and enough capacity.
11. Run Retention Dry-Run First: Use POST /memory/retention/sweep?dryRun=true before enabling destructive sweeps in production.
12. Treat Archives as Sensitive Data: Archive files are plaintext JSON payloads in this phase; encrypt at rest via host-level controls if required by policy.

By design, OpenClaw executes tools (shell, git, code_exec) that can be dangerous.

• delegate_agent: Sub-agents inherit the permissions of the parent session.
• shell: Disabled by default in Production environment.
• read_file/write_file: Path traversal is blocked, but ensure roots are scoped correctly.

We use dotnet list package --vulnerable in CI to check for known vulnerabilities in dependencies. Docker images are rebuilt weekly to pick up OS security patches in the base image.