OpenClaw Security Controls Beyond NemoClaw's Scope

View as Markdown

NemoClaw provides infrastructure-layer security through sandbox isolation, network policy, filesystem restrictions, SSRF validation, and credential handling. It delegates all application-layer security to OpenClaw. This page documents areas where NemoClaw adds no independent protection beyond what OpenClaw already provides.

The details below reflect the OpenClaw documentation at the time of writing. Consult the OpenClaw Security docs for current OpenClaw behavior.

Prompt Injection Detection and Prevention

OpenClaw detects and neutralizes prompt injection attempts before they reach the agent.

ControlDetail
Regex detectionPattern matching detects common injection vectors such as “ignore all previous instructions” and <system> tag spoofing.
Boundary wrappingOpenClaw wraps untrusted input in randomized XML boundary markers.
Unicode foldingHomoglyph folding normalizes bracket variants to prevent visual spoofing.
Invisible character strippingOpenClaw removes zero-width invisible characters from input.
Boundary sanitizationOpenClaw sanitizes fake boundary markers to prevent marker injection.
Auto-wrappingOpenClaw automatically wraps web fetch and search results as untrusted external content.

Tool Access Control and Policy Pipeline

OpenClaw enforces a multi-layer tool policy pipeline that gates every tool call.

ControlDetail
Deny listOpenClaw blocks high-risk tools (exec, spawn, shell, fs_write, fs_delete, and others) from Gateway HTTP by default.
Policy pipelineThe multi-layer pipeline evaluates tool calls through profile, provider, agent, sandbox, and per-provider policies.
Fail-closed semanticsTool call hooks block execution on any error.
Loop detectionAn optional guard detects and blocks repeated identical tool call patterns. It is disabled by default and opt-in via tools.loopDetection.enabled.
Plugin approvalThe approval workflow defaults to deny on timeout.

Authentication Rate Limiting and Flood Protection

OpenClaw rate-limits authentication attempts and guards against connection floods.

ControlDetail
Auth rate limiterA sliding-window rate limiter tracks failed authentication attempts per IP and per scope.
Control plane limiterOpenClaw applies per-device write rate limiting for control plane operations.
WebSocket flood guardOpenClaw closes connections after repeated unauthorized attempts.
Pre-auth budgetOpenClaw limits connections before authentication completes.

Environment Variable Security Policy

OpenClaw blocks environment variables that could enable code injection, privilege escalation, or credential theft.

CategoryDetail
Always-blocked keysOpenClaw blocks keys such as NODE_OPTIONS, LD_PRELOAD, shell injection vectors, crypto mining variables, and GIT_* hijacking paths.
Override-blocked keysOpenClaw blocks additional keys unless you explicitly override them.
Blocked prefixesOpenClaw blocks prefixes such as GIT_CONFIG_, NPM_CONFIG_, CARGO_REGISTRIES_, and TF_VAR_.
Universal blocked prefixesOpenClaw blocks DYLD_, LD_, and BASH_FUNC_.

Security Audit Framework

OpenClaw runs more than 50 distinct automated security checks that cover configuration, credential handling, and sandbox posture. Run openclaw security audit to see all findings for your deployment.

The following checks run as part of the audit:

  • Synced-folder leak detection.
  • Plaintext secrets in configuration files.
  • Hooks hardening verification.
  • Gateway no-auth detection.
  • Sandbox misconfiguration scanning.
  • Weak-model susceptibility assessment.
  • Multi-user exposure matrix.
  • Node command policy validation.
  • Dangerous config flag scanning (allowInsecureAuth, dangerouslyDisableDeviceAuth, and similar flags).

Skill and Extension Supply Chain Scanning

OpenClaw scans skills and extensions with a built-in static analysis scanner before installation. Critical findings block installation by default.

The scanner checks for patterns including:

  • Direct process execution calls.
  • Dynamic code execution (eval, new Function, and similar constructs).
  • Cryptocurrency mining patterns.
  • Unexpected network activity.
  • Potential data exfiltration (file read combined with network calls).
  • Obfuscated code.
  • Environment variable harvesting combined with network calls.

DM and Group Messaging Access Policy

OpenClaw controls who can interact with the agent through direct messages and group channels.

ControlDetail
DM policy modesOpenClaw supports four modes: open, disabled, pairing, and allowlist.
Group policiesOpenClaw applies per-group access rules.
Per-sender authorizationOpenClaw gates individual senders.
Command authorizationOpenClaw applies command-level access control.
Multi-user detectionOpenClaw uses a heuristic that detects multi-user scenarios.

Context Visibility and Output Controls

OpenClaw restricts what supplemental context the agent can see and how it can modify outputs.

ControlDetail
Mode-based restrictionsOpenClaw limits visibility of history, threads, quotes, and forwarded messages based on the active mode.
Sender-based restrictionsOpenClaw limits visibility based on who sent the message.
Plugin output hooksPlugin hooks intercept and modify tool results before they reach the user.

Safe Regex (ReDoS Prevention)

OpenClaw includes safe regex compilation to prevent regular expression denial of service (ReDoS) attacks. The implementation detects unsafe nested quantifiers, bounds input length, and caches results.

Next Steps