Goal: turn the recommendations in the official OpenClaw security documentation into a security checklist that can be run repeatedly.
First rehearse the audit and remediation in a controlled environment, then hand the results to the company security team for evaluation.
For each step, run the command first, then record the results and any issues.
Start with a human-readable report:
openclaw security audit
For deeper checks (DM scopes, sandbox, hooks, webhooks, plugins):
openclaw security audit --deep
Skim the summary and note any high or critical warnings (shared DM scopes, open group policies, sandbox disabled with browser tools, etc.).
Produce JSON output you can feed into scripts:
openclaw security audit --json | jq ' .summary '
openclaw security audit --deep --json | jq ' .findings[] | select(.severity=="critical") | .checkId '
Store these reports under your ops or security repository so you can track drift over time.
Let OpenClaw apply deterministic remediations:
openclaw security audit --fix
Or combine with JSON output:
openclaw security audit --fix --json | jq ' {fix: .fix.ok, summary: .report.summary} '
--fix focuses on safe changes: tightening file permissions, enabling logging.redactSensitive, closing obvious group-policy oversharing, etc. It does not remove plugins, rotate keys, or change gateway exposure on its own.
After applying fixes, run:
openclaw doctor --deep
Confirm that gateway, sandbox, and channels all look healthy, and that any remaining warnings are either acceptable or queued for manual remediation.
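To make the "track drift over time" step concrete, here is an added example (not part of OpenClaw or its documentation) that compares two stored `openclaw security audit --deep --json` reports and gates on critical findings. It assumes only the report fields the jq filters above rely on (`.summary`, `.findings[].severity`, `.findings[].checkId`); the severity names other than "critical" and "high", the sample reports, and the `example.*` checkIds are constructed placeholders.

```python
import json

# Severity order assumed for this example; the page itself only names "critical" and "high".
SEVERITY_RANK = {"info": 0, "warning": 1, "high": 2, "critical": 3}

# Constructed sample reports (not real openclaw output); checkIds are placeholders.
PREVIOUS = json.loads('''{
  "summary": {"critical": 1, "warning": 1, "info": 1},
  "findings": [
    {"checkId": "example.gateway-exposure", "severity": "critical"},
    {"checkId": "example.redact-sensitive", "severity": "warning"},
    {"checkId": "example.dm-scope", "severity": "info"}
  ]}''')
CURRENT = json.loads('''{
  "summary": {"critical": 2, "warning": 1, "info": 0},
  "findings": [
    {"checkId": "example.gateway-exposure", "severity": "critical"},
    {"checkId": "example.dm-scope", "severity": "critical"},
    {"checkId": "example.hooks-unverified", "severity": "warning"}
  ]}''')


def severities(report):
    """Map checkId -> severity, the same fields the jq filter `.findings[] | .checkId` reads."""
    return {f["checkId"]: f["severity"] for f in report.get("findings", [])}


def drift(previous, current):
    """Classify what changed between two stored reports: new, resolved and escalated checks."""
    before, after = severities(previous), severities(current)
    common = before.keys() & after.keys()
    return {
        "new": sorted(after.keys() - before.keys()),
        "resolved": sorted(before.keys() - after.keys()),
        "escalated": sorted(k for k in common
                            if SEVERITY_RANK[after[k]] > SEVERITY_RANK[before[k]]),
    }


def gate(report, fail_at="critical"):
    """CI gate: returns (ok, offending ids); ok is False if any finding is at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    offending = sorted(cid for cid, sev in severities(report).items()
                       if SEVERITY_RANK.get(sev, 0) >= threshold)
    return (not offending, offending)


if __name__ == "__main__":
    print(json.dumps(drift(PREVIOUS, CURRENT), indent=2))
    ok, ids = gate(CURRENT)
    print("gate:", "pass" if ok else "FAIL " + ", ".join(ids))
```

In practice, replace the two constructed reports with `json.load()` of the files you committed to the ops or security repository, and run the script on each audit so an escalated or newly introduced check fails the pipeline instead of being noticed weeks later.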