From a374325fc2edd64bc1fd22873fef84e46cd4f1eb Mon Sep 17 00:00:00 2001 From: Agent Date: Sun, 1 Mar 2026 22:34:29 +0000 Subject: [PATCH] docs(security): clarify local link-priming reports as out-of-scope --- SECURITY.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index d7e4977e600..c260074e76c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -56,6 +56,7 @@ These are frequently reported but are typically closed with no code change: - Reports that assume per-user multi-tenant authorization on a shared gateway host/config. - Reports that only show differences in heuristic detection/parity (for example obfuscation-pattern detection on one exec path but not another, such as `node.invoke -> system.run` parity gaps) without demonstrating bypass of auth, approvals, allowlist enforcement, sandboxing, or other documented trust boundaries. - ReDoS/DoS claims that require trusted operator configuration input (for example catastrophic regex in `sessionFilter` or `logging.redactPatterns`) without a trust-boundary bypass. +- Archive/install extraction claims that require pre-existing local filesystem priming in trusted state (for example planting symlink/hardlink aliases under destination directories such as skills/tools paths) without showing an untrusted path that can create/control that primitive. - Missing HSTS findings on default local/loopback deployments. - Slack webhook signature findings when HTTP mode already uses signing-secret verification. - Discord inbound webhook signature findings for paths not used by this repo's Discord integration. 
@@ -112,6 +113,7 @@ Plugins/extensions are part of OpenClaw's trusted computing base for a gateway. - Deployments where mutually untrusted/adversarial operators share one gateway host and config (for example, reports expecting per-operator isolation for `sessions.list`, `sessions.preview`, `chat.history`, or similar control-plane reads) - Prompt-injection-only attacks (without a policy/auth/sandbox boundary bypass) - Reports that require write access to trusted local state (`~/.openclaw`, workspace files like `MEMORY.md` / `memory/*.md`) +- Reports where exploitability depends on attacker-controlled pre-existing symlink/hardlink filesystem state in trusted local paths (for example extraction/install target trees) unless a separate untrusted boundary bypass is shown that creates that state. - Reports where the only demonstrated impact is an already-authorized sender intentionally invoking a local-action command (for example `/export-session` writing to an absolute host path) without bypassing auth, sandbox, or another documented boundary - Reports where the only claim is that a trusted-installed/enabled plugin can execute with gateway/host privileges (documented trust model behavior). - Any report whose only claim is that an operator-enabled `dangerous*`/`dangerously*` config option weakens defaults (these are explicit break-glass tradeoffs by design)
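Review bot: The new bullet in the first hunk (`+- Archive/install extraction claims that require pre-existing local filesystem priming ...`) should say explicitly that link entries carried inside the untrusted archive itself are not covered by this exclusion, since "pre-existing local filesystem priming in trusted state" and "planting symlink/hardlink aliases under destination directories" can be read by a reporter as excluding any symlink/hardlink finding against extraction, including ones where the archive is the only thing the attacker controls. A short clause such as "(links contained in the archive being extracted are still in scope)" would close that gap. Minor wording: "aliases" is non-standard for this, "entries" or "links" is clearer, and "that primitive" at the end has no clear antecedent; "that filesystem state" matches the phrase used earlier in the sentence.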
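Review bot: The new bullet in the second hunk (`+- Reports where exploitability depends on attacker-controlled pre-existing symlink/hardlink filesystem state in trusted local paths ...`) largely restates the bullet directly above it, "Reports that require write access to trusted local state", since planting a link under a trusted local path is one form of that write access; consider folding it into the existing bullet as a parenthetical example rather than adding a second overlapping entry, or state that it is a sub-case so the two lists do not drift apart. "Attacker-controlled pre-existing" is also contradictory as written (if the attacker controls the trusted path, that is the boundary bypass the rest of the sentence asks for); "attacker-planted" or "pre-existing, attacker-chosen" reads correctly. Finally, the two hunks describe the same exclusion with different wording ("that primitive" in the first, "that state" in the second); aligning the phrasing, or having one entry reference the other, avoids two subtly different scope rules for the same report class.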