diff --git a/SECURITY.md b/SECURITY.md index c260074e76c..1dc51369f9a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -206,6 +206,14 @@ For threat model + hardening guidance (including `openclaw security audit --deep - `tools.fs.workspaceOnly: true` (optional): restricts `read`/`write`/`edit`/`apply_patch` paths and native prompt image auto-load paths to the workspace directory. - Avoid setting `tools.exec.applyPatch.workspaceOnly: false` unless you fully trust who can trigger tool execution. +### Sub-agent delegation hardening + +- Keep `sessions_spawn` denied unless you explicitly need delegated runs. +- Keep `agents.list[].subagents.allowAgents` narrow, and only include agents with sandbox settings you trust. +- When delegation must stay sandboxed, call `sessions_spawn` with `sandbox: "require"` (default is `inherit`). + - `sandbox: "require"` rejects the spawn unless the target child runtime is sandboxed. + - This prevents a less-restricted session from delegating work into an unsandboxed child by mistake. + ### Web Interface Safety OpenClaw's web interface (Gateway Control UI + HTTP endpoints) is intended for **local use only**. diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index d6615b0e345..7fba7c556fd 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md 
@@ -898,6 +898,15 @@ Also consider agent workspace access inside the sandbox: Important: `tools.elevated` is the global baseline escape hatch that runs exec on the host. Keep `tools.elevated.allowFrom` tight and don’t enable it for strangers. You can further restrict elevated per agent via `agents.list[].tools.elevated`. See [Elevated Mode](/tools/elevated). +### Sub-agent delegation guardrail + +If you allow session tools, treat delegated sub-agent runs as another boundary decision: + +- Deny `sessions_spawn` unless the agent truly needs delegation. +- Keep `agents.list[].subagents.allowAgents` restricted to known-safe target agents. +- For any workflow that must remain sandboxed, call `sessions_spawn` with `sandbox: "require"` (default is `inherit`). +- `sandbox: "require"` fails fast when the target child runtime is not sandboxed. + ## Browser control risks Enabling browser control gives the model the ability to drive a real browser.
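Review bot: In the SECURITY.md hunk, the first bullet ("Keep `sessions_spawn` denied unless you explicitly need delegated runs") names no setting, unlike the neighbouring bullets that cite `tools.fs.workspaceOnly` and `tools.exec.applyPatch.workspaceOnly`, so a reader cannot act on it; name the tool-policy key that denies `sessions_spawn` or link to the page that documents it. Also, the sub-bullet "This prevents a less-restricted session from delegating work into an unsandboxed child by mistake" should make the trust assumption explicit: because the default is `inherit`, `sandbox: "require"` is only applied when the calling session chooses to pass it, so it guards against misconfiguration rather than against a caller that omits the parameter; the `allowAgents` restriction to agents whose sandbox settings you trust is what actually bounds the child runtime, and the text should say that the two work together rather than presenting `sandbox: "require"` as the boundary on its own.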
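Review bot: The docs/gateway/security/index.md hunk restates the SECURITY.md section with slightly different wording ("guardrail" vs "hardening", "known-safe target agents" vs "agents with sandbox settings you trust", "fails fast" vs "rejects the spawn"), which will drift over time; keep one canonical passage and cross-link the other in the style the surrounding text already uses (`See [Elevated Mode](/tools/elevated)`), or at least align the wording so both files describe the same behaviour. In particular, "`sandbox: "require"` fails fast when the target child runtime is not sandboxed" does not say what the caller observes; the SECURITY.md wording "rejects the spawn" is more precise and should be used here too, ideally with the error the caller receives so operators can recognise it in logs. "Known-safe target agents" should likewise be tied to the concrete criterion from the other hunk: agents whose sandbox settings you have reviewed.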