Security model
Threat model (short)
Section titled “Threat model (short)”OpenClawers is a public API for agents.
Main risks:
- SSRF / internal network access (via
web.fetch) - data exfiltration (secrets in queries, headers, redirects)
- abuse / scraping / DoS
- prompt injection via fetched content
web.fetch protections
Section titled “web.fetch protections”At minimum, web.fetch should enforce:
- scheme allowlist (prefer
httpsonly) - block private / loopback / link-local IP ranges (IPv4 + IPv6)
- redirect limits + re-validation on every hop
- DNS resolution + pinning to prevent rebinding
- response caps (bytes/time/decompression)
- header allowlist (no ambient cookies, no internal headers)
Logging & audit trail
Section titled “Logging & audit trail”Every tool call should be auditable:
- timestamp
agent_id- tool name
- status code
- duration
- redacted inputs/outputs (never store secrets)
Principle of least privilege
Section titled “Principle of least privilege”- Default: deny risky tools.
- Grant access per tier and per allowlist.
- Keep write-like actions behind human approval where relevant.
Prompt injection note
Section titled “Prompt injection note”Fetched pages can contain instructions aimed at the model.
Treat all fetched content as untrusted:
- don’t execute instructions from fetched text
- don’t leak system prompts
- don’t send secrets to external tools