Anthony/openclaw-backups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

AI Newsletter Digest improvements: fixed QP soft line break decoding, URL extraction, and content cleaning

Browse Source
This commit is contained in:
Krilly
2026-03-04 13:29:22 +00:00
parent 29a98137a7
commit 57dd294675
13706 changed files with 2114953 additions and 237629 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
skills/openclaw-dashboard/SECURITY.md Normal file
View File

@@ -0,0 +1,65 @@
# Security Policy
## Threat Model (Summary)
- This dashboard reads local OpenClaw runtime data from `~/.openclaw/...`.
- Some operations can trigger local hooks and update workflows.
- Secrets and provider admin keys must remain opt-in and least-privilege.
## Secure Defaults
- `OPENCLAW_LOAD_KEYS_ENV=0` (disabled by default)
- `OPENCLAW_ENABLE_PROVIDER_AUDIT=0`
- `OPENCLAW_ENABLE_CONFIG_ENDPOINT=0`
- `OPENCLAW_ALLOW_ATTACHMENT_FILEPATH_COPY=0`
- `OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_TMP=0`
- `OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_WORKSPACE=0`
- `OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_OPENCLAW_HOME=0`
- `OPENCLAW_ENABLE_SYSTEMCTL_RESTART=0`
- `OPENCLAW_ENABLE_MUTATING_OPS=0`
- `DASHBOARD_HOST=127.0.0.1`
- `DASHBOARD_CORS_ORIGINS=` (empty = loopback only, no wildcard)
Mutating operations are additionally restricted to localhost callers.
## CORS Policy
CORS is restricted by default — only loopback origins (`localhost`, `127.0.0.1`) are allowed.
To allow external origins (e.g. for Tailscale Funnel access), set:
```
DASHBOARD_CORS_ORIGINS=https://your-tailscale-hostname.ts.net
```
Multiple origins: comma-separated. Use `*` only in trusted environments.
## Command Execution
All child_process calls use `execFileSync` with argument arrays (no shell interpolation).
Zero `execSync` calls exist in the codebase. The `runCmd()` helper wraps `execFileSync` with timeout and error handling.
## File Copy (FILEPATH_COPY)
When `OPENCLAW_ALLOW_ATTACHMENT_FILEPATH_COPY=1` is set:
- Source paths must match configured allowed prefixes
- Symlinks are resolved via `realpathSync` and re-checked against allowed prefixes
- Each sub-directory (`/tmp`, workspace, `.openclaw`) requires its own explicit env flag
## VirusTotal Compliance Checklist
Before each release:
1. Generate hashes:
```bash
shasum -a 256 api-server.js agent-dashboard.html SKILL.md README.md .env.example > vt-hashes.txt
```
2. Submit hashes/files to VirusTotal.
3. Record report IDs in release notes.
4. Block release if suspicious detections are unresolved.
## Reporting a Vulnerability
Open a private security report with:
- affected version
- reproduction steps
- impact assessment
- suggested mitigation