Severity Assessment

CVSS Assessment

Threat Model Alignment

Classification: security-specific

Impact

The deriveInteractionSecret function in the Mattermost extension uses a hardcoded public string as the HMAC key, making the interaction signing secret fully reproducible by anyone who knows the bot token. An attacker who obtains the bot token can forge valid _token values, craft arbitrary button-click POST requests to the gateway's interaction endpoint, and trigger agent system events (core.system.enqueueSystemEvent) as if a legitimate user clicked an approved Mattermost button.

Affected Component

File: extensions/mattermost/src/mattermost/interactions.ts:122-124

function deriveInteractionSecret(botToken: string): string {
  return createHmac("sha256", "openclaw-mattermost-interactions").update(botToken).digest("hex");
}

The derived secret is then used to sign and verify all button-click interaction tokens at interactions.ts:155-175:

export function generateInteractionToken(
  context: Record<string, unknown>,
  accountId?: string,
): string {
  const secret = getInteractionSecret(accountId);
  const payload = JSON.stringify(context, Object.keys(context).sort());
  return createHmac("sha256", secret).update(payload).digest("hex");
}

The endpoint is registered at monitor.ts:479-482 with auth: "plugin", making this HMAC check the sole access control for the route.

Technical Reproduction

1. Obtain the Mattermost bot token (available via the Mattermost admin panel, gateway environment variables, or any configuration leak).
2. Reproduce the derivation: derivedSecret = HMAC-SHA256("openclaw-mattermost-interactions", botToken) — this is deterministic and requires no further gateway access.
3. Construct an action context matching an existing interactive post, e.g., {"action_id": "approve", "post_id": "<target_post_id>", "channel_id": "<target_channel_id>"}.
4. Compute the forged token: _token = HMAC-SHA256(derivedSecret, JSON.stringify(sortedContext)).
5. POST a crafted payload to http://<gateway-host>:<gatewayPort>/mattermost/interactions/<accountId> with the forged _token field.
6. verifyInteractionToken at interactions.ts:165-175 passes; the handler dispatches core.system.enqueueSystemEvent to the agent as if a legitimate user clicked an approved button.

Demonstrated Impact

The hardcoded string "openclaw-mattermost-interactions" is published in the source repository and provides zero additional entropy. The derivation is mathematically equivalent to HMAC-SHA256(botToken, payload) with no key separation: the security of the interaction signing scheme collapses entirely to the secrecy of the bot token.

Any Mattermost workspace administrator — or anyone who can read the bot token from the Mattermost admin panel, gateway environment variables, or config files — can forge legitimate-looking button interactions. Post-token checks at interactions.ts:384-421 validate post_id and channel_id against the Mattermost API, which raises attack complexity (the attacker must know a valid post and channel), but these values are observable by any workspace member who can see the interactive message, so they do not prevent exploitation by a privileged insider or anyone with token access.

A successful forged request triggers core.system.enqueueSystemEvent (traced from monitor.ts:~448), dispatching agent system events — approvals, confirmations, or other action-gated commands associated with the original interactive message — entirely under attacker control. The /mattermost/interactions/<accountId> endpoint uses auth: "plugin" (confirmed in monitor.ts:479-482 and src/plugins/registry.ts), meaning no gateway-layer authentication sits in front of this route; the HMAC _token is the complete and sole access control.

Environment

Affected in all versions containing deriveInteractionSecret in extensions/mattermost/src/mattermost/interactions.ts. Requires a running OpenClaw gateway with the Mattermost extension enabled and at least one account configured with interactive button messages. Confirmed present in current main; deterministic derivation is also asserted by extensions/mattermost/src/mattermost/interactions.test.ts.

Remediation Advice

Replace the hardcoded HMAC key with a randomly generated, per-account secret that is created at account registration time and persisted to the gateway's secure credential store (e.g., crypto.randomBytes(32).toString("hex")). The interaction signing secret must not be derived from the bot token using a publicly known constant — the bot token already serves as the Mattermost API credential and must not double as the signing root for the interaction integrity check.