openclaw - ✅(Solved) Fix `security audit` misses context leak vulnerability for insecure `session.dmScope="main"` configuration [5 pull requests, 1 comments, 2 participants]

openclaw/openclaw#55578 (fetched 2026-04-08 01:37:44). Comments: 1, participants: 2, timeline events: 14, reactions: 0.
Enhance the openclaw security audit command to explicitly warn users about the privacy risks of using session.dmScope="main" in potential multi-user DM environments.


PR fix notes

PR #55736: feat: security audit dmScope check + configurable circuit breaker

Description (problem / solution / changelog)

Summary

  • #55578: security audit now warns when session.dmScope="main" with multi-user DM channels enabled. Detects the cross-user context leak risk that was previously only flagged in per-channel checks, and provides actionable remediation (openclaw config set session.dmScope "per-channel-peer").

  • #55536 — Exposes two new config options under auth.cooldowns to make the transient failure circuit breaker configurable:

    • transientFailureThreshold (default: 3) — consecutive failures before max cooldown kicks in
    • transientCooldownMinutes (default: 5) — max cooldown duration once threshold is reached

    The existing stepped backoff (30s / 1m / 5m) is preserved as the default. Users can now tune these for their deployment (e.g., { transientFailureThreshold: 5, transientCooldownMinutes: 30 } for longer cooldowns after more tolerance).

Test plan

  • pnpm vitest run src/agents/auth-profiles.markauthprofilefailure.test.ts — 12 tests pass (2 new for custom thresholds)
  • pnpm tsc --noEmit — clean
  • Manual: run openclaw security audit with session.dmScope="main" and a channel enabled — should emit session.dm_scope_main warning
  • Manual: set auth.cooldowns.transientCooldownMinutes: 30 and trigger 3+ failures — cooldown should be 30 minutes

Changed files

  • docs/.generated/config-baseline.json (modified, +20/-0)
  • docs/.generated/config-baseline.jsonl (modified, +3/-1)
  • src/agents/auth-profiles.markauthprofilefailure.test.ts (modified, +17/-0)
  • src/agents/auth-profiles/usage.ts (modified, +28/-6)
  • src/config/schema.base.generated.ts (modified, +9/-0)
  • src/config/types.auth.ts (modified, +12/-0)
  • src/config/zod-schema.ts (modified, +2/-0)
  • src/security/audit-extra.sync.ts (modified, +33/-0)
  • src/security/audit-extra.ts (modified, +1/-0)
  • src/security/audit.nondeep.runtime.ts (modified, +1/-0)
  • src/security/audit.ts (modified, +1/-0)

PR #56234: fix(security): extend audit to flag dmPolicy=open and session.dmScope=main (#55612, #55578)

Description (problem / solution / changelog)

Summary

Fixes two security audit blind spots identified in #55612 and #55578:

  1. dmPolicy="open" parity: groupPolicy="open" already triggers CRITICAL findings for elevated tools and runtime/fs exposure, but dmPolicy="open" did not. This PR extends detection to cover both policies symmetrically.

  2. session.dmScope="main" in multi-user setups — when dmScope is "main" (or unset) alongside multi-user signals (open channels, multiple accounts), cross-user context leakage is possible but was not flagged. A new CRITICAL finding security.trust_model.dm_scope_main_multi_user is added.

Changes

  • src/security/audit-extra.sync.ts: Refactored listGroupPolicyOpen into generic listPolicyOpen(cfg, policyKey) covering both groupPolicy and dmPolicy; added collectExposureMatrixFindings and collectLikelyMultiUserSetupFindings extensions
  • src/security/audit.test.ts: Integration tests for new findings
  • src/security/audit-extra.sync.test.ts: Unit tests for new collector functions

New findings

Check ID / Severity / Trigger:

  • security.exposure.open_dms_with_elevated (CRITICAL): dmPolicy="open" + elevated tools enabled
  • security.exposure.open_dms_with_runtime_or_fs (CRITICAL): dmPolicy="open" + runtime/fs tools
  • security.trust_model.dm_scope_main_multi_user (CRITICAL): session.dmScope="main" + multi-user signals

Note: developed with AI assistance (Cursor). All logic reviewed and verified manually.

Closes #55612 Closes #55578

Changed files

  • docs/proposals/plugin-capability-model.md (added, +112/-0)
  • docs/proposals/skill-integrity-verification.md (added, +84/-0)
  • src/agents/skills-clawhub.ts (modified, +61/-7)
  • src/plugins/manifest.ts (modified, +88/-0)
  • src/security/audit-extra.async.ts (modified, +104/-0)
  • src/security/audit-extra.sync.test.ts (modified, +133/-1)
  • src/security/audit-extra.sync.ts (modified, +91/-22)
  • src/security/audit-extra.ts (modified, +1/-0)
  • src/security/audit.nondeep.runtime.ts (modified, +1/-0)
  • src/security/audit.test.ts (modified, +78/-0)
  • src/security/audit.ts (modified, +1/-0)

PR #56255: fix(security): extend audit to flag dmPolicy=open and session.dmScope=main

Description (problem / solution / changelog)

Summary

  • dmPolicy="open" parity: groupPolicy="open" triggers CRITICAL findings for elevated tools and runtime/fs exposure, but dmPolicy="open" did not — now it does
  • session.dmScope="main" detection: when dmScope is "main" alongside multi-user signals, cross-user context leakage is flagged as CRITICAL
  • Refactored listGroupPolicyOpen into generic listPolicyOpen(cfg, policyKey) to eliminate duplication

Change Type

  • Bug fix
  • Security hardening

Scope

  • Gateway / orchestration

Linked Issue/PR

Closes #55612 Closes #55578

Root Cause / Regression History

Root cause: collectExposureMatrixFindings and collectLikelyMultiUserSetupFindings only inspected groupPolicy; dmPolicy was never checked despite having the same security implications.

Missing detection / guardrail: No rule existed for dmPolicy="open" exposure or session.dmScope="main" in multi-user setups.

Prior context: The exposure matrix rules were added when groups were the primary multi-user surface. DM policy support was added later but the audit rules were not updated.

Regression Test Plan

  • Unit test

Target test or file: src/security/audit-extra.sync.test.ts (unit) + src/security/audit.test.ts (integration)

Scenario the test should lock in:

  1. dmPolicy="open" + elevated tools → CRITICAL open_dms_with_elevated
  2. dmPolicy="open" + runtime/fs tools → CRITICAL open_dms_with_runtime_or_fs
  3. session.dmScope="main" + multi-user signals → CRITICAL dm_scope_main_multi_user
  4. dmPolicy="pairing" (safe) → no findings

New findings

Check ID / Severity / Trigger:

  • security.exposure.open_dms_with_elevated (CRITICAL): dmPolicy="open" + elevated tools enabled
  • security.exposure.open_dms_with_runtime_or_fs (CRITICAL): dmPolicy="open" + runtime/fs tools
  • security.trust_model.dm_scope_main_multi_user (CRITICAL): session.dmScope="main" + multi-user signals

User-visible / Behavior Changes

  • openclaw security audit now reports three additional findings when DM policies are misconfigured

Security Impact

  • New permissions/capabilities? No
  • Secrets/tokens handling changed? No
  • New/changed network calls? No
  • Command/tool execution surface changed? No
  • Data access scope changed? No

Human Verification

  • Verified: all new test cases pass expected findings with correct severity and check IDs
  • Verified: existing tests remain unchanged
  • Edge cases: dmPolicy="pairing" produces no findings; nested account-level policies are detected

Compatibility / Migration

  • Backward compatible? Yes
  • Config/env changes? No
  • Migration needed? No

Risks and Mitigations

None — additive detection rules only.

Made with AI assistance (Cursor). All logic reviewed and verified manually.

Changed files

  • src/security/audit-extra.sync.test.ts (modified, +146/-0)
  • src/security/audit-extra.sync.ts (modified, +85/-26)
  • src/security/audit.test.ts (modified, +76/-0)

PR #2: fix(security): add session.dmScope="main" context leak warning

Description (problem / solution / changelog)

Summary

Fixes #55578

Problem

When session.dmScope="main" (the default value), all DM (direct message) conversations share a single session key. This means:

  • User A's conversation history is visible to User B
  • Context and memory are shared across all DM users
  • This is a serious privacy and security risk in multi-user scenarios

Solution

Added collectDmScopeFindings() function that:

  1. Detects dmScope="main" (default or explicit)

  2. Determines severity based on context:

    Scenario / Severity:

     • dmScope="main" + dmPolicy="open": CRITICAL
     • dmScope="main" + multi-user signals: WARN
     • dmScope="main" (single-user): INFO

  3. Provides actionable remediation:

    • Set session.dmScope="per-peer" (isolates each DM sender)
    • Or use dmScope="per-channel-peer" / "per-account-channel-peer" for finer control
    • Alternatively, set dmPolicy="allowlist" or "restricted" to limit DM access

Security Impact

  • Before: No warning when dmScope="main" is used with open DMs
  • After:
    • CRITICAL warning if open DMs + shared context
    • WARN if multi-user signals detected
    • INFO for awareness in single-user setups

Example Warning

[CRITICAL] security.session.dm_scope_main
session.dmScope="main" shares DM context across all users
Found dmPolicy="open" at:
- channels.feishu.dmPolicy
Any user sending a DM can access the conversation history and context of all other DM users.

Test Plan

  • Run pnpm test to verify existing tests pass
  • Add unit tests for collectDmScopeFindings()
  • Verify warnings appear in openclaw doctor output

Checklist

  • Code follows project style guidelines
  • Comments added for logic explanation
  • Tests added/updated
  • Documentation updated (if needed)

Changed files

  • src/security/audit-extra.sync.ts (modified, +62/-0)

PR #56964: fix(security): warn about insecure session.dmScope in multi-user setups

Description (problem / solution / changelog)

Summary

  • Add a critical security finding when multi-user signals are detected but session.dmScope is still "main" (the insecure default)
  • All DM users sharing the same session context = private messages leak between users

Root cause

The existing channel-level dmScope check in audit-channel.ts only fires when isMultiUserDm=true — meaning multiple users must already be in the allowlist. This misses the most dangerous case: dmPolicy="open" with no allowlist, where ANY user can DM the bot and share context with every other user.

Fix

Add a proactive global-level check in collectLikelyMultiUserSetupFindings() (audit-extra.sync.ts) that fires when:

  1. Multi-user signals are present (open DM policy, wildcard allowFrom, group targets)
  2. session.dmScope is still "main"

Emits a critical finding with actionable remediation: openclaw config set session.dmScope "per-channel-peer".

Test plan

  • 2 new tests in audit.test.ts:
    • Warns when dmScope=main with multi-user signals
    • Does NOT warn when dmScope=per-channel-peer
  • Format and lint clean (pre-existing no-unnecessary-type-assertion errors on main, not from this change)

Fixes #55578.

Changed files

  • src/security/audit-extra.sync.ts (modified, +22/-0)
  • src/security/audit.test.ts (modified, +25/-0)

Original issue body (#55578)

Summary

Enhance the openclaw security audit command to explicitly warn users about the privacy risks of using session.dmScope="main" in potential multi-user DM environments.

Problem to solve

Currently, running pnpm openclaw security audit --deep does not evaluate the session.dmScope configuration.

As highlighted in the official documentation, leaving this set to "main" in a multi-user setup is highly insecure. Without enabling Secure DM mode, all users share the same conversation context, which directly leads to private information leaking between different users.

Because the CLI audit tool currently fails to flag this, users might rely on a "clean" audit report and falsely assume their deployment is secure. Implementing this check will proactively prevent critical privacy leaks caused by non-isolated context, save users from manual configuration oversights, and align the CLI's behavior with the framework's official security best practices.

Reference Docs: https://docs.openclaw.ai/concepts/session#secure-dm-mode-recommended-for-multi-user-setups https://docs.openclaw.ai/gateway/security/index#dm-session-isolation-multi-user-mode https://docs.openclaw.ai/cli/security

Proposed solution

Add a validation rule within the security audit execution pipeline to inspect the session.dmScope value.

Emit a high-priority security warning or error if session.dmScope="main".

Include an actionable remediation message in the console output, recommending the developer to update the configuration to session.dmScope="per-channel-peer".

Alternatives considered

No response

Impact

  • Affected users: Developers building multi-user agents via OpenClaw, and the end-users interacting with those vulnerable agents.
  • Severity: High
  • Frequency: Always
  • Consequence: An insecure session.dmScope configuration causes context leaks among multiple DM users, which may further lead to severe risks including privacy violations and cross-user prompt injection.

Evidence/examples

No response

Additional information

No response

Extent analysis

Fix Plan

To address the issue, we need to enhance the openclaw security audit command to check the session.dmScope configuration and warn users about potential privacy risks. Here are the concrete steps:

  • Update the security audit execution pipeline to include a validation rule for session.dmScope.
  • Check if session.dmScope is set to "main" and emit a high-priority security warning if true.
  • Include an actionable remediation message in the console output, recommending the developer to update the configuration to session.dmScope="per-channel-peer".

Example code snippet (in JavaScript):

const audit = (config) => {
  // ... existing audit logic ...
  if (config.session && config.session.dmScope === 'main') {
    console.warn('High-priority security warning: session.dmScope is set to "main", which may cause privacy leaks in multi-user environments. Update the configuration to session.dmScope="per-channel-peer" to ensure secure DM mode.');
  }
  // ... existing audit logic ...
};
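A fuller version of the check sketched in the snippet above, written as an added example rather than code from the openclaw project: it treats an unset dmScope as "main", walks channel and nested account configs for dmPolicy="open" and wildcard allowFrom, and applies the CRITICAL / WARN / INFO tiers described in PR #2 with the remediation command from PR #56964. The config shape, the "*" wildcard spelling and using several configured accounts as the WARN-level multi-user signal are assumptions for illustration.

```typescript
// Added example, not openclaw's own code: a session.dmScope collector that
// follows the severity tiers from PR #2 (CRITICAL / WARN / INFO) and the
// multi-user signals from PR #56964. The config shape is assumed for
// illustration; only the option names and values come from the issue.
type Severity = "critical" | "warn" | "info";
interface Finding { checkId: string; severity: Severity; detail: string; remediation: string; }

interface ChannelConfig {
  dmPolicy?: string;                        // "open" | "pairing" | "allowlist" | "restricted"
  allowFrom?: string[];                     // "*" treated as a wildcard (assumed spelling)
  accounts?: Record<string, ChannelConfig>; // nested account-level policies
}
interface OpenClawConfig { session?: { dmScope?: string }; channels?: Record<string, ChannelConfig>; }

// Walk channels and nested accounts; return the dotted config paths where DMs are
// open to anyone, plus the total number of configured accounts.
function scanChannels(cfg: OpenClawConfig): { openPaths: string[]; accounts: number } {
  const openPaths: string[] = [];
  let accounts = 0;
  const visit = (c: ChannelConfig, path: string): void => {
    if (c.dmPolicy === "open") openPaths.push(`${path}.dmPolicy`);
    if (c.allowFrom?.includes("*")) openPaths.push(`${path}.allowFrom`);
    for (const [name, acct] of Object.entries(c.accounts ?? {})) {
      accounts += 1;
      visit(acct, `${path}.accounts.${name}`);
    }
  };
  for (const [name, ch] of Object.entries(cfg.channels ?? {})) visit(ch, `channels.${name}`);
  return { openPaths, accounts };
}

function collectDmScopeFindings(cfg: OpenClawConfig): Finding[] {
  // "main" is the insecure default, so an unset dmScope is treated the same way.
  if ((cfg.session?.dmScope ?? "main") !== "main") return [];
  const { openPaths, accounts } = scanChannels(cfg);
  // Tiering: open DMs => CRITICAL; several accounts (assumed multi-user signal) => WARN; else INFO.
  const severity: Severity = openPaths.length > 0 ? "critical" : accounts > 1 ? "warn" : "info";
  const detail = openPaths.length > 0
    ? `Any user sending a DM shares context with every other DM user. Found open DMs at: ${openPaths.join(", ")}`
    : "All DM conversations share one session key; isolate them before adding more users.";
  return [{ checkId: "security.session.dm_scope_main", severity, detail,
            remediation: 'openclaw config set session.dmScope "per-channel-peer"' }];
}
```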

Verification

To verify the fix, run the pnpm openclaw security audit --deep command with a configuration file containing session.dmScope="main". The command should output a high-priority security warning with a remediation message.
