Security Model¶
Security is a core consideration in openclaw-rs design.
Threat Model¶
Assets Protected¶
| Asset | Protection |
|---|---|
| API Keys | Encrypted at rest, memory protection |
| User Data | Access controls, sandboxing |
| System Access | Tool sandboxing, permission model |
| Network Traffic | TLS support, origin validation |
Attack Vectors Considered¶
- Prompt Injection - AI manipulated to bypass controls
- Credential Theft - API keys exposed or stolen
- Tool Abuse - Tools used for malicious purposes
- Privilege Escalation - Breaking out of sandbox
Credential Security¶
Encrypted Storage¶
API keys are encrypted using AES-256-GCM:
pub struct CredentialStore {
path: PathBuf,
cipher: Aes256Gcm,
}
impl CredentialStore {
pub fn store(&self, provider: &str, key: &str) -> Result<()> {
let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
let ciphertext = self.cipher.encrypt(&nonce, key.as_bytes())?;
// Write encrypted data
let entry = CredentialEntry {
nonce: nonce.to_vec(),
ciphertext,
created_at: Utc::now(),
};
self.write_entry(provider, &entry)
}
}
Key Derivation¶
Master key derived from:
- Machine-specific identifier
- User-specific data
- Optional passphrase
Memory Protection¶
Sensitive data in memory:
- Cleared after use (
zeroizecrate) - Not written to logs
- Not included in error messages
Tool Sandboxing¶
Execution Environments¶
Tools execute in restricted environments:
Uses bubblewrap for sandboxing:
Uses sandbox-exec:
Uses Windows Job Objects:
- Process isolation
- Resource limits
- Handle inheritance blocked
Permission Model¶
Tools declare required capabilities:
pub struct ToolDefinition {
pub name: String,
pub description: String,
pub capabilities: Vec<Capability>,
}
pub enum Capability {
FileRead { paths: Vec<PathPattern> },
FileWrite { paths: Vec<PathPattern> },
NetworkAccess { hosts: Vec<String> },
ProcessExec { commands: Vec<String> },
}
Path Restrictions¶
File access limited to:
- Workspace directory
- Explicitly allowed paths
- No access to home directory secrets
{
"workspace": {
"path": "~/.openclaw/workspace",
"allowed_paths": ["~/projects"],
"denied_paths": ["~/.ssh", "~/.aws"]
}
}
Network Security¶
CORS Configuration¶
Control which origins can access the API:
TLS Support¶
Enable HTTPS for production:
Rate Limiting¶
Prevent abuse with rate limits:
Input Validation¶
Request Validation¶
All inputs are validated:
impl Validator for MessageRequest {
fn validate(&self) -> Result<(), ValidationError> {
// Check message count
if self.messages.is_empty() {
return Err(ValidationError::EmptyMessages);
}
// Validate content
for msg in &self.messages {
msg.validate()?;
}
// Check token limits
if self.max_tokens > MAX_ALLOWED_TOKENS {
return Err(ValidationError::TokenLimit);
}
Ok(())
}
}
Tool Input Sanitization¶
Tool arguments are sanitized:
- Path traversal prevention
- Command injection blocking
- Size limits enforced
Audit Logging¶
Security events are logged:
pub enum SecurityEvent {
CredentialAccess { provider: String, success: bool },
ToolExecution { tool: String, allowed: bool },
AuthFailure { reason: String },
RateLimitExceeded { client: String },
}
impl SecurityLogger {
pub fn log(&self, event: SecurityEvent) {
// Structured logging with timestamp
tracing::info!(
target: "security",
event = ?event,
timestamp = %Utc::now(),
);
}
}
Security Checklist¶
Deployment¶
- [ ] Use TLS in production
- [ ] Configure CORS appropriately
- [ ] Set rate limits
- [ ] Enable audit logging
- [ ] Use environment variables for secrets
Configuration¶
- [ ] Review allowed paths
- [ ] Limit tool capabilities
- [ ] Set appropriate token limits
- [ ] Configure session timeouts
Monitoring¶
- [ ] Monitor for unusual activity
- [ ] Review security logs
- [ ] Track rate limit hits
- [ ] Alert on auth failures
Reporting Vulnerabilities¶
If you discover a security vulnerability:
- Do not open a public issue
- Email security concerns privately
- Allow time for a fix before disclosure
Next Steps¶
:material-api: API Reference :material-swap-horizontal: OpenClaw Compatibility