OpenClaw v2 Security Hardening Checklist

Owner: toli + Soul Engineer
Created: 2026-02-17
Status: Active -- work through in priority order

This checklist addresses every finding from the OpenClaw v2 security audit. Items are ordered by severity and blast radius. Complete each priority level fully before moving to the next.


P0 --- Do Before Anything Else (Before Re-enabling Compound Loops)

These items represent active credential exposure, unauthenticated external endpoints, and unconstrained agent-to-agent spawn rights. None of the compound loop infrastructure should run until every P0 box is checked.

P0-1: Rotate Leaked Credentials

API keys were committed to public git history in toli-ai/clawd. Rotate them first (scrubbing history does not revoke a key that has already been exposed), then scrub the history.

  • Rotate OpenAI API key (sk-proj-EGp9ff... found in toli-ai/clawd public git history)
  • Rotate OpenRouter API key (sk-or-v1-90b8... found in public git history)
  • Run BFG Repo Cleaner on toli-ai/clawd: bfg --replace-text passwords.txt then force push
  • Add workspace-watchdog/logs/ to rsync excludes in ~/.openclaw/scripts/git-backup.sh

P0-2: Enable Twilio Webhook Signature Verification

The gateway currently accepts unauthenticated Twilio webhooks. Any external caller can forge inbound voice/SMS payloads.

  • In /Users/agents/.openclaw/openclaw.json, remove or set to false: "skipSignatureVerification": true (around line 1172)
  • Restart gateway (requires toli approval: hard rule #5)
  • Test: make one inbound call to verify webhook validation works

P0-3: Restrict allowAgents Per Privilege Topology

Every agent can currently spawn every other agent. This must be locked down before compound loops run, or a single compromised agent can cascade across the entire swarm.

For each agent in openclaw.json, set allowAgents to:

  • lacie: ["gary", "jerry", "cherry", "larry", "mary", "soul-engineer"]
  • soul-engineer: ["*"] (keep as-is -- infrastructure role)
  • gary: ["perry", "harry", "cory"]
  • jerry: ["barry"]
  • cherry: []
  • larry: []
  • perry: []
  • harry: []
  • cory: []
  • rory: []
  • dory: []
  • mary: []
  • carrie: []
  • ori: []
  • igor: [] (CRITICAL -- external group exposure)
  • barry: []
  • watchdog: []
  • personal (terry): []
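As an added example (not OpenClaw's own tooling), the following TypeScript computes each agent's transitive spawn reach from an allowAgents map built from the P0-3 target list above, and flags any wildcard held outside the named infrastructure role. It assumes "*" means "any agent in the topology" and writes the personal agent as "terry".

```typescript
// Added example: blast-radius check for an allowAgents topology (not OpenClaw code).
type Topology = Record<string, string[]>;

// Constructed from the P0-3 target list; "personal (terry)" is written as "terry".
const TARGET_TOPOLOGY: Topology = {
  lacie: ["gary", "jerry", "cherry", "larry", "mary", "soul-engineer"],
  "soul-engineer": ["*"],
  gary: ["perry", "harry", "cory"],
  jerry: ["barry"],
  cherry: [], larry: [], perry: [], harry: [], cory: [], rory: [], dory: [],
  mary: [], carrie: [], ori: [], igor: [], barry: [], watchdog: [], terry: [],
};

// Every agent that a compromise of `start` could spawn, directly or through
// intermediaries. "*" is assumed to mean "any agent in the topology".
function spawnReach(topo: Topology, start: string): string[] {
  const everyone = Object.keys(topo);
  const seen = new Set<string>();
  const stack: string[] = [start];
  while (stack.length > 0) {
    const cur = stack.pop() as string;
    const allowed = topo[cur] ?? [];
    const next = allowed.includes("*") ? everyone : allowed;
    for (const a of next) {
      if (a === start || seen.has(a)) continue;
      seen.add(a);
      stack.push(a);
    }
  }
  return Array.from(seen).sort();
}

// Policy checks: only the named infrastructure roles may hold "*", and every
// spawn target must be a defined agent so a typo cannot hide intent.
function topologyViolations(topo: Topology, infraRoles: string[] = ["soul-engineer"]): string[] {
  const problems: string[] = [];
  for (const [agent, allowed] of Object.entries(topo)) {
    if (allowed.includes("*") && !infraRoles.includes(agent)) {
      problems.push(`${agent}: wildcard allowAgents outside infrastructure roles`);
    }
    for (const target of allowed) {
      if (target !== "*" && !(target in topo)) {
        problems.push(`${agent}: unknown spawn target "${target}"`);
      }
    }
  }
  return problems;
}
```

Running spawnReach over every agent shows why the wildcard matters: lacie can spawn soul-engineer, so under this topology a compromised lacie still reaches every other agent through soul-engineer's "*".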

P1 --- Address This Week

These items fix design-level vulnerabilities in the silent approval protocol, Soul Engineer's access surface, session visibility, and tool permissions.

P1-1: Redesign Silent Approval Protocol

The current protocol auto-ships decisions after a silence timer expires. This means a missed Telegram notification can result in irreversible actions being taken without human review.

  • Decision files: implement HMAC signing using gateway token
  • Morning brief: require explicit acknowledgment (single-word reply) BEFORE any RECOMMEND timer starts
  • Add dual delivery: brief sent via Telegram AND email
  • P0/irreversible items: add explicit check, never auto-ship regardless of silence
  • Update l4-synthesis-protocol.md with new protocol

P1-2: Secure Soul Engineer's Access

Soul Engineer can currently be triggered via Telegram and can write soul files without a confirmation step. This is the highest-privilege internal role and needs tighter controls.

  • Remove Soul Engineer from Telegram bot bindings (make cron-only + Lacie-initiated)
  • Require two-step soul modification: SE proposes to log -> Lacie confirms -> SE writes
  • Add soul file integrity checksums (SHA-256) stored in watchdog's private directory
  • Set up append-only soul modification audit log

P1-3: Session Visibility Fix

All agents can currently read all other agents' sessions. This violates least privilege and leaks context across trust boundaries.

  • In openclaw.json, change sessions.visibility from "all" to "own"
  • For Soul Engineer only: verify platform supports per-agent visibility override
  • Verify morning brief cron can still access needed sessions (it uses sessions_list)

P1-4: Bridge Tool Access Restriction

bridge_send is globally available via tools.alsoAllow. Only Jerry should have it.

  • Remove bridge_send from tools.alsoAllow in openclaw.json
  • Add bridge_send to Jerry's per-agent tool config only
  • Verify Jerry's heartbeat still functions correctly after change
  • Audit bridge logs to check if any non-Jerry agent has used bridge_send recently

P1-5: Delete secrets-reference.json

A cleartext file containing master credentials exists on disk. It should be removed in favor of the secrets CLI.

  • Delete /Users/agents/.openclaw/secrets-reference.json (it is a cleartext master key sheet)
  • Verify ~/bin/secrets view works as replacement for credential reference

P2 --- Address This Month

These items add defense-in-depth: staging directories for compound loop output, input sanitization for external channels, cryptographic bridge authentication, and log hardening.

P2-1: Compound Loop Staging Directory

Compound loops currently write proposed soul changes directly to SOUL.md. Changes should land in a staging area for review first.

  • Create .learnings/soul-patches/ directory in each agent workspace
  • Update compound loop cron payloads: proposed soul changes go to soul-patches/, NOT directly to SOUL.md
  • Create .learnings/PROPOSED_SOUL_CHANGES.md template in each workspace

P2-2: Input Sanitization for External Channels

Telegram and other external inputs are passed to agents without sanitization. This is a prompt injection vector, especially for Igor, who interfaces with external groups.

  • Add instruction pattern detection for Telegram input (strip "ignore previous instructions", "you are now", etc.)
  • Wrap external content in delimiters: <external_input>...</external_input>
  • For Igor specifically: log all input patterns, flag anomalies to Watchdog

P2-3: Bridge HMAC Signatures

Bridge messages between agents are not authenticated. A compromised agent or local process can forge messages from any sender.

  • Add HMAC-SHA256 signing to bridge_send (timestamp + method + body)
  • Add timestamp validation to bridge/receive (reject requests >30 seconds old)
  • Bind the from field into the HMAC input so a signed message cannot be relabeled with a different sender
  • Update bridge-tools/index.ts accordingly
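An added example of the P2-3 scheme (not the real bridge-tools/index.ts): HMAC-SHA256 over timestamp, method, body and the from field, a 30-second freshness window on receive, and a constant-time comparison. It assumes each agent has its own key and the receiver holds a keyring indexed by sender; the same primitive covers the P1-1 decision-file signing with the gateway token.

```typescript
// Added example: HMAC-SHA256 bridge message authentication (not bridge-tools/index.ts).
import { createHmac, timingSafeEqual } from "node:crypto";

interface BridgeMessage {
  from: string;    // claimed sender agent; bound into the signature
  method: string;  // e.g. "heartbeat" (constructed value)
  body: string;
  ts: number;      // sender's unix time, seconds
  sig?: string;    // hex HMAC-SHA256, set by signMessage
}

const MAX_AGE_SECONDS = 30;  // P2-3: reject requests more than 30 seconds old

// Canonical encoding covers ts, from, method and body. A JSON array is
// unambiguous, so no field can be re-split into a neighbouring one.
function canonical(m: BridgeMessage): string {
  return JSON.stringify([m.ts, m.from, m.method, m.body]);
}

// Sender side: each agent signs with its own key (assumed per-agent keys;
// with one shared key, any key holder could still forge `from`).
function signMessage(senderKey: string, m: Omit<BridgeMessage, "sig">): BridgeMessage {
  const sig = createHmac("sha256", senderKey).update(canonical(m)).digest("hex");
  return { ...m, sig };
}

// Receiver side: looks the key up by the claimed sender, checks freshness,
// then compares in constant time. Returns null on accept, else the reason.
function verifyMessage(keyring: Record<string, string>, m: BridgeMessage,
                       now: number = Math.floor(Date.now() / 1000)): string | null {
  const key = keyring[m.from];
  if (key === undefined) return "unknown sender";
  if (typeof m.sig !== "string") return "missing signature";
  if (Math.abs(now - m.ts) > MAX_AGE_SECONDS) return "stale or future-dated timestamp";
  const expected = Buffer.from(createHmac("sha256", key).update(canonical(m)).digest("hex"), "hex");
  const given = Buffer.from(m.sig, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return "bad signature";
  return null;
}
// Note: the 30-second window bounds replay but does not prevent it; a
// per-sender nonce or monotonic counter cache on the receiver closes that gap.
```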

P2-4: AgentMail allowFrom Fix

The allowFrom: [] setting in the AgentMail plugin config is ambiguous. It may mean "allow all" or "deny all" depending on implementation.

  • Read agentmail plugin source to determine if allowFrom: [] means allow-all or deny-all
  • If allow-all: add explicit allowFrom with toli's email addresses only
  • If deny-all: document explicitly so future maintainers know

P2-5: Log File Permissions

Log files are world-readable. They contain session data, tool calls, and potentially sensitive output.

  • chmod 600 /Users/agents/.openclaw/logs/*.log
  • chmod 600 /Users/agents/.openclaw/logs/*.jsonl
  • Verify gateway can still write to log files after the permission change, and that newly created log files are not world-readable (the chmod only covers files that already exist)

P3 --- Long-term (Architecture Improvements)

These items improve auditability, establish authority ceilings, and harden key storage.

P3-1: Soul File Versioning

Soul files have no version tracking. Changes are invisible unless someone manually diffs.

  • Add version header to all SOUL.md files (soul_version, last_modified, last_patch)
  • Set up git-backed history for soul file changes in clawd repo
  • Configure Watchdog daily audit to diff all SOUL.md files against previous day
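As an added example serving both the P1-2 checksum item and the P3-1 Watchdog daily diff (not OpenClaw's own code): build a SHA-256 manifest of every SOUL.md, keep it in Watchdog's private directory, and compare today's manifest against yesterday's. The <workspace>/SOUL.md layout is an assumption.

```typescript
// Added example: SHA-256 manifest for SOUL.md files and day-over-day drift
// detection for the Watchdog audit (not OpenClaw's own code).
import { createHash } from "node:crypto";
import { readFileSync } from "node:fs";
import { join } from "node:path";

type Manifest = Record<string, string>;  // soul file path -> sha256 hex

function sha256Hex(content: string): string {
  return createHash("sha256").update(content, "utf8").digest("hex");
}

// Manifest from path -> content. Kept pure so the drift logic is testable;
// loadSoulFiles below does the disk reads for real workspaces.
function buildManifest(files: Record<string, string>): Manifest {
  const manifest: Manifest = {};
  for (const [path, content] of Object.entries(files)) manifest[path] = sha256Hex(content);
  return manifest;
}

// Reads <workspace>/SOUL.md for each workspace directory (assumed layout).
function loadSoulFiles(workspaceDirs: string[]): Record<string, string> {
  const files: Record<string, string> = {};
  for (const dir of workspaceDirs) {
    const path = join(dir, "SOUL.md");
    files[path] = readFileSync(path, "utf8");
  }
  return files;
}

interface Drift { modified: string[]; added: string[]; removed: string[]; }

// Compare yesterday's manifest (stored in Watchdog's private directory, so an
// agent that edits its own SOUL.md cannot also rewrite the baseline) against
// today's. Any non-empty list is something Watchdog should flag.
function compareManifests(previous: Manifest, current: Manifest): Drift {
  const drift: Drift = { modified: [], added: [], removed: [] };
  for (const path of Object.keys(current).sort()) {
    if (!(path in previous)) drift.added.push(path);
    else if (previous[path] !== current[path]) drift.modified.push(path);
  }
  for (const path of Object.keys(previous).sort()) {
    if (!(path in current)) drift.removed.push(path);
  }
  return drift;
}

function hasDrift(d: Drift): boolean {
  return d.modified.length + d.added.length + d.removed.length > 0;
}
```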

P3-2: Decision Authority Ceilings

Compound loops can currently escalate their own authority over time through soul modifications. Hard ceilings must exist that loops cannot modify.

  • Update l4-synthesis-protocol.md: add explicit authority ceilings per role that compound loops cannot modify
  • Add quarterly authority review to Soul Engineer's standing schedule
  • Define which categories are ALWAYS BLOCKED regardless of track record

P3-3: Device Private Key Migration

The Ed25519 device key is stored as plaintext PEM inside a JSON file. macOS Keychain provides hardware-backed storage.

  • Evaluate macOS Keychain storage for /Users/agents/.openclaw/identity/device.json Ed25519 key
  • If platform supports Keychain access, migrate and remove PEM from JSON
  • Rotate operator session token after migration

Verification Steps

Run these checks after completing each priority level to confirm nothing is broken.

After P0 is complete:

  • Run openclaw doctor
  • Test one Telegram message (inbound + outbound)
  • Test one voice call (inbound)

After P1 is complete:

  • Test morning brief flow end-to-end (send brief -> require ack -> verify timer behavior)
  • Verify Soul Engineer cannot be spawned via Telegram
  • Verify session isolation (agent A cannot read agent B's sessions)

After P2 is complete:

  • Test bridge with new HMAC (send message between two agents, verify signature check)
  • Verify compound loop writes to soul-patches/ staging, not directly to SOUL.md
  • Send a Telegram message containing an injection attempt, verify it is sanitized

After P3 is complete:

  • Verify soul version headers present in all SOUL.md files
  • Test Watchdog diff detection (modify a soul file, verify Watchdog flags it next day)
  • Confirm device key no longer exists as plaintext in device.json