## Command Overview

The `openclaw security` command provides comprehensive security auditing and management features that help you identify and fix security risks in an OpenClaw deployment.
## Security Scan

```bash
openclaw security scan
```

```text
Security Scan Report
====================
Overall Score: 85/100 (Good)

Critical (0):
  No critical issues found.

High (1):
  ⚠ Gateway exposed without authentication
    → Enable API key authentication in security.auth config

Medium (2):
  ⚠ CORS configured with wildcard origin (*)
    → Restrict to specific domains
  ⚠ Rate limiting not configured for channel: discord-dev
    → Add rate limit configuration

Low (3):
  ℹ HTTP access log not enabled
    → Enable access logging for audit trail
  ℹ Secrets file permissions: 644 (recommend: 600)
    → Run: chmod 600 ~/.openclaw/secrets.enc
  ℹ No IP whitelist configured
    → Consider restricting access by IP

Passed (12):
  ✓ TLS enabled for external connections
  ✓ API keys stored in encrypted secrets
  ✓ Sandbox enabled for code execution
  ✓ Content filter active
  ...

Run 'openclaw security fix' to auto-fix applicable issues.
```
## Auto-Fix

```bash
openclaw security fix
```

```text
Applying security fixes:
  ✓ Fixed secrets file permissions (644 → 600)
  ✓ Enabled access logging
  ✗ Cannot auto-fix: Gateway authentication (manual config required)
  ✗ Cannot auto-fix: CORS restriction (manual config required)

Fixed 2 of 4 issues. 2 require manual attention.
```
## Audit Log

### Viewing the Audit Log

```bash
openclaw security audit
openclaw security audit --since "24h"
openclaw security audit --type auth
```

```text
Audit Log:
[2026-03-20 10:30:01] AUTH_SUCCESS user:admin ip:192.168.1.10
[2026-03-20 10:28:15] AUTH_FAILURE user:unknown ip:203.0.113.50
[2026-03-20 10:25:33] CONFIG_CHANGE user:admin key:models.main
[2026-03-20 10:20:01] RATE_LIMITED user:user5 channel:telegram
[2026-03-20 09:15:00] SECRET_ACCESS user:admin key:OPENAI_API_KEY
```
### Audit Event Types

- `AUTH_SUCCESS` / `AUTH_FAILURE`: authentication succeeded / failed
- `CONFIG_CHANGE`: configuration modified
- `SECRET_ACCESS`: a secret was accessed
- `RATE_LIMITED`: rate limit triggered
- `CONTENT_BLOCKED`: content blocked by the filter
- `SANDBOX_VIOLATION`: sandbox security violation
- `CHANNEL_CONNECT` / `CHANNEL_DISCONNECT`: channel connected / disconnected
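As an added example (not part of the OpenClaw CLI or its documentation), the following Python parses audit lines in the format shown above and flags source IPs with a burst of `AUTH_FAILURE` events, the kind of condition an auth-failure alert would be built on. The sample lines are constructed, and the 3-failures-in-5-minutes threshold is an assumption, not an OpenClaw default.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the `openclaw security audit` output format.
SAMPLE_AUDIT_LOG = """\
[2026-03-20 10:30:01] AUTH_SUCCESS user:admin ip:192.168.1.10
[2026-03-20 10:28:15] AUTH_FAILURE user:unknown ip:203.0.113.50
[2026-03-20 10:28:09] AUTH_FAILURE user:root ip:203.0.113.50
[2026-03-20 10:27:58] AUTH_FAILURE user:admin ip:203.0.113.50
[2026-03-20 10:25:33] CONFIG_CHANGE user:admin key:models.main
[2026-03-20 10:20:01] RATE_LIMITED user:user5 channel:telegram
[2026-03-20 09:15:00] SECRET_ACCESS user:admin key:OPENAI_API_KEY
[2026-03-20 08:00:00] AUTH_FAILURE user:bob ip:198.51.100.7
"""

# "[timestamp] EVENT_TYPE key:value key:value ..."
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (\w+)((?: \w+:\S+)*)$")


def parse_audit_line(line):
    """Return (timestamp, event_type, fields) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split(":", 1) for kv in m.group(3).split())
    return ts, m.group(2), fields


def parse_audit_log(text):
    """Parse every well-formed line; malformed lines are skipped."""
    return [e for e in (parse_audit_line(l) for l in text.splitlines()) if e]


def count_events(events):
    """Tally events by type, e.g. to compare against the previous day's baseline."""
    return Counter(etype for _, etype, _ in events)


def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for IPs with >= threshold failures inside one window."""
    by_ip = defaultdict(list)
    for ts, etype, fields in events:
        if etype == "AUTH_FAILURE" and "ip" in fields:
            by_ip[fields["ip"]].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()  # log is printed newest-first; sliding window needs ascending order
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged
```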
### User Access Audit

```bash
openclaw security users
```

```text
User Access Report:
User         Channel        Last Active   Messages  Blocked
─────────────────────────────────────────────────────────────
user001      telegram-main  5 min ago     1,250     No
user002      telegram-main  1 hour ago    380       No
user003      discord-dev    2 hours ago   120       No
banned_user  telegram-main  3 days ago    50        Yes
```
## Content Filtering

Configure and manage the content security policy:

```bash
# List the current filter rules
openclaw security filters list

# Add filter rules
openclaw security filters add --pattern "密码.*是" --action block
openclaw security filters add --pattern "信用卡号" --action warn
```

The corresponding configuration:

```json
{
  "security": {
    "contentFilter": {
      "enabled": true,
      "rules": [
        {"pattern": "密码.*是", "action": "block", "message": "检测到敏感信息请求"},
        {"pattern": "\\b\\d{16}\\b", "action": "redact", "message": "信用卡号已屏蔽"}
      ]
    }
  }
}
```
## Secrets Security Check

```bash
openclaw security check-secrets
```

```text
Secrets Security Check:
  ✓ OPENAI_API_KEY: encrypted, rotated 15 days ago
  ⚠ TELEGRAM_BOT_TOKEN: encrypted, not rotated in 120 days
  ✓ ANTHROPIC_API_KEY: encrypted, rotated 30 days ago
  ✗ No secrets appear in log files
  ✗ No secrets appear in config file (plaintext)
```
## Dependency Security Check

```bash
openclaw security deps
```

```text
Dependency Security Scan:
  ✓ No known vulnerabilities in direct dependencies
  ⚠ 2 moderate vulnerabilities in transitive dependencies
    - [email protected]: Prototype Pollution (CVE-2024-xxxx)
    - [email protected]: Path Traversal (CVE-2024-yyyy)

Run 'openclaw security deps --fix' to update
```
## Generating a Compliance Report

```bash
openclaw security report --format pdf --output security-report.pdf
openclaw security report --format json --output security-report.json
```
## Real-Time Security Monitoring

```bash
openclaw security monitor
```

Displays security events in real time; suited to running continuously in a dedicated terminal.
## Security Recommendations

```bash
openclaw security recommendations
```

```text
Security Recommendations:
1. [HIGH]   Enable Gateway authentication
2. [MEDIUM] Configure CORS with specific origins
3. [MEDIUM] Add rate limiting to all channels
4. [LOW]    Enable IP whitelist for admin API
5. [LOW]    Set up automated security scanning (cron)
6. [LOW]    Configure alert notifications for auth failures
```
## Summary

`openclaw security` is a comprehensive toolset for keeping an OpenClaw deployment secure. Running security scans regularly, reviewing the audit log, and checking secret hygiene are best practices for maintaining the security of an AI assistant service.