github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-02 01:56:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: rename clawdbot to moltbot with legacy compat

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-27 12:19:58 +00:00
parent 83460df96f
commit 6d16a658e5
1839 changed files with 11250 additions and 11199 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
src/security/audit.test.ts
View File

@@ -1,6 +1,6 @@
import { afterEach, beforeEach, describe, expect, it } from "vitest";
import type { ClawdbotConfig } from "../config/config.js";
import type { MoltbotConfig } from "../config/config.js";
import type { ChannelPlugin } from "../channels/plugins/types.js";
import { runSecurityAudit } from "./audit.js";
import { discordPlugin } from "../../extensions/discord/src/channel.js";
@@ -14,7 +14,7 @@ const isWindows = process.platform === "win32";
describe("security audit", () => {
it("includes an attack surface summary (info)", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
channels: { whatsapp: { groupPolicy: "open" }, telegram: { groupPolicy: "allowlist" } },
tools: { elevated: { enabled: true, allowFrom: { whatsapp: ["+1"] } } },
hooks: { enabled: true },
@@ -35,7 +35,7 @@ describe("security audit", () => {
});
it("flags non-loopback bind without auth as critical", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
bind: "lan",
auth: {},
@@ -55,7 +55,7 @@ describe("security audit", () => {
});
it("warns when loopback control UI lacks trusted proxies", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
bind: "loopback",
controlUi: { enabled: true },
@@ -79,7 +79,7 @@ describe("security audit", () => {
});
it("flags loopback control UI without auth as critical", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
bind: "loopback",
controlUi: { enabled: true },
@@ -105,7 +105,7 @@ describe("security audit", () => {
});
it("flags logging.redactSensitive=off", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
logging: { redactSensitive: "off" },
};
@@ -123,10 +123,10 @@ describe("security audit", () => {
});
it("treats Windows ACL-only perms as secure", async () => {
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-win-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-win-"));
const stateDir = path.join(tmp, "state");
await fs.mkdir(stateDir, { recursive: true });
const configPath = path.join(stateDir, "clawdbot.json");
const configPath = path.join(stateDir, "moltbot.json");
await fs.writeFile(configPath, "{}\n", "utf-8");
const user = "DESKTOP-TEST\\Tester";
@@ -160,10 +160,10 @@ describe("security audit", () => {
});
it("flags Windows ACLs when Users can read the state dir", async () => {
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-win-open-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-win-open-"));
const stateDir = path.join(tmp, "state");
await fs.mkdir(stateDir, { recursive: true });
const configPath = path.join(stateDir, "clawdbot.json");
const configPath = path.join(stateDir, "moltbot.json");
await fs.writeFile(configPath, "{}\n", "utf-8");
const user = "DESKTOP-TEST\\Tester";
@@ -200,7 +200,7 @@ describe("security audit", () => {
});
it("warns when small models are paired with web/browser tools", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
agents: { defaults: { model: { primary: "ollama/mistral-8b" } } },
tools: {
web: {
@@ -226,7 +226,7 @@ describe("security audit", () => {
});
it("treats small models as safe when sandbox is on and web tools are disabled", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
agents: { defaults: { model: { primary: "ollama/mistral-8b" }, sandbox: { mode: "all" } } },
tools: {
web: {
@@ -250,7 +250,7 @@ describe("security audit", () => {
});
it("flags tools.elevated allowFrom wildcard as critical", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
tools: {
elevated: {
allowFrom: { whatsapp: ["*"] },
@@ -275,7 +275,7 @@ describe("security audit", () => {
});
it("warns when remote CDP uses HTTP", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
browser: {
profiles: {
remote: { cdpUrl: "http://example.com:9222", color: "#0066CC" },
@@ -297,7 +297,7 @@ describe("security audit", () => {
});
it("warns when control UI allows insecure auth", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
controlUi: { allowInsecureAuth: true },
},
@@ -320,7 +320,7 @@ describe("security audit", () => {
});
it("warns when control UI device auth is disabled", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
controlUi: { dangerouslyDisableDeviceAuth: true },
},
@@ -343,7 +343,7 @@ describe("security audit", () => {
});
it("warns when multiple DM senders share the main session", async () => {
const cfg: ClawdbotConfig = { session: { dmScope: "main" } };
const cfg: MoltbotConfig = { session: { dmScope: "main" } };
const plugins: ChannelPlugin[] = [
{
id: "whatsapp",
@@ -392,11 +392,11 @@ describe("security audit", () => {
it("flags Discord native commands without a guild user allowlist", async () => {
const prevStateDir = process.env.CLAWDBOT_STATE_DIR;
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-discord-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-discord-"));
process.env.CLAWDBOT_STATE_DIR = tmp;
await fs.mkdir(path.join(tmp, "credentials"), { recursive: true, mode: 0o700 });
try {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
channels: {
discord: {
enabled: true,
@@ -437,12 +437,12 @@ describe("security audit", () => {
it("does not flag Discord slash commands when dm.allowFrom includes a Discord snowflake id", async () => {
const prevStateDir = process.env.CLAWDBOT_STATE_DIR;
const tmp = await fs.mkdtemp(
path.join(os.tmpdir(), "clawdbot-security-audit-discord-allowfrom-snowflake-"),
path.join(os.tmpdir(), "moltbot-security-audit-discord-allowfrom-snowflake-"),
);
process.env.CLAWDBOT_STATE_DIR = tmp;
await fs.mkdir(path.join(tmp, "credentials"), { recursive: true, mode: 0o700 });
try {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
channels: {
discord: {
enabled: true,
@@ -482,11 +482,11 @@ describe("security audit", () => {
it("flags Discord slash commands when access-group enforcement is disabled and no users allowlist exists", async () => {
const prevStateDir = process.env.CLAWDBOT_STATE_DIR;
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-discord-open-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-discord-open-"));
process.env.CLAWDBOT_STATE_DIR = tmp;
await fs.mkdir(path.join(tmp, "credentials"), { recursive: true, mode: 0o700 });
try {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
commands: { useAccessGroups: false },
channels: {
discord: {
@@ -527,11 +527,11 @@ describe("security audit", () => {
it("flags Slack slash commands without a channel users allowlist", async () => {
const prevStateDir = process.env.CLAWDBOT_STATE_DIR;
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-slack-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-slack-"));
process.env.CLAWDBOT_STATE_DIR = tmp;
await fs.mkdir(path.join(tmp, "credentials"), { recursive: true, mode: 0o700 });
try {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
channels: {
slack: {
enabled: true,
@@ -566,11 +566,11 @@ describe("security audit", () => {
it("flags Slack slash commands when access-group enforcement is disabled", async () => {
const prevStateDir = process.env.CLAWDBOT_STATE_DIR;
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-slack-open-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-slack-open-"));
process.env.CLAWDBOT_STATE_DIR = tmp;
await fs.mkdir(path.join(tmp, "credentials"), { recursive: true, mode: 0o700 });
try {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
commands: { useAccessGroups: false },
channels: {
slack: {
@@ -606,11 +606,11 @@ describe("security audit", () => {
it("flags Telegram group commands without a sender allowlist", async () => {
const prevStateDir = process.env.CLAWDBOT_STATE_DIR;
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-telegram-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-telegram-"));
process.env.CLAWDBOT_STATE_DIR = tmp;
await fs.mkdir(path.join(tmp, "credentials"), { recursive: true, mode: 0o700 });
try {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
channels: {
telegram: {
enabled: true,
@@ -643,7 +643,7 @@ describe("security audit", () => {
});
it("adds a warning when deep probe fails", async () => {
const cfg: ClawdbotConfig = { gateway: { mode: "local" } };
const cfg: MoltbotConfig = { gateway: { mode: "local" } };
const res = await runSecurityAudit({
config: cfg,
@@ -672,7 +672,7 @@ describe("security audit", () => {
});
it("adds a warning when deep probe throws", async () => {
const cfg: ClawdbotConfig = { gateway: { mode: "local" } };
const cfg: MoltbotConfig = { gateway: { mode: "local" } };
const res = await runSecurityAudit({
config: cfg,
@@ -695,7 +695,7 @@ describe("security audit", () => {
});
it("warns on legacy model configuration", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
agents: { defaults: { model: { primary: "openai/gpt-3.5-turbo" } } },
};
@@ -713,7 +713,7 @@ describe("security audit", () => {
});
it("warns on weak model tiers", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
agents: { defaults: { model: { primary: "anthropic/claude-haiku-4-5" } } },
};
@@ -731,7 +731,7 @@ describe("security audit", () => {
});
it("warns when hooks token looks short", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
hooks: { enabled: true, token: "short" },
};
@@ -751,7 +751,7 @@ describe("security audit", () => {
it("warns when hooks token reuses the gateway env token", async () => {
const prevToken = process.env.CLAWDBOT_GATEWAY_TOKEN;
process.env.CLAWDBOT_GATEWAY_TOKEN = "shared-gateway-token-1234567890";
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
hooks: { enabled: true, token: "shared-gateway-token-1234567890" },
};
@@ -774,14 +774,14 @@ describe("security audit", () => {
});
it("warns when state/config look like a synced folder", async () => {
const cfg: ClawdbotConfig = {};
const cfg: MoltbotConfig = {};
const res = await runSecurityAudit({
config: cfg,
includeFilesystem: false,
includeChannelSecurity: false,
stateDir: "/Users/test/Dropbox/.clawdbot",
configPath: "/Users/test/Dropbox/.clawdbot/clawdbot.json",
configPath: "/Users/test/Dropbox/.clawdbot/moltbot.json",
});
expect(res.findings).toEqual(
@@ -792,7 +792,7 @@ describe("security audit", () => {
});
it("flags group/world-readable config include files", async () => {
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-"));
const stateDir = path.join(tmp, "state");
await fs.mkdir(stateDir, { recursive: true, mode: 0o700 });
@@ -806,12 +806,12 @@ describe("security audit", () => {
await fs.chmod(includePath, 0o644);
}
const configPath = path.join(stateDir, "clawdbot.json");
const configPath = path.join(stateDir, "moltbot.json");
await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8");
await fs.chmod(configPath, 0o600);
try {
const cfg: ClawdbotConfig = { logging: { redactSensitive: "off" } };
const cfg: MoltbotConfig = { logging: { redactSensitive: "off" } };
const user = "DESKTOP-TEST\\Tester";
const execIcacls = isWindows
? async (_cmd: string, args: string[]) => {
@@ -865,7 +865,7 @@ describe("security audit", () => {
delete process.env.TELEGRAM_BOT_TOKEN;
delete process.env.SLACK_BOT_TOKEN;
delete process.env.SLACK_APP_TOKEN;
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-"));
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
@@ -873,13 +873,13 @@ describe("security audit", () => {
});
try {
const cfg: ClawdbotConfig = {};
const cfg: MoltbotConfig = {};
const res = await runSecurityAudit({
config: cfg,
includeFilesystem: true,
includeChannelSecurity: false,
stateDir,
configPath: path.join(stateDir, "clawdbot.json"),
configPath: path.join(stateDir, "moltbot.json"),
});
expect(res.findings).toEqual(
@@ -902,7 +902,7 @@ describe("security audit", () => {
it("flags unallowlisted extensions as critical when native skill commands are exposed", async () => {
const prevDiscordToken = process.env.DISCORD_BOT_TOKEN;
delete process.env.DISCORD_BOT_TOKEN;
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-audit-"));
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-security-audit-"));
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
@@ -910,7 +910,7 @@ describe("security audit", () => {
});
try {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
channels: {
discord: { enabled: true, token: "t" },
},
@@ -920,7 +920,7 @@ describe("security audit", () => {
includeFilesystem: true,
includeChannelSecurity: false,
stateDir,
configPath: path.join(stateDir, "clawdbot.json"),
configPath: path.join(stateDir, "moltbot.json"),
});
expect(res.findings).toEqual(
@@ -938,7 +938,7 @@ describe("security audit", () => {
});
it("flags open groupPolicy when tools.elevated is enabled", async () => {
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
tools: { elevated: { enabled: true, allowFrom: { whatsapp: ["+1"] } } },
channels: { whatsapp: { groupPolicy: "open" } },
};
@@ -983,7 +983,7 @@ describe("security audit", () => {
it("uses local auth when gateway.mode is local", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
mode: "local",
auth: { token: "local-token-abc123" },
@@ -1018,7 +1018,7 @@ describe("security audit", () => {
it("prefers env token over local config token", async () => {
process.env.CLAWDBOT_GATEWAY_TOKEN = "env-token";
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
mode: "local",
auth: { token: "local-token" },
@@ -1052,7 +1052,7 @@ describe("security audit", () => {
it("uses local auth when gateway.mode is undefined (default)", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
auth: { token: "default-local-token" },
},
@@ -1085,7 +1085,7 @@ describe("security audit", () => {
it("uses remote auth when gateway.mode is remote with URL", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
mode: "remote",
auth: { token: "local-token-should-not-use" },
@@ -1124,7 +1124,7 @@ describe("security audit", () => {
it("ignores env token when gateway.mode is remote", async () => {
process.env.CLAWDBOT_GATEWAY_TOKEN = "env-token";
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
mode: "remote",
auth: { token: "local-token-should-not-use" },
@@ -1162,7 +1162,7 @@ describe("security audit", () => {
it("uses remote password when env is unset", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
mode: "remote",
remote: {
@@ -1200,7 +1200,7 @@ describe("security audit", () => {
it("prefers env password over remote password", async () => {
process.env.CLAWDBOT_GATEWAY_PASSWORD = "env-pass";
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
mode: "remote",
remote: {
@@ -1237,7 +1237,7 @@ describe("security audit", () => {
it("falls back to local auth when gateway.mode is remote but URL is missing", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
const cfg: MoltbotConfig = {
gateway: {
mode: "remote",
auth: { token: "fallback-local-token" },