github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-26 23:33:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2c61fb69c1cca5ea46136fe71ade96efba1a2e45
openclaw/src/security/dangerous-tools.ts
theonejvo 2c61fb69c1 feat(security): add client-side skill security enforcement 
Add a capability-based security model for community skills, inspired by
how mobile and Apple ecosystem apps declare capabilities upfront. This is
not a silver bullet for prompt injection, but it's a significant step up
from the status quo and encourages responsible developer practices by
making capability requirements explicit and visible.

Runtime enforcement for community skills installed from ClawHub:

- Capability declarations (shell, filesystem, network, browser, sessions)
  parsed from SKILL.md frontmatter and enforced at tool-call time
- Static SKILL.md scanner detecting prompt injection patterns, suspicious
  constructs, and capability mismatches
- Global skill security context tracking loaded community skills and
  their aggregate capabilities
- Before-tool-call enforcement gate blocking undeclared tool usage
- Command-dispatch capability check preventing shell/filesystem access
  without explicit declaration
- Trust tier classification (builtin/community/local) — only community
  skills are subject to enforcement
- System prompt trust context warning for skills with scan warnings or
  missing capability declarations
- CLI: `skills list -v`, `skills info`, `skills check` now surface
  capabilities, scan results, and security status
- TUI security log panel for skill enforcement events
- Docs updated across 7 files covering the full security model

Companion PR: openclaw/clawhub (capability visibility + UI badges)
2026-02-22 22:35:00 +11:00

99 lines
3.3 KiB
TypeScript
Raw Blame History

// Shared tool-risk constants.
// Keep these centralized so gateway HTTP restrictions, security audits, and ACP prompts don't drift.
/**
* Tools denied via Gateway HTTP `POST /tools/invoke` by default.
* These are high-risk because they enable session orchestration, control-plane actions,
* or interactive flows that don't make sense over a non-interactive HTTP surface.
*/
export const DEFAULT_GATEWAY_HTTP_TOOL_DENY = [
// Session orchestration — spawning agents remotely is RCE
"sessions_spawn",
// Cross-session injection — message injection across sessions
"sessions_send",
// Gateway control plane — prevents gateway reconfiguration via HTTP
"gateway",
// Interactive setup — requires terminal QR scan, hangs on HTTP
"whatsapp_login",
] as const;
/**
* ACP tools that should always require explicit user approval.
* ACP is an automation surface; we never want "silent yes" for mutating/execution tools.
*/
export const DANGEROUS_ACP_TOOL_NAMES = [
"exec",
"spawn",
"shell",
"sessions_spawn",
"sessions_send",
"gateway",
"fs_write",
"fs_delete",
"fs_move",
"apply_patch",
] as const;
export const DANGEROUS_ACP_TOOLS = new Set<string>(DANGEROUS_ACP_TOOL_NAMES);
// ---------------------------------------------------------------------------
// Skill capability → tool group mapping.
// Maps human-readable capability names (declared in SKILL.md frontmatter) to
// the existing TOOL_GROUPS in tool-policy.ts.
//
// CLAWHUB ALIGNMENT: Keep in sync with clawhub/convex/lib/skillCapabilities.ts.
// Both OpenClaw and ClawHub validate against the same capability names.
// ---------------------------------------------------------------------------
export const CAPABILITY_TOOL_GROUP_MAP: Record<string, string> = {
shell: "group:runtime", // exec, process
filesystem: "group:fs", // read, write, edit, apply_patch
network: "group:web", // web_search, web_fetch
browser: "group:ui", // browser, canvas
sessions: "group:sessions", // sessions_spawn, sessions_send, subagents, etc.
messaging: "group:messaging", // message
scheduling: "group:scheduling", // cron
};
/**
* Tools always denied when community skills are loaded, regardless of
* capability declarations. These are control-plane / infrastructure tools
* that no community skill should ever touch.
*/
export const COMMUNITY_SKILL_ALWAYS_DENY = [
"gateway", // control-plane reconfiguration
"nodes", // device/node control
] as const;
export const COMMUNITY_SKILL_ALWAYS_DENY_SET = new Set<string>(COMMUNITY_SKILL_ALWAYS_DENY);
/**
* Tools that require an explicit capability declaration from community skills.
* If a community skill doesn't declare the matching capability, these tools
* are blocked at runtime by the before-tool-call hook.
*/
export const DANGEROUS_COMMUNITY_SKILL_TOOLS = [
// shell capability
"exec",
"process",
"lobster",
// filesystem capability (mutations only — read is safe and always allowed)
"write",
"edit",
"apply_patch",
// network capability
"web_fetch",
"web_search",
// browser capability
"browser",
// sessions capability
"sessions_spawn",
"sessions_send",
"subagents",
// messaging capability
"message",
// scheduling capability
"cron",
] as const;
export const DANGEROUS_COMMUNITY_SKILL_TOOL_SET = new Set<string>(DANGEROUS_COMMUNITY_SKILL_TOOLS);
Reference in New Issue View Git Blame Copy Permalink