1. Finding the problem
Running openclaw status reports 3 critical security findings:
bash
$ openclaw status
🦞 OpenClaw 2026.3.13 (61d171a) --- The only crab in your contacts you actually want to hear from. 🦞
11:54:50 [plugins] feishu_doc: Registered feishu_doc, feishu_app_scopes
11:54:50 [plugins] feishu_chat: Registered feishu_chat tool
11:54:50 [plugins] feishu_wiki: Registered feishu_wiki tool
11:54:50 [plugins] feishu_drive: Registered feishu_drive tool
11:54:50 [plugins] feishu_bitable: Registered bitable tools
│
11:54:50 [plugins] feishu_doc: Registered feishu_doc, feishu_app_scopes
11:54:50 [plugins] feishu_chat: Registered feishu_chat tool
11:54:50 [plugins] feishu_wiki: Registered feishu_wiki tool
11:54:50 [plugins] feishu_drive: Registered feishu_drive tool
11:54:50 [plugins] feishu_bitable: Registered bitable tools
◇
│
◇
OpenClaw status
Overview
┌─────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Item │ Value │
├─────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Dashboard │ http://127.0.0.1:18789/ │
│ OS │ linux 6.8.0-71-generic (x64) · node 24.14.0 │
│ Tailscale │ off │
│ Channel │ stable (default) │
│ Update │ pnpm · npm latest 2026.3.13 │
│ Gateway │ local · ws://127.0.0.1:18789 (local loopback) · unreachable (missing scope: operator.read) │
│ Gateway service │ systemd installed · enabled · running (pid 793469, state active) │
│ Node service │ systemd not installed │
│ Agents │ 1 · 1 bootstrap file present · sessions 2 · default main active 14h ago │
│ Memory │ 0 files · 0 chunks · dirty · sources memory · plugin memory-core · vector unknown · fts ready · cache on (0) │
│ Probes │ skipped (use --deep) │
│ Events │ none │
│ Heartbeat │ 30m (main) │
│ Sessions │ 2 active · default MiniMax-M2.5 (200k ctx) · ~/.openclaw/agents/main/sessions/sessions.json │
└─────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Security audit
Summary: 3 critical · 4 warn · 1 info
CRITICAL Open groupPolicy with elevated tools enabled
Found groupPolicy="open" at: - channels.feishu.groupPolicy With tools.elevated enabled, a prompt injection in those rooms can become a high-impact incident.
Fix: Set groupPolicy="allowlist" and keep elevated allowlists extremely tight.
CRITICAL Open groupPolicy with runtime/filesystem tools exposed
Found groupPolicy="open" at: - channels.feishu.groupPolicy Risky tool exposure contexts: - agents.defaults (sandbox=off; runtime=[exec, process]; fs=[read, wri...
Fix: For open groups, prefer tools.profile="messaging" (or deny group:runtime/group:fs), set tools.fs.workspaceOnly=true, and use agents.defaults.sandbox.mode="all" for exposed agents.
CRITICAL Feishu security warning
Feishu[default] groups: groupPolicy="open" allows any member to trigger (mention-gated). Set channels.feishu.groupPolicy="allowlist" + channels.feishu.groupAll...
WARN Reverse proxy headers are not trusted
gateway.bind is loopback and gateway.trustedProxies is empty. If you expose the Control UI through a reverse proxy, configure trusted proxies so local-client c...
Fix: Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only.
WARN Feishu doc create can grant requester permissions
channels.feishu tools include "doc"; feishu_doc action "create" can grant document access to the trusted requesting Feishu user.
Fix: Disable channels.feishu.tools.doc when not needed, and restrict tool access for untrusted prompts.
WARN Some gateway.nodes.denyCommands entries are ineffective
gateway.nodes.denyCommands uses exact node command-name matching only (for example `system.run`), not shell-text filtering inside a command payload. - Unknown ...
Fix: Use exact command names (for example: canvas.present, canvas.hide, canvas.navigate, canvas.eval, canvas.snapshot, canvas.a2ui.push, canvas.a2ui.pushJSONL, canvas.a2ui.reset). If you need broader restrictions, remove risky command IDs from allowCommands/default workflows and tighten tools.exec policy.
... +1 more
Full report: openclaw security audit
Deep probe: openclaw security audit --deep
Channels
┌──────────┬─────────┬────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Channel │ Enabled │ State │ Detail │
├──────────┼─────────┼────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Feishu │ ON │ OK │ configured │
└──────────┴─────────┴────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Sessions
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬─────────┬──────────────┬────────────────────────────────┐
│ Key │ Kind │ Age │ Model │ Tokens │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼─────────┼──────────────┼────────────────────────────────┤
│ agent:main:feishu:group:oc_fbe0... │ group │ 14h ago │ MiniMax-M2.5 │ 23k/200k (11%) · 🗄️ 97% cached │
│ agent:main:feishu:direct:ou_d9b... │ direct │ 14h ago │ MiniMax-M2.5 │ 13k/200k (6%) · 🗄️ 25% cached │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴─────────┴──────────────┴────────────────────────────────┘
FAQ: https://docs.openclaw.ai/faq
Troubleshooting: https://docs.openclaw.ai/troubleshooting
Next steps:
Need to share? openclaw status --all
Need to debug live? openclaw logs --follow
Fix reachability first: openclaw gateway probe
View the detailed cause of each finding:
bash
$ openclaw security audit --deep
🦞 OpenClaw 2026.3.13 (61d171a)
I'm the assistant your terminal demanded, not the one your sleep schedule requested.
13:48:37 [plugins] feishu_doc: Registered feishu_doc, feishu_app_scopes
13:48:37 [plugins] feishu_chat: Registered feishu_chat tool
13:48:37 [plugins] feishu_wiki: Registered feishu_wiki tool
13:48:37 [plugins] feishu_drive: Registered feishu_drive tool
13:48:37 [plugins] feishu_bitable: Registered bitable tools
OpenClaw security audit
Summary: 3 critical · 5 warn · 1 info
Run deeper: openclaw security audit --deep
CRITICAL
security.exposure.open_groups_with_elevated Open groupPolicy with elevated tools enabled
Found groupPolicy="open" at:
- channels.feishu.groupPolicy
With tools.elevated enabled, a prompt injection in those rooms can become a high-impact incident.
Fix: Set groupPolicy="allowlist" and keep elevated allowlists extremely tight.
security.exposure.open_groups_with_runtime_or_fs Open groupPolicy with runtime/filesystem tools exposed
Found groupPolicy="open" at:
- channels.feishu.groupPolicy
Risky tool exposure contexts:
- agents.defaults (sandbox=off; runtime=[exec, process]; fs=[read, write, edit, apply_patch]; fs.workspaceOnly=false)
Prompt injection in open groups can trigger command/file actions in these contexts.
Fix: For open groups, prefer tools.profile="messaging" (or deny group:runtime/group:fs), set tools.fs.workspaceOnly=true, and use agents.defaults.sandbox.mode="all" for exposed agents.
channels.feishu.warning.1 Feishu security warning
Feishu[default] groups: groupPolicy="open" allows any member to trigger (mention-gated). Set channels.feishu.groupPolicy="allowlist" + channels.feishu.groupAllowFrom to restrict senders.
WARN
gateway.trusted_proxies_missing Reverse proxy headers are not trusted
gateway.bind is loopback and gateway.trustedProxies is empty. If you expose the Control UI through a reverse proxy, configure trusted proxies so local-client checks cannot be spoofed.
Fix: Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only.
channels.feishu.doc_owner_open_id Feishu doc create can grant requester permissions
channels.feishu tools include "doc"; feishu_doc action "create" can grant document access to the trusted requesting Feishu user.
Fix: Disable channels.feishu.tools.doc when not needed, and restrict tool access for untrusted prompts.
gateway.nodes.deny_commands_ineffective Some gateway.nodes.denyCommands entries are ineffective
gateway.nodes.denyCommands uses exact node command-name matching only (for example `system.run`), not shell-text filtering inside a command payload.
- Unknown command names (not in defaults/allowCommands): camera.snap (did you mean: camera.list), camera.clip (did you mean: camera.list), screen.record, contacts.add, calendar.add, reminders.add (did you mean: reminders.list), sms.send
Fix: Use exact command names (for example: canvas.present, canvas.hide, canvas.navigate, canvas.eval, canvas.snapshot, canvas.a2ui.push, canvas.a2ui.pushJSONL, canvas.a2ui.reset). If you need broader restrictions, remove risky command IDs from allowCommands/default workflows and tighten tools.exec policy.
security.trust_model.multi_user_heuristic Potential multi-user setup detected (personal-assistant model warning)
Heuristic signals indicate this gateway may be reachable by multiple users:
- channels.feishu.groupPolicy="open"
Runtime/process tools are exposed without full sandboxing in at least one context.
Potential high-impact tool exposure contexts:
- agents.defaults (sandbox=off; runtime=[exec, process]; fs=[read, write, edit, apply_patch]; fs.workspaceOnly=false)
OpenClaw's default security model is personal-assistant (one trusted operator boundary), not hostile multi-tenant isolation on one shared gateway.
Fix: If users may be mutually untrusted, split trust boundaries (separate gateways + credentials, ideally separate OS users/hosts). If you intentionally run shared-user access, set agents.defaults.sandbox.mode="all", keep tools.fs.workspaceOnly=true, deny runtime/fs/web tools unless required, and keep personal/private identities + credentials off that runtime.
gateway.probe_failed Gateway probe failed (deep)
missing scope: operator.read
Fix: Run "openclaw status --all" to debug connectivity/auth, then re-run "openclaw security audit --deep".
INFO
summary.attack_surface Attack surface summary
groups: open=1, allowlist=0
tools.elevated: enabled
hooks.webhooks: disabled
hooks.internal: enabled
browser control: enabled
trust model: personal assistant (one trusted operator boundary), not hostile multi-tenant on one shared gateway
2. Examining the causes
Check the Feishu group policy:
bash
$ openclaw config get channels.feishu.groupPolicy
🦞 OpenClaw 2026.3.13 (61d171a) --- I run on caffeine, JSON5, and the audacity of "it worked on my machine."
open
13:56:51 [plugins] feishu_doc: Registered feishu_doc, feishu_app_scopes
13:56:51 [plugins] feishu_chat: Registered feishu_chat tool
13:56:51 [plugins] feishu_wiki: Registered feishu_wiki tool
13:56:51 [plugins] feishu_drive: Registered feishu_drive tool
13:56:51 [plugins] feishu_bitable: Registered bitable tools
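2.1 CRITICAL: Open group policy + elevated tools enabled
2.1.1 Root of the problem
The Feishu group policy is set to open while tools.elevated (privileged tools) is also enabled.
2.1.2 Attack scenario
Attacker → joins a public Feishu group → @-mentions the OpenClaw bot
→ injects a malicious prompt → invokes high-risk tools (e.g. exec/sandbox-off)
→ full control of the server
2.1.3 Fix
yaml
# openclaw.yaml
channels:
  feishu:
    groupPolicy: "allowlist"  # switch to an allowlist
    groupAllowFrom:
      - "oc_your-trusted-group-id-1"
      - "oc_your-trusted-group-id-2"
tools:
  elevated:
    enabled: false  # same shape that `openclaw config get tools` prints below
The same change can be made from the command line:
- Set the Feishu group policy to allowlist
bash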
$ openclaw config set channels.feishu.groupPolicy "allowlist"
- Add the groupAllowFrom allowlist
Open the Feishu app and enter the group.
Tap ... at the upper right to open Settings.
The group ID is the value labelled 会话ID (Session ID) there.
bash
$ openclaw config set channels.feishu.groupAllowFrom '["oc_fbe0e81468794e8bf2d13635f70c2138"]'
🦞 OpenClaw 2026.3.13 (61d171a) --- Powered by open source, sustained by spite and good documentation.
│
◇ Doctor warnings ──────────────────────────────────────────────────────────────────────────╮
│ │
│ - channels.feishu.groupPolicy is "allowlist" but groupAllowFrom (and allowFrom) is empty │
│ --- all group messages will be silently dropped. Add sender IDs to │
│ channels.feishu.groupAllowFrom or channels.feishu.allowFrom, or set groupPolicy to │
│ "open". │
│ │
├────────────────────────────────────────────────────────────────────────────────────────────╯
15:33:05 [plugins] feishu_doc: Registered feishu_doc, feishu_app_scopes
15:33:05 [plugins] feishu_chat: Registered feishu_chat tool
15:33:05 [plugins] feishu_wiki: Registered feishu_wiki tool
15:33:05 [plugins] feishu_drive: Registered feishu_drive tool
15:33:05 [plugins] feishu_bitable: Registered bitable tools
Config overwrite: /home/ubuntu/.openclaw/openclaw.json (sha256 3d5921137dc1d249dd8d393ee7300d14def2a7f221ace70e31d9d2fb50bf93fe -> 1971afbbf204ae4d04b16553a37e61cc6fc276230762f353259e4a0e7e46b439, backup=/home/ubuntu/.openclaw/openclaw.json.bak)
Then check the result:
bash
$ openclaw config get channels.feishu
🦞 OpenClaw 2026.3.13 (61d171a) --- Runs on a Raspberry Pi. Dreams of a rack in Iceland.
{
"enabled": true,
"appId": "cli_a939527feb38dbcc",
"appSecret": "__OPENCLAW_REDACTED__",
"connectionMode": "websocket",
"domain": "feishu",
"groupPolicy": "allowlist",
"groupAllowlist": [
"oc_fbe0e81468794e8bf2d13635f70c2138"
]
}
15:19:37 [plugins] feishu_doc: Registered feishu_doc, feishu_app_scopes
15:19:37 [plugins] feishu_chat: Registered feishu_chat tool
15:19:37 [plugins] feishu_wiki: Registered feishu_wiki tool
15:19:37 [plugins] feishu_drive: Registered feishu_drive tool
15:19:37 [plugins] feishu_bitable: Registered bitable tools
- Disable the elevated tools
bash
$ openclaw config set tools.elevated '{"enabled": false}'
Then check the result:
bash
$ openclaw config get tools
🦞 OpenClaw 2026.3.13 (61d171a) --- I run on caffeine, JSON5, and the audacity of "it worked on my machine."
{
"profile": "coding",
"elevated": {
"enabled": false
}
}
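2.2 Open group + runtime/filesystem tools exposed
2.2.1 Root of the problem
The agents.defaults configuration is dangerous:
- sandbox=off (sandbox disabled)
- runtime: [exec, process] (allows running system commands and managing processes)
- fs: [read, write] (allows reading and writing the filesystem)
2.2.2 Attack scenario
Any member of the Feishu group can craft a malicious prompt that makes the bot run arbitrary system commands or delete/steal files on the server:
Prompt injection → read /etc/passwd, write a web shell, execute arbitrary commands
2.2.3 Fix
bash
# Force sandbox mode to all
$ openclaw config set agents.defaults.sandbox.mode "all"
# Deny the runtime tools
$ openclaw config set tools.deny '["exec","process"]'
# Restrict the fs tools to the workspace directory
$ openclaw config set tools.fs.workspaceOnly true
# Set the Feishu tools to the messaging profile (messaging features only)
$ openclaw config set channels.feishu.tools.profile "messaging"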
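The risky combinations from sections 2.1 and 2.2, written as a standalone check over the config JSON so a regression can be caught before the gateway restarts. This is an added example, not OpenClaw's own audit code; the three sample configs are constructed, and a missing key is assumed to take the risky value seen in the first audit above.

```python
import json

# Constructed configs mirroring the page's states. Key names are the ones the
# audit output and the `openclaw config set` commands above use.
BEFORE = json.loads("""{
  "channels": {"feishu": {"groupPolicy": "open"}},
  "tools": {"profile": "coding", "elevated": {"enabled": true}},
  "agents": {"defaults": {"sandbox": {"mode": "off"}}}
}""")
AFTER = json.loads("""{
  "channels": {"feishu": {"groupPolicy": "allowlist",
                          "groupAllowFrom": ["oc_your-trusted-group-id-1"]}},
  "tools": {"elevated": {"enabled": false}, "deny": ["exec", "process"],
            "fs": {"workspaceOnly": true}},
  "agents": {"defaults": {"sandbox": {"mode": "all"}}}
}""")
# Allowlist policy, but the IDs sit under a key other than the two the Doctor
# warning checks (groupAllowFrom / allowFrom).
MISKEYED = json.loads("""{
  "channels": {"feishu": {"groupPolicy": "allowlist",
                          "groupAllowlist": ["oc_your-trusted-group-id-1"]}},
  "tools": {"elevated": {"enabled": false}}
}""")


def get(cfg, path, default):
    """Walk a dotted path such as 'tools.elevated.enabled'."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit(cfg):
    """Return (severity, message) pairs for the combinations flagged in 2.1 and 2.2."""
    findings = []
    # Assumption: a missing key takes the risky value from the page's first audit.
    elevated = get(cfg, "tools.elevated.enabled", True)
    sandbox = get(cfg, "agents.defaults.sandbox.mode", "off")
    runtime = {"exec", "process"} - set(get(cfg, "tools.deny", []))
    ws_only = get(cfg, "tools.fs.workspaceOnly", False)
    for name, chan in get(cfg, "channels", {}).items():
        where = f"channels.{name}.groupPolicy"
        policy = chan.get("groupPolicy", "open")
        if policy == "open" and elevated:
            findings.append(("CRITICAL", f"{where}=open with tools.elevated enabled"))
        if policy == "open" and sandbox != "all" and (runtime or not ws_only):
            findings.append(("CRITICAL", f"{where}=open with runtime/fs tools "
                             f"(sandbox={sandbox}, runtime={sorted(runtime)})"))
        if policy == "allowlist" and not (chan.get("groupAllowFrom") or chan.get("allowFrom")):
            findings.append(("WARN", f"{where}=allowlist but no sender/group IDs; "
                             "group messages are dropped"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("miskeyed", MISKEYED)):
        print(label, audit(cfg) or "no findings")
```

The third config reproduces the fail-closed case from the Doctor warning: the policy is strict, but with nothing under groupAllowFrom or allowFrom every group message is dropped.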
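2.3 WARN: Reverse proxy headers not trusted
2.3.1 Risk
If the Control UI is exposed through Nginx/Apache, the real client IP cannot be identified, so an IP allowlist may be bypassed.
2.3.2 Fix
Look up the IP that needs to go on the allowlist:
bash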
$ curl ipinfo.io/IP
114.106.107.153
Add the IP to the allowlist (the audit's fix text asks for your proxy IPs here):
bash
$ openclaw config set gateway.trustedProxies '["114.106.107.153"]'
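2.4 WARN: Feishu doc creation leaks permissions
2.4.1 Problem
feishu_doc.create automatically grants the caller (the Feishu user) permissions on the document.
2.4.2 Attack scenario
Attacker has the bot create a document → automatically gains edit rights on that document → may use it to spread malicious content
2.4.3 Fix
bash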
openclaw config set channels.feishu.tools.doc false
2.5 WARN: denyCommands entries are ineffective
2.5.1 Problem
gateway.nodes.denyCommands matches exact command names only; it does not match the contents of a command.
2.5.2 Fix
bash
openclaw config set gateway.nodes.denyCommands '["system.run"]'
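Why the seven entries flagged by the audit never blocked anything, as an added example (not OpenClaw's code). KNOWN_COMMANDS holds only the command names visible in this page's audit output, and the same-namespace hint is a stand-in for the tool's "did you mean" logic; both are assumptions.

```python
# Command names that appear in this page's audit output, used here as the
# gateway's known set (assumption: the real set is larger).
KNOWN_COMMANDS = {
    "system.run", "camera.list", "reminders.list",
    "canvas.present", "canvas.hide", "canvas.navigate", "canvas.eval",
    "canvas.snapshot", "canvas.a2ui.push", "canvas.a2ui.pushJSONL",
    "canvas.a2ui.reset",
}
# The deny entries the audit in section 1 reported as unknown.
DENY_FROM_AUDIT = ["camera.snap", "camera.clip", "screen.record",
                   "contacts.add", "calendar.add", "reminders.add", "sms.send"]


def is_denied(command_name, payload, deny_commands):
    """Model of the documented rule: exact name match, payload never inspected."""
    del payload  # deliberately unused
    return command_name in deny_commands


def ineffective_entries(deny_commands, known=frozenset(KNOWN_COMMANDS)):
    """Return {entry: (reason, suggestions)} for entries that can never match."""
    report = {}
    for entry in deny_commands:
        if entry in known:
            continue
        if any(ch.isspace() for ch in entry):
            # Shell text such as "ls -la" is not a command name at all.
            report[entry] = ("shell-text", [])
            continue
        namespace = entry.split(".", 1)[0]
        # Stand-in for the tool's "did you mean": known names in the same namespace.
        hints = sorted(k for k in known if k.split(".", 1)[0] == namespace)
        report[entry] = ("unknown-name", hints)
    return report


if __name__ == "__main__":
    for entry, (reason, hints) in ineffective_entries(DENY_FROM_AUDIT).items():
        print(f"{entry}: {reason}, did you mean: {hints or 'n/a'}")
    # A deny list made only of unknown names leaves system.run callable.
    print(is_denied("system.run", "ls -la", DENY_FROM_AUDIT))
```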
3. Verification
3.1 Check overall service status
bash
$ openclaw status
🦞 OpenClaw 2026.3.13 (61d171a) --- Claws out, commit in---let's ship something mildly responsible.
18:41:54 [plugins] feishu_doc: Registered feishu_app_scopes
18:41:54 [plugins] feishu_chat: Registered feishu_chat tool
18:41:54 [plugins] feishu_wiki: Registered feishu_wiki tool
18:41:54 [plugins] feishu_drive: Registered feishu_drive tool
18:41:54 [plugins] feishu_bitable: Registered bitable tools
│
18:41:54 [plugins] feishu_doc: Registered feishu_app_scopes
18:41:54 [plugins] feishu_chat: Registered feishu_chat tool
18:41:54 [plugins] feishu_wiki: Registered feishu_wiki tool
18:41:54 [plugins] feishu_drive: Registered feishu_drive tool
18:41:54 [plugins] feishu_bitable: Registered bitable tools
◇
│
◇
OpenClaw status
Overview
┌─────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Item │ Value │
├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Dashboard │ http://127.0.0.1:18789/ │
│ OS │ linux 6.8.0-71-generic (x64) · node 24.14.0 │
│ Tailscale │ off │
│ Channel │ stable (default) │
│ Update │ pnpm · npm latest 2026.3.13 │
│ Gateway │ local · ws://127.0.0.1:18789 (local loopback) · unreachable (missing scope: operator.read) │
│ Gateway service │ systemd installed · enabled · running (pid 1130434, state active) │
│ Node service │ systemd not installed │
│ Agents │ 1 · 1 bootstrap file present · sessions 2 · default main active 3h ago │
│ Memory │ 0 files · 0 chunks · dirty · sources memory · plugin memory-core · vector unknown · fts ready · │
│ │ cache on (0) │
│ Probes │ skipped (use --deep) │
│ Events │ none │
│ Heartbeat │ 30m (main) │
│ Sessions │ 2 active · default MiniMax-M2.5 (200k ctx) · ~/.openclaw/agents/main/sessions/sessions.json │
└─────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────┘
Security audit
Summary: 0 critical · 0 warn · 1 info
No critical or warn findings detected.
Full report: openclaw security audit
Deep probe: openclaw security audit --deep
Channels
┌──────────┬─────────┬────────┬─────────────────────────────────────────────────────────────────────────────────────────┐
│ Channel │ Enabled │ State │ Detail │
├──────────┼─────────┼────────┼─────────────────────────────────────────────────────────────────────────────────────────┤
│ Feishu │ ON │ OK │ configured │
└──────────┴─────────┴────────┴─────────────────────────────────────────────────────────────────────────────────────────┘
Sessions
┌─────────────────────────────────────────────────────┬────────┬─────────┬──────────────┬───────────────────────────────┐
│ Key │ Kind │ Age │ Model │ Tokens │
├─────────────────────────────────────────────────────┼────────┼─────────┼──────────────┼───────────────────────────────┤
│ agent:main:feishu:group:oc_fbe0... │ group │ 3h ago │ MiniMax-M2.5 │ 15k/200k (7%) · 🗄️ 69% cached │
│ agent:main:feishu:direct:ou_d9b... │ direct │ 21h ago │ MiniMax-M2.5 │ 13k/200k (6%) · 🗄️ 25% cached │
└─────────────────────────────────────────────────────┴────────┴─────────┴──────────────┴───────────────────────────────┘
FAQ: https://docs.openclaw.ai/faq
Troubleshooting: https://docs.openclaw.ai/troubleshooting
Next steps:
Need to share? openclaw status --all
Need to debug live? openclaw logs --follow
Fix reachability first: openclaw gateway probe
3.2 Check the Gateway's running state
bash
$ openclaw gateway status
🦞 OpenClaw 2026.3.13 (61d171a) --- Welcome to the command line: where dreams compile and confidence segfaults.
18:43:34 [plugins] feishu_doc: Registered feishu_app_scopes
18:43:34 [plugins] feishu_chat: Registered feishu_chat tool
18:43:34 [plugins] feishu_wiki: Registered feishu_wiki tool
18:43:34 [plugins] feishu_drive: Registered feishu_drive tool
18:43:34 [plugins] feishu_bitable: Registered bitable tools
│
◇
Service: systemd (enabled)
File logs: /tmp/openclaw/openclaw-2026-03-17.log
Command: /home/ubuntu/.nvm/versions/node/v24.14.0/bin/node /home/ubuntu/.nvm/versions/node/v24.14.0/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/.config/systemd/user/openclaw-gateway.service
Service env: OPENCLAW_GATEWAY_PORT=18789
Service config looks out of date or non-standard.
Service config issue: Gateway service uses Node from a version manager; it can break after upgrades. (/home/ubuntu/.nvm/versions/node/v24.14.0/bin/node)
Service config issue: System Node 22 LTS (22.16+) or Node 24 not found; install it before migrating away from version managers.
Recommendation: run "openclaw doctor" (or "openclaw doctor --repair").
Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json
Gateway: bind=loopback (127.0.0.1), port=18789 (service args)
Probe target: ws://127.0.0.1:18789
Dashboard: http://127.0.0.1:18789/
Probe note: Loopback-only gateway; only local clients can connect.
Runtime: running (pid 1130434, state active, sub running, last exit 0, reason 0)
RPC probe: ok
Listening: 127.0.0.1:18789
Troubles: run openclaw status
Troubleshooting: https://docs.openclaw.ai/troubleshooting
3.3 Run a full diagnosis
bash
$ openclaw doctor
3.4 Check channel connectivity
bash
$ openclaw channels status --probe
🦞 OpenClaw 2026.3.13 (61d171a) --- iMessage green bubble energy, but for everyone.
18:47:46 [plugins] feishu_doc: Registered feishu_app_scopes
18:47:46 [plugins] feishu_chat: Registered feishu_chat tool
18:47:46 [plugins] feishu_wiki: Registered feishu_wiki tool
18:47:46 [plugins] feishu_drive: Registered feishu_drive tool
18:47:46 [plugins] feishu_bitable: Registered bitable tools
│
18:47:46 [plugins] feishu_doc: Registered feishu_app_scopes
18:47:46 [plugins] feishu_chat: Registered feishu_chat tool
18:47:46 [plugins] feishu_wiki: Registered feishu_wiki tool
18:47:46 [plugins] feishu_drive: Registered feishu_drive tool
18:47:46 [plugins] feishu_bitable: Registered bitable tools
◇
Gateway reachable.
- Feishu default: enabled, configured, running, works
Tip: status --deep adds gateway health probes to status output (requires a reachable gateway).
3.5 Follow the logs in real time
bash
$ openclaw logs --follow
3.6 See which process is holding the port
bash
$ lsof -i :18789
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openclaw- 1136191 ubuntu 22u IPv4 5821514 0t0 TCP localhost:18789 (LISTEN)
openclaw- 1136191 ubuntu 23u IPv6 5821515 0t0 TCP ip6-localhost:18789 (LISTEN)