How do I report a vulnerability?

Email security@neullabs.com with as much detail as you can. We acknowledge within 48 hours and aim for a fix within 14 days for confirmed issues. Critical sandbox-escape findings get a same-day response. We follow coordinated disclosure — please don't publicly disclose until we've shipped a patch.

Is there a bug bounty?

Not yet. As an Apache-2.0 project we're not in a position to pay bounties. We credit researchers in the CHANGELOG and the SECURITY.md acknowledgments, and we'll write you a reference letter on request.

Has it been pen-tested?

OpenClawMU itself hasn't been formally pen-tested as of v0.1. Upstream OpenClaw has had multiple informal reviews from the security community on Discord. We treat sandbox escape as a CVE and ship patches as a priority release.

Security posture · OpenClawMU

Threat model

OpenClawMU's threat model assumes:

The operator is trusted. Whoever runs openclaw gateway has full access. Compromise of the operator account compromises everything.
Tenants are mutually untrusted. Tenant A may be actively malicious toward tenant B. The isolation model exists to prevent A from observing or interfering with B.
The gateway is reachable from the public internet. Often it isn't (Tailscale, SSH tunnel) but the design assumes it could be.
LLM providers are honest. We trust Anthropic / OpenAI / your-LLM-of-choice to return correct token usage figures and not to reveal one tenant's data to another. (They have their own multi-tenant isolation guarantees.)

Token security

128-bit random secrets from crypto.randomBytes.
SHA-256 hashed at rest; plaintext never written to disk after first display.
Constant-time comparison via crypto.timingSafeEqual.
Tokens carry the tenant ID prefix for log greppability without exposing the secret.
Rotation is single-command and instant.

Sandbox isolation

Bubblewrap default: user-namespace + mount-namespace + seccomp filter + tmpfs scratch.
Docker mode: --cap-drop=ALL, default-deny seccomp, optional gVisor runtime, cgroup memory/CPU caps.
No network egress by default. Opt-in per tool with hostname + port allow-lists.
Read-only host filesystem; writable scratch tmpfs; writable tenant work dir.

Path-traversal hardening

Every API surface that takes a path string:

Resolves the path with path.resolve against the tenant root.
Asserts the resolved path is a descendant of the tenant root.
Rejects symlinks that point outside the root.
Rejects absolute paths in user input.

Surfaces with this protection: file_read / file_write tools, plugin loaders, S3 backup target, S3 restore source, config overlay file paths, sandbox mount specs.

Admin / tenant key separation

The gateway config has two distinct credential classes:

Admin keys — LLM provider credentials, rate card, S3 credentials, control-plane HTTP API key. Live only in the gateway config; never in any tenant overlay.
Tenant tokens — issued per tenant, scoped to that tenant's namespace. Can be rotated.

Attempting to set an admin key from a tenant config overlay fails at load time with a clear error. There's no precedence rule to argue over.

Audit logs

The gateway emits a JSONL audit log to ~/.openclaw/audit.log for every state-changing operation: tenant create / delete / suspend, token rotate, config overlay write, backup, restore, channel pair / unpair, cron add / remove. Each line carries a timestamp, the actor (admin key or tenant token hash prefix), the action, and the target. Rotate with logrotate or your favourite log shipper.

Disclosure

Email security@neullabs.com with findings. We acknowledge within 48 hours, fix within 14 days for confirmed issues. Critical issues (sandbox escape, token leak) get same-day response. Coordinated disclosure preferred — please don't go public until we've shipped a patch.

Security advisories live at https://github.com/neul-labs/openclawmu/security/advisories ↗ .

Security posture.