1.发现问题运行 openclaw status 发现3个严重的安全威胁$ openclaw status OpenClaw2026.3.13(61d171a)— The only crabinyour contacts you actually want to hear from. 11:54:50[plugins]feishu_doc: Registered feishu_doc, feishu_app_scopes11:54:50[plugins]feishu_chat: Registered feishu_chat tool11:54:50[plugins]feishu_wiki: Registered feishu_wiki tool11:54:50[plugins]feishu_drive: Registered feishu_drive tool11:54:50[plugins]feishu_bitable: Registered bitable tools │11:54:50[plugins]feishu_doc: Registered feishu_doc, feishu_app_scopes11:54:50[plugins]feishu_chat: Registered feishu_chat tool11:54:50[plugins]feishu_wiki: Registered feishu_wiki tool11:54:50[plugins]feishu_drive: Registered feishu_drive tool11:54:50[plugins]feishu_bitable: Registered bitable tools ◇ │ ◇ OpenClaw status Overview ┌─────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐ │ Item │ Value │ ├─────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ Dashboard │ http://127.0.0.1:18789/ │ │ OS │ linux6.8.0-71-generic(x64)·node24.14.0 │ │ Tailscale │ off │ │ Channel │ stable(default)│ │ Update │pnpm·npmlatest2026.3.13 │ │ Gateway │local· ws://127.0.0.1:18789(local loopback)· unreachable(missing scope: operator.read)│ │ Gatewayservice│ systemd installed · enabled · running(pid793469, state active)│ │ Nodeservice│ systemd not installed │ │ Agents │1·1bootstrapfilepresent · sessions2· default main active 14h ago │ │ Memory │0files ·0chunks · dirty · sources memory · plugin memory-core · vector unknown · fts ready · cache on(0)│ │ Probes │ skipped(use --deep)│ │ Events │ none │ │ Heartbeat │ 30m(main)│ │ Sessions │2active · default MiniMax-M2.5(200k ctx)· ~/.openclaw/agents/main/sessions/sessions.json │ └─────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ Security audit Summary:3critical ·4warn ·1info CRITICAL Open groupPolicy with elevated tools enabled FoundgroupPolicyopenat: - channels.feishu.groupPolicy With tools.elevated enabled, a prompt injectioninthose rooms can become a high-impact incident. Fix: SetgroupPolicyallowlistand keep elevated allowlists extremely tight. CRITICAL Open groupPolicy with runtime/filesystem tools exposed FoundgroupPolicyopenat: - channels.feishu.groupPolicy Risky tool exposure contexts: - agents.defaults(sandboxoff;runtime[exec, process];fs[read, wri… Fix: Foropengroups, prefertools.profilemessaging(or deny group:runtime/group:fs),settools.fs.workspaceOnlytrue, and useagents.defaults.sandbox.modeallforexposed agents. CRITICAL Feishu security warning Feishu[default]groups:groupPolicyopenallows any member to trigger(mention-gated). Setchannels.feishu.groupPolicyallowlist channels.feishu.groupAll… WARN Reverse proxy headers are not trusted gateway.bind is loopback and gateway.trustedProxies is empty. If you expose the Control UI through a reverse proxy, configure trusted proxies so local-client c… Fix: Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only. WARN Feishu doc create can grant requester permissions channels.feishu tools includedoc;feishu_doc actioncreatecan grant document access to the trusted requesting Feishu user. Fix: Disable channels.feishu.tools.doc when not needed, and restrict tool accessforuntrusted prompts. WARN Some gateway.nodes.denyCommands entries are ineffective gateway.nodes.denyCommands uses exactnodecommand-name matching only(for examplesystem.run), not shell-text filtering inside acommandpayload. - Unknown … Fix: Use exactcommandnames(for example: canvas.present, canvas.hide, canvas.navigate, canvas.eval, canvas.snapshot, canvas.a2ui.push, canvas.a2ui.pushJSONL, canvas.a2ui.reset). If you need broader restrictions, remove riskycommandIDs from allowCommands/default workflows and tighten tools.exec policy. … 1moreFull report: openclaw security audit Deep probe: openclaw security audit--deepChannels ┌──────────┬─────────┬────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐ │ Channel │ Enabled │ State │ Detail │ ├──────────┼─────────┼────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ Feishu │ ON │ OK │ configured │ └──────────┴─────────┴────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ Sessions ┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬─────────┬──────────────┬────────────────────────────────┐ │ Key │ Kind │ Age │ Model │ Tokens │ ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼─────────┼──────────────┼────────────────────────────────┤ │ agent:main:feishu:group:oc_fbe0… │ group │ 14h ago │ MiniMax-M2.5 │ 23k/200k(11%)· ️97% cached │ │ agent:main:feishu:direct:ou_d9b… │ direct │ 14h ago │ MiniMax-M2.5 │ 13k/200k(6%)· ️25% cached │ └──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴─────────┴──────────────┴────────────────────────────────┘ FAQ: https://docs.openclaw.ai/faq Troubleshooting: https://docs.openclaw.ai/troubleshooting Next steps: Need to share? openclaw status--allNeed to debug live? openclaw logs--followFix reachability first: openclaw gateway probe查看详细的问题原因$ openclaw security audit--deep OpenClaw2026.3.13(61d171a)Im the assistant your terminal demanded, not the one your sleep schedule requested. 13:48:37 [plugins] feishu_doc: Registered feishu_doc, feishu_app_scopes 13:48:37 [plugins] feishu_chat: Registered feishu_chat tool 13:48:37 [plugins] feishu_wiki: Registered feishu_wiki tool 13:48:37 [plugins] feishu_drive: Registered feishu_drive tool 13:48:37 [plugins] feishu_bitable: Registered bitable tools OpenClaw security audit Summary: 3 critical · 5 warn · 1 info Run deeper: openclaw security audit --deep CRITICAL security.exposure.open_groups_with_elevated Open groupPolicy with elevated tools enabled Found groupPolicyopen at: - channels.feishu.groupPolicy With tools.elevated enabled, a prompt injection in those rooms can become a high-impact incident. Fix: Set groupPolicyallowlist and keep elevated allowlists extremely tight. security.exposure.open_groups_with_runtime_or_fs Open groupPolicy with runtime/filesystem tools exposed Found groupPolicyopen at: - channels.feishu.groupPolicy Risky tool exposure contexts: - agents.defaults (sandboxoff; runtime[exec, process]; fs[read, write, edit, apply_patch]; fs.workspaceOnlyfalse) Prompt injection in open groups can trigger command/file actions in these contexts. Fix: For open groups, prefer tools.profilemessaging (or deny group:runtime/group:fs), set tools.fs.workspaceOnlytrue, and use agents.defaults.sandbox.modeall for exposed agents. channels.feishu.warning.1 Feishu security warning Feishu[default] groups: groupPolicyopen allows any member to trigger (mention-gated). Set channels.feishu.groupPolicyallowlist channels.feishu.groupAllowFrom to restrict senders. WARN gateway.trusted_proxies_missing Reverse proxy headers are not trusted gateway.bind is loopback and gateway.trustedProxies is empty. If you expose the Control UI through a reverse proxy, configure trusted proxies so local-client checks cannot be spoofed. Fix: Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only. channels.feishu.doc_owner_open_id Feishu doc create can grant requester permissions channels.feishu tools include doc; feishu_doc action create can grant document access to the trusted requesting Feishu user. Fix: Disable channels.feishu.tools.doc when not needed, and restrict tool access for untrusted prompts. gateway.nodes.deny_commands_ineffective Some gateway.nodes.denyCommands entries are ineffective gateway.nodes.denyCommands uses exact node command-name matching only (for example system.run), not shell-text filtering inside a command payload. - Unknown command names (not in defaults/allowCommands): camera.snap (did you mean: camera.list), camera.clip (did you mean: camera.list), screen.record, contacts.add, calendar.add, reminders.add (did you mean: reminders.list), sms.send Fix: Use exact command names (for example: canvas.present, canvas.hide, canvas.navigate, canvas.eval, canvas.snapshot, canvas.a2ui.push, canvas.a2ui.pushJSONL, canvas.a2ui.reset). If you need broader restrictions, remove risky command IDs from allowCommands/default workflows and tighten tools.exec policy. security.trust_model.multi_user_heuristic Potential multi-user setup detected (personal-assistant model warning) Heuristic signals indicate this gateway may be reachable by multiple users: - channels.feishu.groupPolicyopen Runtime/process tools are exposed without full sandboxing in at least one context. Potential high-impact tool exposure contexts: - agents.defaults (sandboxoff; runtime[exec, process]; fs[read, write, edit, apply_patch]; fs.workspaceOnlyfalse) OpenClaws default security model is personal-assistant(one trusted operator boundary), not hostile multi-tenant isolation on one shared gateway. Fix: Ifusersmay be mutually untrusted,splittrust boundaries(separate gateways credentials, ideally separate OS users/hosts). If you intentionally run shared-user access,setagents.defaults.sandbox.modeall, keeptools.fs.workspaceOnlytrue, deny runtime/fs/web tools unless required, and keep personal/private identities credentials off that runtime. gateway.probe_failed Gateway probe failed(deep)missing scope: operator.read Fix: Runopenclaw status --allto debug connectivity/auth,thenre-runopenclaw security audit --deep.INFO summary.attack_surface Attack surface summary groups:open1,allowlist0tools.elevated: enabled hooks.webhooks: disabled hooks.internal: enabled browser control: enabled trust model: personal assistant(one trusted operator boundary), not hostile multi-tenant on one shared gateway2. 查看原因查看飞书群组策略$ openclaw config get channels.feishu.groupPolicy OpenClaw2026.3.13(61d171a)— I run on caffeine, JSON5, and the audacity ofit worked on my machine.open13:56:51[plugins]feishu_doc: Registered feishu_doc, feishu_app_scopes13:56:51[plugins]feishu_chat: Registered feishu_chat tool13:56:51[plugins]feishu_wiki: Registered feishu_wiki tool13:56:51[plugins]feishu_drive: Registered feishu_drive tool13:56:51[plugins]feishu_bitable: Registered bitable tools2.1 CRITICAL: 开放群组策略 高危工具启用2.1.1 问题本质飞书群组策略设为 open同时启用了 tools.elevated特权工具2.1.2 攻击场景攻击者 → 加入公开飞书群 → OpenClaw 机器人→ 注入恶意提示词 → 调用高危工具如 exec/sandbox-off→ 完全控制服务器2.1.3 修改# openclaw.yamlchannels:feishu:groupPolicy:allowlist# 改为白名单制groupAllowFrom:-oc_your-trusted-group-id-1-oc_your-trusted-group-id-2tools:elevated:false也可以用命令修改设置飞书群组策略为白名单制$ openclaw configsetchannels.feishu.groupPolicyallowlist添加 groupAllowFrom 白名单打开飞书 App 进入群点击下图的右上方的…打开设置其中群组ID为下图中的会话ID$ openclaw configsetchannels.feishu.groupAllowFrom[oc_fbe0e81468794e8bf2d13635f70c2138] OpenClaw 2026.3.13(61d171a)— Powered by open source,sustained by spite and good documentation.│ ◇ Doctor warnings ──────────────────────────────────────────────────────────────────────────╮ │ │ │-channels.feishu.groupPolicy isallowlistbut groupAllowFrom(and allowFrom)is empty │ │ — allgroupmessages will be silently dropped.Add sender IDs to │ │ channels.feishu.groupAllowFrom or channels.feishu.allowFrom,orsetgroupPolicy to │ │open.│ │ │ ├────────────────────────────────────────────────────────────────────────────────────────────╯ 15:33:05[plugins]feishu_doc: Registered feishu_doc,feishu_app_scopes 15:33:05[plugins]feishu_chat: Registered feishu_chat tool 15:33:05[plugins]feishu_wiki: Registered feishu_wiki tool 15:33:05[plugins]feishu_drive: Registered feishu_drive tool 15:33:05[plugins]feishu_bitable: Registered bitable tools Config overwrite:/home/ubuntu/.openclaw/openclaw.json(sha256 3d5921137dc1d249dd8d393ee7300d14def2a7f221ace70e31d9d2fb50bf93fe- 1971afbbf204ae4d04b16553a37e61cc6fc276230762f353259e4a0e7e46b439,backup/home/ubuntu/.openclaw/openclaw.json.bak)然后查看$ openclaw config get channels.feishu OpenClaw 2026.3.13(61d171a)— Runs on a Raspberry Pi.Dreams of a rack in Iceland.{enabled: true,appId:cli_a939527feb38dbcc,appSecret:__OPENCLAW_REDACTED__,connectionMode:websocket,domain:feishu,groupPolicy:allowlist,groupAllowlist:[oc_fbe0e81468794e8bf2d13635f70c2138]}15:19:37[plugins]feishu_doc: Registered feishu_doc,feishu_app_scopes 15:19:37[plugins]feishu_chat: Registered feishu_chat tool 15:19:37[plugins]feishu_wiki: Registered feishu_wiki tool 15:19:37[plugins]feishu_drive: Registered feishu_drive tool 15:19:37[plugins]feishu_bitable: Registered bitable tools禁用 elevated 工具$ openclaw configsettools.elevated{enabled: false}然后查看$ openclaw config get tools OpenClaw 2026.3.13(61d171a)— I run on caffeine,JSON5,and the audacity ofit worked on my machine.{profile:coding,elevated:{enabled: false}}2.2 开放群组 runtime/filesystem 工具暴露2.2.1 问题本质agents.defaults 配置危险sandboxoff关闭沙箱runtime: [exec, process] (允许执行系统命令和管理进程)fs: [read, write] (允许读写文件系统)2.2.2 攻击场景任何飞书群成员均可通过构造恶意提示词让机器人执行任意系统命令或删除/窃取服务器文件:提示词注入 → 读取 /etc/passwd、写入 WebShell、执行任意命令2.2.3 修改# 1. 强制沙箱模式为 all$ openclaw configsetagents.defaults.sandbox.modeoff# 禁用工具$ openclaw configsettools.deny[exec,process]# 设置 fs 工具仅在工作目录$ openclaw configsettools.fs.workspaceOnly true# 设置飞书工具为 messaging 模式仅消息功能$ openclaw configsetchannels.feishu.tools.profilemessaging2.3 WARN: 反向代理头未信任2.3.1 风险如果通过 Nginx/Apache 暴露 Control UI无法识别真实客户端 IP可能绕过 IP 白名单2.3.2 修复查看需要加入白名单的IP$ curl ipinfo.io/IP 114.106.107.153把IP 加入白名单$ openclaw configsetgateway.trustedProxies[114.106.107.153]2.4 WARN: 飞书文档创建权限泄露2.4.1 问题feishu_doc.create 会自动给调用者飞书用户授予文档权限2.4.2 攻击场景攻击者让机器人创建文档 → 自动获得该文档编辑权 → 可能用于传播恶意内容2.4.2 修复openclaw configsetchannels.feishu.tools.doc false2.5 WARN: denyCommands 配置无效2.5.1 问题gateway.nodes.denyCommands 只匹配精确命令名不匹配命令内容2.5.2 修复openclaw configsetgateway.nodes.denyCommands[system.run]3. 检查检验3.1 检查整体服务状态$ openclaw status OpenClaw 2026.3.13(61d171a)— Claws out,commit in—lets ship something mildly responsible.18:41:54[plugins]feishu_doc: Registered feishu_app_scopes 18:41:54[plugins]feishu_chat: Registered feishu_chat tool 18:41:54[plugins]feishu_wiki: Registered feishu_wiki tool 18:41:54[plugins]feishu_drive: Registered feishu_drive tool 18:41:54[plugins]feishu_bitable: Registered bitable tools │ 18:41:54[plugins]feishu_doc: Registered feishu_app_scopes 18:41:54[plugins]feishu_chat: Registered feishu_chat tool 18:41:54[plugins]feishu_wiki: Registered feishu_wiki tool 18:41:54[plugins]feishu_drive: Registered feishu_drive tool 18:41:54[plugins]feishu_bitable: Registered bitable tools ◇ │ ◇ OpenClaw status Overview ┌─────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────┐ │ Item │ Value │ ├─────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ Dashboard │ http://127.0.0.1:18789/ │ │ OS │ linux 6.8.0-71-generic(x64)· node 24.14.0 │ │ Tailscale │ off │ │ Channel │ stable(default)│ │ Update │ pnpm · npm latest 2026.3.13 │ │ Gateway │ local · ws://127.0.0.1:18789(local loopback)· unreachable(missing scope: operator.read)│ │ Gateway service │ systemd installed · enabled · running(pid 1130434,state active)│ │ Node service │ systemd not installed │ │ Agents │ 1 · 1 bootstrap file present · sessions 2 · default main active 3h ago │ │ Memory │ 0 files · 0 chunks · dirty · sources memory · plugin memory-core · vector unknown · fts ready · │ │ │ cache on(0)│ │ Probes │ skipped(use--deep)│ │ Events │ none │ │ Heartbeat │ 30m(main)│ │ Sessions │ 2 active · default MiniMax-M2.5(200k ctx)· ~/.openclaw/agents/main/sessions/sessions.json │ └─────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────┘ Security audit Summary: 0 critical · 0 warn · 1 info No critical or warn findings detected.Full report: openclaw security audit Deep probe: openclaw security audit--deep Channels ┌──────────┬─────────┬────────┬─────────────────────────────────────────────────────────────────────────────────────────┐ │ Channel │ Enabled │ State │ Detail │ ├──────────┼─────────┼────────┼─────────────────────────────────────────────────────────────────────────────────────────┤ │ Feishu │ ON │ OK │ configured │ └──────────┴─────────┴────────┴─────────────────────────────────────────────────────────────────────────────────────────┘ Sessions ┌─────────────────────────────────────────────────────┬────────┬─────────┬──────────────┬───────────────────────────────┐ │ Key │ Kind │ Age │ Model │ Tokens │ ├─────────────────────────────────────────────────────┼────────┼─────────┼──────────────┼───────────────────────────────┤ │ agent:main:feishu:group:oc_fbe0… │group│ 3h ago │ MiniMax-M2.5 │ 15k/200k(7%)· ️ 69% cached │ │ agent:main:feishu:direct:ou_d9b… │ direct │ 21h ago │ MiniMax-M2.5 │ 13k/200k(6%)· ️ 25% cached │在这里插入代码片 └─────────────────────────────────────────────────────┴────────┴─────────┴──────────────┴───────────────────────────────┘ FAQ: https://docs.openclaw.ai/faq Troubleshooting: https://docs.openclaw.ai/troubleshooting Next steps: Need to share? openclaw status--all Need to debug live? openclaw logs--follow Fix reachability first: openclaw gateway probe3.2 检查 Gateway 运行状态$ openclaw gateway status OpenClaw 2026.3.13(61d171a)— Welcome to the command line: where dreams compile and confidence segfaults.18:43:34[plugins]feishu_doc: Registered feishu_app_scopes 18:43:34[plugins]feishu_chat: Registered feishu_chat tool 18:43:34[plugins]feishu_wiki: Registered feishu_wiki tool 18:43:34[plugins]feishu_drive: Registered feishu_drive tool 18:43:34[plugins]feishu_bitable: Registered bitable tools │ ◇ Service: systemd(enabled)File logs:/tmp/openclaw/openclaw-2026-03-17.log Command:/home/ubuntu/.nvm/versions/node/v24.14.0/bin/node/home/ubuntu/.nvm/versions/node/v24.14.0/lib/node_modules/openclaw/dist/index.js gateway--port 18789 Service file: ~/.config/systemd/user/openclaw-gateway.service Service env: OPENCLAW_GATEWAY_PORT18789 Service config looks out of date or non-standard.Service config issue: Gateway service uses Nodefroma version manager;it canbreakafter upgrades.(/home/ubuntu/.nvm/versions/node/v24.14.0/bin/node)Service config issue: System Node 22 LTS(22.16)or Node 24 not found;install it before migrating awayfromversion managers.Recommendation: runopenclaw doctor(oropenclaw doctor --repair).Config(cli): ~/.openclaw/openclaw.json Config(service): ~/.openclaw/openclaw.json Gateway: bindloopback(127.0.0.1),port18789(service args)Probe target: ws://127.0.0.1:18789 Dashboard: http://127.0.0.1:18789/ Probe note: Loopback-only gateway;only local clients can connect.Runtime: running(pid 1130434,state active,sub running,lastexit0,reason 0)RPC probe: ok Listening: 127.0.0.1:18789 Troubles: run openclaw status Troubleshooting: https://docs.openclaw.ai/troubleshooting3.3 执行全面诊断$ openclaw doctor3.4 检查通信渠道连通性$ openclaw channels status--probe OpenClaw 2026.3.13(61d171a)— iMessage green bubble energy,butforeveryone.18:47:46[plugins]feishu_doc: Registered feishu_app_scopes 18:47:46[plugins]feishu_chat: Registered feishu_chat tool 18:47:46[plugins]feishu_wiki: Registered feishu_wiki tool 18:47:46[plugins]feishu_drive: Registered feishu_drive tool 18:47:46[plugins]feishu_bitable: Registered bitable tools │ 18:47:46[plugins]feishu_doc: Registered feishu_app_scopes 18:47:46[plugins]feishu_chat: Registered feishu_chat tool 18:47:46[plugins]feishu_wiki: Registered feishu_wiki tool 18:47:46[plugins]feishu_drive: Registered feishu_drive tool 18:47:46[plugins]feishu_bitable: Registered bitable tools ◇ Gateway reachable.-Feishu default: enabled,configured,running,works Tip: status--deep adds gateway health probes to status output(requires a reachable gateway).3.5 实时查看日志$ openclaw logs--follow3.6 查看占用端口的进程$ lsof-i :18789 COMMAND PID USER FDTYPEDEVICE SIZE/OFF NODE NAME openclaw- 1136191 ubuntu 22u IPv4 5821514 0t0 TCP localhost:18789(LISTEN)openclaw- 1136191 ubuntu 23u IPv6 5821515 0t0 TCP ip6-localhost:18789(LISTEN)