[Bug]: False positive in security audit on localized Windows: SYSTEM shown as "others writable" #35834

@vkomlev

Bug type

Behavior bug (incorrect output/state without crash)

Summary

openclaw security audit reports critical ACL issues on Windows, even when ACLs are correctly restricted to only:

  • current user
  • NT AUTHORITY\SYSTEM

This appears to be a locale/encoding parsing issue (Russian Windows), where identity names from icacls are displayed as garbled text (e.g. NT AUTHORITY\�������) and misclassified as "others".


Environment

  • OpenClaw: 2026.3.2 (85377a2)
  • OS: Windows 10 10.0.19045 (RU locale)
  • Node: 24.13.0
  • Shell: PowerShell

Command

openclaw security audit --deep
───

Actual result

Audit reports critical findings such as:

• fs.config.perms_writable
• fs.credentials_dir.perms_writable
• fs.auth_profiles.perms_writable

with messages like:

• acl=NT AUTHORITY\�������:(F)

───

Expected result

No critical ACL findings when ACLs are restricted to only:

• <COMPUTER>\<USERNAME>: FullControl
• NT AUTHORITY\SYSTEM: FullControl
• inheritance disabled

───
Verification (PowerShell Get-Acl)

```powershell
(Get-Acl "$env:USERPROFILE\.openclaw\openclaw.json").Access
(Get-Acl "$env:USERPROFILE\.openclaw\credentials").Access
(Get-Acl "$env:USERPROFILE\.openclaw\agents\main\agent\auth-profiles.json").Access
```

Observed entries:

• NT AUTHORITY\СИСТЕМА (FullControl, Allow, IsInherited=False)
• <COMPUTER>\<USERNAME> (FullControl, Allow, IsInherited=False)

No extra principals.

───

Notes

The parser logic likely relies on localized icacls identity text instead of stable SID-based matching.
Suggestion: resolve and compare SIDs (S-1-5-18 etc.) rather than localized account names.

### Steps to reproduce

```text
openclaw security audit --deep

🦞 OpenClaw 2026.3.2 (85377a2) — I don't judge, but your missing API keys are absolutely judging you.

OpenClaw security audit
Summary: 3 critical · 3 warn · 1 info
Run deeper: openclaw security audit --deep

CRITICAL
fs.config.perms_writable Config file is writable by others
C:\Users\user.openclaw\openclaw.json acl=NT AUTHORITY\�������:(F); another user could change gateway/auth/tool policies.
Fix: icacls "C:\Users\user.openclaw\openclaw.json" /inheritance:r /grant:r "WIN-1OJ4F69CGN3\user:F" /grant:r "*S-1-5-18:F"
fs.credentials_dir.perms_writable Credentials dir is writable by others
C:\Users\user.openclaw\credentials acl=NT AUTHORITY\�������:(OI)(CI)(F); another user could drop/modify credential files.
Fix: icacls "C:\Users\user.openclaw\credentials" /inheritance:r /grant:r "WIN-1OJ4F69CGN3\user:(OI)(CI)F" /grant:r "*S-1-5-18:(OI)(CI)F"
fs.auth_profiles.perms_writable auth-profiles.json is writable by others
C:\Users\user.openclaw\agents\main\agent\auth-profiles.json acl=NT AUTHORITY\�������:(F); another user could inject credentials.
Fix: icacls "C:\Users\user.openclaw\agents\main\agent\auth-profiles.json" /inheritance:r /grant:r "WIN-1OJ4F69CGN3\user:F" /grant:r "*S-1-5-18:F"

WARN
gateway.trusted_proxies_missing Reverse proxy headers are not trusted
gateway.bind is loopback and gateway.trustedProxies is empty. If you expose the Control UI through a reverse proxy, configure trusted proxies so local-client checks cannot be spoofed.
Fix: Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only.
fs.state_dir.perms_group_writable State dir is group-writable
C:\Users\user.openclaw acl=NT AUTHORITY\�������:(OI)(CI)(F); group users can write into your OpenClaw state.
Fix: icacls "C:\Users\user.openclaw" /inheritance:r /grant:r "WIN-1OJ4F69CGN3\user:(OI)(CI)F" /grant:r "*S-1-5-18:(OI)(CI)F"
fs.sessions_store.perms_readable sessions.json is readable by others
C:\Users\user.openclaw\agents\main\sessions\sessions.json acl=NT AUTHORITY\�������:(I)(F); routing and transcript metadata can be sensitive.
Fix: icacls "C:\Users\user.openclaw\agents\main\sessions\sessions.json" /inheritance:r /grant:r "WIN-1OJ4F69CGN3\user:F" /grant:r "*S-1-5-18:F"

INFO
summary.attack_surface Attack surface summary
groups: open=0, allowlist=1
tools.elevated: enabled
hooks.webhooks: disabled
hooks.internal: disabled
browser control: enabled
trust model: personal assistant (one trusted operator boundary), not hostile multi-tenant on one shared gateway
```


### OpenClaw version

2026.3.2 (85377a2)

### Operating system

Windows 10 `10.0.19045` (RU locale)

### Install method

npm global


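An added example of the SID-based comparison suggested in the Notes (written for this page, not OpenClaw's own code): instead of matching the localized names that `icacls` prints, it parses the SDDL string that `icacls <path> /save <file>` writes, which carries SIDs and well-known two-letter aliases, and reports which principals other than SYSTEM and the current user hold write access. Reading the saved file is not shown; the user SID and the sample DACL are constructed placeholders.

```javascript
// Constructed sample (not from the issue): the DACL the reporter describes,
// as icacls /save would write it: inheritance off, SYSTEM and one user.
const USER_SID = "S-1-5-21-1-2-3-1001"; // placeholder for the current user's SID
const SAMPLE_SDDL = `D:PAI(A;;FA;;;SY)(A;;FA;;;${USER_SID})`;
// Well-known two-letter SDDL aliases mapped to the SIDs they stand for.
const SID_ALIASES = {
  SY: "S-1-5-18",     // NT AUTHORITY\SYSTEM, "СИСТЕМА" on a Russian Windows
  BA: "S-1-5-32-544", // BUILTIN\Administrators
  BU: "S-1-5-32-545", // BUILTIN\Users
  AU: "S-1-5-11",     // Authenticated Users
  WD: "S-1-1-0",      // Everyone
};
// SDDL rights aliases as file access masks; hex masks are parsed directly.
const RIGHTS = {
  FA: 0x1f01ff, FR: 0x120089, FW: 0x120116, FX: 0x1200a0,
  GA: 0x10000000, GR: 0x80000000, GW: 0x40000000, GX: 0x20000000,
  SD: 0x10000, RC: 0x20000, WD: 0x40000, WO: 0x80000,
};
// Bits that let the holder change the file, its attributes or its ACL.
const WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 |
  0x40000000 | 0x10000000;

function rightsMask(field) {
  if (field.startsWith("0x")) return parseInt(field, 16) >>> 0;
  let mask = 0;
  for (let i = 0; i + 2 <= field.length; i += 2) {
    mask |= RIGHTS[field.slice(i, i + 2)] ?? 0; // unknown aliases ignored
  }
  return mask >>> 0;
}

// Parse the DACL part, "D:PAI(A;;FA;;;SY)(...)", into one object per ACE.
function parseDacl(sddl) {
  const dacl = sddl.match(/D:[^(]*((?:\([^)]*\))*)/);
  if (!dacl) return [];
  return [...dacl[1].matchAll(/\(([^)]*)\)/g)].map(([, body]) => {
    const [type, flags, rights, , , sid] = body.split(";");
    return { allow: type === "A", inherited: flags.includes("ID"),
             mask: rightsMask(rights), sid: SID_ALIASES[sid] ?? sid };
  });
}

// SIDs outside the trusted set (current user plus SYSTEM) that can write.
// An empty result means the "writable by others" finding should not fire.
function untrustedWriters(sddl, trustedSids) {
  const trusted = new Set(["S-1-5-18", ...trustedSids]);
  return parseDacl(sddl)
    .filter((ace) => ace.allow && (ace.mask & WRITE_BITS) !== 0)
    .map((ace) => ace.sid)
    .filter((sid) => !trusted.has(sid));
}
```

Because the comparison is on SIDs, the same DACL classifies identically whether the name column reads `SYSTEM`, `СИСТЕМА` or mojibake.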
Labels: bug (Something isn't working), bug:behavior (Incorrect behavior without a crash), dedupe:parent (Primary canonical item in dedupe cluster), security (Security documentation)
