
healthcheck: security audit falsely flags intentional group-level allowFrom wildcard as critical #48687

@dongzhenye

Description


Problem

The daily healthcheck:security-audit cron reports a NEW CRITICAL alert when a Telegram group has allowFrom: ["*"] configured at the group level — even when the top-level groupAllowFrom is correctly restricted to specific user IDs.

Steps to reproduce

Configure OpenClaw with the following structure:

{
  "channels": {
    "telegram": {
      "groupAllowFrom": ["<user_id>"],
      "groups": {
        "-100XXXXXXXXX": {
          "requireMention": true,
          "allowFrom": ["*"]
        }
      }
    }
  }
}

The top-level groupAllowFrom restricts access to one user. The group-level allowFrom: ["*"] is intentional — in a multi-person group, all members should be able to trigger the bot (e.g., after @mention).

Run the security audit. It will report:

🔴 NEW CRITICAL: Telegram group allowlist contains wildcard (*) — allows any group member to run commands

Expected behavior

The audit should distinguish between:

  • Dangerous: top-level groupAllowFrom: ["*"] (no user restriction at all)
  • Intentional: group-level allowFrom: ["*"] when top-level is already restricted

When top-level groupAllowFrom is already set to explicit user IDs, a group-level wildcard is not a security issue — it simply means all users who can access the bot can trigger it in that group (which is the typical desired behavior for multi-user groups with requireMention: true).

Suggested fix

Before flagging a group-level wildcard as critical, check whether groupAllowFrom at the top level is already restricted to specific users. If so, downgrade to info or suppress entirely.

Environment

  • OpenClaw version: 2026.3.13
  • Platform: macOS (arm64)
  • Channel: Telegram
