security: add mDNS discovery config to reduce information disclosure #1882
Merged
steipete merged 2 commits into openclaw:main from Jan 26, 2026
mDNS broadcasts can expose sensitive operational details like filesystem paths (cliPath) and SSH availability (sshPort) to anyone on the local network. This information aids reconnaissance and should be minimized for gateways exposed beyond trusted networks.

Changes:
- Add discovery.mdns.enabled config option to disable mDNS entirely
- Add discovery.mdns.minimal option to omit cliPath/sshPort from TXT records
- Update security docs with operational security guidance

Minimal mode still broadcasts enough for device discovery (role, gatewayPort, transport) while omitting details that help map the host environment. Apps that need CLI path can fetch it via the authenticated WebSocket.
Contributor
Landed via temp rebase onto main.
Thanks @orlyjamie!
Contributor, Author
Likewise thanks @steipete
tyler6204 added a commit that referenced this pull request Jan 27, 2026
mDNS broadcasts can expose sensitive operational details like filesystem paths (cliPath) and SSH availability (sshPort) to anyone on the local network. This information aids reconnaissance and should be minimized for gateways exposed beyond trusted networks.
Example..
https://www.shodan.io/search?query=clawdbot

Changes:
Minimal mode still broadcasts enough for device discovery (role, gatewayPort, transport) while omitting details that help map the host environment. Apps that need CLI path can fetch it via the authenticated WebSocket.
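
The effect of the two options described in this PR can be checked at the TXT-record level. The following is an added example, not code from the openclaw repository: it builds the TXT pairs for each mode, encodes them in DNS-SD wire format, and audits the result for the fields the PR calls sensitive. The type names, function names and `SAMPLE` values are assumptions; only the key names (role, gatewayPort, transport, cliPath, sshPort) and the `enabled`/`minimal` options come from the PR text.

```typescript
// Added example, not openclaw code. Key names come from the PR text; types,
// function names and SAMPLE values are assumptions constructed for illustration.
type MdnsConfig = { enabled: boolean; minimal: boolean };
type GatewayInfo = { role: string; gatewayPort: number; transport: string; cliPath?: string; sshPort?: number };
type TxtPair = [string, string];

const SENSITIVE_KEYS = ["clipath", "sshport"]; // lower-cased: DNS-SD keys are case-insensitive
const SAMPLE: GatewayInfo = { role: "gateway", gatewayPort: 8443, transport: "ws", cliPath: "/opt/example/bin/cli", sshPort: 22 };

// TXT pairs to advertise, or null when discovery.mdns.enabled is false.
function buildTxt(cfg: MdnsConfig, info: GatewayInfo): TxtPair[] | null {
  if (!cfg.enabled) return null;
  const txt: TxtPair[] = [
    ["role", info.role],
    ["gatewayPort", String(info.gatewayPort)],
    ["transport", info.transport],
  ];
  if (!cfg.minimal) {
    if (info.cliPath !== undefined) txt.push(["cliPath", info.cliPath]);
    if (info.sshPort !== undefined) txt.push(["sshPort", String(info.sshPort)]);
  }
  return txt;
}

// DNS-SD TXT RDATA (RFC 6763, section 6): a sequence of strings, each one
// length byte followed by "key=value". ASCII only, to keep the example short.
function encodeTxt(txt: TxtPair[]): number[] {
  const out: number[] = [];
  for (const [k, v] of txt) {
    const s = `${k}=${v}`;
    if (s.length > 255) throw new Error(`TXT string too long: ${k}`);
    out.push(s.length);
    for (let i = 0; i < s.length; i++) out.push(s.charCodeAt(i));
  }
  return out;
}

// Parses TXT RDATA as seen on the wire and returns the sensitive keys it carries.
function auditTxt(rdata: number[]): string[] {
  const found: string[] = [];
  for (let i = 0; i < rdata.length; ) {
    const len = rdata[i];
    if (i + 1 + len > rdata.length) throw new Error("truncated TXT string");
    const key = String.fromCharCode(...rdata.slice(i + 1, i + 1 + len)).split("=")[0];
    if (SENSITIVE_KEYS.indexOf(key.toLowerCase()) !== -1) found.push(key);
    i += 1 + len;
  }
  return found;
}
```

Running `auditTxt` over TXT data captured from the local network gives a quick regression check that a gateway configured for minimal mode is not still advertising cliPath or sshPort.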