feat(security): add gateway network exposure check to doctor #2016

Merged
steipete merged 1 commit into openclaw:main from Alex-Alaniz:security/gateway-exposure-check
Jan 26, 2026

@Alex-Alaniz
Contributor

Summary

Adds security check to clawdbot doctor that warns users when their gateway is bound to a network interface without proper authentication.

923 Clawdbot instances are currently exposed on Shodan with no auth.

The Problem

While Clawdbot's onboarding flow has safeguards (defaulting to loopback and forcing auth when exposed), these checks:

  1. Only run during clawdbot onboard - not on config edits or startup
  2. Can be bypassed via CLI flags (--bind all) or manual config editing
  3. Don't warn existing users who may have misconfigured setups

Changes

Adds to src/commands/doctor-security.ts:

  • CRITICAL warning if bind ∈ {all, lan, 0.0.0.0} AND auth.mode == off
  • CRITICAL warning if exposed with empty token/password
  • WARNING if exposed with auth (reminder to keep credentials secure)
  • Provides actionable fix commands in warning messages

Test Plan

# Test with dangerous config
clawdbot config set gateway.bind all
clawdbot config set gateway.auth.mode off
clawdbot doctor
# Expected: CRITICAL warning about network exposure

# Test with safe config
clawdbot config set gateway.bind loopback
clawdbot doctor
# Expected: No network exposure warning

# Test with exposed but auth'd
clawdbot config set gateway.bind all
clawdbot config set gateway.auth.mode token
clawdbot doctor --fix  # Should generate token
clawdbot doctor
# Expected: WARNING (not critical) about network exposure

Related


🤖 Generated with Claude Code
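
The severity rules listed under "Changes" can be written as one pure function over the gateway config. This is an added example, not the code merged in this pull request: the config shape, the "password" mode name, the fail-closed defaults and the choice of fix strings (reused from the test plan commands) are assumptions.

```typescript
// Added illustration, not the code in src/commands/doctor-security.ts.
// Assumed: config shape (from the gateway.* keys in the test plan), a "password" mode.
interface GatewayConfig {
  bind?: string;
  auth?: { mode?: string; token?: string; password?: string };
}

interface Finding {
  severity: "critical" | "warning";
  message: string;
  fix?: string;
}

// Bind values the PR description treats as network-exposed.
const EXPOSED_BINDS: readonly string[] = ["all", "lan", "0.0.0.0"];

function checkGatewayExposure(gateway: GatewayConfig): Finding | null {
  // An unset bind is read as loopback, the onboarding default named in the PR.
  const bind = (gateway.bind ?? "loopback").trim().toLowerCase();
  if (EXPOSED_BINDS.indexOf(bind) === -1) return null;

  // An unset auth mode is treated as "off" so a partial config fails closed.
  const mode = (gateway.auth?.mode ?? "off").trim().toLowerCase();
  if (mode === "off") {
    return {
      severity: "critical",
      message: `gateway.bind=${bind} with gateway.auth.mode=off`,
      fix: "clawdbot config set gateway.bind loopback",
    };
  }

  // A whitespace-only credential is as good as none.
  const secret = mode === "password" ? gateway.auth?.password : gateway.auth?.token;
  if (secret === undefined || secret.trim() === "") {
    return {
      severity: "critical",
      message: `gateway.bind=${bind} with an empty ${mode} credential`,
      fix: "clawdbot doctor --fix",
    };
  }

  return {
    severity: "warning",
    message: `gateway.bind=${bind} is network-reachable; keep the ${mode} credential secret`,
  };
}

// Constructed sample: the "dangerous config" case from the test plan.
console.log(checkGatewayExposure({ bind: "all", auth: { mode: "off" } }));
```

Keeping the check free of I/O means the same function can run from doctor, at startup and after a config edit, which are the paths the description says the onboarding safeguards miss.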

thewilloftheshadow added a commit that referenced this pull request Jan 26, 2026
@thewilloftheshadow
Member

Squash-merged into main.

  • Squash commit: 5c231fc
  • Included: doctor gateway exposure check + changelog thanks
  • Tests: pnpm lint && pnpm build && pnpm test (lint failed due to existing src/line/* type errors)

@steipete self-assigned this Jan 26, 2026
@sebslight added the labels gateway (Gateway runtime), cli (CLI command changes) and security (Security documentation), and removed the label gateway (Gateway runtime) Jan 26, 2026
@steipete force-pushed the security/gateway-exposure-check branch from 889d386 to 3c08f86 January 26, 2026 15:43
@steipete merged commit 8b68cdd into openclaw:main Jan 26, 2026
39 of 43 checks passed
@steipete
Contributor

Landed via temp rebase onto main.

  • Gate: pnpm lint && pnpm build && pnpm test
  • Land commit: ${land_sha}
  • Merge commit: ${merge_sha}

Thanks @Alex-Alaniz!

@steipete
Contributor

Landed via temp rebase onto main.

  • Gate: pnpm lint && pnpm build && pnpm test
  • Land commit: 3c08f86
  • Merge commit: 8b68cdd

Thanks @Alex-Alaniz!

tyler6204 added a commit that referenced this pull request Jan 27, 2026
* fix(voice-call): validate provider credentials from env vars

The `validateProviderConfig()` function now checks both config values
AND environment variables when validating provider credentials. This
aligns the validation behavior with `resolveProvider()` which already
falls back to env vars.

Previously, users who set credentials via environment variables would
get validation errors even though the credentials would be found at
runtime. The error messages correctly suggested env vars as an
alternative, but the validation didn't actually check them.

Affects all three supported providers: Twilio, Telnyx, and Plivo.

Fixes