Skip to content
HomeNewsDeploy AI Agents Safely: How OneClickClaw Approaches Security Without the Hype

Subscribe to OpenClaw News

One short email when we publish. No spam, unsubscribe anytime.

ChatGPT Image May 20, 2026, 04 40 09 PM

Deploy AI Agents Safely: How OneClickClaw Approaches Security Without the Hype

May 20, 2026

OpenClaw Lays Out Its Security Roadmap: Filesystem Guardrails, Egress Control, and Plugin Trust

OpenClaw published a public note describing where its security work is heading, including a shared filesystem-safety library, a Node-level network egress router called Proxyline, stricter plugin trust on its ClawHub channel, smarter command-approval parsing, and a 148-rule static analysis pack. The team is explicit that some pieces are shipped, others are rolling out, and a few are still in research, and they want readers to know the difference.

OpenClaw is a local AI assistant that can read files, run shell commands, install plugins, and reach the network on the user's behalf. That level of access is the whole point, and also the whole problem. The new write-up is a rare thing in agent-land: a vendor distinguishing what is live from what is aspirational.

Filesystem boundaries: fs-safe and a planned SQLite move

The first piece is fs-safe, described as a shared library of root-bounded filesystem patterns that core code, plugins, and adjacent services can all use. It is currently in use. The post is careful to say fs-safe is not a sandbox: a plugin allowed to run arbitrary shell commands can still do arbitrary shell things. What fs-safe guards against is the class of bugs where code thinks it is writing inside one root and a symlink, absolute path, or sloppy archive extraction sends it somewhere else.

The intent is for ClawHub plugins to adopt these primitives as the expected pattern, with bypasses counting against a plugin's trust posture over time. Plugin authors should not have to reimplement boundary checks themselves.

Sitting behind that is a larger, in-flight refactor to move runtime state, including sessions, transcripts, scheduler state, and plugin state, into SQLite (a small embedded database) instead of loose files on disk. The team frames the security motivation simply: the safest filesystem call is the one you never make. The post does not give a target release date for this refactor.

command ast approval highlight evidence
The exec approval dialog surfacing highlighted inner commands inside a bash shell wrapper

Proxyline: moving network controls to the egress point

Server-side request forgery, or SSRF (an attacker tricking a service into fetching an internal URL), is harder to defend in an agent than in a normal web app. In a normal app, user-controlled URLs are the exception. In an agent, "fetch this URL because the model asked for it" is just normal work.

OpenClaw's team explains why pre-fetch URL validation alone is not enough: validation resolves DNS once, the actual fetch resolves DNS again, and the answer can change in between. A hostname that looked like a public IP at check time can resolve to a cloud metadata endpoint by the time the request leaves the machine.

Proxyline is their fix. It is a Node-process routing layer that installs process-global routing for Node's networking surfaces and sends traffic through a proxy the operator configures. The proxy, not Proxyline, is where the policy lives: block metadata addresses, block private ranges, block loopback canaries, and so on. As the post puts it: Proxyline routes, the proxy enforces.

The team is honest about the limits. Raw sockets, native modules, unusual transports, and non-OpenClaw child processes can still bypass a Node-level guardrail. For ordinary network paths, though, shifting the control point from "a wrapper remembered to validate" to "egress goes through a proxy policy" is a structural improvement.

fs safe boundary refusal evidence
The fs-safe smoke test blocking path traversal attempts with FsSafeError outside-workspace codes

ClawHub plugin trust

OpenClaw treats ClawHub as the authority for plugin trust and provenance when a plugin is installed from there. The pipeline mixes signals: ClawScan, VirusTotal, static analysis, metadata checks, source provenance, and manual moderation. The team is candid that none of this is magic, and that a scanner that screams about everything trains users to ignore it.

What ClawHub can do, that a purely local install flow cannot, is attach trust evidence to a specific package version: clean, suspicious, held, quarantined, revoked, or malicious. If a release is marked malicious and quarantined, the ClawHub install path should refuse it outright.

Plugins from GitHub, private registries, or files passed around between users will continue to exist, and OpenClaw is not trying to lock that down. Higher-trust tiers above the baseline, such as official packages and trusted publishers, are described as still being explored, not as live features. The exact product shape for scanning plugins that live outside ClawHub is also still open.

Command approvals: parsing wrappers and contextual review

The team names a problem most agent users will recognise: approval prompts arrive faster than anyone can read them, so users flip on YOLO mode (auto-approve everything) and the prompts stop meaning anything.

clawhub malicious install blocked compact evidence
ClawHub install refusing a plugin release flagged as malicious with quarantine status details

Two fixes are in motion. First, parsing. The shell approval path now inspects inner command chains inside common shell -c wrappers, so a policy that blocks rm is not bypassed by bash -c "rm -rf ~/something". A Tree-sitter based command highlighter surfaces what OpenClaw found inside those wrappers. PowerShell fails closed for forms the parser does not understand, with broader support on the roadmap.

Second, deciding when to ask. The team is experimenting with contextual approval, the goal being that prompts are rarer but actually meaningful when they appear.

For OpenAI users, OpenClaw exposes Auto Review, which it describes as a Codex-specific feature replacing manual approval at the sandbox boundary with a separate reviewer agent. For context the source does not provide: Codex is OpenAI's coding agent that runs locally on your computer, available as a CLI, IDE extension, and cloud product. In Codex's own model, automatic review does not change the sandbox boundary; it is one possible reviewer for approval requests at that boundary, such as sandbox escalations, blocked network access, or side-effecting tool calls that still need approval. That is the pattern OpenClaw appears to be plugging into for its OpenAI-routed users.

Static analysis: 148 rules and counting

The post acknowledges that OpenClaw has accumulated GitHub Security Advisories (the disclosure records GitHub uses for patched vulnerabilities) and that patching individual bugs is not enough. The team treats each advisory as evidence about a bug class and asks whether nearby code shares the same shape.

opengrep ghsa local rule hit evidence
OpenGrep static analysis rule firing on a permissive fallback pattern tied to a specific GHSA advisory

For that, they use OpenGrep, a pattern-based code scanner, with a precise rulepack. The checked-in pack currently has 148 rules, each tied to a specific advisory, report, or review finding. It runs on PR diffs in CI, with full scans available manually, and CodeQL runs alongside it for deeper semantic coverage. The team emphasises precision over recall on the grounds that a noisy rule is worse than no rule.

What This Means for You

If you run any local AI agent, OpenClaw or otherwise, the useful takeaway is the framework, not the specific features. When evaluating an agent, ask the vendor the same things OpenClaw asked itself:

  • Where does filesystem policy live? Is there a shared safe-IO library, or does every plugin reinvent it?

  • Where does network policy live? Is egress routed through a proxy you can monitor, or is it pre-fetch URL validation that DNS can defeat?

    proxy validation egress evidence
    Proxyline proxy validation passing allowed connections and blocking loopback addresses correctly
  • What does the plugin install path actually check? Is there a trust signal attached to specific versions, or just a name and a download count?

  • How are command approvals parsed? Will the agent see rm inside a bash -c wrapper, or only the outer command?

  • What happens after a security advisory is patched? Is there a regression rule, or did the fix land and the institutional memory disappear with it?

peter steinbergers openclaw. openclaw   p. steinberger

Helpful documentation

Get notified when we publish new articles

No spam, unsubscribe anytime.

By subscribing, you agree to our Privacy Policy.

OpenClaw Security Roadmap: Egress | OneClickClaw News