moltbot-security

AI 代理的安全强化 - Moltbot、OpenClaw、Cursor、Claude。锁定网关、修复权限、身份验证、防火墙。对于振动编码设置至关重要。

# Moltbot Security Guide

Your Moltbot gateway was designed for local use. When exposed to the internet without proper security, attackers can access your API keys, private messages, and full system access.

**Based on:** Real vulnerability research that found 1,673+ exposed OpenClaw/Moltbot gateways on Shodan.

---

## TL;DR - The 5 Essentials

1. **Bind to loopback** — Never expose gateway to public internet
2. **Set auth token** — Require authentication for all requests
3. **Fix file permissions** — Only you should read config files
4. **Update Node.js** — Use v22.12.0+ to avoid known vulnerabilities
5. **Use Tailscale** — Secure remote access without public exposure

---

## What Gets Exposed (The Real Risk)

When your gateway is publicly accessible:
- Complete conversation histories (Telegram, WhatsApp, Signal, iMessage)
- API keys for Claude, OpenAI, and other providers
- OAuth tokens and bot credentials
- Full shell access to host machine

**Prompt injection attack example:** An attacker sends you an email with hidden instructions. Your AI reads it, extracts your recent emails, and forwards summaries to the attacker. No hacking required.

---

## Quick Security Audit

Run this to check your current security posture:

```bash
openclaw security audit --deep
```

Auto-fix issues:

```bash
openclaw security audit --deep --fix
```

---

## Step 1: Bind Gateway to Loopback Only

**What this does:** Prevents the gateway from accepting connections from other machines.

Check your `~/.openclaw/openclaw.json`:

```json
{
  "gateway": {
    "bind": "loopback"
  }
}
```

**Options:**
- `loopback` — Only accessible from localhost (most secure)
- `lan` — Accessible from local network only
- `auto` — Binds to all interfaces (dangerous if exposed)

---

## Step 2: Set Up Authentication

**Option A: Token Authentication (Recommended)**

Generate a secure token:

```bash
openssl rand -hex 32
```

Add to your config:

```json
{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "your-64-char-hex-token-here"
    }
  }
}
```

Or set via environment:

```bash
export CLAWDBOT_GATEWAY_TOKEN="your-secure-random-token-here"
```

**Option B: Password Authentication**

```json
{
  "gateway": {
    "auth": {
      "mode": "password"
    }
  }
}
```

Then:

```bash
export CLAWDBOT_GATEWAY_PASSWORD="your-secure-password-here"
```

---

## Step 3: Lock Down File Permissions

**What this does:** Ensures only you can read sensitive config files.

```bash
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json
chmod 700 ~/.openclaw/credentials
```

**Permission meanings:**
- `700` = Only owner can access folder
- `600` = Only owner can read/write file

Or let OpenClaw fix it:

```bash
openclaw security audit --fix
```

---

## Step 4: Disable Network Broadcasting

**What this does:** Stops OpenClaw from announcing itself via mDNS/Bonjour.

Add to your shell config (`~/.zshrc` or `~/.bashrc`):

```bash
export CLAWDBOT_DISABLE_BONJOUR=1
```

Reload:

```bash
source ~/.zshrc
```

---

## Step 5: Update Node.js

Older Node.js versions have security vulnerabilities. You need **v22.12.0+**.

Check version:

```bash
node --version
```

**Mac (Homebrew):**
```bash
brew update && brew upgrade node
```

**Ubuntu/Debian:**
```bash
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
```

**Windows:** Download from [nodejs.org](https://nodejs.org/)

---

## Step 6: Set Up Tailscale (Remote Access)

**What this does:** Creates encrypted tunnel between your devices. Access OpenClaw from anywhere without public exposure.

**Install Tailscale:**

```bash
# Linux
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Mac
brew install tailscale
```

**Configure OpenClaw for Tailscale:**

```json
{
  "gateway": {
    "bind": "loopback",
    "tailscale": {
      "mode": "serve"
    }
  }
}
```

Now access via your Tailscale network only.

---

## Step 7: Firewall Setup (UFW)

**For cloud servers (AWS, DigitalOcean, Hetzner, etc.)**

**Install UFW:**
```bash
sudo apt update && sudo apt install ufw -y
```

**Set defaults:**
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
```

**Allow SSH (don't skip!):**
```bash
sudo ufw allow ssh
```

**Allow Tailscale (if using):**
```bash
sudo ufw allow in on tailscale0
```

**Enable:**
```bash
sudo ufw enable
```

**Verify:**
```bash
sudo ufw status verbose
```

⚠️ **Never do this:**
```bash
# DON'T - exposes your gateway publicly
sudo ufw allow 18789
```

---

## Step 8: SSH Hardening

**Disable password auth (use SSH keys):**

```bash
sudo nano /etc/ssh/sshd_config
```

Change:
```
PasswordAuthentication no
PermitRootLogin no
```

Restart:
```bash
sudo systemctl restart sshd
```

---

## Security Checklist

Before deploying:

- [ ] Gateway bound to `loopback` or `lan`
- [ ] Auth token or password set
- [ ] File permissions locked (600/700)
- [ ] mDNS/Bonjour disabled
- [ ] Node.js v22.12.0+
- [ ] Tailscale configured (if remote)
- [ ] Firewall blocking port 18789
- [ ] SSH password auth disabled

---

## Config Template (Secure Defaults)

```json
{
  "gateway": {
    "port": 18789,
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "YOUR_64_CHAR_HEX_TOKEN"
    },
    "tailscale": {
      "mode": "serve"
    }
  }
}
```

---

## Credits

Based on security research by [@NickSpisak_](https://x.com/NickSpisak_) who found 1,673+ exposed gateways on Shodan.

Original article: https://x.com/nickspisak_/status/2016195582180700592

---

## Installation

```bash
clawdhub install NextFrontierBuilds/moltbot, openclaw-security
```

Built by [@NextXFrontier](https://x.com/NextXFrontier)

---

## 中文说明

# Moltbot 安全指南

你的 Moltbot 网关原本是为本地使用而设计的。当它在没有适当安全防护的情况下暴露到互联网时，攻击者可以访问你的 API 密钥、私人消息以及完整的系统访问权限。

**基于：** 真实的漏洞研究，该研究在 Shodan 上发现了 1,673 个以上暴露在外的 OpenClaw/Moltbot 网关。

---

## TL;DR —— 五个必做事项

1. **绑定到回环地址（loopback）** —— 永远不要将网关暴露到公共互联网
2. **设置认证令牌** —— 要求所有请求都进行身份验证
3. **修复文件权限** —— 只有你才能读取配置文件
4. **更新 Node.js** —— 使用 v22.12.0+ 以避免已知漏洞
5. **使用 Tailscale** —— 在不公开暴露的情况下实现安全的远程访问

---

## 哪些内容会被暴露（真实风险）

当你的网关可被公开访问时：
- 完整的对话历史（Telegram、WhatsApp、Signal、iMessage）
- Claude、OpenAI 及其他服务商的 API 密钥
- OAuth 令牌和机器人凭据
- 对宿主机的完整 shell 访问权限

**提示词注入攻击示例：** 攻击者给你发送一封带有隐藏指令的邮件。你的 AI 读取它，提取你最近的邮件，并将摘要转发给攻击者。无需任何黑客手段。

---

## 快速安全审计

运行以下命令检查你当前的安全状况：

```bash
openclaw security audit --deep
```

自动修复问题：

```bash
openclaw security audit --deep --fix
```

---

## 第 1 步：仅将网关绑定到回环地址

**作用：** 阻止网关接受来自其他机器的连接。

检查你的 `~/.openclaw/openclaw.json`：

```json
{
  "gateway": {
    "bind": "loopback"
  }
}
```

**选项：**
- `loopback` —— 仅可从 localhost 访问（最安全）
- `lan` —— 仅可从本地网络访问
- `auto` —— 绑定到所有网络接口（如果暴露则非常危险）

---

## 第 2 步：设置身份验证

**选项 A：令牌认证（推荐）**

生成一个安全令牌：

```bash
openssl rand -hex 32
```

添加到你的配置中：

```json
{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "your-64-char-hex-token-here"
    }
  }
}
```

或通过环境变量设置：

```bash
export CLAWDBOT_GATEWAY_TOKEN="your-secure-random-token-here"
```

**选项 B：密码认证**

```json
{
  "gateway": {
    "auth": {
      "mode": "password"
    }
  }
}
```

然后：

```bash
export CLAWDBOT_GATEWAY_PASSWORD="your-secure-password-here"
```

---

## 第 3 步：锁定文件权限

**作用：** 确保只有你才能读取敏感的配置文件。

```bash
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json
chmod 700 ~/.openclaw/credentials
```

**权限含义：**
- `700` = 仅所有者可以访问该文件夹
- `600` = 仅所有者可以读写该文件

或者让 OpenClaw 来修复：

```bash
openclaw security audit --fix
```

---

## 第 4 步：禁用网络广播

**作用：** 阻止 OpenClaw 通过 mDNS/Bonjour 宣告自身的存在。

添加到你的 shell 配置中（`~/.zshrc` 或 `~/.bashrc`）：

```bash
export CLAWDBOT_DISABLE_BONJOUR=1
```

重新加载：

```bash
source ~/.zshrc
```

---

## 第 5 步：更新 Node.js

较旧的 Node.js 版本存在安全漏洞。你需要 **v22.12.0+**。

检查版本：

```bash
node --version
```

**Mac（Homebrew）：**
```bash
brew update && brew upgrade node
```

**Ubuntu/Debian：**
```bash
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
```

**Windows：** 从 [nodejs.org](https://nodejs.org/