Security & Identity
TL;DR: Sam runs with several security settings intentionally relaxed for ease of use — including disabled device auth and an all-open proxy trust policy. Credentials are stored as plain text in a workspace file. A pairing request from Christian (CTO) has been pending since March 16.
See Security Concerns for risk assessment and recommended fixes.
Device Identity
Sam's gateway has a cryptographic identity:
| Property | Value |
|---|---|
| Device ID | f924133d...f9950f1 (redacted) |
| Key type | Ed25519 (EdDSA) |
| Public key | -----BEGIN PUBLIC KEY----- MCowBQYDK2VwAyEAtlibUJm1f5lQO+/x6LEm4x3... |
| Created at | March 3, 2026 (bootstrap) |
| Role | Operator |
| Scopes | operator.admin, operator.approvals, operator.pairing |
The private key is stored in .openclaw/identity/device.json. The operator token is in .openclaw/identity/device-auth.json.
Gateway Authentication
The gateway uses static token authentication:
```json
"gateway": {
  "auth": {
    "mode": "token",
    "token": "dd6b9c...fad90c1" // redacted
  }
}
```

This token is:
- Required for all gateway API calls
- Set as the environment variable `OPENCLAW_GATEWAY_TOKEN` in the startup script
- Also embedded in `openclaw.json` — visible to anyone who can read the config file
Control UI Settings ⚠️
Two settings in the gateway config are security-relevant:
```json
"controlUi": {
  "allowedOrigins": ["https://myclaw.ai", "http://localhost:18789"],
  "allowInsecureAuth": true,
  "dangerouslyDisableDeviceAuth": true
}
```

| Setting | Value | What It Means |
|---|---|---|
| `allowInsecureAuth` | `true` | Allows auth flows over HTTP (not just HTTPS) |
| `dangerouslyDisableDeviceAuth` | `true` | Skips device pairing verification for Control UI access |
| `allowedOrigins` | myclaw.ai + localhost | Control UI CORS — the myclaw.ai origin is allowed |
These settings are likely enabled so the myclaw.ai web interface can connect to the local gateway without requiring full device pairing.
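A small config audit that flags exactly the settings this page calls out, written here as an added example rather than OpenClaw's own tooling. The nesting of every key under `gateway`, the token placeholder, and the object form used for an indirect secret reference in the hardened variant are assumptions, not the deployment's real file or the project's documented schema.

```python
from __future__ import annotations

import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the settings described on this page. The nesting
# (everything under "gateway") and the token value are assumptions.
RELAXED_CONFIG = json.loads("""
{
  "gateway": {
    "auth": {"mode": "token", "token": "TOKEN-PLACEHOLDER"},
    "controlUi": {
      "allowedOrigins": ["https://myclaw.ai", "http://localhost:18789"],
      "allowInsecureAuth": true,
      "dangerouslyDisableDeviceAuth": true
    },
    "trustedProxies": ["0.0.0.0/0"]
  }
}
""")

# The same deployment with each relaxed setting tightened. The object form of
# "token" stands in for an indirect secret reference; its shape is invented here.
HARDENED_CONFIG = json.loads("""
{
  "gateway": {
    "auth": {"mode": "token", "token": {"secretRef": "env:OPENCLAW_GATEWAY_TOKEN"}},
    "controlUi": {
      "allowedOrigins": ["https://myclaw.ai", "http://localhost:18789"],
      "allowInsecureAuth": false,
      "dangerouslyDisableDeviceAuth": false
    },
    "trustedProxies": ["192.0.2.10/32"]
  }
}
""")


def _is_loopback_origin(origin: str) -> bool:
    host = urlsplit(origin).hostname
    return host in {"localhost", "127.0.0.1", "::1"}


def audit_gateway_config(config: dict) -> list[dict]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    gw = config.get("gateway", {})
    findings = []

    # A literal string token means the secret lives in the config file itself.
    auth = gw.get("auth", {})
    if auth.get("mode") == "token" and isinstance(auth.get("token"), str):
        findings.append({"severity": "high", "path": "gateway.auth.token",
                         "message": "static token is a literal string in the config file"})

    ui = gw.get("controlUi", {})
    if ui.get("allowInsecureAuth") is True:
        findings.append({"severity": "medium", "path": "gateway.controlUi.allowInsecureAuth",
                         "message": "auth flows permitted over plain HTTP"})
    if ui.get("dangerouslyDisableDeviceAuth") is True:
        findings.append({"severity": "high", "path": "gateway.controlUi.dangerouslyDisableDeviceAuth",
                         "message": "device pairing verification skipped for Control UI"})
    # Plain-HTTP origins are tolerated only for loopback (local development).
    for i, origin in enumerate(ui.get("allowedOrigins", [])):
        if origin.startswith("http://") and not _is_loopback_origin(origin):
            findings.append({"severity": "medium", "path": f"gateway.controlUi.allowedOrigins[{i}]",
                             "message": f"non-loopback origin served over HTTP: {origin}"})

    # A /0 network makes every peer a "trusted proxy".
    for i, cidr in enumerate(gw.get("trustedProxies", [])):
        path = f"gateway.trustedProxies[{i}]"
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append({"severity": "low", "path": path, "message": f"unparseable CIDR: {cidr}"})
            continue
        if net.prefixlen == 0:
            findings.append({"severity": "high", "path": path,
                             "message": "every peer is treated as a trusted proxy"})
    return findings


if __name__ == "__main__":
    for f in audit_gateway_config(RELAXED_CONFIG):
        print(f"[{f['severity']}] {f['path']}: {f['message']}")
    print("hardened findings:", audit_gateway_config(HARDENED_CONFIG))
```

Run against the relaxed sample it reports four findings (the literal token, both Control UI flags, and the `/0` proxy range); the hardened sample comes back clean, which is the state to aim for before the myclaw.ai integration is considered done.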
Trusted Proxies ⚠️
```json
"trustedProxies": ["0.0.0.0/0"]
```

This tells the gateway to trust forwarded headers (`X-Forwarded-For`, `X-Real-IP`) from any IP address. In a normal deployment, you'd restrict this to your actual proxy/load balancer IP.
With `0.0.0.0/0`, any incoming request can spoof its source IP by setting forwarded headers. On a LAN-only deployment this is lower risk, but it should still be tightened.
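To make the difference concrete, here is the standard proxy-aware client-address resolution as an added example (not OpenClaw's implementation): the forwarded chain is walked from the nearest hop outward and only hops inside the trusted ranges are discarded. The addresses are constructed from the RFC 5737 documentation ranges; `192.0.2.10` stands in for the real reverse proxy.

```python
from __future__ import annotations

import ipaddress

# Constructed addresses from the RFC 5737 documentation ranges: 192.0.2.10 plays the
# real reverse proxy, 203.0.113.7 an arbitrary internet peer, 198.51.100.23 a real client.
REAL_PROXY = "192.0.2.10"


def _trusted(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr: str, x_forwarded_for: str | None,
                      trusted_proxies: list[str]) -> str:
    """Derive the client address the way a proxy-aware server should.

    The X-Forwarded-For chain is walked right to left; each hop that is a trusted
    proxy is discarded and the first untrusted hop is the client. If the socket peer
    itself is not a trusted proxy the header is ignored, because anyone could have set it.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in trusted_proxies]
    if not x_forwarded_for or not _trusted(remote_addr, networks):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _trusted(hop, networks):
                return hop
        except ValueError:  # malformed entry: fall back to the socket peer
            return remote_addr
    # Every hop was "trusted". With 0.0.0.0/0 this branch always runs, so whoever
    # wrote the header picks the address the gateway will believe.
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    claimed = "10.0.0.1"  # a LAN address an internet peer merely claims to be
    print(resolve_client_ip("203.0.113.7", claimed, ["0.0.0.0/0"]))                    # 10.0.0.1
    print(resolve_client_ip("203.0.113.7", claimed, [f"{REAL_PROXY}/32"]))             # 203.0.113.7
    print(resolve_client_ip(REAL_PROXY, "198.51.100.23", [f"{REAL_PROXY}/32"]))        # 198.51.100.23
    print(resolve_client_ip(REAL_PROXY, f"{claimed}, 198.51.100.23", [f"{REAL_PROXY}/32"]))  # 198.51.100.23
```

The first call shows the failure mode the page describes: with `0.0.0.0/0` a direct internet peer is treated as a proxy, so the gateway believes the header and logs a LAN address. With the range pinned to the real proxy, the same header is ignored from a direct peer, and a forged entry the client prepends before the proxy appends the real address is skipped over.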
Slack Channel Access
| Setting | Value |
|---|---|
| `groupPolicy` | allowlist — only approved channels/groups |
| `allowFrom` | Only U06BQPTAE1H (John Levan) |
| `userTokenReadOnly` | true — can read but not act as user |
The Slack allow-from list is stored in .openclaw/credentials/slack-default-allowFrom.json:
```json
{ "allowFrom": ["U06BQPTAE1H"] }
```

Only John can initiate conversations with Sam via Slack DM.
Pending Device Pairing Request
.openclaw/credentials/slack-pairing.json shows a pending pairing request:
```json
{
  "requests": [{
    "id": "U0A5ZP3MW9E",
    "code": "ULFHGL9K",
    "createdAt": "2026-03-16T15:30:13.559Z",
    "meta": {
      "name": "Christian Jimenez",
      "accountId": "default"
    }
  }]
}
```

Christian Jimenez (CTO, U0A5ZP3MW9E) initiated a pairing request on March 16, 2026 at 3:30 PM. It has been pending for 3+ days (as of March 19).
This pairing request would give Christian the ability to message Sam directly. It has not been approved (no pending.json entry, no paired.json entry for Christian).
Action needed: John should decide whether to approve Christian's access. Given Christian's role as CTO and his involvement in the Sam decomposition project, approving seems appropriate.
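The "pending for N days" check above is easy to automate so a stale request is noticed without someone reading the file. The following is an added example, not OpenClaw's code: it reads constructed copies of the two file shapes shown on this page (the pairing code and paired-device key are placeholders) and reports requests older than a threshold that have no matching approval. That an approved request would appear in `paired.json` under the same id is an assumption.

```python
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed copies of the two files' shapes as shown on this page. The pairing code
# and the paired device key are placeholders, not the deployment's values.
SLACK_PAIRING_JSON = """
{"requests": [{"id": "U0A5ZP3MW9E", "code": "CODE-PLACEHOLDER",
               "createdAt": "2026-03-16T15:30:13.559Z",
               "meta": {"name": "Christian Jimenez", "accountId": "default"}}]}
"""
PAIRED_JSON = """
{"DEVICE-ID-PLACEHOLDER": {"platform": "linux", "clientId": "gateway-client",
                           "clientMode": "backend", "role": "operator",
                           "scopes": ["operator.admin", "operator.approvals", "operator.pairing"]}}
"""


def _parse_iso8601(ts: str) -> datetime:
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 onward.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_pairing_requests(pairing: dict, paired: dict, now: datetime,
                           max_age: timedelta) -> list[dict]:
    """List pending requests older than max_age whose requester is not already paired.

    Assumes an approved request would be recorded in paired.json under the same id
    (the page notes no such entry exists for Christian).
    """
    stale = []
    for req in pairing.get("requests", []):
        if req["id"] in paired:
            continue
        age = now - _parse_iso8601(req["createdAt"])
        if age > max_age:
            stale.append({"id": req["id"],
                          "name": req.get("meta", {}).get("name", "<unknown>"),
                          "age_days": age.days})
    return stale


def stale_report(now_iso: str, max_age_days: int) -> list[dict]:
    """Run the check over the constructed files for a given reference time."""
    return stale_pairing_requests(json.loads(SLACK_PAIRING_JSON), json.loads(PAIRED_JSON),
                                  _parse_iso8601(now_iso), timedelta(days=max_age_days))


if __name__ == "__main__":
    for r in stale_report("2026-03-19T18:00:00Z", 2):
        print(f"{r['id']} ({r['name']}) pending for {r['age_days']} days: approve or reject")
```

Pointing `stale_report` at the real `.openclaw/credentials/slack-pairing.json` and `.openclaw/devices/paired.json` (instead of the inline samples) and running it on a schedule turns the approve-or-reject decision into a prompt rather than something found during a review.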
Credential Storage
All API credentials are stored in plain text in the workspace:
File: .openclaw/workspace/.env.credentials
Contents (from TOOLS.md, not the actual file):
- `POSTHOG_API_KEY` (project key, `phc_` prefix)
- `POSTHOG_PERSONAL_API_KEY` (personal key, `phx_` prefix — for queries)
- `META_ACCESS_TOKEN`
- `BRAZE_API_KEY`
- `NORTHBEAM_API_KEY`
- `LOOKER_CLIENT_ID`, `LOOKER_CLIENT_SECRET`
- `GITHUB_PAT_TAGIATELLE` (and 3 other PATs)
- Higgsfield API key + secret
- Shotstack API key + owner ID
- Zendesk API token
Also in workspace:
- `.env.northbeam` — additional NorthBeam credentials
- `config/google/credentials.json` — Google OAuth app credentials
- `config/google/token.json` — John's work Gmail refresh token
- `config/google/token-personal.json` — John's personal Gmail refresh token
- `openclaw.json` — Slack bot token + app token
Risk: If the workspace directory is compromised, all service credentials are exposed. No secrets manager is configured. No credential rotation policy.
OpenClaw supports SecretRef objects for pulling credentials from env vars, files, or external vaults — but none of that is configured here.
Paired Devices
.openclaw/devices/paired.json:
```json
{
  "f924133d...": {
    "platform": "linux",
    "clientId": "gateway-client",
    "clientMode": "backend",
    "role": "operator",
    "scopes": ["operator.admin", "operator.approvals", "operator.pairing", "operator.read", "operator.write"]
  }
}
```

Only one paired device: the gateway itself (running as a backend client with operator privileges). No mobile apps, no desktop apps, no remote clients are paired.
See also: Security Concerns | Configuration