Appearance
Security Concerns
Most of these settings were chosen for convenience during initial setup. They're worth reviewing before expanding team access or connecting additional services.
Summary
| Concern | Severity | Easy Fix? |
|---|---|---|
dangerouslyDisableDeviceAuth: true | 🟡 Medium | Yes — toggle to false |
allowInsecureAuth: true | 🟡 Medium | Yes — toggle to false |
trustedProxies: 0.0.0.0/0 | 🟡 Medium | Yes — set actual proxy IP |
| Credentials in plain-text file | 🔴 High | Requires SecretRef migration |
Slack tokens in openclaw.json | 🟡 Medium | Move to secrets.providers |
| GitHub PATs with broad access | 🟡 Medium | Scope PATs per repo |
| Google refresh tokens on disk | 🔴 High | Store in secrets manager |
| Pending CTO pairing unapproved | 🟢 Low | Just approve it |
1. dangerouslyDisableDeviceAuth: true
What it means: The Control UI at http://localhost:18789 doesn't require device pairing to grant access. Anyone who can reach the gateway URL with the bearer token can access the Control UI.
Why it was probably enabled: myclaw.ai's web dashboard needs to connect to the gateway without going through a full device pairing flow on every session.
Risk: If the gateway token is compromised (it's in openclaw.json), full control UI access is available.
Fix:
json
"controlUi": {
"dangerouslyDisableDeviceAuth": false
}Then pair myclaw.ai properly as a device, or keep using this only in a trusted LAN environment.
2. allowInsecureAuth: true
What it means: Auth flows can proceed over HTTP (not just HTTPS). On a LAN-only gateway this is lower risk, but it means credentials could be intercepted if the network is compromised.
Fix:
json
"controlUi": {
"allowInsecureAuth": false
}3. Trusted Proxies 0.0.0.0/0
What it means: The gateway trusts forwarded headers (X-Forwarded-For, X-Real-IP) from ANY IP address. This means any client can spoof its source IP by sending these headers.
Risk: On a properly isolated LAN this is low risk. If the gateway is ever exposed through a proxy or reverse proxy, this is a serious problem.
Fix: Set to your actual proxy IP or remove entirely if no proxy is in front:
json
"trustedProxies": ["10.0.0.1"]Or remove the field entirely to use the default (no trusted proxies).
4. Credentials in Plain-Text File
What it means: .openclaw/workspace/.env.credentials contains API keys for 10+ services. Any process or person with access to the workspace directory can read all credentials.
Credentials at risk if file is compromised:
- PostHog API key (full analytics access)
- Braze API key (can read/write email/SMS to subscribers)
- Meta Ads access token (can spend money on ad campaigns)
- GitHub PATs (read access to 74 private FuturHealth repos)
- Looker credentials (read access to all business dashboards)
- NorthBeam API key (attribution data)
- Higgsfield + Shotstack API keys
- Zendesk API token
- Google OAuth credentials + refresh tokens
Rotation status: Unknown. No credential rotation policy observed.
Fix:
- Use OpenClaw's
secrets.providerswithsource: "env"to move secrets out of workspace files - Or at minimum: encrypt
.env.credentialsat rest - Rotate all keys now, especially GitHub PATs (which have access to 74 private repos)
5. Slack Tokens in openclaw.json
What it means: The Slack bot token (xoxb-...) and app token (xapp-...) are stored in plain text in openclaw.json.
Risk: openclaw.json is the main config file. If it's exposed (backup sent to someone, config exported), Slack tokens are visible.
Fix: Use SecretRef:
json
"channels": {
"slack": {
"botToken": { "source": "env", "provider": "default", "id": "SLACK_BOT_TOKEN" }
}
}6. GitHub PATs with Broad Access
What it means: GITHUB_PAT_TAGIATELLE has access to all 74 FuturHealth private repos. This token is used for routine GitHub monitoring of 4 repos.
Risk: If this PAT is compromised, an attacker has read access to all 74 FuturHealth private repos including payments, care systems, and new app code.
Fix: Create a scoped PAT that only has access to the 4 monitoring repos (funnel, funnel-cms, landing-pages, checkout). Keep TAGIATELLE as a backup with broad access stored separately.
7. Google Refresh Tokens on Disk
What it means: config/google/token.json and config/google/token-personal.json contain OAuth refresh tokens for John's work and personal Gmail accounts. These auto-renew indefinitely.
Risk: If these files are compromised, an attacker has persistent access to John's email and calendar until the tokens are explicitly revoked.
Fix:
- Move these files outside the workspace directory
- Or encrypt them
- Set up a process to rotate them periodically (manual revoke + re-auth)
8. Pending CTO Pairing
Status: Not a security risk — it's a pending request from Christian Jimenez (CTO).
The pairing request from March 16 has not been approved. Christian is actively working on the decomposition project and needs access.
Action: John should approve or deny via openclaw devices list and openclaw devices approve.
Current Risk Summary
For a single-user Slack-connected agent on a LAN:
- Immediate risk: Low (gateway isn't exposed to internet, only John has Slack access)
- As team access expands: Medium (Christian's pairing + potential other team members)
- If server is compromised: High (all 10+ service credentials are exposed)
The security posture is appropriate for an individual's personal agent. It needs hardening before it becomes a team-facing system.
See also: Security & Identity | Configuration | Migration Plan