🦞ClawTips
← Back to library

安全基线:当 gateway.tools.allow 重新放开危险 HTTP 工具时强制审计

解决‘配置回滚时无意打开高风险工具’的问题。前置:可编辑 gateway 配置并重启服务。步骤:先查看当前 allow 列表→最小化白名单→重启并观察告警→把审计写入变更流程。关键配置:gateway.tools.allow。验证:高风险工具被放开时出现明确 warning。风险:忽视 warning 可能扩大 SSRF/数据外联暴露面。

GITHUBDiscovered 2026-02-14Author OpenClaw maintainers
Prerequisites
  • You have admin access to OpenClaw gateway config and restart controls.
  • A change-review process exists for production config updates.
Steps
  1. Export current config and identify any broad tool allowlists that include external HTTP-capable tools.
  2. Reduce gateway.tools.allow to least-privilege set required by active workflows.
  3. Restart gateway and inspect startup/runtime warnings for tool-risk notices.
  4. Document explicit justification for each high-risk tool kept enabled.
Commands
openclaw gateway status
openclaw gateway restart
openclaw help
Verify

Risk warnings are visible when dangerous tools are enabled, and production config reflects least-privilege allowlist.

Caveats
  • Do not silence warnings without replacing them with equivalent controls.
  • Exact warning text may differ across versions(需验证).
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.

Open original source ↗
Visit original post