Exec stderr may leak secrets: add a redaction layer plus command-level avoidance strategies

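Problem/scenario: the exec tool's stderr/stdout enters the model context, and the model may send it back verbatim to Telegram/Discord, leaking secrets. Preconditions: a command fails or prints sensitive information (token, Bearer, connection string). Implementation steps: first suppress sensitive stderr on the command side → add regex redaction rules on the gateway side → enable minimal output and auditing for high-risk commands. Key configuration: `exec.sanitizePatterns` (proposal). Verification: after constructing an error that contains a fake token, the reply delivered to the user no longer shows the plaintext secret. Risk: over-redaction loses diagnostic information, so it has to be balanced against observability. Source: cross-validated from Issue #21457 + OpenClaw docs (web tool security section).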

GITHUB | Discovered 2026-02-20 | Author iris-blufix
Prerequisites
  • Your workflow uses exec for shell commands and forwards model replies to external channels.
  • You can modify gateway config or at least enforce command-level output controls.
Steps
  1. Identify high-risk commands (env dumps, auth tests, failing scripts) and avoid exposing their raw stderr to users.
  2. Apply command hygiene: redirect noisy stderr (`2>/dev/null`) or scrub it with safe filters before returning text.
  3. Add or plan sanitizer patterns for secrets (`token/password/authorization/Bearer`) at the gateway output boundary.
  4. Run a red-team test with fake secrets and verify that channel replies contain only redacted placeholders.
Commands
some_command_that_may_fail 2>/dev/null
openclaw gateway status
openclaw help
Verify

Injected fake credentials in stderr never appear in final Telegram/Discord replies.
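
Steps 2 and 4 as one runnable sketch: a command-level wrapper that scrubs merged stdout/stderr before the text is returned, exercised against a constructed failing command. This is an added example, not OpenClaw code; the function names (`redact_secrets`, `safe_exec`, `fake_failing_cmd`) and the regex patterns are assumptions for illustration, not the proposed `exec.sanitizePatterns` values.

```shell
#!/bin/sh
# Added example; patterns are illustrative assumptions, not OpenClaw's
# exec.sanitizePatterns. All secret values below are constructed fakes.

# Redact common secret shapes read from stdin. Order matters: a whole
# Authorization header value first, then bare Bearer tokens, key=value
# pairs, and finally passwords embedded in connection URLs.
redact_secrets() {
  sed -E \
    -e 's#([Aa]uthorization[[:space:]]*:[[:space:]]*).*#\1[REDACTED]#' \
    -e 's#([Bb]earer[[:space:]]+)[A-Za-z0-9._~+/=-]+#\1[REDACTED]#g' \
    -e 's#(([Tt]oken|[Pp]assword|[Ss]ecret|[Aa]pi[_-]?[Kk]ey)"?[[:space:]]*[=:][[:space:]]*)[^[:space:]&,;]+#\1[REDACTED]#g' \
    -e 's#([a-z][a-z0-9+.-]*://[^:/@[:space:]]+:)[^@/[:space:]]+@#\1[REDACTED]@#g'
}

# Run a command with stderr merged into stdout, return only redacted
# text, and preserve the exit status so failures stay visible.
safe_exec() {
  _status=0
  _out=$("$@" 2>&1) || _status=$?
  printf '%s\n' "$_out" | redact_secrets
  return "$_status"
}

# Constructed failing command that prints fake credentials to stderr.
fake_failing_cmd() {
  {
    echo 'curl: (22) 401 for header Authorization: Bearer FAKE.jwt.value'
    echo 'retrying with api_key=FAKE-KEY-123&region=eu'
    echo 'connect failed: postgres://app:FAKE-db-pass@db.example.internal:5432/app'
    echo 'hint: check network reachability'
  } >&2
  return 3
}

# Demo: the redacted text is printed and the failure status is reported.
safe_exec fake_failing_cmd || echo "(exit status $?)"
```

Unlike `2>/dev/null`, the wrapper keeps the non-secret diagnostic lines and the exit status, so the model still sees that the command failed and why.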

Caveats
  • If the sanitizer is regex-only, novel secret formats can still bypass filtering (needs verification).
  • Do not disable diagnostics globally; keep secured operator logs for incident response.
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
