Lock down high-risk commands: /config and /debug require owner permission (PR #44305)
Problem/scenario: in a multi-user channel, a non-owner who accidentally or maliciously runs /config or /debug can leak configuration or put the service at risk. Prerequisite: OpenClaw is running in a group chat or shared channel. Implementation steps: 1) upgrade to a build that includes PR #44305; 2) try /config and /debug from a non-owner account; 3) run the same commands from the owner account; 4) check the denial and authorization logs. Key command: openclaw gateway status. Verification: the non-owner is denied, the owner runs the commands normally. Risks and boundaries: if the owner identity is misconfigured, the result can be "deny everyone" or wrongly allowing a non-owner. Source attribution: GitHub PR #44305.
Source: GitHub | Discovered: 2026-03-13 | Author: openclaw contributors
Prerequisites
- Your deployment has an explicit owner identity configured.
- You can test with at least one non-owner account in the same channel.
Steps
- Upgrade OpenClaw to a build that includes PR #44305.
- As a non-owner, run /config and /debug and capture the denial responses.
- As the owner, run the same commands to confirm the authorized path still works.
- Review the logs and document the expected behavior in the ops runbook.
Commands
openclaw gateway status
openclaw help
Verify
Only the owner can execute /config and /debug; non-owner attempts are blocked with clear feedback.
Caveats
- Shared bot accounts blur identity boundaries; avoid shared owner credentials.
- Channel-specific auth adapters may differ in how owner IDs are resolved (needs verification).
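The gate the steps above verify, written out as an added example so the two caveats are concrete. This is not OpenClaw's code and not the change in PR #44305; the channel names, the OwnerConfig shape, the isSharedAccount flag, the id-normalisation rules and every function name are assumptions. It shows the three behaviours a practitioner should check for: a missing owner list fails closed (denies everyone, never allows everyone), sender and owner ids are normalised the same way per channel so the real owner is not rejected over a prefix or case difference, and a shared or bot account is never accepted as owner. Each decision carries a JSON audit line for the log review step.

```typescript
// Added example (not OpenClaw's code): a fail-closed owner gate for privileged
// slash commands such as /config and /debug. Channel names, the OwnerConfig
// shape, the isSharedAccount flag and every function name are assumptions.

type Channel = "telegram" | "discord" | "slack";

interface Sender {
  channel: Channel;
  id: string;                // id exactly as the channel adapter reports it
  isSharedAccount?: boolean; // set by the adapter for bot/shared accounts (assumed)
}

interface OwnerConfig {
  // Owner ids per channel. A missing or empty list means "no owner configured".
  owners: Partial<Record<Channel, string[]>>;
}

interface Decision {
  allowed: boolean;
  reason: string;
  audit: string; // one JSON line suitable for the authorization log
}

const PRIVILEGED = new Set(["/config", "/debug"]);

// Adapters report ids in different shapes (mention syntax, "@" prefixes, mixed
// case). Normalising the configured owner and the sender the same way avoids
// rejecting the real owner over "U123" vs "u123" and avoids matching on a stray
// prefix. These rules are illustrative, not OpenClaw's.
function normalizeId(channel: Channel, raw: string): string {
  const s = raw.trim();
  switch (channel) {
    case "telegram": return s.replace(/^@/, "").toLowerCase();
    case "discord":  return s.replace(/^<@!?(\d+)>$/, "$1");
    case "slack":    return s.replace(/^<@([A-Za-z0-9]+)>$/, "$1").toUpperCase();
    default:         return s;
  }
}

// Preflight for the "owner identity misconfigured" caveat: returns the channels
// that would deny everyone because no owner id is set there.
function channelsWithoutOwner(cfg: OwnerConfig, channels: Channel[]): Channel[] {
  return channels.filter(c => (cfg.owners[c] ?? []).length === 0);
}

function gateCommand(cmd: string, sender: Sender, cfg: OwnerConfig): Decision {
  const name = cmd.trim().split(/\s+/)[0].toLowerCase();
  const decide = (allowed: boolean, reason: string): Decision => ({
    allowed,
    reason,
    audit: JSON.stringify({ cmd: name, channel: sender.channel, sender: sender.id, allowed, reason }),
  });

  if (!PRIVILEGED.has(name)) return decide(true, "command is not privileged");

  const owners = (cfg.owners[sender.channel] ?? []).map(o => normalizeId(sender.channel, o));
  // Fail closed: an unconfigured owner list denies everyone rather than
  // silently granting everyone.
  if (owners.length === 0) return decide(false, "no owner configured for channel");
  // A shared/bot account cannot prove that a single person is behind it.
  if (sender.isSharedAccount) return decide(false, "shared account cannot act as owner");

  const me = normalizeId(sender.channel, sender.id);
  if (!owners.includes(me)) return decide(false, "sender is not the channel owner");
  return decide(true, "sender is owner");
}

// Dry run mirroring the verification steps: one non-owner, then the owner.
// Constructed sample config; "@Alice" is an assumed owner handle.
const exampleConfig: OwnerConfig = { owners: { telegram: ["@Alice"], discord: ["1234"] } };
const trial: Sender[] = [
  { channel: "telegram", id: "bob" },
  { channel: "telegram", id: "alice" },
];
for (const s of trial) {
  console.log(gateCommand("/config show", s, exampleConfig).audit);
}
```

Running the dry run prints one audit line per attempt: the non-owner line has allowed:false with the reason, the owner line allowed:true. When wiring a real gate, run the preflight against every channel the bot is joined to before deploying; a channel it reports is exactly the "deny everyone" case from the risks note.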
Source attribution
This tip is aggregated from community/public sources and preserved with attribution.