Look! Publication of OpenClaw Guidance on Safe Use by the National Internet Crisis Centre, etc

March 23rd message for user safety OpenClawOn 22 March, the National Internet Emergency Response Centre and the China Cyberspace Safety Association jointly published the OpenClaw Safe Use Practice Guide, which recommends safety protection for ordinary users, business users, cloud service providers and technology developers。

Among these, recommendations for ordinary users include: installation of OpenClaw using specialized equipment, virtual machines or containers, and environmental isolation, which would be inappropriate for installation on day-to-day office computers; running OpenClaw without administrator or super-user privileges; storage and processing of privacy data in OpenClaw environments; and timely updating of OpenClaw ' s latest version. For cloud service providers, recommendations include security assessment and strengthening of the basic security aspects of cloud mainframe; deployment of, access to, and supply chain and data security protection。

1AI HAS THE FOLLOWING TEXT:

OpenClaw (crawns) has high-authority capabilities such as system command execution, document reading and writing, and API call, and default configuration and inappropriate use can easily lead to serious security risks such as remote takeovers, data leaks and malicious code enforcement. In order to help users to use OpenClaw safely, CNCERT, in collaboration with the China Cyberspace Safety Association, organizes a study with relevant domestic producers, which is aimed at ordinary users, business users, cloud service providers and technology developers/enthusiasts, makes the following safety protection recommendations。

I. General users

(i) It is recommended that OpenClaw should be installed in specialized equipment, virtual machines or containers and that it should be environmentally isolated and not fit on a day-to-day office computer。

• Option 1: Specially run with idle old computers to empty personal data。

• Option 2: Create an independent virtual machine or container with VMware, VirtualBox, Docker and separate from the host。

• Option 3: Deployment of cloud servers with remote local access only。

(ii) Recommendation not to expose OpenClaw default port (1878\1989) to the public network

• CONFIGURE WITH ONLY LOCAL ACCESS (127.0.0.1) TO CLOSE PORT MAP BINDING WITH PUBLIC NETWORK IP。

• WHERE REMOTE ACCESS IS REQUIRED, VPN ACCESS, ETC., IS RECOMMENDED, AND ROBUST AUTHENTICATION MEASURES SUCH AS CERTIFICATION CODES ARE ACTIVATED。

• In the case of instant messaging software (e.g., micro-intelligence, nails, flybooks, etc.), it is recommended that access be granted only to the person or to a credible person authorized to do so。

(iii) It is recommended that OpenClaw be run without administrator or super user privileges

• Creates a dedicated low-Authorization account, which only grants read and write permission to the smallest necessary directory。

• Disable high-risk access, screen recording, system automation, etc。

• Opens a dedicated work directory only and prohibits access to desktops, documents, downloads, password manager directories。

• Configures the white list path and refuses to read the profile, key file, and so on。

• The system shut-down command execution function is only temporarily activated and confirmed twice when necessary。

• LIMIT ACCESS TO THE NETWORK AND ONLY ALLOW CONNECTION TO THE NECESSARY AI SERVICE WITH API。

(iv) Recommended installation of credible skills plugins (Skills)

• Carefully install, use Skills issued by outside communities/individuals, and prevent risks such as information leaks or server attacks

• Undefined skills such as “auto-profit, wool, crack” or black-and-white production are rejected。

(v) Recommendation not to store / process privacy data in OpenClaw environment

• OpenClaw is not required to process bank cards, passwords, ID cards, keys, etc。

(vi) Recommendation for timely update of OpenClaw

• :: Installation of official security patches in a timely manner and follow-up on official security bulletins and leak alerts。

II. Enterprise users

(i) Recommended security management systems and usage norms for smart body applications

• The operational boundaries of intelligent applications are clearly allowed to be defined with prohibited use scenarios, data ranges and types of operation。

• The establishment of an internal use code and approval process, which requires security assessment and management approval for the introduction of new smart body applications or high authority functions, ensures that access is documented and documented。

(ii) Basic network and environmental safety protections recommended for smart-body operating environments

• THE DIRECT EXPOSURE OF SMART BODY SERVICES TO PUBLIC NETWORKS IS PROHIBITED, ACCESS IS RESTRICTED BY MEANS OF FIREWALLS, VPNS, ETC., AND ONLY THE NECESSARY PORTS ARE OPENED TO A TRUSTED NETWORK OR IP ADDRESS。

• Use of mainframe intrusion defence, malicious flow detection, etc. against threats of cyberattack on the server where the smart body is located。

• Ensure that the operational environment is regularly updated with patches, remove known system gaps and ensure that the underlying environment is safe and secure。

(iii) Recommended smart body authority management and border control

• All smart-body service accounts are configured according to the minimum necessary privileges。

• Border-limiting and access control of document catalogues, web domains, database tables, etc. accessible to intelligent bodies, using the system's own or third-party rights control tool。

• A rigorous multifactoral certification and operational clearance should be applied to high-authorization smarts, with additional defences at the critical resource level to prevent abuse of authority。

(iv) Recommendations for smart body operation monitoring and audit tracking

• (b) Establish a continuous operation monitoring mechanism for autonomous intelligent bodies, including a behavioural log of intelligent bodies, key decision-making outputs, use of system resources and recording of unusual events。

• Audit logs should be generated for critical operations and security-related events and protected against tampering with preservation。

• CONFIGURE THE SECURITY INFORMATION AND INCIDENT MANAGEMENT (SIEM) TOOL TO ACHIEVE A CENTRALIZED ANALYSIS OF INTELLIGENT LOGS AND TIMELY DETECTION OF SIGNS OF SUSPICIOUS BEHAVIOUR。

• The audit tracking capability should ensure that, in the event of an accident, the behaviour path of the intelligent body can be restored to provide a basis for the investigation of the problem and for the determination of responsibility。

(v) Recommended critical operation protection strategy for smart bodies

• Enterprises should develop protection strategies as a baseline for governance for high-risk operations that may be performed by autonomous intelligent bodies. For example, manual double-checking or multiple-checking of operations such as the removal of large amounts of data, the modification of core configurations, funds transactions, etc.; prior simulation exercises or security checks for irreversible operations; and time window and scope limits for high-impact operations, which are allowed only under specified conditions。

• These strategies should be aligned with high-security scenarios such as the financial system, the production control system and so on to ensure that smarts do not break the security of the business as a whole。

(vi) Recommended smart body supply chain security and code management

• Security management systems for third-party components and skill plugins on which autonomous intelligent bodies rely should be established。

• The new skill modules introduced must be subject to security clearance and testing before they meet security requirements before they can be put into operation。

• The skills and dependencies of existing operations should be regularly checked for version and security updates, and patches or upgrades should be applied in a timely manner。

• It is recommended that the approved skill codes be stored in the enterprise's in-house code warehouse, and that intelligents be prohibited from directly accessing and implementing unarchived codes from outside while running。

(vii) Recommendation for smart body voucher and key management

• All sensitive documents should not be explicitly written into codes or configuration documents and should be injected as required using a secure voucher management system。

• Once the intelligence is in use, the key should be destroyed or recovered in time to prevent long-term presence in the memory or log。

• Updates of key supporting documentation are regularly replaced to reduce the risk of leakage。

(viii) Recommended personnel training and emergency response exercises

• Regular security training for personnel involved in research and development, transport and peacekeeping operations to raise awareness of the risks of autonomous intelligence。

• Avoiding situations where a “single word authorization” leads to unconscious execution of high-risk operations。

• To enhance the awareness of employees of their security responsibilities in the use of intelligence, and to eliminate the misuse of irregularities and careless misuse。

• Develop contingency plans and conduct regular simulation exercises to increase team responsiveness and capability to respond to smart security incidents。

Cloud service providers

(i) Recommended security assessment and reinforcement of the basic security aspects of cloud mainframe

• Validation, isolation and access control and internalization of default security to the extent possible

• Remote log-in access to cloud hosts is prohibited by default, on the basis of basic password rules, to circumvent known leaks of weak passwords。

• The OpenClaw service authentication and access controls are performed, each user 's OpenClaw Gateway service is enabled only randomly token by default, and Gateway to the public network is not exposed by default。

• Make sure you're safe and propose to deploy OpenClaw with a stand-alone VPC network under the user's own account。

• (b) The development of product-in-temperature safety scanning and manual safety tests, including mirrors, product control, user-run examples, to avoid risks such as typical security issues at the design and realization levels of cloud products, and API Key leaks。

(ii) Recommendation for security protection capability deployment / access

• Deployment of intrusion monitoring capabilities and provision of basic security protection at such locations as the mainframe, network, etc。

• Basic protection against DDoS attacks, etc。

• Increased security risk monitoring for cloud host examples of OpenClaw deployment。

(iii) Recommended supply chain and data security protection

• OpenClaw security gap monitoring and protection is performed, routine normalization monitoring is activated, and the OpenClaw mirror is regularly updated。

• Skills installation security controls, security-tested and certified Skills are provided by default in the cloud OpenClaw product interface, with known malicious Skills ability to block installation, and control is introduced into malicious Skills。

• INCREASES THE MALICIOUS RISK DETECTION CAPABILITY OF NEW AI SCENARIOS TO PROVIDE TIMELY COVERAGE FOR CLOUD PLATFORMS AND MORE SECURE AND MANAGEABLE USE OF AI ASSISTANTS BY USERS。

• Modelling calls for safety protection, and the cloud OpenClaw product interface only supports the call to a large registered model. Upgrade the protective capacity of the large model security fence, including the introduction of a warning, further enhancement, privacy disclosure, etc。

Technology developers / lovers

(i) Recommendations for basic configuration enhancements

• It is recommended that the latest version be used to ensure that all known gaps have been repaired and that continued attention is given to updating the version and to repairing the gaps。

• Open identification:

1) Yes i don't know, config.json 。

2) Opens the DM pairing policy, setting the twinning policy for chat software to pairing (coding required) or allowlist (white list), and absolutely prohibits setting it to open。

• We're going to do a good job of net invisibility and minimizing exposure:

1) Do not expose the Web management interface (port 18789) directly to the public/ local area network。

2) Security tunnel programmes such as Tailscale, WireGuard, etc., are not used in private, and the port is shown on the outside。

UI, MAKE SURE i'm sorry, mateway Auth is false, preventing the console from downgrading。

(ii) Recommendation of operational isolation

According to official documents, OpenClaw offers two complementary sandboxing strategies, and when it is necessary to avoid the addition or deletion of OpenClaw to the system that undermines its integrity, it is recommended that:

• Enable full Docker/ Virtual Machine run

Runs the entire OpenClaw Gateway and all of its dependencies directly in a Docker container/ virtual machine. Even if the Gateway itself had been breached, the attackers were confined to containers and could not directly endanger the host system。

• Enable tool sandbox

1) Gateway operates in the host, but separates Agent's tool execution (e.g. code running, file operation) from the Docker container。

2) Adoption you know, kids Enabled. It is suggested that the scope: “agent” or scope: “session” should be maintained to prevent access across Agent data。

3) Controls Agent's permissions to the work area (no one access, ro read-only, rw read-write) finely by workingspace Access parameters。

• Minimal Permission Principle

1) enable a white list of tools, disable high-risk tools (e. g. shell, browser) in the configuration, open only the necessary tools and configure the white list of plugins。

2) access to file system restrictions, sensitive directories are mounted in ro (read-only) to avoid the erroneous deletion of the core document。

• Recommendations for regular security audits using officially available security audit tools

1) opens an openclaw security inspection to conduct routine checks, scan entry station access controls, network exposure and local file access。

2) opens an in-depth survey to perform real-time gateway detection to simulate the attacker ' s attempt to identify potential exposure points。

3) start auto-rehabilitating and self-enforcement security

(iii) Recommended supply chain preparedness

1) It is not appropriate to blindly install the popular skills in the ClawHub, as well as the VS Code plugins or NPM packages from unofficial channels, with code review prior to installation. The lawhub inspect –files command can be used to see if there are suspicious commands, such as npm install, pip install, remote script download, etc。

2) to specify what Agent is prohibited from doing and the operation that requires a record, to prohibit the execution of a hazardous order (e.g. rm-ref/), to prohibit the modification of authentication or authorization configuration, to prohibit the sending of token/ private key/ assistive words to the offline, and to prohibit blind execution of the “one-key installation” order in the document。

3) Upon completion of installation, it is recommended that the security configuration be completed, that only the core configuration file be accessed by this machine, that a configuration Hashi baseline be established and that no private key or assistive words be delivered to Agent。