File size: 1,640 Bytes
4d917ef | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 | #!/bin/sh
# Security check - runs at startup, non-fatal, logs warnings only.
PASS=0
WARN=0
log_ok() { echo "[security] OK: $1"; }
log_warn() { echo "[security] WARN: $1"; WARN=$((WARN+1)); }
# 1. Gateway token should be set and not too short
TOKEN="${OPENCLAW_GATEWAY_TOKEN:-}"
if [ -z "$TOKEN" ]; then
log_warn "OPENCLAW_GATEWAY_TOKEN is not set - gateway is unprotected"
elif [ ${#TOKEN} -lt 8 ]; then
log_warn "OPENCLAW_GATEWAY_TOKEN is very short (< 8 chars), use a longer token"
else
log_ok "Gateway token is set (length=${#TOKEN})"
fi
# 2. HF_TOKEN should not be exposed as gateway token
HF="${HF_TOKEN:-}"
if [ -n "$HF" ] && [ "$HF" = "$TOKEN" ]; then
log_warn "OPENCLAW_GATEWAY_TOKEN equals HF_TOKEN - use separate tokens"
fi
# 3. Config file should not contain raw API keys in plaintext paths
CONFIG="${OPENCLAW_HOME:-/home/user}/.openclaw/openclaw.json"
if [ -f "$CONFIG" ]; then
# warn if any obvious key pattern found outside env.vars block
if grep -q '"_API_KEY"' "$CONFIG" 2>/dev/null; then
log_warn "openclaw.json may contain raw API keys - prefer env vars"
else
log_ok "openclaw.json looks clean (no raw API keys)"
fi
fi
# 4. Warn if allowedOrigins is wildcard in production
if grep -q '"allowedOrigins": \["\*"\]' "$CONFIG" 2>/dev/null; then
log_warn "controlUi.allowedOrigins=[\"*\"] - consider locking to your Space URL"
fi
# 5. Check file permissions on sensitive files
if [ -f "$CONFIG" ]; then
PERMS=$(stat -c "%a" "$CONFIG" 2>/dev/null || stat -f "%A" "$CONFIG" 2>/dev/null || echo "unknown")
log_ok "openclaw.json permissions: $PERMS"
fi
echo "[security] Check complete: $WARN warning(s)"
exit 0
|