Create security-check.sh
Browse files- security-check.sh +57 -0
security-check.sh
ADDED
|
@@ -0,0 +1,57 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
#!/bin/sh
|
| 2 |
+
|
| 3 |
+
# Security check - runs at startup, non-fatal, logs warnings only.
|
| 4 |
+
|
| 5 |
+
PASS=0
|
| 6 |
+
WARN=0
|
| 7 |
+
|
| 8 |
+
log_ok() { echo "[security] OK: $1"; }
|
| 9 |
+
log_warn() { echo "[security] WARN: $1"; WARN=$((WARN+1)); }
|
| 10 |
+
|
| 11 |
+
# 1. Gateway token should be set and not too short
|
| 12 |
+
|
| 13 |
+
TOKEN="${OPENCLAW_GATEWAY_TOKEN:-}"
|
| 14 |
+
if [ -z "$TOKEN" ]; then
|
| 15 |
+
log_warn "OPENCLAW_GATEWAY_TOKEN is not set - gateway is unprotected"
|
| 16 |
+
elif [ ${#TOKEN} -lt 8 ]; then
|
| 17 |
+
log_warn "OPENCLAW_GATEWAY_TOKEN is very short (< 8 chars), use a longer token"
|
| 18 |
+
else
|
| 19 |
+
log_ok "Gateway token is set (length=${#TOKEN})"
|
| 20 |
+
fi
|
| 21 |
+
|
| 22 |
+
# 2. HF_TOKEN should not be exposed as gateway token
|
| 23 |
+
|
| 24 |
+
HF="${HF_TOKEN:-}"
|
| 25 |
+
if [ -n "$HF" ] && [ "$HF" = "$TOKEN" ]; then
|
| 26 |
+
log_warn "OPENCLAW_GATEWAY_TOKEN equals HF_TOKEN - use separate tokens"
|
| 27 |
+
fi
|
| 28 |
+
|
| 29 |
+
# 3. Config file should not contain raw API keys in plaintext paths
|
| 30 |
+
|
| 31 |
+
CONFIG="${OPENCLAW_HOME:-/home/user}/.openclaw/openclaw.json"
|
| 32 |
+
if [ -f "$CONFIG" ]; then
|
| 33 |
+
|
| 34 |
+
# warn if any obvious key pattern found outside env.vars block
|
| 35 |
+
|
| 36 |
+
if grep -q '"_API_KEY"' "$CONFIG" 2>/dev/null; then
|
| 37 |
+
log_warn "openclaw.json may contain raw API keys - prefer env vars"
|
| 38 |
+
else
|
| 39 |
+
log_ok "openclaw.json looks clean (no raw API keys)"
|
| 40 |
+
fi
|
| 41 |
+
fi
|
| 42 |
+
|
| 43 |
+
# 4. Warn if allowedOrigins is wildcard in production
|
| 44 |
+
|
| 45 |
+
if grep -q '"allowedOrigins": \["\*"\]' "$CONFIG" 2>/dev/null; then
|
| 46 |
+
log_warn "controlUi.allowedOrigins=[\"*\"] - consider locking to your Space URL"
|
| 47 |
+
fi
|
| 48 |
+
|
| 49 |
+
# 5. Check file permissions on sensitive files
|
| 50 |
+
|
| 51 |
+
if [ -f "$CONFIG" ]; then
|
| 52 |
+
PERMS=$(stat -c "%a" "$CONFIG" 2>/dev/null || stat -f "%A" "$CONFIG" 2>/dev/null || echo "unknown")
|
| 53 |
+
log_ok "openclaw.json permissions: $PERMS"
|
| 54 |
+
fi
|
| 55 |
+
|
| 56 |
+
echo "[security] Check complete: $WARN warning(s)"
|
| 57 |
+
exit 0
|