This document defines how to report vulnerabilities in ClawLite and the minimum baseline for secure operation.
Do not publish exploitable details in a public issue.
Use:
Include:
- technical description
- practical impact
- reproduction steps
- affected commit/version
- evidence (logs, payloads, stacktrace)
- CLI (`start`, `run`, `onboard`, `cron`, `skills`)
- Gateway (`/health`, `/v1/chat`, `/v1/cron/*`, `/v1/ws`)
- Providers and external API integrations
- Local tools (exec/files/web/cron/message/spawn/mcp)
- Channels and scheduler components
- User/channel input is untrusted.
- Tools with local execution are privileged.
- Provider keys are critical secrets.
- Set a gateway token and protect network access.
- Run with a non-admin user.
- Restrict file permissions in `~/.clawlite/` (`700` or `600` where applicable).
- Review skills with `command`/`script` before enabling in production.
- Rotate provider keys periodically.
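
One way to check the non-admin and file-permission items of this baseline, as an added example that is not part of ClawLite itself. The function names are hypothetical, and the only path assumed is the `~/.clawlite/` directory named above.

```shell
#!/bin/sh
# Added example (not ClawLite code): audit the state directory against the
# baseline above. Function names are hypothetical helpers for this sketch.

# Print every non-symlink path under $1 that grants any group/other bit.
# Uses only POSIX `-perm -mode` tests so it works with GNU and BSD find.
clawlite_loose_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Remove all group/other access, keeping the owner bits as they are.
# Directories and executables end up 700, plain files 600.
clawlite_tighten() {
    chmod -R go-rwx "$1"
}

# Return 0 when the baseline holds, 1 otherwise; findings go to stderr.
clawlite_audit() {
    rc=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL: running as root; use a non-admin user" >&2
        rc=1
    fi
    if [ ! -d "$1" ]; then
        echo "FAIL: $1 is not a directory" >&2
        return 1
    fi
    loose=$(clawlite_loose_paths "$1")
    if [ -n "$loose" ]; then
        echo "FAIL: group/other access on:" >&2
        echo "$loose" >&2
        rc=1
    fi
    return "$rc"
}

# Run as: sh audit.sh audit   (checks the directory named in this document)
if [ "${1:-}" = "audit" ]; then
    clawlite_audit "$HOME/.clawlite"
fi
```

`clawlite_tighten "$HOME/.clawlite"` applies the fix; rerun the audit afterwards to confirm nothing is left group- or world-accessible.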
After the fix, publish a patch and clear upgrade guidance.