zeroclaw/SECURITY.md
argenis de la rosa 05cb353f7f feat: initial release — ZeroClaw v0.1.0
- 22 AI providers (OpenRouter, Anthropic, OpenAI, Mistral, etc.)
- 7 channels (CLI, Telegram, Discord, Slack, iMessage, Matrix, Webhook)
- 5-step onboarding wizard with Project Context personalization
- OpenClaw-aligned system prompt (SOUL.md, IDENTITY.md, USER.md, AGENTS.md, etc.)
- SQLite memory backend with auto-save
- Skills system with on-demand loading
- Security: autonomy levels, command allowlists, cost limits
- 532 tests passing, 0 clippy warnings
2026-02-13 12:19:14 -05:00

Security Policy

Supported Versions

Version   Supported
0.1.x     yes

Reporting a Vulnerability

Please do NOT open a public GitHub issue for security vulnerabilities.

Instead, please report them responsibly:

  1. Email: Send details to the maintainers via GitHub private vulnerability reporting
  2. GitHub: Use GitHub Security Advisories

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Impact assessment
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Assessment: Within 1 week
  • Fix: Within 2 weeks for critical issues

Security Architecture

ZeroClaw implements defense-in-depth security:

Autonomy Levels

  • ReadOnly — Agent can only read, no shell or write access
  • Supervised — Agent can act within allowlists (default)
  • Full — Agent has full access within workspace sandbox

Sandboxing Layers

  1. Workspace isolation — All file operations confined to workspace directory
  2. Path traversal blocking — `..` sequences and absolute paths rejected
  3. Command allowlisting — Only explicitly approved commands can execute
  4. Forbidden path list — Critical system paths (/etc, /root, ~/.ssh) always blocked
  5. Rate limiting — Max actions per hour and cost per day caps

What We Protect Against

  • Path traversal attacks (../../../etc/passwd)
  • Command injection (rm -rf /, curl | sh)
  • Workspace escape via symlinks or absolute paths
  • Runaway cost from LLM API calls
  • Unauthorized shell command execution
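As an added illustration of sandboxing layers 1 and 2 and of the symlink-escape case listed above (example code written for this page, not ZeroClaw's own; `WorkspaceGuard`, `Denied` and the exact rule order are assumptions), a guard that rejects absolute paths and `..` lexically, then resolves symlinks in the existing prefix before checking that the result is still inside the workspace:

```rust
// Added example, not ZeroClaw's own code: a workspace path guard modelled on the
// sandboxing layers above. Type names and the rule set are assumptions.
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum Denied { Absolute, ParentDir, Unresolvable, Escapes }

pub struct WorkspaceGuard { root: PathBuf } // canonical workspace root

impl WorkspaceGuard {
    pub fn new(root: &Path) -> std::io::Result<Self> {
        Ok(Self { root: root.canonicalize()? })
    }

    /// Cheap lexical checks first, then a symlink-aware containment check.
    pub fn resolve(&self, requested: &str) -> Result<PathBuf, Denied> {
        let p = Path::new(requested);
        if p.is_absolute() {
            return Err(Denied::Absolute);
        }
        if p.components().any(|c| c == Component::ParentDir) {
            return Err(Denied::ParentDir);
        }
        let resolved = resolve_existing_prefix(&self.root.join(p))?;
        if resolved.starts_with(&self.root) { Ok(resolved) } else { Err(Denied::Escapes) }
    }
}

/// Canonicalize the longest existing ancestor (following symlinks) and re-append
/// the not-yet-existing tail, so a new file may be created but `link -> /etc` is caught.
fn resolve_existing_prefix(path: &Path) -> Result<PathBuf, Denied> {
    let mut existing = path.to_path_buf();
    let mut tail = Vec::new();
    // symlink_metadata does not follow the final link, so a dangling link still counts as existing
    while std::fs::symlink_metadata(&existing).is_err() {
        let name = existing.file_name().ok_or(Denied::Unresolvable)?.to_os_string();
        existing = existing.parent().ok_or(Denied::Unresolvable)?.to_path_buf();
        tail.push(name);
    }
    // a dangling symlink fails to canonicalize, which is the safe outcome
    let mut out = existing.canonicalize().map_err(|_| Denied::Unresolvable)?;
    out.extend(tail.iter().rev());
    Ok(out)
}
```

The lexical checks alone would accept `escape/x` when `escape` is a symlink pointing outside the workspace; the canonicalization step is what turns that into `Denied::Escapes`.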

Security Testing

All security mechanisms are covered by automated tests (129 tests):

cargo test -- security
cargo test -- tools::shell
cargo test -- tools::file_read
cargo test -- tools::file_write