Agent can self-modify openclaw.json to bypass auth and CORS controls #514

@ericksoa

Description

Summary

An AI agent running inside the NemoClaw sandbox can modify openclaw.json to weaken its own security controls. This was publicly reported by @ZackKorman on X on 2026-03-20 (1.7K views).

Attack chain

  1. Agent uses its standard write/edit/exec tools to modify /sandbox/.openclaw/openclaw.json
  2. Changes gateway.auth.token to a trivial value (e.g. "123")
  3. Changes gateway.controlUi.allowedOrigins to ["*"]
  4. Restarts the gateway via exec
  5. Result: any website the user visits can now connect to their bot via websocket and issue commands

Root cause

openclaw.json is inside the /sandbox read_write zone defined in nemoclaw-blueprint/policies/openclaw-sandbox.yaml (line 29), and no tool-level deny list prevents the agent from writing to it. After startup, the config file remains writable by the sandbox user.

Proposed fix (minimum)

After fix_openclaw_config completes in scripts/nemoclaw-start.sh, change ownership and permissions so the agent cannot modify the file:

# Run while still root, after fix_openclaw_config has written the file:
chown root:root "$HOME/.openclaw/openclaw.json"   # owner becomes root, not the sandbox user
chmod 444 "$HOME/.openclaw/openclaw.json"         # read-only for owner, group and others

The gateway only needs read access after startup, and the agent process runs as sandbox user per the sandbox policy, so it cannot modify a root-owned read-only file.

Defense-in-depth (follow-up)

  • Add .openclaw/ paths to SandboxToolPolicy.deny for write/edit/exec tools
  • Move config outside /sandbox writable zone to a read-only mount
  • Change Landlock from best_effort to enforce
  • Re-evaluate allowInsecureAuth: True and dangerouslyDisableDeviceAuth: True defaults
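The checks below are an added example written for this issue, not NemoClaw code: they audit an openclaw.json for the exact weakenings in the attack chain (trivial gateway.auth.token, a "*" entry in gateway.controlUi.allowedOrigins, allowInsecureAuth or dangerouslyDisableDeviceAuth set to true) and confirm that the file's permission bits would stop the sandbox uid from writing it. The 32-character token threshold, the sample configs, and the placement of the two boolean flags are assumptions; because the issue does not say where those flags live in the schema, the audit searches the whole document for them rather than one fixed path.

```python
# Added example, not part of NemoClaw. Threshold, sample configs and the
# location of the boolean flags are assumptions made for this demonstration.
import json
import os
import stat
import tempfile

# Assumption: a real gateway token should be at least this many characters.
MIN_TOKEN_LEN = 32

# Flags the issue asks to re-evaluate; their place in the schema is not given,
# so the audit walks the whole document looking for them.
DANGEROUS_TRUE_FLAGS = ("allowInsecureAuth", "dangerouslyDisableDeviceAuth")

# Constructed sample: the config as it looks after the attack chain in the issue.
WEAKENED_CONFIG = {
    "gateway": {
        "auth": {"token": "123"},
        "controlUi": {"allowedOrigins": ["*"]},
        "allowInsecureAuth": True,
        "dangerouslyDisableDeviceAuth": True,
    }
}

# Constructed sample that passes every check (the token is a placeholder value).
HARDENED_CONFIG = {
    "gateway": {
        "auth": {"token": "0123456789abcdef" * 3},
        "controlUi": {"allowedOrigins": ["http://localhost"]},
        "allowInsecureAuth": False,
        "dangerouslyDisableDeviceAuth": False,
    }
}

def _true_flags(node, names, path=""):
    """Return dotted paths of every key in `names` whose value is literally True."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in names and value is True:
                hits.append(here)
            hits.extend(_true_flags(value, names, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(_true_flags(value, names, f"{path}[{i}]"))
    return hits

def audit_gateway_config(cfg):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    gateway = cfg.get("gateway", {})
    token = gateway.get("auth", {}).get("token")
    if not isinstance(token, str) or len(token) < MIN_TOKEN_LEN:
        findings.append(f"gateway.auth.token missing or shorter than {MIN_TOKEN_LEN} chars")
    origins = gateway.get("controlUi", {}).get("allowedOrigins", [])
    if "*" in origins:
        findings.append("gateway.controlUi.allowedOrigins contains '*' (any website may connect)")
    for where in _true_flags(cfg, DANGEROUS_TRUE_FLAGS):
        findings.append(f"{where} is true")
    return findings

def writable_by(path, uid, gids):
    """True if a non-root process with this uid and group set could write `path`
    according to the permission bits (root bypasses these bits entirely)."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def audit_config_file(path, agent_uid, agent_gids):
    """Content audit plus the ownership/permission check, as one finding list."""
    with open(path) as fh:
        findings = audit_gateway_config(json.load(fh))
    if writable_by(path, agent_uid, agent_gids):
        findings.append(f"{path} is writable by uid {agent_uid}")
    return findings

def demo_permission_fix():
    """Apply the proposed chmod 444 to a throwaway copy of the weakened config
    and return (findings before, findings after)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(WEAKENED_CONFIG, fh)
    try:
        os.chmod(path, 0o644)
        st = os.stat(path)
        agent = (st.st_uid, {st.st_gid})   # pretend the agent is the file's owner
        before = audit_config_file(path, *agent)
        os.chmod(path, 0o444)               # the fix proposed in the issue
        after = audit_config_file(path, *agent)
    finally:
        os.remove(path)
    return before, after

if __name__ == "__main__":
    before, after = demo_permission_fix()
    print("before chmod 444:", *before, sep="\n  ")
    print("after chmod 444:", *after, sep="\n  ")
```

The demo only exercises the chmod half of the fix, since chown to root needs root to run; it is the chown that matters most, because a file's owner can always chmod it back to writable, which is why the issue pairs the two commands. Running the content audit at gateway startup (and again on any restart the agent triggers) turns the attack chain's steps 2 and 3 into a detectable event rather than a silent reconfiguration.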

Labels: security (Potential vulnerability, unsafe behavior, or access risk)