healthcheck: security audit falsely flags intentional group-level allowFrom wildcard as critical

[dongzhenye]

Problem

The daily healthcheck:security-audit cron reports a NEW CRITICAL alert when a Telegram group has allowFrom: ["*"] configured at the group level — even when the top-level groupAllowFrom is correctly restricted to specific user IDs.

Steps to reproduce

Configure OpenClaw with the following structure:

{
  "channels": {
    "telegram": {
      "groupAllowFrom": ["<user_id>"],
      "groups": {
        "-100XXXXXXXXX": {
          "requireMention": true,
          "allowFrom": ["*"]
        }
      }
    }
  }
}

The top-level groupAllowFrom restricts access to one user. The group-level allowFrom: ["*"] is intentional — in a multi-person group, all members should be able to trigger the bot (e.g., after @mention).

Run the security audit. It will report:

🔴 NEW CRITICAL: Telegram group allowlist contains wildcard (*) — allows any group member to run commands

Expected behavior

The audit should distinguish between:

• Dangerous: top-level groupAllowFrom: ["*"] (no user restriction at all)
• Intentional: group-level allowFrom: ["*"] when top-level is already restricted

When top-level groupAllowFrom is already set to explicit user IDs, a group-level wildcard is not a security issue — it simply means all users who can access the bot can trigger it in that group (which is the typical desired behavior for multi-user groups with requireMention: true).

Suggested fix

Before flagging a group-level wildcard as critical, check whether groupAllowFrom at the top level is already restricted to specific users. If so, downgrade to info or suppress entirely.

Environment

• OpenClaw version: 2026.3.13
• Platform: macOS (arm64)
• Channel: Telegram

[Ryce]

This is audit-state vs config-intent drift: the healthcheck security audit sees `allowFrom: ["*"]` at the group level and flags it as CRITICAL, but it doesn't understand the two-level permission model. The top-level `groupAllowFrom` correctly restricts access, making the per-group wildcard intentional — not a security hole.

The audit tool has an incomplete model of the config's actual security posture. It reads one field in isolation without evaluating the composed permission chain. This is the same class of problem as config-state drift: two subsystems hold different views of what the config actually means.

Why this matters beyond false positives: if a user trusts the audit, they'll tighten the group-level `allowFrom` to specific IDs — which breaks dynamic group membership. The audit is recommending a config change that would cause operational failures. That's worse than a false positive; it's a false positive that leads to real damage if acted on.

Fix: the audit should evaluate the composed permission — if `groupAllowFrom` is restricted AND the group's `allowFrom` is wildcard, the effective policy is still restricted. Flag only if BOTH levels are wildcard or if group-level is wildcard with no top-level restriction.

[clawsweeper]

Closing this as implemented after Codex automated review.

Current main, and the v2026.4.24 release tree, no longer emit the reported Telegram wildcard CRITICAL for per-group groups.<id>.allowFrom: ["*"] when top-level groupAllowFrom is restricted. The remaining wildcard critical check is limited to the pairing store or top-level channels.telegram.groupAllowFrom.

What I checked:

• Critical wildcard trigger is top-level/store only: collectTelegramSecurityAuditFindings computes groupAllowFromHasWildcard only from telegramCfg.groupAllowFrom, then emits channels.telegram.groups.allowFrom.wildcard only when the pairing store or top-level groupAllowFrom contains "*". (extensions/telegram/src/security-audit.ts:68, d228463120a5)
• Per-group allowFrom is not the wildcard critical trigger: The collector walks groups.<id>.allowFrom and topic allowFrom for invalid-entry checks and to mark that a sender allowlist exists, but it does not set the wildcard-critical condition from those per-group/per-topic values. (extensions/telegram/src/security-audit.ts:83, d228463120a5)
• Security audit uses the Telegram collector: The Telegram channel registers collectTelegramSecurityAuditFindings, and the shared audit path calls channel plugin collectAuditFindings, so this is the path used by openclaw security audit / healthcheck security audit. (extensions/telegram/src/security.ts:36, d228463120a5)
• Release contains the same collector behavior: The v2026.4.24 tag contains the same wildcard-critical condition limited to storeHasWildcard || groupAllowFromHasWildcard. (extensions/telegram/src/security-audit.ts:140, cbcfdf62c729)
• Current docs describe the relevant Telegram sender controls: The Telegram docs describe group sender filtering as groupAllowFrom or per-group/per-topic allowFrom, with pairing remaining DM-only, which matches the current audit/runtime surface being reviewed. Public docs: docs/channels/telegram.md. (docs/channels/telegram.md:158, d228463120a5)
• Related discussion acknowledged: The provided GitHub context links PR fix(security): respect top-level restriction for Telegram group allowFrom wildcard #48804 and Ryce's comment to the same audit/config-intent drift for healthcheck: security audit falsely flags intentional group-level allowFrom wildcard as critical #48687; current main contains the false-positive suppression behavior even though that PR itself was closed unmerged.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against d228463120a5; fix evidence: release v2026.4.24, commit cbcfdf62c729.