Security Hardening: Request Timeouts, Credential Encryption, Skill Signing, and Prompt Injection Defense #7604

@alamine42

Description

@alamine42

Summary

I'd like to contribute a series of security improvements to OpenClaw addressing five gaps identified through code review:

Issue                                  Severity  Proposed Fix
-------------------------------------  --------  -------------------------------------------------------
GatewayClient request timeout (#4954)  MEDIUM    AbortController-based timeout with configurable default
Plaintext credential storage           HIGH      AES-256-GCM encryption at rest with passphrase
Plaintext session transcripts          HIGH      Per-entry encryption for JSONL session files
Unsigned skill loading                 HIGH      Ed25519 signing and verification
Limited prompt injection protection    HIGH      Input/output validation layers

Proposed Approach

1. GatewayClient Timeout Fix (PR 1)

Problem: GatewayClient.request() in src/gateway/client.ts:415-441 returns a Promise with no timeout. Pending requests can hang indefinitely, causing resource exhaustion.

Solution:

  • Add optional timeout parameter to request() method
  • Use AbortController with setTimeout for clean cancellation
  • Default timeout: 30 seconds (configurable via gateway.timeout)
  • Create TimeoutError class for specific error handling
  • Clean up pending request on timeout

Files: src/gateway/client.ts, ui/src/ui/gateway.ts

Tests: Unit tests for timeout behavior, integration tests with mock server


2. Credential Encryption at Rest (PR 2)

Problem: All credentials in ~/.openclaw/ are stored as plaintext JSON (auth-profiles.json, oauth.json, creds.json), leaving them vulnerable to infostealers and disk theft.

Solution:

  • Implement encryption module using Node.js crypto:
    • Key derivation: crypto.scrypt (N=2^16, r=8, p=1)
    • Encryption: AES-256-GCM with random 12-byte IV
    • Format: salt || IV || authTag || ciphertext
  • Passphrase prompt on startup (or OPENCLAW_PASSPHRASE env var)
  • Migration tool: openclaw credentials migrate
  • Feature flag: security.credentialEncryption: true/false

Files: New src/infra/crypto.ts, src/agents/auth-profiles/store.ts, src/web/auth-store.ts

Tests: Roundtrip encryption, wrong passphrase handling, migration


3. Session Transcript Encryption (PR 3)

Problem: Session logs in ~/.openclaw/agents/*/sessions/*.jsonl contain sensitive conversation data stored as plaintext.

Solution:

  • Per-line encryption in JSONL format (each entry encrypted independently)
  • Same passphrase/key as credential encryption
  • Transparent encryption on write, decryption on read
  • Format detection for backward compatibility with plaintext files

Files: src/config/sessions/transcript.ts, src/gateway/session-utils.fs.ts

Tests: Write/read encrypted sessions, large file handling, format detection


4. Skill Signing & Verification (PRs 4-5)

Problem: Skills are loaded without cryptographic verification, which is a supply-chain attack vector.

Solution:

  • PR 4 - Signing Infrastructure:
    • Ed25519 key generation: openclaw skills keygen
    • Skill signing: openclaw skills sign <path>
    • Signature embedded in skill manifest
  • PR 5 - Verification:
    • Trusted key registry: ~/.openclaw/trusted-keys.json
    • Verification before skill execution
    • Configurable policy: skills.requireSigning: true/false/warn

Files: New src/agents/skills/signing.ts, src/agents/skills/verification.ts


5. Prompt Injection Defense (PRs 6-7)

Problem: Limited protection against prompt injection attacks.

Solution:

  • PR 6 - Input Validation:
    • Unicode normalization (NFC, zero-width removal)
    • Pattern detection for known injection techniques
    • Configurable sensitivity levels
    • Security event logging
  • PR 7 - Output Validation:
    • Dangerous command pattern detection
    • User confirmation for risky operations
    • Exfiltration detection (secrets in outbound requests)

Files: New src/security/input-validation.ts, src/security/output-validation.ts


Implementation Plan

I propose submitting these as 7 atomic PRs over the coming weeks:

  1. PR 1: GatewayClient timeout (closes #4954: GatewayClient.request() has no timeout, causing indefinite hangs)
  2. PR 2: Crypto infrastructure + credential encryption
  3. PR 3: Session transcript encryption
  4. PR 4: Skill signing infrastructure
  5. PR 5: Skill verification integration
  6. PR 6: Input validation layer
  7. PR 7: Output validation layer

Each PR will include:

  • Comprehensive tests (unit + integration)
  • Documentation updates
  • Feature flags for rollback
  • CHANGELOG entry

Questions for Maintainers

  1. Timeout default: Is 30 seconds reasonable for GatewayClient.request()?
  2. Encryption scope: Should we also encrypt the session metadata store (sessions.json)?
  3. Skill signing: Any existing thoughts on key distribution for skill authors?
  4. Prompt injection: Are there specific patterns you've seen in the wild that should be prioritized?

About Me

I'm contributing as part of a broader AI safety effort. Happy to discuss any aspect of this proposal or adjust the approach based on feedback.


Note: AI-assisted development, as encouraged in CONTRIBUTING.md.
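The following examples are added illustrations of the proposal above; they are not part of the original issue and not OpenClaw's own code. This first one covers section 1: a GatewayClient.request() whose pending promise is settled by an AbortController-driven timeout, with cleanup of the pending entry. The transport is abstracted as a send() callback (an assumption of the example) so that it runs without a gateway; TimeoutError, RequestOptions and the 30-second default standing in for gateway.timeout are the example's own names.

```typescript
// Added example for section 1 (not OpenClaw's code): GatewayClient.request() with an
// AbortController-driven timeout. The transport is a send() callback so it runs without a server.

export class TimeoutError extends Error {
  constructor(readonly method: string, readonly timeoutMs: number) {
    super(`gateway request "${method}" timed out after ${timeoutMs} ms`);
    this.name = "TimeoutError";
  }
}

interface Pending {
  resolve: (value: unknown) => void;
  reject: (err: Error) => void;
}

export interface RequestOptions {
  timeoutMs?: number;   // per-call override of the client default
  signal?: AbortSignal; // caller-side cancellation, e.g. the UI tearing down a view
}

export class GatewayClient {
  private nextId = 1;
  private readonly pending = new Map<number, Pending>();

  constructor(
    // send() hands a frame to the transport; replies arrive through handleResponse().
    private readonly send: (id: number, method: string, params: unknown) => void,
    private readonly defaultTimeoutMs = 30_000, // stands in for the gateway.timeout setting
  ) {}

  request<T = unknown>(method: string, params: unknown = {}, opts: RequestOptions = {}): Promise<T> {
    const id = this.nextId++;
    const timeoutMs = opts.timeoutMs ?? this.defaultTimeoutMs;
    const ac = new AbortController();

    return new Promise<T>((resolve, reject) => {
      // Settle exactly once: cleanup() drops the pending entry, clears the timer and detaches
      // listeners, so a late reply or a second abort after settlement is a no-op.
      const cleanup = () => {
        clearTimeout(timer);
        this.pending.delete(id);
        ac.signal.removeEventListener("abort", onAbort);
        opts.signal?.removeEventListener("abort", forwardAbort);
      };
      const onAbort = () => { cleanup(); reject(ac.signal.reason as Error); };
      const forwardAbort = () => ac.abort(opts.signal?.reason ?? new Error(`request "${method}" aborted`));
      const timer = setTimeout(() => ac.abort(new TimeoutError(method, timeoutMs)), timeoutMs);

      ac.signal.addEventListener("abort", onAbort, { once: true });
      if (opts.signal?.aborted) { forwardAbort(); return; }
      opts.signal?.addEventListener("abort", forwardAbort, { once: true });

      this.pending.set(id, {
        resolve: (value) => { cleanup(); resolve(value as T); },
        reject: (err) => { cleanup(); reject(err); },
      });
      this.send(id, method, params);
    });
  }

  // Transport callback for a reply frame. Ids that already timed out are silently dropped.
  handleResponse(id: number, result?: unknown, error?: string): void {
    const entry = this.pending.get(id);
    if (!entry) return;
    if (error !== undefined) entry.reject(new Error(error));
    else entry.resolve(result);
  }

  pendingCount(): number {
    return this.pending.size;
  }
}

// A transport that never answers: the call must fail with TimeoutError and leave nothing pending.
export async function demoTimeout(): Promise<{ errorName: string; pendingAfter: number }> {
  const client = new GatewayClient(() => { /* frame sent, reply never comes */ }, 30_000);
  try {
    await client.request("health", {}, { timeoutMs: 50 });
    return { errorName: "none", pendingAfter: client.pendingCount() };
  } catch (err) {
    return { errorName: (err as Error).name, pendingAfter: client.pendingCount() };
  }
}

// A transport that answers within the budget: the promise resolves and the timer is cleared.
export async function demoResponds(): Promise<{ result: unknown; pendingAfter: number }> {
  const client: GatewayClient = new GatewayClient(
    (id, method) => { setTimeout(() => client.handleResponse(id, { method, ok: true }), 5); },
    1_000,
  );
  const result = await client.request("health");
  return { result, pendingAfter: client.pendingCount() };
}
```

The point worth checking in review of the real PR is the one demoTimeout() exercises: after a timeout the entry must be gone from the pending map, otherwise the leak the issue describes is merely delayed. Forwarding a caller-supplied AbortSignal into the same AbortController gives the UI one cancellation path for both cases.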
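An added example for sections 2 and 3 (not OpenClaw's code): the scrypt(N=2^16, r=8, p=1) plus AES-256-GCM scheme from the proposal, used once for a whole credential file in the salt || IV || authTag || ciphertext layout, and once per transcript entry. The transcript layout is this example's own assumption: a JSON header line carries the file salt so scrypt runs once per file rather than once per line, each entry is an "enc1:" prefixed blob, and the file id and line index are passed as GCM additional authenticated data so entries cannot be reordered or moved between session files. sealWithKey, openWithKey, writeTranscript and readTranscript are example names.

```typescript
// Added example for sections 2 and 3 (not OpenClaw's code).
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

const SALT_LEN = 16;
const IV_LEN = 12;
const TAG_LEN = 16;
// scrypt with N=2^16, r=8 touches 128*N*r = 64 MiB; Node's default maxmem (32 MiB) would throw.
const SCRYPT = { N: 2 ** 16, r: 8, p: 1, maxmem: 256 * 1024 * 1024 };

export function deriveKey(passphrase: string, salt: Buffer): Buffer {
  return scryptSync(passphrase, salt, 32, SCRYPT);
}

// Returns IV || authTag || ciphertext. `aad` is authenticated but not encrypted.
export function sealWithKey(key: Buffer, plaintext: Buffer, aad?: Buffer): Buffer {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  if (aad) cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

export function openWithKey(key: Buffer, blob: Buffer, aad?: Buffer): Buffer {
  if (blob.length < IV_LEN + TAG_LEN) throw new Error("ciphertext too short");
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, IV_LEN));
  if (aad) decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(IV_LEN, IV_LEN + TAG_LEN));
  try {
    return Buffer.concat([decipher.update(blob.subarray(IV_LEN + TAG_LEN)), decipher.final()]);
  } catch {
    // GCM tag mismatch: wrong passphrase, corrupted file or tampering. Deliberately not distinguished.
    throw new Error("decryption failed: wrong passphrase or data was modified");
  }
}

// Credential file: base64(salt || IV || authTag || ciphertext); a fresh salt on every write.
export function encryptCredentials(passphrase: string, json: string): string {
  const salt = randomBytes(SALT_LEN);
  const blob = sealWithKey(deriveKey(passphrase, salt), Buffer.from(json, "utf8"));
  return Buffer.concat([salt, blob]).toString("base64");
}

export function decryptCredentials(passphrase: string, encoded: string): string {
  const raw = Buffer.from(encoded, "base64");
  const key = deriveKey(passphrase, raw.subarray(0, SALT_LEN));
  return openWithKey(key, raw.subarray(SALT_LEN)).toString("utf8");
}

// Transcript (example layout): line 0 is a JSON header carrying the salt (one scrypt per file);
// each entry is "enc1:" + base64(IV || authTag || ciphertext) with fileId:index as AAD.
const ENTRY_PREFIX = "enc1:";
const aadFor = (fileId: string, index: number): Buffer => Buffer.from(`${fileId}:${index}`, "utf8");

export function writeTranscript(passphrase: string, fileId: string, entries: unknown[]): string {
  const salt = randomBytes(SALT_LEN);
  const key = deriveKey(passphrase, salt);
  const header = JSON.stringify({ openclawEnc: 1, salt: salt.toString("base64") });
  const lines = entries.map((entry, i) =>
    ENTRY_PREFIX + sealWithKey(key, Buffer.from(JSON.stringify(entry), "utf8"), aadFor(fileId, i)).toString("base64"));
  return [header, ...lines].join("\n") + "\n";
}

// Format detection: a file whose first line is not the header is treated as legacy plaintext JSONL.
export function readTranscript(passphrase: string, fileId: string, text: string): { encrypted: boolean; entries: unknown[] } {
  const lines = text.split("\n").filter((line) => line.length > 0);
  if (lines.length === 0) return { encrypted: false, entries: [] };
  let header: Record<string, unknown> = {};
  try {
    const parsed = JSON.parse(lines[0]);
    if (parsed && typeof parsed === "object") header = parsed;
  } catch { /* not JSON: falls through to the plaintext branch, which will raise a clear parse error */ }
  const salt = header.salt;
  if (header.openclawEnc !== 1 || typeof salt !== "string") {
    return { encrypted: false, entries: lines.map((line) => JSON.parse(line)) };
  }
  const key = deriveKey(passphrase, Buffer.from(salt, "base64"));
  const entries = lines.slice(1).map((line, i) => {
    if (!line.startsWith(ENTRY_PREFIX)) throw new Error(`line ${i + 1}: plaintext entry inside an encrypted transcript`);
    const blob = Buffer.from(line.slice(ENTRY_PREFIX.length), "base64");
    return JSON.parse(openWithKey(key, blob, aadFor(fileId, i)).toString("utf8"));
  });
  return { encrypted: true, entries };
}
```

Two caveats a reviewer of PR 2 and PR 3 would look for: the chosen scrypt parameters exceed Node's default maxmem, so the call fails unless maxmem is raised as above, and per-line encryption that derives the key on every line would cost a full scrypt per transcript entry, which is why the key is derived once per file here.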
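An added example for section 4 (not OpenClaw's code): Ed25519 keygen, signing and verification using Node's crypto module, with the true/false/warn policy from the proposal. The manifest shape, the keyId derivation (first 16 hex characters of SHA-256 over the SPKI DER), the trusted-keys.json layout as a keyId-to-PEM map, and the canonical signed payload are this example's assumptions. The payload covers a digest of every skill file, not only the manifest, so that replacing code without re-signing is caught.

```typescript
// Added example for section 4 (not OpenClaw's code).
import { createHash, createPrivateKey, createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

export interface SkillManifest {
  name: string;
  version: string;
  entry: string;
  signature?: { alg: string; keyId: string; sig: string };
}
export type SkillFiles = Record<string, string>;   // relative path -> file content
export type TrustedKeys = Record<string, string>;  // keyId -> SPKI PEM (assumed trusted-keys.json layout)
export type SigningPolicy = true | false | "warn";  // skills.requireSigning

// Deterministic JSON (sorted keys) so signer and verifier hash identical bytes.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
  if (value && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return `{${Object.keys(obj).sort().map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`).join(",")}}`;
  }
  return JSON.stringify(value);
}

// Signed payload: the manifest without its own signature field, plus a SHA-256 per skill file.
function payloadFor(manifest: SkillManifest, files: SkillFiles): Buffer {
  const unsigned: Record<string, unknown> = { ...manifest };
  delete unsigned.signature;
  const digests: Record<string, string> = {};
  for (const path of Object.keys(files).sort()) {
    digests[path] = createHash("sha256").update(files[path], "utf8").digest("hex");
  }
  return Buffer.from(canonical({ manifest: unsigned, files: digests }), "utf8");
}

// `openclaw skills keygen` equivalent: the keyId is derived from the public key, not chosen by the author.
export function keygen(): { keyId: string; publicKeyPem: string; privateKeyPem: string } {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const spkiDer = publicKey.export({ type: "spki", format: "der" }) as Buffer;
  return {
    keyId: createHash("sha256").update(spkiDer).digest("hex").slice(0, 16),
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }) as string,
    privateKeyPem: privateKey.export({ type: "pkcs8", format: "pem" }) as string,
  };
}

// `openclaw skills sign <path>` equivalent: embeds the signature in the manifest.
export function signSkill(manifest: SkillManifest, files: SkillFiles, keyId: string, privateKeyPem: string): SkillManifest {
  const sig = sign(null, payloadFor(manifest, files), createPrivateKey(privateKeyPem));
  return { ...manifest, signature: { alg: "ed25519", keyId, sig: sig.toString("base64") } };
}

export interface VerifyResult { verified: boolean; allowed: boolean; reason: string }

export function verifySkill(manifest: SkillManifest, files: SkillFiles, trusted: TrustedKeys, policy: SigningPolicy): VerifyResult {
  let verified = false;
  let reason = "ok";
  const sig = manifest.signature;
  if (!sig) {
    reason = "unsigned";
  } else if (sig.alg !== "ed25519") {
    reason = `unsupported signature algorithm ${sig.alg}`;
  } else if (!Object.prototype.hasOwnProperty.call(trusted, sig.keyId)) {
    reason = `key ${sig.keyId} is not in the trusted registry`;
  } else {
    try {
      verified = verify(null, payloadFor(manifest, files), createPublicKey(trusted[sig.keyId]), Buffer.from(sig.sig, "base64"));
    } catch {
      verified = false; // malformed PEM or signature bytes
    }
    if (!verified) reason = "signature does not match manifest and files";
  }
  // true: refuse unverified skills. "warn": load them but surface the reason as a security event. false: no gate.
  const allowed = verified || policy !== true;
  return { verified, allowed, reason };
}
```

The verifier only ever consults the local registry, so the security of the scheme rests on how ~/.openclaw/trusted-keys.json is populated; that is the key-distribution question the issue raises for maintainers, and nothing in the code above answers it.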
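An added example for section 5 (not OpenClaw's code): an input layer that applies NFC normalization, strips zero-width and bidi-control characters, and runs pattern rules gated by a sensitivity level, and an output layer that flags dangerous command shapes and secret-looking material in outbound text. The rule lists are illustrative, not a claim about what attackers send in the wild; the function names, the Finding shape and the allow/confirm/block decision mapping are this example's assumptions. One detail beyond the proposal's NFC step: matching runs over an NFKC-folded copy so fullwidth or compatibility glyphs cannot dodge the regexes, while the NFC text is what gets handed onward.

```typescript
// Added example for section 5 (not OpenClaw's code).
export type Severity = "low" | "medium" | "high";
export type Sensitivity = "low" | "medium" | "high";
export interface Finding { layer: "input" | "output"; rule: string; severity: Severity; match: string }
export type Decision = "allow" | "confirm" | "block";

// Zero-width, soft-hyphen and bidi-control code points used to hide or reorder prompt text.
const INVISIBLE = /[\u200B-\u200D\u2060\uFEFF\u00AD\u202A-\u202E\u2066-\u2069]/g;

export function normalizeInput(text: string): { clean: string; stripped: number } {
  const nfc = text.normalize("NFC");
  const clean = nfc.replace(INVISIBLE, "");
  return { clean, stripped: nfc.length - clean.length };
}

const RANK: Record<Severity, number> = { low: 1, medium: 2, high: 3 };
// At sensitivity "low" only high-severity rules fire; at "high" every rule does.
const THRESHOLD: Record<Sensitivity, number> = { low: 3, medium: 2, high: 1 };

interface Rule { rule: string; severity: Severity; re: RegExp }
const INPUT_RULES: Rule[] = [
  { rule: "instruction-override", severity: "high", re: /\b(ignore|disregard|forget)\b[^.\n]{0,40}\b(previous|prior|above|earlier|all)\b[^.\n]{0,20}\b(instructions?|rules?|prompts?)\b/i },
  { rule: "role-hijack", severity: "high", re: /\b(you are now|from now on you are|pretend (to be|you are)|new persona)\b/i },
  { rule: "system-prompt-probe", severity: "medium", re: /\b(reveal|print|show|repeat|leak)\b[^.\n]{0,30}\b(system prompt|initial instructions|hidden instructions)\b/i },
  { rule: "delimiter-spoof", severity: "medium", re: /(^|\n)\s*(<\|?(system|im_start)\|?>|\[SYSTEM\]|#{2,3}\s*(system|instructions?)\s*:)/i },
  { rule: "tool-coercion", severity: "low", re: /\b(run|execute|call)\b[^.\n]{0,20}\b(tool|command|shell)\b[^.\n]{0,30}\b(without|don'?t)\b[^.\n]{0,15}\b(asking|confirm)/i },
];
const OUTPUT_RULES: Rule[] = [
  { rule: "destructive-command", severity: "high", re: /\brm\s+-[a-z]*(rf|fr)[a-z]*\s+(\/|~|\$HOME)(\s|$)|\bmkfs(\.\w+)?\s|\bdd\s+[^\n]*of=\/dev\/(sd|nvme|disk)/im },
  { rule: "pipe-to-shell", severity: "high", re: /\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z|)sh\b/i },
  { rule: "permission-loosening", severity: "medium", re: /\bchmod\s+(-R\s+)?[0-7]?777\b|\bchown\s+(-R\s+)?root\b/i },
  { rule: "env-dump", severity: "low", re: /\b(printenv|env)\s*$|\bcat\s+[^\n]*\.env\b/im },
];
// Secret shapes worth catching before they leave the host in a URL, header or request body.
const SECRET_RULES: Rule[] = [
  { rule: "aws-access-key", severity: "high", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: "github-token", severity: "high", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { rule: "private-key-block", severity: "high", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { rule: "bearer-token", severity: "medium", re: /\bAuthorization:\s*Bearer\s+[A-Za-z0-9._~+/-]{20,}/i },
];

function scan(layer: "input" | "output", text: string, rules: Rule[], sensitivity: Sensitivity): Finding[] {
  const findings: Finding[] = [];
  for (const r of rules) {
    if (RANK[r.severity] < THRESHOLD[sensitivity]) continue;
    const m = r.re.exec(text);
    if (m) findings.push({ layer, rule: r.rule, severity: r.severity, match: m[0].slice(0, 80) });
  }
  return findings;
}

export function validateInput(text: string, sensitivity: Sensitivity = "medium"): { clean: string; findings: Finding[] } {
  const { clean, stripped } = normalizeInput(text);
  // Match on an NFKC-folded copy so fullwidth or compatibility glyphs cannot dodge the regexes.
  const findings = scan("input", clean.normalize("NFKC"), INPUT_RULES, sensitivity);
  if (stripped > 0 && RANK.medium >= THRESHOLD[sensitivity]) {
    findings.push({ layer: "input", rule: "invisible-characters", severity: "medium", match: `${stripped} code points removed` });
  }
  return { clean, findings }; // findings are what a security event log would record
}

export function validateOutput(text: string, sensitivity: Sensitivity = "medium"): { decision: Decision; findings: Finding[] } {
  const findings = [...scan("output", text, OUTPUT_RULES, sensitivity), ...scan("output", text, SECRET_RULES, sensitivity)];
  const worst = findings.reduce((acc, f) => Math.max(acc, RANK[f.severity]), 0);
  const leaksSecret = findings.some((f) => SECRET_RULES.some((s) => s.rule === f.rule));
  // Secrets in outbound content are blocked outright; risky commands go to the user for confirmation.
  const decision: Decision = leaksSecret ? "block" : worst >= RANK.medium ? "confirm" : "allow";
  return { decision, findings };
}
```

Pattern lists of this kind are a tripwire, not a boundary: they catch the commodity payloads and give the security event log something to record, but a determined attacker will paraphrase around them, which is why the output layer (what the agent is about to do) matters more than the input layer (what it was told).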

Metadata

Assignees: none
Labels: bug (Something isn't working), security, documentation
Type: none
Projects: none
Milestone: none
Relationships: none
Development: no branches or pull requests