Clarify env-var executable behavior reports in SECURITY.md

[jacobtomlinson]

Summary

• Clarify that control over the OpenClaw process environment, launcher environment, or child-process environment is inside the trusted host/operator boundary.
• Add environment-variable-driven executable behavior changes to the common false-positive and out-of-scope report categories unless a separate OpenClaw boundary bypass lets untrusted input set or mutate that environment.
• Cover env vars that redirect lookup paths, preload code, select wrappers/interpreters, alter package-manager or runtime hooks, or make one executable invoke another.

Review note: SECURITY.md is covered by @openclaw/openclaw-secops in CODEOWNERS.

Verification

• pnpm docs:list
• git diff --check
• git diff --check upstream/main...HEAD

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 9, 2026, 4:50 PM ET / 20:50 UTC.

Summary
The PR adds SECURITY.md guidance that environment-variable-driven executable behavior is inside the trusted host/operator boundary unless untrusted input can separately set or mutate that environment.

PR surface: Docs +4. Total +4 across 1 file.

Reproducibility: not applicable. this is a documentation and security-policy clarification rather than a reproducible runtime bug.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Risk before merge

• [P1] Merging unreviewed security-policy wording could cause maintainers to triage environment-variable executable reports under the wrong boundary model; CODEOWNERS secops review should confirm the scope before merge.

Maintainer options:

1. Wait for secops approval (recommended)
   Have @openclaw/openclaw-secops confirm the SECURITY.md trust-boundary wording before merge.
2. Narrow the policy text
   If secops wants a smaller policy change, revise the wording to preserve valid reports where untrusted input can influence process or child-process environment.

Next step before merge

• [P1] The PR has a protected maintainer label and changes security-policy scope, so it needs human secops review rather than automated repair.

Security
Cleared: The diff changes only SECURITY.md policy text and introduces no code execution, dependency, credential, workflow, or supply-chain change.

Review details

Best possible solution:

Merge the SECURITY.md clarification only after the secops owners confirm the env-var executable wording matches OpenClaw's intended trust model.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a documentation and security-policy clarification rather than a reproducible runtime bug.

Is this the best way to solve the issue?

Yes, pending secops approval: SECURITY.md is the existing report-triage policy surface, and the added lines sit next to related trusted-host and executable-identity guidance.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a4e02cd1dd48.

Label changes

Label changes:

• add P3: This is a small documentation/security-policy clarification with low direct runtime impact.
• add merge-risk: 🚨 security-boundary: The PR changes normative security-report scope, so the risk is policy misclassification of boundary-bypass reports rather than a CI-detectable runtime failure.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The PR is documentation/security-policy text only, so after-fix real behavior proof is not required.

Label justifications:

• P3: This is a small documentation/security-policy clarification with low direct runtime impact.
• merge-risk: 🚨 security-boundary: The PR changes normative security-report scope, so the risk is policy misclassification of boundary-bypass reports rather than a CI-detectable runtime failure.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The PR is documentation/security-policy text only, so after-fix real behavior proof is not required.

Evidence reviewed

PR surface:

Docs +4. Total +4 across 1 file.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	0	0	0	0
Docs	1	4	0	+4
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	1	4	0	+4

What I checked:

• Repository policy read: Root AGENTS.md was read fully; its review guidance makes security docs, CODEOWNERS, and protected-label handling relevant to this PR. (AGENTS.md:1, a4e02cd1dd48)
• Protected security owner: CODEOWNERS assigns /SECURITY.md to @openclaw/openclaw-secops, matching the PR body's review note and making owner approval the main merge gate. (.github/CODEOWNERS:8, a4e02cd1dd48)
• Current security policy context: Current SECURITY.md already frames useful reports around boundary bypasses and lists common false-positive/out-of-scope categories, so the PR is editing the right policy surface. (SECURITY.md:45, a4e02cd1dd48)
• Trust-model consistency check: The security guide documents the one trusted-operator boundary and says exec approvals are guardrails rather than a semantic model of every loader path, which is consistent with the proposed env-var wording. Public docs: docs/gateway/security/index.md. (docs/gateway/security/index.md:17, a4e02cd1dd48)
• PR diff scope: The PR head changes only SECURITY.md, adding four documentation lines and no runtime, workflow, dependency, lockfile, credential, or package metadata changes. (SECURITY.md:49, 46ec9a447b66)
• Whitespace validation: git diff --check against the PR head produced no output, so there were no whitespace errors in the changed file. (SECURITY.md, 46ec9a447b66)

Likely related people:

• openclaw/openclaw-secops: CODEOWNERS explicitly owns SECURITY.md and related security docs, so this group is the primary policy reviewer for the changed file. (role: CODEOWNERS reviewer group; confidence: high; files: SECURITY.md, .github/CODEOWNERS)
• steipete: Git history shows many SECURITY.md trust-boundary and false-positive policy edits by Peter Steinberger, including trusted-host deployment assumptions and interpreter approval scope. (role: security policy history owner; confidence: high; commits: 810218756dc6, daaf211e20fe, d4ec0ed3c78f; files: SECURITY.md, docs/gateway/security/index.md)
• vincentkoc: Recent current-main history and blame for SECURITY.md point to Vincent Koc as a recent contributor touching the file, though not necessarily the policy author for this wording. (role: recent area contributor; confidence: medium; commits: 25160515e05e, 5181e4f7c82b; files: SECURITY.md)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.