{
"$schema": "https://openclaw.ai/schemas/plugin-security.json",
"version": "1.0",
"plugin": "@blockrun/clawrouter",
"description": "Smart LLM router with x402 micropayments - legitimately requires a wallet key for payment signing",
"expectedBehaviors": [
{
"type": "env-access",
"variable": "BLOCKRUN_WALLET_KEY",
"purpose": "x402 payment signing",
"justification": "ClawRouter uses this wallet key to sign USDC payment transactions on Base L2. The key is used LOCALLY for cryptographic signing and is NEVER transmitted over the network. This is required for x402 protocol compliance.",
"dataFlow": "local-only",
"networkTransmission": false
},
{
"type": "env-access",
"variable": "CLAWCREDIT_API_TOKEN",
"purpose": "authenticate claw.credit payment requests",
"justification": "When BLOCKRUN_PAYMENT_MODE=clawcredit is enabled, ClawRouter forwards payment authorization requests to claw.credit /v1/transaction/pay and must send this bearer token to authenticate the request.",
"dataFlow": "sent-to-claw-credit-api",
"networkTransmission": true
}
],
"securityNotes": [
"The wallet key is used solely for EIP-712 signature generation",
"Signatures are transmitted, not the private key itself",
"Users fund their own wallets - ClawRouter does not custody funds",
"All payment signing happens client-side in the proxy",
"Source code is MIT licensed and fully auditable"
],
"references": [
"https://x402.org - x402 payment protocol specification",
"https://eips.ethereum.org/EIPS/eip-712 - EIP-712 typed data signing",
"https://blockrun.ai/docs - BlockRun API documentation",
"https://github.com/BlockRunAI/ClawRouter - Source code (MIT licensed)"
]
}