openclaw.security.json
{
"$schema": "https://openclaw.ai/schemas/plugin-security.json",
"version": "1.0",
"plugin": "@blockrun/clawrouter",
"description": "Smart LLM router with x402 micropayments - legitimately requires wallet key for payment signing",
"expectedBehaviors": [
{
"type": "env-access",
"variable": "BLOCKRUN_WALLET_KEY",
"purpose": "x402 payment signing",
"justification": "ClawRouter uses this wallet key to sign USDC payment transactions on Base L2. The key is used LOCALLY for cryptographic signing and is NEVER transmitted over the network; the signatures it produces are what is transmitted. Signing with this key is required for x402 protocol compliance.",
"dataFlow": "local-only",
"networkTransmission": false
}
],
"securityNotes": [
"The wallet key is used solely for EIP-712 signature generation",
"Signatures are transmitted, not the private key itself",
"Users fund their own wallets - ClawRouter does not custody funds",
"All payment signing happens client-side in the proxy",
"Source code is MIT licensed and fully auditable"
],
"references": [
"https://x402.org - x402 payment protocol specification",
"https://eips.ethereum.org/EIPS/eip-712 - EIP-712 typed data signing",
"https://blockrun.ai/docs - BlockRun API documentation",
"https://github.com/BlockRunAI/ClawRouter - Source code (MIT licensed)"
]
}