claude-code-complete-agent/security/README.md
Kjell Tore Guttormsen 841cd32c66 feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence
Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-05 23:58:59 +02:00


# Security
This directory contains evidence that Claude Code handles the
security challenges documented in OpenClaw's CVE disclosures
(March 2026). Not just claims — scan data, CVE mappings, and
reproducible configuration.
## Documents
| File | What it covers |
|------|---------------|
| `cve-mitigation-map.md` | Each OpenClaw CVE mapped to a specific Claude Code defense |
| `scan-results.md` | Posture and deep scan results (reproducible, dated 2026-04-05) |
| `openclaw-security-assessment.md` | Data-driven 10-category comparison with CVE analysis |
| `permission-modes-explained.md` | The four permission modes and when to use each |
| `auto-mode-explained.md` | Auto Mode: AI safety classifier for autonomous execution |
| `hook-based-guardrails.md` | Building custom security with PreToolUse hooks |
| `nemoclaw-comparison.md` | Honest comparison with NemoClaw's enterprise security |
## The evidence chain
1. **Architecture eliminates 4 CVEs** — No gateway, no ports,
no multi-user auth means CVE-2026-22172, CVE-2026-25253,
CVE-2026-32025, and CVE-2026-32049 cannot occur.
See `cve-mitigation-map.md`.
2. **Configuration blocks 5 CVEs** — Scoped Bash permissions
(16 grants, 26 deny patterns) and hook enforcement prevent
the remaining attack vectors. See `.claude/settings.json`
and `hooks/README.md`.
3. **Code is clean** — Deep scan (10 scanners, 51 files): zero
secrets, zero injection vectors, zero supply chain risk,
zero Unicode attacks. See `scan-results.md`.
4. **The gap is documented** — Posture Grade D without
llm-security plugin, Grade B+ with it. The gap is runtime
hook enforcement, not code or configuration quality.
See `scan-results.md`.
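One way to implement the hook-side enforcement that item 2 describes, as an added example that is not the repo's own hook or the contents of its `.claude/settings.json`: a Python PreToolUse hook that checks each Bash command against a deny list and a scoped allow list, and judges compound commands segment by segment so `ls && rm -rf /` is not waved through on the strength of `ls`. It assumes the hook receives the PreToolUse event as JSON on stdin with `tool_name` and `tool_input.command` and that exiting with status 2 blocks the call; the pattern lists are constructed for illustration, not the repo's 16 grants or 26 deny patterns.

```python
#!/usr/bin/env python3
"""PreToolUse hook: deny list plus scoped allow list for Bash commands.

Assumed contract: one PreToolUse event arrives as JSON on stdin; exiting
with status 2 blocks the tool call and surfaces stderr as the reason.
"""
import json
import re
import shlex
import sys

# Constructed deny patterns (illustrative, not the repo's 26): destructive
# or exfiltration-prone shell idioms, matched against the whole command line.
DENY_PATTERNS = [
    r"\brm\s+-\w*(r\w*f|f\w*r)",      # rm -rf / rm -fr / rm -Rf
    r"\bcurl\b.*\|\s*(ba)?sh\b",      # pipe a download straight into a shell
    r"\bwget\b.*\|\s*(ba)?sh\b",
    r"\bchmod\s+[0-7]*777\b",         # world-writable permissions
    r"\bgit\s+push\s+.*--force\b",    # history rewrite on a shared branch
    r">\s*/dev/sd[a-z]",              # raw block-device writes
]

# Constructed scoped grants (illustrative, not the repo's 16): a segment is
# allowed only if its leading tokens equal one of these tuples exactly.
ALLOW_PREFIXES = [
    ("git", "status"), ("git", "diff"), ("git", "log"), ("git", "add"),
    ("git", "commit"), ("npm", "test"), ("npm", "run"), ("ls",), ("cat",),
]

def split_compound(command):
    """Split on ||, &&, ; and | so every segment is judged on its own."""
    return [s.strip() for s in re.split(r"\|\||&&|;|\|", command) if s.strip()]

def evaluate(event):
    """Return ('allow' | 'block', reason) for one PreToolUse event dict."""
    if event.get("tool_name") != "Bash":
        return "allow", "not a Bash call"
    command = event.get("tool_input", {}).get("command", "")
    for pat in DENY_PATTERNS:                       # deny list wins first
        if re.search(pat, command, re.IGNORECASE):
            return "block", f"deny pattern matched: {pat}"
    for segment in split_compound(command):         # then every segment needs a grant
        try:
            tokens = shlex.split(segment)
        except ValueError:                          # unbalanced quotes: refuse to guess
            return "block", "unparseable command"
        if tokens and not any(tokens[:len(p)] == list(p) for p in ALLOW_PREFIXES):
            return "block", f"no scoped grant covers: {segment}"
    return "allow", "all segments covered by scoped grants"

if __name__ == "__main__":
    decision, reason = evaluate(json.load(sys.stdin))
    if decision == "block":
        print(f"BLOCKED by hook: {reason}", file=sys.stderr)
        sys.exit(2)  # assumed convention: status 2 blocks the tool call
```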
## How to verify
```bash
# Clone and scan yourself:
git clone https://git.fromaitochitta.com/open/claude-code-complete-agent.git
cd claude-code-complete-agent
# Then, inside a Claude Code session with the llm-security plugin installed
# (these are Claude Code slash commands, not shell commands):
/security posture # Configuration assessment
/security scan . # Code-level scan
/security deep-scan . # All 10 deterministic scanners
```
## Honest gaps
- **No kernel isolation.** NemoClaw (Landlock, seccomp, netns)
provides stronger containment than hooks.
- **No network egress filtering.** Use OS-level firewall rules.
- **Single-user only.** No multi-tenant separation.
See `nemoclaw-comparison.md` for the full honest assessment.