NC-OC-001
Webhook signing secret configured
What this checks
Verifies that a webhook signing secret is configured when webhooks are enabled.
Why it matters
Without a signing secret, any actor with knowledge of your webhook URL can send arbitrary commands to your OpenClaw installation.
How to fix it
Set the webhook signing secret environment variable before starting the gateway. See: https://clawvitals.io/docs/NC-OC-001
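The sketch below is an added example, not OpenClaw or ClawVitals code: it shows a binary "secret configured" check and a receiver that fails closed when the secret is missing. The variable names, the HMAC-SHA256 over `<timestamp>.<body>` scheme and the 300-second replay window are all assumptions, since this page does not document the real ones.

```python
import hashlib
import hmac

# Hypothetical names: this page does not name the real variables.
ENABLED_VAR = "EXAMPLE_WEBHOOKS_ENABLED"
SECRET_VAR = "EXAMPLE_WEBHOOK_SIGNING_SECRET"
MAX_SKEW_SECONDS = 300  # assumed replay window


def audit(env):
    """Binary check in the spirit of NC-OC-001 over an environment mapping."""
    if env.get(ENABLED_VAR, "").lower() not in ("1", "true"):
        return "not_applicable"
    return "pass" if env.get(SECRET_VAR, "").strip() else "fail"


def sign(secret, timestamp, body):
    """Sender side: HMAC-SHA256 over '<timestamp>.<body>' (assumed scheme)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def accept(env, timestamp, body, signature, now):
    """Receiver side: reject unless the secret is set and the MAC matches."""
    secret = env.get(SECRET_VAR, "").strip().encode()
    if not secret:
        return False  # fail closed: no secret means nothing can be verified
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale timestamp: treat as a replay
    expected = sign(secret, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample data, not taken from a real installation.
GOOD_ENV = {ENABLED_VAR: "true", SECRET_VAR: "constructed-sample-secret-0123456789"}
BAD_ENV = {ENABLED_VAR: "true"}  # webhooks on, secret missing
BODY = b'{"action": "ping"}'
NOW = 1_700_000_000

if __name__ == "__main__":
    sig = sign(GOOD_ENV[SECRET_VAR].encode(), NOW, BODY)
    print(audit(GOOD_ENV), accept(GOOD_ENV, NOW, BODY, sig, NOW))
    print(audit(BAD_ENV), accept(BAD_ENV, NOW, BODY, sig, NOW))
    print("tampered body accepted:", accept(GOOD_ENV, NOW, BODY + b" ", sig, NOW))
```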
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-001 |
| Domain | OC |
| Severity | Critical |
| Status | Deferred |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
False positive notes
None expected on enabled-webhook installs — this is a binary configuration check.
Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
clawvitals exclude NC-OC-001 reason "your reason here"
Exclusions are auditable and expire automatically. See the exclusions guide.