NC-OC-002
Sandbox mode appropriate for deployment context
What this checks
Checks that sandbox mode is appropriately configured when multi-user heuristics are detected.
Why it matters
Running without sandbox in a multi-user context allows any user to execute arbitrary code on the host system through prompt injection.
How to fix it
If users may be mutually untrusted, split trust boundaries or set agents.defaults.sandbox.mode="all". See: https://clawvitals.io/docs/NC-OC-002
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-002 |
| Domain | OC |
| Severity | High |
| Status | Experimental |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
| OWASP LLM 2025 | LLM06: Excessive Agency |
False positive notes
Single-user personal-assistant deployments will not trigger this โ only multi-user heuristic scenarios.
Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
clawvitals exclude NC-OC-002 reason "your reason here"Exclusions are auditable and expire automatically. See the exclusions guide.