NC-OC-003
No ineffective deny command entries
What this checks
Checks that gateway.nodes.denyCommands entries are all valid, recognized command names.
Why it matters
Ineffective deny entries give a false sense of security โ commands you think are blocked may still be executable.
How to fix it
Use exact command names in gateway.nodes.denyCommands. See: https://clawvitals.io/docs/NC-OC-003
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-003 |
| Domain | OC |
| Severity | High |
| Status | Stable |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
False positive notes
No known false positives โ OpenClaw validates command names against its own registry.
Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
clawvitals exclude NC-OC-003 reason "your reason here"Exclusions are auditable and expire automatically. See the exclusions guide.