NC-OC-004
No open (unauthenticated) groups
What this checks
Checks that no messaging groups are configured with open (unauthenticated) access alongside elevated or runtime tools.
Why it matters
Open groups with elevated tools allow any member to trigger high-impact commands via prompt injection.
How to fix it
Set `groupPolicy="allowlist"` and tighten elevated tool allowlists. See: https://clawvitals.io/docs/NC-OC-004
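The check described above and its fix, as an added example in Python (not ClawVitals or OpenClaw code). The config layout (a `groups` list with `groupPolicy` and `tools` fields) and the set of tool names treated as elevated are assumptions for illustration, not the real OpenClaw schema.

```python
# Added example: flag messaging groups that combine open (unauthenticated)
# access with elevated or runtime tools, then apply the documented fix.
# The config layout below is an assumption, not OpenClaw's real schema.
from typing import Any

# Assumed: tool names that count as elevated/runtime for this check.
ELEVATED_TOOLS = {"shell", "exec", "filesystem_write", "deploy"}

# Constructed sample config (assumed shape).
SAMPLE_CONFIG = {
    "groups": [
        {"name": "ops-chat", "groupPolicy": "open",
         "tools": ["search", "shell"]},
        {"name": "demo-room", "groupPolicy": "open",
         "tools": ["search"]},
        {"name": "release", "groupPolicy": "allowlist",
         "members": ["alice", "bob"], "tools": ["deploy"]},
        {"name": "legacy", "tools": ["exec"]},  # no policy set at all
    ]
}

def is_open(group: dict[str, Any]) -> bool:
    """A group is open unless it explicitly restricts membership.
    Assumption: a missing groupPolicy is treated as open (fail closed)."""
    return group.get("groupPolicy", "open") != "allowlist"

def check_nc_oc_004(config, elevated_tools=ELEVATED_TOOLS, exclusions=()):
    """Return (group name, sorted elevated tools) for every open group that
    also exposes an elevated tool. Names in `exclusions` are skipped."""
    findings = []
    for group in config.get("groups", []):
        name = group.get("name", "<unnamed>")
        if name in exclusions or not is_open(group):
            continue
        risky = sorted(set(group.get("tools", [])) & set(elevated_tools))
        if risky:
            findings.append((name, risky))
    return findings

def remediate(group, elevated_tools=ELEVATED_TOOLS):
    """Apply the documented fix: switch the group to an allowlist policy and
    strip elevated tools so they must be granted deliberately afterwards."""
    fixed = dict(group)
    fixed["groupPolicy"] = "allowlist"
    fixed["tools"] = [t for t in group.get("tools", []) if t not in elevated_tools]
    return fixed
```

Running `check_nc_oc_004(SAMPLE_CONFIG)` reports `ops-chat` and `legacy`; the demo room is open but exposes nothing elevated, and the allowlisted release group is fine.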
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-004 |
| Domain | OC |
| Severity | Critical |
| Status | Stable |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
False positive notes
May fire on intentionally open demo/test groups; use exclusions for known-safe configurations.
Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
```
clawvitals exclude NC-OC-004 reason "your reason here"
```
Exclusions are auditable and expire automatically. See the exclusions guide.