NC-OC-006
Workspace file access scoped
What this checks
Checks that filesystem access is scoped to the workspace when multi-user heuristics are detected.
Why it matters
Unrestricted filesystem access in a multi-user context allows any user to read/write arbitrary files on the host.
How to fix it
Set tools.fs.workspaceOnly=true for multi-user deployments. See: https://clawvitals.io/docs/NC-OC-006
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-006 |
| Domain | OC |
| Severity | High |
| Status | Experimental |
| Data source | openclaw_security_audit |
| Source type | derived |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
| OWASP LLM 2025 | LLM06: Excessive Agency |
False positive notes
Only fires when the multi-user heuristic is active. Single-user deployments are unaffected.
Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
clawvitals exclude NC-OC-006 reason "your reason here"
Exclusions are auditable and expire automatically. See the exclusions guide.