Browser control requires gateway authentication
What this checks
Checks that the OpenClaw gateway has authentication configured when browser control is enabled. If browser control is disabled, this check is automatically skipped.
Why it matters
Browser control exposes a powerful interface for interacting with your agent: it allows full command execution through the browser. Without gateway authentication, browser control is accessible to anyone who can reach your gateway URL, with no credentials required. This combination is effectively an unauthenticated remote command execution interface.
How to fix it
Option A: Set a gateway auth token (recommended)
openclaw gateway auth set --type bearer --token $(openssl rand -hex 32)
openclaw gateway restart
Option B: Disable browser control if not in use
openclaw config set canvas.enabled false
openclaw gateway restart
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-013 |
| Domain | OC |
| Severity | Critical |
| Status | Stable |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| CheckId | browser.control_no_auth |
| Prerequisite | Only evaluated when browser control is enabled |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v1.1.0 |
False positive notes
Only fires when browser control is enabled AND no gateway auth token is set. If browser control is disabled, this control is SKIPPED. If NC-OC-012 also fires (no auth at all), fix NC-OC-012 first; resolving it will also resolve this control.
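The evaluation logic described under "What this checks" and in the false positive notes, written out as an added example (this is not ClawVitals or OpenClaw code). It assumes a configuration layout with `canvas.enabled` and `gateway.auth.type` / `gateway.auth.token`, modelled on the CLI commands above; the sample configurations are constructed. It also evaluates an assumed NC-OC-012 ("no auth at all") alongside NC-OC-013 to show why Option B silences this control but leaves NC-OC-012 firing.

```python
"""Reference evaluation of NC-OC-013 (browser control without gateway auth).

Added example, not ClawVitals or OpenClaw code. The configuration layout
(canvas.enabled, gateway.auth.type, gateway.auth.token) is an assumption
modelled on the CLI commands shown on the page.
"""
import json

SKIPPED, PASS, FAIL = "SKIPPED", "PASS", "FAIL"


def _get(cfg, dotted, default=None):
    """Look up a dotted key such as 'canvas.enabled' in a nested dict."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def gateway_auth_configured(cfg):
    """True when the gateway has an auth type and a non-blank token."""
    auth_type = _get(cfg, "gateway.auth.type")
    token = _get(cfg, "gateway.auth.token")
    return bool(auth_type) and isinstance(token, str) and token.strip() != ""


def evaluate_nc_oc_012(cfg):
    """NC-OC-012 (assumed semantics): gateway has no authentication at all."""
    return PASS if gateway_auth_configured(cfg) else FAIL


def evaluate_nc_oc_013(cfg):
    """NC-OC-013: browser control enabled while gateway auth is missing.

    Prerequisite: only evaluated when browser control (canvas.enabled) is on;
    otherwise the control is SKIPPED rather than passed.
    """
    if not _get(cfg, "canvas.enabled", False):
        return SKIPPED
    return PASS if gateway_auth_configured(cfg) else FAIL


def audit(cfg):
    """Run both controls and return a {control_id: status} dict.

    When NC-OC-012 fails, NC-OC-013 fails for the same root cause, so
    setting the auth token clears both; disabling browser control only
    skips NC-OC-013 and leaves the unauthenticated gateway finding in place.
    """
    return {
        "NC-OC-012": evaluate_nc_oc_012(cfg),
        "NC-OC-013": evaluate_nc_oc_013(cfg),
    }


# Constructed sample configurations (not real OpenClaw config files).
EXPOSED = json.loads('{"canvas": {"enabled": true}, "gateway": {"auth": {}}}')
FIXED_A = json.loads(
    '{"canvas": {"enabled": true},'
    ' "gateway": {"auth": {"type": "bearer", "token": "<64 hex chars>"}}}'
)
FIXED_B = json.loads('{"canvas": {"enabled": false}, "gateway": {"auth": {}}}')

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("option A", FIXED_A), ("option B", FIXED_B)):
        print(name, audit(cfg))
```

Running the block prints the status of both controls for each constructed configuration: the exposed gateway fails both, Option A passes both, and Option B skips NC-OC-013 while NC-OC-012 still fails, which is why the page says to fix NC-OC-012 first.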
Suppress this finding
clawvitals exclude NC-OC-013 reason "your reason here"