SECURITY MODEL


DashBot is built on OpenClaw — but deliberately leaves out its most dangerous features. No inbound ports. No OAuth tokens. No browser automation. No plugins. What's left is a hardened, local-first agent that can't be reached from the outside.

dashbot-security-audit.sh
$ nmap -sT -p- localhost
PORT     STATE   SERVICE
None     —      No inbound listeners found
$ netstat -an | grep LISTEN | grep dashbot
127.0.0.1:*    LISTEN    (localhost-only WebSocket)
$ curl -I http://dashbot-worker:8080
curl: (7) Failed to connect — Connection refused
# Good. Nothing to connect to.
Attack Surface

What DashBot Exposes
vs. What It Doesn't

DashBot's entire network footprint fits in four lines.

DashBot Attack Surface

  • 127.0.0.1 WebSocket (Flutter UI ↔ Dart gateway)
  • Outbound HTTPS to LLM APIs (OpenAI, Anthropic, etc.)
  • Local filesystem access via tool policies
  • Local SQLite database
4 vectors All local or outbound-only

OpenClaw Full Attack Surface

  • 15+ messaging platform OAuth tokens
  • Inbound webhook HTTP endpoints
  • mDNS/Bonjour network discovery
  • Remote gateway RPC ports
  • Headless browser with stored credentials
  • Docker socket access
  • Voice/TTS audio pipeline
  • Plugin/extension code execution
  • IoT device pairing (camera, audio, GPS)
  • Multi-platform mobile + desktop
40+ vectors Inbound, outbound, and lateral
Security by Removal

9 OpenClaw Features
We Deliberately Left Out

Each card is a feature DashBot does not implement — and the attack surface that disappears because of it.

01

Messaging Channels

WhatsApp, Telegram, Discord, Slack, Signal, iMessage, Teams, Matrix, Nostr, SMS, Email — 15+ platforms

Each requires OAuth tokens, API keys, webhook endpoints, and persistent connections to third-party services.

Eliminated

DashBot stores no OAuth tokens for third-party messaging platforms. The only OAuth credential is for OpenAI model access — equivalent to storing an API key, which auth-profiles already do for every LLM provider. It cannot be used to impersonate the user on any communication platform. No inbound webhook endpoints exposed to the internet. No message relay attack surface. No pivot path to any messaging service.

DashBot's OpenAI OAuth — What It Actually Is

DashBot's OAuth is not issuing tokens to third parties. It's the opposite — DashBot is an OAuth client that authenticates the user with OpenAI to obtain an API key for model access. The flow:

1 User clicks Connect with ChatGPT in DashBot
2 Browser opens auth.openai.com with PKCE
3 User logs in with their OpenAI account
4 Callback to localhost:1455 ← never leaves the machine
5 DashBot exchanges the code for an API key with model.request scope
6 API key stored locally in ~/.openclaw/oauth.json
To be precise

“No stored third-party OAuth tokens” needs nuancing. DashBot does store an OpenAI access token, refresh token, and derived API key in oauth.json. But the security context is fundamentally different from OpenClaw's channel OAuth:

DashBot (OpenAI OAuth) OpenClaw (Channel OAuth)
Direction DashBot authenticates to OpenAI External platforms authenticate to OpenClaw
Purpose Access LLM models Send/receive messages as the user
Scope model.request only Full messaging, profile access
Callback localhost:1455 only Public webhook endpoints
Tokens stored 1 provider (OpenAI) 15+ platforms
Impersonation risk Can spend API credits Can send messages as user on WhatsApp, Slack, Discord, etc.
OAuth tokens Webhook endpoints Persistent connections
02

IoT Nodes

Camera feeds, audio capture, GPS tracking, device pairing via Bonjour/mDNS

OpenClaw pairs with remote devices via Bonjour/mDNS for camera feeds, audio capture, GPS tracking, and sensor data.

Eliminated

No network discovery protocol exposure. No device pairing trust model to compromise. No audio/video capture capabilities. No location tracking.

mDNS broadcast Device pairing A/V capture
03

Browser Automation

Playwright-driven headless/headed Chrome with credential storage

OpenClaw controls a headless/headed browser — navigating pages, filling forms, clicking elements, extracting content, and logging into sites with stored credentials.

Eliminated

No browser process to exploit. No stored site credentials. No ability to perform actions on authenticated web sessions. No Chrome extension attack surface.

Stored credentials Session hijacking Chrome exploits
04

Docker / Sandboxing

Container orchestration, Docker socket, sandbox environments

OpenClaw can run tools inside Docker containers and manage sandbox environments for code execution.

Eliminated

No container escape risk. No Docker socket access (which is effectively root). No image pull from untrusted registries.

Docker socket (root) Container escape Untrusted images
05

Remote Gateway / Multi-Gateway

Network-exposed RPC, mDNS auto-discovery, multi-node mesh

OpenClaw supports remote gateway connections over the network and mDNS-based auto-discovery of other instances.

Eliminated

DashBot binds to localhost only — no network-exposed ports, no mDNS broadcast, no remote RPC access. The gateway is unreachable from other machines.

Network ports mDNS broadcast Remote RPC
06

Webhooks

Inbound HTTP endpoints, Gmail pub/sub, service callbacks

OpenClaw accepts inbound HTTP webhooks from external services (Gmail pub/sub, channel callbacks, etc.).

Eliminated

No publicly routable HTTP endpoints. No webhook signature validation to get wrong. No SSRF risk from callback URLs.

Inbound HTTP SSRF Signature bypass
07

Voice Calls / TTS

Phone network integration, text-to-speech, speech recognition

OpenClaw handles voice calls with text-to-speech and speech recognition pipelines.

Eliminated

No audio processing pipeline. No phone network integration. No stored voice data. No deepfake voice attack surface.

Audio pipeline Phone network Voice data
08

Plugin / Extension System

Third-party loadable plugins, extension marketplace

OpenClaw supports loadable plugins that can extend functionality with arbitrary code execution.

Eliminated

No third-party code execution through plugins. No supply chain risk from untrusted extensions. No dependency confusion attacks.

Code execution Supply chain Dependency confusion
09

Multi-Platform Deployment

iOS, Android, macOS, Linux, Raspberry Pi

OpenClaw targets iOS, Android, macOS, Linux, and Raspberry Pi with separate build pipelines and platform-specific code.

Eliminated

Single-platform (Windows) means one attack surface to secure, one build pipeline to audit. No mobile-specific vulnerabilities (app store spoofing, intent hijacking, etc.).

Multi-platform App store spoofing Intent hijacking

The Core Principle

DashBot's security posture is local-first by design. The entire attack surface is:

Flutter UI
localhost:// WebSocket
Dart Gateway
Outbound HTTPS only
LLM APIs
A localhost-only WebSocket between the Flutter UI and the Dart gateway
LLM API calls to configured providers (outbound HTTPS only)
Local filesystem access governed by tool policies (confirm/allow/deny)
A local SQLite database
No inbound network listeners
No third-party platform integrations
No stored OAuth tokens for external services — only LLM API keys
No remote code execution paths

Every removed feature is a removed attack vector.

Paranoid? Good.

Run netstat -an yourself. You'll find exactly one local listener. That's the whole story.

View Plans Ask Us on Discord