| Version | Supported |
|---|---|
| latest | ✅ |
Do not open a public issue for security vulnerabilities.
Instead, please email security concerns to the maintainers privately. You can reach us through the OpenClaw Discord via DM, or open a GitHub Security Advisory.
We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.
ClawPad runs locally and connects to a local OpenClaw gateway. Security concerns include:
- Gateway token exposure — The gateway token should never be committed or exposed in client-side code.
- Path traversal — File operations should be scoped to the configured pages directory.
- XSS via editor content — User-generated markdown/HTML must be sanitized before rendering.
- Dependency vulnerabilities — We monitor dependencies and update regularly.
- Never commit secrets, tokens, or credentials.
- Use environment variables for sensitive configuration.
- Sanitize all user input before rendering or file system operations.
- Keep dependencies up to date (`pnpm audit`).