squad-openclaw 2026.2.1906 → 2026.2.2002
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +39 -6
- package/dist/index.js +743 -665
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -10,8 +10,8 @@ OpenClaw gateway plugin for [Squad](https://squad.ceo) — provides entity regis
|
|
|
10
10
|
| `fs_read`, `fs_write`, `fs_list`, `fs_delete`, `fs_rename`, `fs_mkdir` | Remote filesystem access for browser clients (subject to security restrictions below) |
|
|
11
11
|
| `sql_query` | Restricted SQLite query tool — `sqlite3` only, scoped to `~/.openclaw/squad-ceo-data/` |
|
|
12
12
|
| `squad.version.check`, `squad.version.update` | Plugin version management and self-update |
|
|
13
|
-
| `tools.invoke` | RPC-based tool invocation for relay mode (
|
|
14
|
-
| Cloud relay client | Connects outbound to `relay.squad.ceo` for remote browser access |
|
|
13
|
+
| `tools.invoke` | RPC-based tool invocation for relay mode — **only invokes this plugin's own tools**, each with its own security restrictions (see below) |
|
|
14
|
+
| Cloud relay client | **Disabled by default (opt-in).** Connects outbound to `relay.squad.ceo` for remote browser access |
|
|
15
15
|
|
|
16
16
|
## Security Model
|
|
17
17
|
|
|
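Review bot: The new `tools.invoke` row says it "only invokes this plugin's own tools", which reads as a narrow scope, but the rows directly above list `fs_write`, `fs_delete`, `fs_rename` and `squad.version.update` (self-update) among those tools. State in the row that the remotely invocable set includes file mutation and self-update, and replace "(see below)" with a link to the `## Remote Tool Invocation` section so the reader lands on the restrictions. The Cloud relay row would also be easier to audit if it named the controlling key (`relay.enabled`) instead of only saying "opt-in".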
@@ -66,11 +66,13 @@ These files/directories cannot be written to, even if they fall within `allowedR
|
|
|
66
66
|
|
|
67
67
|
## Relay Security
|
|
68
68
|
|
|
69
|
+
> **The cloud relay is DISABLED by default. No outbound connections are made unless the operator explicitly sets `relay.enabled: true`.** Installing this plugin alone does NOT create any network surface — the relay code is never executed until opted in.
|
|
70
|
+
|
|
69
71
|
The cloud relay enables remote browser access to the gateway through `relay.squad.ceo`.
|
|
70
72
|
|
|
71
73
|
### Opt-in Only
|
|
72
74
|
|
|
73
|
-
The relay is **disabled by default
|
|
75
|
+
The relay is **disabled by default** (`relay.enabled` defaults to `false`). The plugin entry point checks this flag **before** calling `startRelayClient()` — if the flag is not set or is `false`, no relay code runs, no WebSocket is opened, and no connection metadata is sent anywhere. The operator must explicitly enable it by setting `relay.enabled: true` in the plugin configuration.
|
|
74
76
|
|
|
75
77
|
### Authentication
|
|
76
78
|
|
|
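Review bot: The added blockquote under `## Relay Security` states "No outbound connections are made" and "does NOT create any network surface" without qualification, yet the same README documents `squad.version.check` and `squad.version.update` as talking to the npm registry. Scope the sentence to the relay ("No relay connections are made ...") or document separately when the version check runs. The rewritten "Opt-in Only" paragraph also asserts that the entry point checks the flag before calling `startRelayClient()`; the file list shows `package/dist/index.js +743 -665` in this release, so that assertion should be reviewed against that file and, ideally, backed by a test that the README can point to. The blockquote and the paragraph now say the same thing twice; one of them can be trimmed.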
@@ -93,17 +95,48 @@ The relay-client's device identity must be **explicitly approved by the operator
|
|
|
93
95
|
The relay-client reads `gateway.auth.token` from `~/.openclaw/openclaw.json` via direct `fs.readFileSync`. This is intentional and safe:
|
|
94
96
|
|
|
95
97
|
- The relay-client runs **server-side, in the gateway's own process** — equivalent to the gateway reading its own config
|
|
96
|
-
- The token is **never sent to the relay server or the browser** — only injected into local `localhost:18789` WebSocket connections
|
|
98
|
+
- The token is **never sent to the relay server or the browser** — it is only injected into **local** `localhost:18789` WebSocket connections on the same machine
|
|
97
99
|
- The token is **never exposed through the filesystem tool API** — `gateway.auth.*` is redacted in `filesystem.ts`
|
|
98
100
|
- Direct file read is used because the plugin config API doesn't expose the full gateway config
|
|
99
101
|
|
|
102
|
+
**Token flow (important for security auditing):**
|
|
103
|
+
|
|
104
|
+
```
|
|
105
|
+
Browser ──[connect request]──> relay.squad.ceo ──[relay.forward]──> relay-client
|
|
106
|
+
│
|
|
107
|
+
Token is injected HERE, in memory, │
|
|
108
|
+
into the connect request. │
|
|
109
|
+
▼
|
|
110
|
+
relay-client ──[modified request]──> localhost:18789 (gateway)
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
The relay server only sees the outer `relay.forward` envelope. It **never** receives the modified request containing the token. The token injection happens entirely within the relay-client process, and the modified message is sent over a **local loopback** connection to the gateway. A compromised relay server cannot intercept the operator token because it never traverses the relay — it only exists on the `localhost:18789` path.
|
|
114
|
+
|
|
115
|
+
## Remote Tool Invocation (`tools.invoke`)
|
|
116
|
+
|
|
117
|
+
The `tools.invoke` gateway method allows the browser to call plugin tools over WebSocket (used in relay mode where there is no HTTP path). This is **not** a generic RPC gateway — it is scoped exclusively to the tools registered by **this plugin**:
|
|
118
|
+
|
|
119
|
+
| Tool | What it can access | Restrictions |
|
|
120
|
+
|---|---|---|
|
|
121
|
+
| `fs_read`, `fs_write`, `fs_list`, `fs_delete`, `fs_rename`, `fs_mkdir` | `~/.openclaw/` only | All 4 security layers apply (blocked dirs, blocked files, redaction, allowed roots, write protection) |
|
|
122
|
+
| `sql_query` | `~/.openclaw/squad-ceo-data/*.db` only | sqlite3 only, no shell, no command injection (see below) |
|
|
123
|
+
| `entity_list`, `entity_search`, `entity_sync` | In-memory entity index | Read-only metadata (names, types, paths) |
|
|
124
|
+
| `squad.version.check`, `squad.version.update` | npm registry | Read-only check + controlled `npm install` |
|
|
125
|
+
|
|
126
|
+
It **cannot** invoke gateway core tools (`exec`, `bash`, `read`, `write`, `web_fetch`, etc.) — only the tools this plugin registers via `api.registerTool()`. Every invoked tool enforces its own security restrictions independently — `tools.invoke` is just a transport layer, not a privilege escalation.
|
|
127
|
+
|
|
128
|
+
**Authentication chain for relay access:** Browser JWT → relay claim token → operator-approved device pairing → operator auth token (localhost only). All four must be valid for a `tools.invoke` call to reach the gateway.
|
|
129
|
+
|
|
100
130
|
## SQL Query Tool
|
|
101
131
|
|
|
132
|
+
> **`sql_query` can only access the plugin's own application data** in `~/.openclaw/squad-ceo-data/`. It cannot read or modify any other files on the system — not system databases, not user documents, not gateway configuration.
|
|
133
|
+
|
|
102
134
|
The `sql_query` tool provides restricted SQLite access:
|
|
103
135
|
|
|
104
|
-
- **Path restriction:** Database files must be within `~/.openclaw/squad-ceo-data/`
|
|
136
|
+
- **Path restriction:** Database files must be within `~/.openclaw/squad-ceo-data/` — the plugin's own data directory containing entity registries and application state. Paths outside this directory are rejected before any query is executed.
|
|
105
137
|
- **No shell:** Uses `execFile` (not `exec`) — arguments are passed as an argv array, preventing command injection
|
|
106
|
-
- **No arbitrary commands:** Only `sqlite3` is executed
|
|
138
|
+
- **No arbitrary commands:** Only `sqlite3` is executed — no other binary can be invoked through this tool
|
|
139
|
+
- **Data scope:** The databases in `squad-ceo-data/` contain only Squad application data (entity metadata, search indexes, user preferences). No credentials, tokens, or gateway configuration is stored in these databases.
|
|
107
140
|
|
|
108
141
|
## Build Transparency
|
|
109
142
|
|
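Review bot: In the `tools.invoke` table, the `squad.version.update` row makes a "controlled `npm install`" reachable over the relay, which is hard to reconcile with "not a privilege escalation" two lines later unless "controlled" is defined. Spell out what is fixed (package name, version source, whether install scripts run) or exclude the update tool from remote invocation. In the same table the `fs_*` row says "All 4 security layers apply" but the parentheses list five items. The authentication chain says "All four must be valid", while the token-flow text above says the operator auth token is injected by the relay-client itself, so from the caller's side only three checks are presented; word the chain so it is clear which links the remote party must actually satisfy. In the SQL section, the listed restrictions cover the database path and the binary but not the SQL text, so the claim that `sql_query` "cannot read or modify any other files on the system" needs a line on how statements that open other files, such as `ATTACH DATABASE`, are handled.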