Perform security assessment for strictly local Ollama setup
This commit adds `SECURITY_ASSESSMENT_LOCAL.md`, which provides a detailed audit of Moltbot for users who want to run the assistant entirely locally using Ollama. The assessment identifies potential data leakage points (update checks, cloud-capable tools), audits model fallback logic to prevent accidental cloud usage, verifies Gateway binding and authentication, and provides a hardened configuration template. Co-authored-by: samibs <1743891+samibs@users.noreply.github.com>
This commit is contained in:
parent
9688454a30
commit
d3dbf002e4
103
SECURITY_ASSESSMENT_LOCAL.md
Normal file
103
SECURITY_ASSESSMENT_LOCAL.md
Normal file
@ -0,0 +1,103 @@
|
||||
# Moltbot Security Assessment: "Strictly Local" Usage
|
||||
|
||||
This report assesses the security of Moltbot for a "strictly local" deployment using local LLMs (Ollama) and ensuring no sensitive data leaves the machine.
|
||||
|
||||
## 1. Outbound Data Leakage Audit
|
||||
|
||||
### Update Checks
|
||||
Moltbot checks for updates on startup by querying the npm registry (`registry.npmjs.org`). This leaks the fact that Moltbot is being run and the version being used.
|
||||
* **Risk**: Low (Metadata leak).
|
||||
* **Mitigation**: Set `update.checkOnStart: false` in `moltbot.json`.
|
||||
|
||||
### Telemetry & Diagnostics
|
||||
Moltbot includes an OpenTelemetry (OTEL) schema, but no active telemetry is enabled by default to send data to a remote central server.
|
||||
* **Status**: Safe by default.
|
||||
* **Caution**: Avoid enabling `diagnostics.otel.enabled` in production if strict local privacy is required.
|
||||
|
||||
### External Tools
|
||||
The following tools are designed for outbound access and will leak data if used:
|
||||
- `web_fetch`: Fetches content from URLs.
|
||||
- `web_search`: Performs web searches via Brave/Perplexity.
|
||||
- `browser`: Controls a local/remote browser.
|
||||
* **Risk**: High (Content exfiltration if the agent is tricked via prompt injection).
|
||||
* **Mitigation**: Explicitly deny these tools in `tools.deny` or disable them in their respective config sections.
|
||||
|
||||
## 2. Model Isolation & Fallback Audit
|
||||
|
||||
### Provider Fallbacks
|
||||
Moltbot has a fallback mechanism that can transition from a failed primary model to fallbacks. The default provider is `anthropic`.
|
||||
* **Risk**: Medium. If Ollama is unavailable, the system might attempt to talk to Anthropic if a fallback is implicitly configured or if the user hasn't cleared the fallbacks list.
|
||||
* **Mitigation**:
|
||||
- Set `agents.defaults.model.primary` to your Ollama model (e.g., `ollama/llama3`).
|
||||
- Explicitly set `agents.defaults.model.fallbacks: []`.
|
||||
- Ensure no Anthropic/OpenAI API keys or profiles are configured.
|
||||
|
||||
### Model Discovery
|
||||
Cloud-based model discovery (e.g., for Venice, Bedrock) only occurs if those providers are active.
|
||||
* **Status**: Safe as long as cloud providers are not configured.
|
||||
|
||||
## 3. Gateway & Web Security
|
||||
|
||||
### Binding
|
||||
The Moltbot Gateway binds strictly to loopback (`127.0.0.1`) by default.
|
||||
* **Status**: Safe. Access is restricted to the local machine.
|
||||
|
||||
### Authentication
|
||||
Authentication is enforced by default. The Gateway will refuse to start if no token or password is configured (unless using Tailscale).
|
||||
* **Status**: Safe.
|
||||
|
||||
### CSRF & CORS
|
||||
Moltbot does not set CORS headers, effectively blocking cross-origin requests from browsers. Most sensitive actions require a Bearer token or a custom WebSocket handshake, which mitigates CSRF risks from local browsers.
|
||||
* **Risk**: Low.
|
||||
* **Recommendation**: Ensure a strong `gateway.auth.token` is used.
|
||||
|
||||
## 4. Sandbox & Tool Security
|
||||
|
||||
### Untrusted Inputs (WhatsApp/Telegram)
|
||||
When using external channels, the bot receives untrusted input.
|
||||
* **Risk**: High. A malicious message could use prompt injection to trick the bot into running dangerous local commands via the `exec` tool.
|
||||
* **Mitigation**:
|
||||
- Enable Docker sandboxing for all non-main sessions: `agents.defaults.sandbox.mode: "non-main"`.
|
||||
- Tighten `tools.elevated.allowFrom` to only include your own user IDs.
|
||||
- Set `groupPolicy: "allowlist"` for all channels to prevent unauthorized users from interacting with the bot in groups.
|
||||
|
||||
---
|
||||
|
||||
## Recommended Configuration for "Strictly Local" Setup
|
||||
|
||||
Add/update these keys in your `~/.clawdbot/moltbot.json`:
|
||||
|
||||
```json5
|
||||
{
|
||||
"update": {
|
||||
"checkOnStart": false
|
||||
},
|
||||
"agents": {
|
||||
"defaults": {
|
||||
"model": {
|
||||
"primary": "ollama/llama3", // Replace with your Ollama model
|
||||
"fallbacks": []
|
||||
},
|
||||
"sandbox": {
|
||||
"mode": "non-main"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tools": {
|
||||
"deny": ["group:web", "browser", "skills-install"],
|
||||
"elevated": {
|
||||
"enabled": true,
|
||||
"allowFrom": {
|
||||
"whatsapp": ["your-phone-number"],
|
||||
"telegram": ["your-username"]
|
||||
}
|
||||
}
|
||||
},
|
||||
"diagnostics": {
|
||||
"enabled": false
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Summary Verdict
|
||||
Moltbot is **well-suited** for local-only usage, provided the configuration is hardened as described above. The core architecture is local-first, and there are no mandatory "phone home" features that cannot be disabled.
|
||||
Loading…
Reference in New Issue
Block a user