This commit adds `SECURITY_ASSESSMENT_LOCAL.md`, which provides a detailed audit of Moltbot for users who want to run the assistant entirely locally using Ollama. The assessment identifies potential data leakage points (update checks, cloud-capable tools), audits model fallback logic to prevent accidental cloud usage, verifies Gateway binding and authentication, and provides a hardened configuration template. Co-authored-by: samibs <1743891+samibs@users.noreply.github.com>
4.2 KiB
Moltbot Security Assessment: "Strictly Local" Usage
This report assesses the security of Moltbot for a "strictly local" deployment using local LLMs (Ollama) and ensuring no sensitive data leaves the machine.
1. Outbound Data Leakage Audit
Update Checks
Moltbot checks for updates on startup by querying the npm registry (registry.npmjs.org). This leaks the fact that Moltbot is being run and the version being used.
- Risk: Low (Metadata leak).
- Mitigation: Set
update.checkOnStart: falseinmoltbot.json.
Telemetry & Diagnostics
Moltbot includes an OpenTelemetry (OTEL) schema, but no active telemetry is enabled by default to send data to a remote central server.
- Status: Safe by default.
- Caution: Avoid enabling
diagnostics.otel.enabledin production if strict local privacy is required.
External Tools
The following tools are designed for outbound access and will leak data if used:
web_fetch: Fetches content from URLs.web_search: Performs web searches via Brave/Perplexity.browser: Controls a local/remote browser.
- Risk: High (Content exfiltration if the agent is tricked via prompt injection).
- Mitigation: Explicitly deny these tools in
tools.denyor disable them in their respective config sections.
2. Model Isolation & Fallback Audit
Provider Fallbacks
Moltbot has a fallback mechanism that can transition from a failed primary model to fallbacks. The default provider is anthropic.
- Risk: Medium. If Ollama is unavailable, the system might attempt to talk to Anthropic if a fallback is implicitly configured or if the user hasn't cleared the fallbacks list.
- Mitigation:
- Set
agents.defaults.model.primaryto your Ollama model (e.g.,ollama/llama3). - Explicitly set
agents.defaults.model.fallbacks: []. - Ensure no Anthropic/OpenAI API keys or profiles are configured.
- Set
Model Discovery
Cloud-based model discovery (e.g., for Venice, Bedrock) only occurs if those providers are active.
- Status: Safe as long as cloud providers are not configured.
3. Gateway & Web Security
Binding
The Moltbot Gateway binds strictly to loopback (127.0.0.1) by default.
- Status: Safe. Access is restricted to the local machine.
Authentication
Authentication is enforced by default. The Gateway will refuse to start if no token or password is configured (unless using Tailscale).
- Status: Safe.
CSRF & CORS
Moltbot does not set CORS headers, effectively blocking cross-origin requests from browsers. Most sensitive actions require a Bearer token or a custom WebSocket handshake, which mitigates CSRF risks from local browsers.
- Risk: Low.
- Recommendation: Ensure a strong
gateway.auth.tokenis used.
4. Sandbox & Tool Security
Untrusted Inputs (WhatsApp/Telegram)
When using external channels, the bot receives untrusted input.
- Risk: High. A malicious message could use prompt injection to trick the bot into running dangerous local commands via the
exectool. - Mitigation:
- Enable Docker sandboxing for all non-main sessions:
agents.defaults.sandbox.mode: "non-main". - Tighten
tools.elevated.allowFromto only include your own user IDs. - Set
groupPolicy: "allowlist"for all channels to prevent unauthorized users from interacting with the bot in groups.
- Enable Docker sandboxing for all non-main sessions:
Recommended Configuration for "Strictly Local" Setup
Add/update these keys in your ~/.clawdbot/moltbot.json:
{
"update": {
"checkOnStart": false
},
"agents": {
"defaults": {
"model": {
"primary": "ollama/llama3", // Replace with your Ollama model
"fallbacks": []
},
"sandbox": {
"mode": "non-main"
}
}
},
"tools": {
"deny": ["group:web", "browser", "skills-install"],
"elevated": {
"enabled": true,
"allowFrom": {
"whatsapp": ["your-phone-number"],
"telegram": ["your-username"]
}
}
},
"diagnostics": {
"enabled": false
}
}
Summary Verdict
Moltbot is well-suited for local-only usage, provided the configuration is hardened as described above. The core architecture is local-first, and there are no mandatory "phone home" features that cannot be disabled.