OpenClaw Security Sprint: Unicode Obfuscation, WebSocket Limits, Webhook Hardening

Vincent Koc lands six security-focused commits addressing command injection vectors, pre-auth resource exhaustion, and webhook authentication gaps.

About the Author

Vincent Koc is a core maintainer of OpenClaw, leading security hardening initiatives and infrastructure reliability work across the project.

The Coordinated Push

Today's commit log shows a systematic security audit in action. Six hardening commits landed within a two-hour window, each addressing a distinct attack surface. This isn't coincidental bug-fixing — it's coordinated defense-in-depth work.

Unicode command obfuscation detection 99170e2

Pre-auth WebSocket handshake limits eff0d5a

LINE webhook signature requirements 48cbfdf

Feishu webhook encrypt key requirements 7844bc8

Feishu reaction chat type preservation 3e730c0

Transcript emission post-compaction 688e3f0

Unicode Command Obfuscation

The most technically interesting fix addresses a subtle attack vector: Unicode characters that look like safe commands but aren't.

Attack Example: An attacker could submit what appears to be ls -la but contains invisible Unicode tag characters or homoglyphs that bypass pattern matching, potentially executing arbitrary commands.

The fix (99170e2) implements several layers of defense:

Normalization: Commands are normalized to canonical Unicode form before validation
Tag character stripping: Unicode tag characters (U+E0000–U+E007F) used for obfuscation are stripped
Length guards: Post-normalization length checks catch expansion attacks
Path boundary requirements: URL suppressions require proper path boundaries to prevent injection

Pre-Auth WebSocket Limits

WebSocket connections are expensive to maintain. If an attacker can open many connections before authentication, they can exhaust server resources without ever proving identity.

The fix (eff0d5a) implements:

Strict byte counting during the pre-auth handshake phase
Payload size caps applied before authentication completes
Connection termination on limit violations

This is classic "fail fast" security: don't let unauthenticated clients consume resources.

Webhook Authentication

Two commits address webhook authentication for messaging platforms:

LINE Webhook Signatures (`48cbfdf`)

LINE's messaging API uses HMAC-SHA256 signatures to verify webhook authenticity. The fix:

Requires signatures in both Express and Node handlers
Validates signatures before parsing request bodies
Rejects missing signatures before any body processing

Feishu Encrypt Key (`7844bc8`)

Feishu (Lark) webhooks support encryption. The fix requires the encrypt key configuration for webhook endpoints, preventing misconfiguration that could accept unverified payloads.

Why This Pattern Matters

OpenClaw has established a rhythm of coordinated security sprints — concentrated pushes that systematically address related attack surfaces. This is more effective than ad-hoc fixes because:

Comprehensive coverage: Reviewing one attack vector often reveals related ones
Consistent patterns: Fixes applied uniformly across similar surfaces (both LINE handlers, both Feishu concerns)
Audit trail: Clustered commits make security work visible and reviewable

For a project handling sensitive operations (executing commands, managing API keys, accessing user data), this systematic approach is essential for maintaining trust.

Previous Security Work

Today's sprint continues a pattern established in earlier hardening efforts:

Valentine's Day Security Blitz — 20+ fixes in a single day
Early March Hardening — Webhook routes, SMS, plugin isolation
Gateway Security — Path canonicalization, exec approvals

OpenClaw Security Sprint: Unicode Obfuscation, WebSocket Limits, Webhook Hardening

About the Author

The Coordinated Push

Unicode Command Obfuscation

Pre-Auth WebSocket Limits

Webhook Authentication

LINE Webhook Signatures (48cbfdf)

Feishu Encrypt Key (7844bc8)

Why This Pattern Matters

Previous Security Work

LINE Webhook Signatures (`48cbfdf`)

Feishu Encrypt Key (`7844bc8`)