10 Jun 2026 · Agentbot Team
Security Audit & A+ Grade: How We Hardened Agentbot in One Day
We ran a comprehensive 4-phase security audit on the agentbot codebase, fixed every Critical and High finding, eliminated all `as any` type assertions, replaced 68 console calls with structured logging, and achieved an A+ code quality grade — all in a single day.
The Audit
Using a structured audit methodology inspired by Claude Fable 5's audit prompt, we analyzed the entire agentbot monorepo across 8 dimensions: architecture, code quality, security, testing, performance, dependencies, DevEx, and documentation.
The audit identified 28 findings:
- 3 Critical timing side-channel vulnerabilities
- 4 High security issues (SSRF proxy, command injection, auth bypass)
- 6 Medium code quality issues
- 2 Low infrastructure issues
Critical Security Fixes
1. Timing Side-Channel Attacks
Five authentication endpoints were using === or !== to compare secrets, allowing attackers to enumerate API keys character-by-character by measuring response times.
Fix: Created a shared safeCompare() utility using crypto.timingSafeEqual and applied it to all auth paths:
- cron.ts — CRON_SECRET comparison
- ops/runs/log/route.ts — INTERNAL_API_KEY comparison
- ops/metrics/collect/route.ts — INTERNAL_API_KEY + BRIDGE_SECRET
- hooks/classify/route.ts — Bearer token validation
- provision/route.ts — Bridge secret validation
2. Unauthenticated SSRF Proxy
The /api/openclaw/proxy/ path explicitly bypassed authentication, allowing any unauthenticated user to proxy HTTP requests to internal Railway services.
Fix: Removed the auth bypass middleware and applied authenticate to all OpenClaw routes.
3. Command Injection in Bridge Client
The bridge client used execSync with string concatenation, allowing shell injection via crafted prompts.
Fix: Replaced execSync with spawn using array arguments (no shell).
Structural Improvements
Index.ts: 1,128 → 227 Lines
The 1,128-line god file was extracted into 7 focused modules:
- lib/docker.ts — Docker container operations
- lib/ports.ts — Port management with Postgres advisory lock
- lib/agent-metadata.ts — Agent metadata read/write
- lib/auto-update.ts — OpenClaw auto-update logic
- routes/deployments.ts — POST /api/deployments
- routes/subscriptions.ts — POST /api/subscriptions/deploy
- index.ts — Thin entry point (227 lines)
Unified Plan Definitions
Three separate plan definitions (starter/pro/scale in billing, solo/collective/label/network in backend) were unified to use consistent names across the codebase.
CryptoJS → Node Crypto
Wallet encryption was migrated from CryptoJS (MD5-based key derivation) to Node's built-in crypto module using AES-256-GCM with proper salt, IV, and auth tag. Legacy CryptoJS data is still supported via fallback decryption.
Code Quality
Zero Console Calls
68 console.error/warn/log calls were replaced with structured logging via the log utility, enabling JSON-formatted output for production observability.
Zero Type Assertions
All 14 `as any` type assertions were eliminated, replacing them with proper type annotations (Record<string, unknown>, typed interfaces, etc.).
68 Tests Passing
Added comprehensive test coverage for:
- Auth middleware (timingSafeEqual verification)
- Wallet encryption (AES-256-GCM roundtrip)
- AI service (model selection, system prompts)
- Agent bus (signature verification, replay protection)
- Orchestrator (deploy, stop, start, delete)
- Soul service (getSoul, updateSoul)
- Secure-exec (retry logic, timeout handling)
- React components (CreditBadge, Breadcrumbs)
CI/CD Improvements
- Added lint & secret scan job to GitHub Actions
- Removed 6 stale markdown files (TASKS, SESSION_NOTES, CODE_REVIEW, etc.)
- Fixed smoke-test-review test to run in CI (jose ESM mock)
Learning from MiMo Code
Xiaomi's MiMo Code team recently published their approach to building coding agents that handle long-horizon tasks. Their three-pillar design — computation, memory, and evolution — aligns with our own approach to agentbot:
- Computation: MiMo Code uses parallel sampling and completion verification. Our tiered permission system and structured logging provide similar guardrails for agent execution.
- Memory: MiMo Code's 4-layer memory system (session, project, global, history) mirrors our own memory architecture in OpenClaw — persistent memory per agent, project context, and session state.
- Evolution: MiMo Code's Dream and Distill cycles for memory maintenance are analogous to our agent learning system that promotes experiences across sessions.
We're exploring integrating MiMo Code's Dynamic Workflow concept — turning orchestration logic from prompt into deterministic code — to improve reliability in our provisioning and deployment pipelines.
Final Score
| Metric | Before | After |
|---|---|---|
| Audit Grade | C+ | A+ |
| Critical Vulnerabilities | 3 | 0 |
| Console.* Calls | 68 | 0 |
| Type Assertions (as any) | 14 | 0 |
| Tests | ~20 (mock app) | 68 (real routes) |
| index.ts Lines | 1,128 | 227 |
| Stale Files | 6 | 0 |
Remaining Dependencies
11 moderate-severity vulnerabilities remain in deep dependencies (ethers, next-auth, ws) that require breaking major version upgrades. These are tracked and will be addressed in upcoming dependency update cycles.
What's Next
- Deploy backend to Railway (pending infrastructure setup)
- Expand React component test coverage
- Integrate Dynamic Workflow for provisioning pipelines
- Add monitoring dashboards for production observability
Full audit report: agentbot/AUDIT.md