[{"data":1,"prerenderedAt":1388},["ShallowReactive",2],{"help-category-\u002Fsecurity-privacy\u002Fdesktop-app-security":3,"help-article-\u002Fsecurity-privacy\u002Fdesktop-app-security":4,"related-articles-\u002Fsecurity-privacy\u002Fdesktop-app-security":400},[],{"id":5,"title":6,"body":7,"category":381,"description":382,"draft":383,"extension":384,"meta":385,"navigation":386,"order":387,"path":388,"relatedArticles":389,"seo":394,"slug":395,"stem":396,"updatedAt":397,"__hash__":398,"excerpt":382,"searchText":399},"help\u002Fhelp\u002Fsecurity-privacy\u002F07.desktop-app-security.md","Desktop app security",{"type":8,"value":9,"toc":362},"minimark",[10,19,24,35,38,43,59,63,66,70,82,85,92,96,103,147,150,154,161,164,168,183,186,190,193,231,234,238,241,273,276,280,283,300,303,306,310,313,325,329,332,358],[11,12,13,14,18],"p",{},"The MultiClaw desktop app is built on ",[15,16,17],"strong",{},"Tauri v2",", a Rust-based framework designed to minimize the attack surface. Every security layer described below is enabled by default — you don't need to configure anything.",[20,21,23],"h2",{"id":22},"tauri-capability-model","Tauri capability model",[11,25,26,27,30,31,34],{},"The UI runs inside a ",[15,28,29],{},"WebView"," that is designed to have no direct access to the filesystem, processes, or system calls. To perform a privileged operation, the frontend must invoke a declared ",[15,32,33],{},"IPC command"," in the Rust core. Commands not listed in the capability configuration are blocked by the framework.",[11,36,37],{},"This boundary is designed to prevent a compromised script in the UI from escalating to the system layer through undeclared paths. The separation is enforced by Tauri's capability model at the framework level, not by application-layer runtime checks.",[39,40,42],"h3",{"id":41},"what-the-capability-model-covers","What the capability model covers",[44,45,46,53],"ul",{},[47,48,49,52],"li",{},[15,50,51],{},"UI-to-system isolation",": the WebView is designed to be unable to reach the filesystem, execute shell commands, or access system APIs unless a specific IPC command is declared and exposed by the Rust core.",[47,54,55,58],{},[15,56,57],{},"Least privilege by default",": only the commands the app explicitly declares in its capability configuration are available. Everything else is blocked at the framework level.",[39,60,62],{"id":61},"what-the-capability-model-does-not-cover","What the capability model does not cover",[11,64,65],{},"The capability model isolates the WebView from the system. It does not protect against threats that originate outside the app, such as malware running at the OS level or a compromised system process. OS-level security (disk encryption, user account controls, endpoint protection) remains your responsibility.",[20,67,69],{"id":68},"content-security-policy","Content Security Policy",[11,71,72,73,76,77,81],{},"The WebView enforces a strict ",[15,74,75],{},"Content Security Policy (CSP)"," that blocks inline scripts, ",[78,79,80],"code",{},"eval()",", and external script loading. This substantially limits what an attacker can do with a cross-site scripting (XSS) vector in the UI layer.",[11,83,84],{},"The CSP is set at the framework level and applies to every page rendered inside the app. Combined with the Tauri capability model, CSP acts as a second barrier: even if a script bypasses one layer, the other limits what that script can reach.",[86,87,89],"callout",{"type":88},"note",[11,90,91],{},"CSP reduces the impact of XSS but does not eliminate all injection risks. It is one layer in a defense-in-depth approach.",[20,93,95],{"id":94},"webview-rendering-engine","WebView rendering engine",[11,97,98,99,102],{},"Tauri v2 uses the ",[15,100,101],{},"operating system's built-in WebView"," rather than bundling a separate browser engine:",[104,105,106,119],"table",{},[107,108,109],"thead",{},[110,111,112,116],"tr",{},[113,114,115],"th",{},"Platform",[113,117,118],{},"WebView engine",[120,121,122,131,139],"tbody",{},[110,123,124,128],{},[125,126,127],"td",{},"macOS",[125,129,130],{},"WebKit (provided by Safari)",[110,132,133,136],{},[125,134,135],{},"Windows",[125,137,138],{},"WebView2 (provided by Microsoft Edge)",[110,140,141,144],{},[125,142,143],{},"Linux",[125,145,146],{},"WebKitGTK",[11,148,149],{},"Because the WebView is provided by the OS, it receives security patches through your regular OS updates. Keeping your operating system current is one of the most effective ways to maintain desktop app security.",[20,151,153],{"id":152},"update-integrity","Update integrity",[11,155,156,157,160],{},"App updates are signed with ",[15,158,159],{},"minisign"," (Ed25519 public-key cryptography). Before installing an update, the updater verifies the signature against the embedded public key.",[11,162,163],{},"If verification fails, the update is rejected, and your current version stays unchanged. The app does not apply partially downloaded or unsigned updates.",[39,165,167],{"id":166},"how-updates-work","How updates work",[169,170,171,174,177,180],"ol",{},[47,172,173],{},"The app checks for available updates.",[47,175,176],{},"If a new version is found, the app downloads the update package and its signature file.",[47,178,179],{},"The updater verifies the signature against the public key embedded in your current installation.",[47,181,182],{},"If the signature is valid, the update is applied. If not, the update is discarded.",[11,184,185],{},"You can continue using the app while updates download. The update takes effect the next time you restart the app.",[20,187,189],{"id":188},"code-signing","Code signing",[11,191,192],{},"Every release is signed to protect against tampering.",[104,194,195,204],{},[107,196,197],{},[110,198,199,201],{},[113,200,115],{},[113,202,203],{},"Signing method",[120,205,206,213,223],{},[110,207,208,210],{},[125,209,127],{},[125,211,212],{},"Apple Developer ID certificate, notarized by Apple",[110,214,215,217],{},[125,216,135],{},[125,218,219,220,222],{},"Updater artifacts signed with ",[15,221,159],{}," (Ed25519)",[110,224,225,227],{},[125,226,143],{},[125,228,219,229,222],{},[15,230,159],{},[11,232,233],{},"On macOS, the operating system verifies the Developer ID certificate when you first open the app and blocks unsigned or tampered binaries. On Windows and Linux, the OS does not perform native binary verification, but the Tauri updater independently verifies the minisign signature before applying any update.",[39,235,237],{"id":236},"verify-your-installation-on-macos","Verify your installation on macOS",[11,239,240],{},"You can confirm the app's code signature by running this command in Terminal:",[242,243,248],"pre",{"className":244,"code":245,"language":246,"meta":247,"style":247},"language-bash shiki shiki-themes github-light github-dark","codesign --verify --deep --strict \u002FApplications\u002FMultiClaw.app\n","bash","",[78,249,250],{"__ignoreMap":247},[251,252,255,259,263,266,269],"span",{"class":253,"line":254},"line",1,[251,256,258],{"class":257},"sScJk","codesign",[251,260,262],{"class":261},"sj4cs"," --verify",[251,264,265],{"class":261}," --deep",[251,267,268],{"class":261}," --strict",[251,270,272],{"class":271},"sZZnC"," \u002FApplications\u002FMultiClaw.app\n",[11,274,275],{},"If the signature is valid, the command produces no output. If the binary has been tampered with, you'll see an error message.",[20,277,279],{"id":278},"filesystem-access-scope","Filesystem access scope",[11,281,282],{},"The Rust core limits file access to known data directories:",[44,284,285,291,297],{},[47,286,287,290],{},[78,288,289],{},"~\u002F.openclaw\u002F",": agent data, sessions, configuration, and logs managed by OpenClaw",[47,292,293,296],{},[78,294,295],{},"~\u002F.multiclaw\u002F",": app preferences, workflow recordings, drafts, and MultiClaw-specific logs",[47,298,299],{},"The OS temp directory: transient working files",[11,301,302],{},"Requests that target paths outside these directories are not served by the Rust core's file access commands.",[11,304,305],{},"When you attach a file to a chat message or export data, the app uses your operating system's file picker. Access is scoped to the file or location you select — the app does not request broader directory access through this flow.",[20,307,309],{"id":308},"local-data-storage","Local data storage",[11,311,312],{},"Configuration files and session data are stored in the directories listed above. Authentication tokens are stored locally on your machine.",[86,314,316],{"type":315},"tip",[11,317,318,319,321,322,324],{},"If you share your computer, use a separate OS user account. Each OS account has its own ",[78,320,295],{}," and ",[78,323,289],{}," directories, keeping agent data and credentials isolated between users.",[20,326,328],{"id":327},"your-responsibilities","Your responsibilities",[11,330,331],{},"The desktop app handles isolation, signing, and access scoping automatically. These protections work alongside your own security practices, not instead of them:",[44,333,334,340,346,352],{},[47,335,336,339],{},[15,337,338],{},"Keep your OS updated."," WebView security patches arrive through OS updates. Delaying updates delays security fixes.",[47,341,342,345],{},[15,343,344],{},"Don't bypass code signing checks."," On macOS, don't disable Gatekeeper to run unsigned copies of the app. On Windows, install from official channels only.",[47,347,348,351],{},[15,349,350],{},"Use a strong account password."," The app authenticates against MultiClaw Cloud. A weak password on your cloud account undermines the security of your local session.",[47,353,354,357],{},[15,355,356],{},"Lock your computer."," Desktop app sessions persist while the app is open. Lock your screen when you step away to prevent unauthorized access.",[359,360,361],"style",{},"html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":247,"searchDepth":363,"depth":363,"links":364},2,[365,370,371,372,375,378,379,380],{"id":22,"depth":363,"text":23,"children":366},[367,369],{"id":41,"depth":368,"text":42},3,{"id":61,"depth":368,"text":62},{"id":68,"depth":363,"text":69},{"id":94,"depth":363,"text":95},{"id":152,"depth":363,"text":153,"children":373},[374],{"id":166,"depth":368,"text":167},{"id":188,"depth":363,"text":189,"children":376},[377],{"id":236,"depth":368,"text":237},{"id":278,"depth":363,"text":279},{"id":308,"depth":363,"text":309},{"id":327,"depth":363,"text":328},"security-privacy","The desktop app isolates the UI from the system, signs every update, and restricts file access — all enabled by default.",false,"md",{},true,7,"\u002Fsecurity-privacy\u002Fdesktop-app-security",[390,391,392,393],"security-privacy\u002Fsecurity-overview","security-privacy\u002Fdependency-and-supply-chain-security","security-privacy\u002Fnetwork-security","security-privacy\u002Fdata-residency-and-storage",{"title":6,"description":382},"desktop-app-security","help\u002Fsecurity-privacy\u002F07.desktop-app-security","2026-03-30","rA3kcK7wiPbTOZxq3mlIvbAS0xgV-rG_VxIcoNqVJEE","Desktop app security The desktop app isolates the UI from the system, signs every update, and restricts file access — all enabled by default.",[401,678,901],{"id":402,"title":403,"body":404,"category":381,"description":665,"draft":383,"extension":384,"meta":666,"navigation":386,"order":254,"path":667,"relatedArticles":668,"seo":673,"slug":674,"stem":675,"updatedAt":397,"__hash__":676,"excerpt":665,"searchText":677},"help\u002Fhelp\u002Fsecurity-privacy\u002F01.security-overview.md","Security overview",{"type":8,"value":405,"toc":650},[406,417,420,424,427,441,444,451,460,464,467,473,477,480,486,490,512,519,523,526,533,537,543,550,554,560,566,570,573,580,584,587,593,597,602,609,613,616,622,626,629,636,640,643],[11,407,408,409,412,413,416],{},"MultiClaw protects your data through multiple independent security layers: local credential storage, TLS connections, app sandboxing, and zero telemetry. Each layer works on its own, reducing the risk that a single vulnerability leads to broader exposure. The architecture follows ",[15,410,411],{},"defense-in-depth"," principles aligned with ",[15,414,415],{},"ISO\u002FIEC 27001:2022",".",[11,418,419],{},"This article gives you a high-level view of how MultiClaw handles security and privacy. Each section links to a dedicated article with full details.",[20,421,423],{"id":422},"separate-trust-zones","Separate trust zones",[11,425,426],{},"The desktop app, the local OpenClaw gateway, and MultiClaw Cloud operate as three distinct trust zones, each with its own authentication:",[44,428,429,435],{},[47,430,431,434],{},[15,432,433],{},"Desktop app",": connects to MultiClaw Cloud over HTTPS and WSS for API calls, real-time updates, agent configuration, and session data.",[47,436,437,440],{},[15,438,439],{},"Local OpenClaw gateway",": connects to MultiClaw Cloud separately over an authenticated WebSocket secured with short-lived signed tokens. These tokens rotate automatically, so a captured token expires before it can be reused.",[11,442,443],{},"Each connection enforces its own credentials. No zone shares authentication tokens with another.",[11,445,446],{},[447,448],"img",{"alt":449,"src":450},"MultiClaw security architecture — the four components and how they connect across trust boundaries","\u002Fimages\u002Fmulticlaw-security-architecture.png",[11,452,453,454,459],{},"See ",[455,456,458],"a",{"href":457},"\u002Fhelp\u002Fsecurity-privacy\u002Fnetwork-security","Network security"," for details on how each connection is secured.",[20,461,463],{"id":462},"authentication-and-login-security","Authentication and login security",[11,465,466],{},"All authentication is handled by MultiClaw Cloud. You can sign in with email and password or through Multiplai single sign-on (SSO). Sessions use short-lived tokens that rotate automatically, and repeated failed login attempts trigger temporary account lockouts.",[11,468,453,469,472],{},[455,470,463],{"href":471},"\u002Fhelp\u002Fsecurity-privacy\u002Fauthentication-and-login-security"," for details on session handling, token rotation, and lockout policies.",[20,474,476],{"id":475},"roles-and-access-control","Roles and access control",[11,478,479],{},"MultiClaw uses role-based access control (RBAC) in workspaces. Each person is assigned exactly one role — Owner or Member — which determines what they can view, create, and manage. Permissions follow a least-privilege model: users only have access to what their role requires.",[11,481,453,482,485],{},[455,483,476],{"href":484},"\u002Fhelp\u002Fsecurity-privacy\u002Froles-and-access-control"," for the full permission matrix.",[20,487,489],{"id":488},"encryption-at-rest-and-in-transit","Encryption at rest and in transit",[11,491,492,495,496,499,500,503,504,507,508,511],{},[15,493,494],{},"Config values"," are stored in your local config file (",[78,497,498],{},"~\u002F.openclaw\u002Fopenclaw.json",") as plain JSON. The file is not encrypted at rest; it is protected by your operating system's file permissions. Credentials and API keys stored in ",[15,501,502],{},"MultiClaw Cloud"," receive an additional application-layer encryption with ",[15,505,506],{},"AES-256"," on top of AWS disk encryption. All connections to external MultiClaw services use ",[15,509,510],{},"TLS 1.2 or higher",", covering both HTTPS and WebSocket (WSS) traffic. Communication between the desktop app and the local OpenClaw gateway uses an unencrypted connection on localhost only — this traffic never leaves your machine.",[11,513,453,514,518],{},[455,515,517],{"href":516},"\u002Fhelp\u002Fsecurity-privacy\u002Fdata-encryption","Data encryption"," for the full encryption model.",[20,520,522],{"id":521},"local-first-data-storage","Local-first data storage",[11,524,525],{},"Your agents, conversations, and credentials are stored on your machine by default. When you're not connected to a workspace, everything stays local. When you connect to a workspace, conversation transcripts sync to MultiClaw Cloud automatically.",[11,527,453,528,532],{},[455,529,531],{"href":530},"\u002Fhelp\u002Fsecurity-privacy\u002Fdata-residency-and-storage","Data residency and storage"," for details on where your data lives.",[20,534,536],{"id":535},"credential-and-secret-storage","Credential and secret storage",[11,538,539,540,542],{},"Credentials and other sensitive values are stored in your local config file (",[78,541,498],{},") as plain JSON, protected by operating system file permissions. The desktop app does not send stored credentials to MultiClaw Cloud. Each credential is scoped to the context that needs it.",[11,544,453,545,549],{},[455,546,548],{"href":547},"\u002Fhelp\u002Fsecurity-privacy\u002Fhow-credentials-and-secrets-are-stored","How credentials and secrets are stored"," for details on how credentials are stored, scoped, and managed.",[20,551,553],{"id":552},"sandboxed-desktop-app","Sandboxed desktop app",[11,555,556,557,559],{},"The desktop app is built on ",[15,558,17],{},", which enforces a capability-based permission model. The interface layer cannot access your filesystem or start processes on its own. Every sensitive operation goes through an explicitly declared Tauri command, limiting the potential damage from any interface-level vulnerability.",[11,561,453,562,565],{},[455,563,6],{"href":564},"\u002Fhelp\u002Fsecurity-privacy\u002Fdesktop-app-security"," for details on the sandboxing model and capability declarations.",[20,567,569],{"id":568},"browser-extension-isolation","Browser extension isolation",[11,571,572],{},"The MultiClaw Chrome Extension content script is loaded on all pages, but it only captures and transmits interaction data when a recording session is active. Event listeners are registered when the extension loads; they check whether recording is active before capturing anything, and no data is collected or sent between sessions.",[11,574,453,575,579],{},[455,576,578],{"href":577},"\u002Fhelp\u002Fsecurity-privacy\u002Fbrowser-extension-security","Browser extension security"," for full details on what the extension accesses and when.",[20,581,583],{"id":582},"privacy-and-data-handling","Privacy and data handling",[11,585,586],{},"MultiClaw Desktop does not collect usage analytics or telemetry. If the app crashes, the crash log stays on your machine. Conversation content stays on your machine unless you choose to sync it to a workspace. MultiClaw Cloud stores only the account, workspace, and session data needed to operate the service.",[11,588,453,589,592],{},[455,590,583],{"href":591},"\u002Fhelp\u002Fsecurity-privacy\u002Fprivacy-and-data-handling"," for what data MultiClaw collects, how long it's retained, and your rights.",[20,594,596],{"id":595},"signed-updates-and-supply-chain-security","Signed updates and supply chain security",[11,598,156,599,601],{},[15,600,159],{},". Before installing an update, the updater verifies the signature against the published public key and rejects any update with an invalid or missing signature. Third-party dependencies are pinned to exact versions, scanned for vulnerabilities, and reviewed before they ship.",[11,603,453,604,608],{},[455,605,607],{"href":606},"\u002Fhelp\u002Fsecurity-privacy\u002Fdependency-and-supply-chain-security","Dependency and supply chain security"," for the full scanning and review process.",[20,610,612],{"id":611},"allowed-external-connections","Allowed external connections",[11,614,615],{},"MultiClaw makes a fixed, documented set of outbound connections from your machine. Each connection has a specific purpose — API calls, real-time updates, AI execution, or update checks. No undocumented connections are made.",[11,617,453,618,621],{},[455,619,612],{"href":620},"\u002Fhelp\u002Fsecurity-privacy\u002Fallowed-external-connections"," for the full list of endpoints, protocols, and when each connection occurs.",[20,623,625],{"id":624},"incident-reporting","Incident reporting",[11,627,628],{},"If you discover a security vulnerability, you can report it directly to the MultiClaw security team. Reports are acknowledged within 24 hours and follow a structured triage and resolution process.",[11,630,453,631,635],{},[455,632,634],{"href":633},"\u002Fhelp\u002Fsecurity-privacy\u002Fincident-reporting-and-response","Incident reporting and response"," for how to submit a report and what to expect.",[20,637,639],{"id":638},"shared-responsibility","Shared responsibility",[11,641,642],{},"Security in MultiClaw is a shared effort. MultiClaw secures the infrastructure, encrypts data in transit, and hardens the app. You're responsible for protecting your credentials, managing workspace access, and configuring agents appropriately.",[11,644,453,645,649],{},[455,646,648],{"href":647},"\u002Fhelp\u002Fsecurity-privacy\u002Fshared-responsibility-model","Shared responsibility model"," for a clear breakdown of what each party owns.",{"title":247,"searchDepth":363,"depth":363,"links":651},[652,653,654,655,656,657,658,659,660,661,662,663,664],{"id":422,"depth":363,"text":423},{"id":462,"depth":363,"text":463},{"id":475,"depth":363,"text":476},{"id":488,"depth":363,"text":489},{"id":521,"depth":363,"text":522},{"id":535,"depth":363,"text":536},{"id":552,"depth":363,"text":553},{"id":568,"depth":363,"text":569},{"id":582,"depth":363,"text":583},{"id":595,"depth":363,"text":596},{"id":611,"depth":363,"text":612},{"id":624,"depth":363,"text":625},{"id":638,"depth":363,"text":639},"MultiClaw protects your data through layered security, TLS encryption in transit, app sandboxing, and a no-telemetry policy.",{},"\u002Fsecurity-privacy\u002Fsecurity-overview",[669,392,670,671,672],"security-privacy\u002Fdata-encryption","security-privacy\u002Fbrowser-extension-security","security-privacy\u002Fhow-credentials-and-secrets-are-stored","security-privacy\u002Fprivacy-and-data-handling",{"title":403,"description":665},"security-overview","help\u002Fsecurity-privacy\u002F01.security-overview","3x0_VX5XDDMQT5kwODVWQnpjsjlxJfe0Lbg5V4Kim9I","Security overview MultiClaw protects your data through layered security, TLS encryption in transit, app sandboxing, and a no-telemetry policy.",{"id":679,"title":607,"body":680,"category":381,"description":888,"draft":383,"extension":384,"meta":889,"navigation":386,"order":890,"path":891,"relatedArticles":892,"seo":895,"slug":896,"stem":897,"updatedAt":898,"__hash__":899,"excerpt":888,"searchText":900},"help\u002Fhelp\u002Fsecurity-privacy\u002F12.dependency-and-supply-chain-security.md",{"type":8,"value":681,"toc":876},[682,685,689,692,721,724,728,746,750,753,756,761,765,771,777,781,788,791,795,802,815,819,826,833,835,838,871],[11,683,684],{},"Every release of MultiClaw includes third-party code: open-source libraries, language runtimes, and external service integrations. This article explains how MultiClaw controls that supply chain so you know what protections are in place and where your responsibilities begin.",[20,686,688],{"id":687},"how-dependency-pinning-works","How dependency pinning works",[11,690,691],{},"MultiClaw pins every dependency to an exact resolved version before a release ships. Three lockfiles enforce this:",[44,693,694,703,712],{},[47,695,696,699,700],{},[15,697,698],{},"Frontend packages"," (JavaScript\u002FTypeScript): pinned in ",[78,701,702],{},"pnpm-lock.yaml",[47,704,705,708,709],{},[15,706,707],{},"Rust packages",": pinned in ",[78,710,711],{},"Cargo.lock",[47,713,714,717,718],{},[15,715,716],{},"PHP packages"," (MultiClaw Cloud): pinned in ",[78,719,720],{},"composer.lock",[11,722,723],{},"Each build rejects any installed package that differs from the lockfile. This means every build uses the same dependency graph that was tested.",[39,725,727],{"id":726},"lockfiles-and-version-ranges","Lockfiles and version ranges",[11,729,730,731,734,735,734,738,741,742,745],{},"Manifest files (",[78,732,733],{},"package.json",", ",[78,736,737],{},"Cargo.toml",[78,739,740],{},"composer.json",") define version ranges (for example, ",[78,743,744],{},"^1.2.0",") that specify which future versions are acceptable. The lockfiles override those ranges with exact versions. A dependency only moves to a newer version when a developer explicitly updates the lockfile, the test suite passes, and the change goes through code review.",[20,747,749],{"id":748},"vulnerability-scanning","Vulnerability scanning",[11,751,752],{},"Dependency vulnerability scanning is not yet automated in the build pipeline. There are no automated scanning tools running as part of the CI workflow.",[11,754,755],{},"When a dependency is updated, the change is reviewed manually. Vulnerability detection currently relies on developers monitoring advisories during updates rather than continuous automated scanning.",[86,757,758],{"type":88},[11,759,760],{},"Automated vulnerability scanning is planned but not yet in place. Until it is, lockfile pinning limits exposure by ensuring no dependency changes reach a release without a reviewed, committed lockfile update.",[20,762,764],{"id":763},"update-verification","Update verification",[11,766,767,768,770],{},"The desktop app uses the Tauri updater, which signs every release with ",[15,769,159],{}," (Ed25519 public-key signatures). Before installing an update, the updater verifies the cryptographic signature against the public key embedded in the current installation. If verification fails, the update is rejected and your current version stays unchanged.",[11,772,773,774,776],{},"This protects against tampered downloads and man-in-the-middle attacks during the update process. See ",[455,775,6],{"href":564}," for the full update flow and code-signing details.",[39,778,780],{"id":779},"openclaw-binary","OpenClaw binary",[11,782,783,784,787],{},"The OpenClaw binary is not downloaded or managed by MultiClaw. You install it separately using Homebrew, winget, apt, or the OpenClaw install script. The desktop app detects the binary on your system ",[78,785,786],{},"PATH"," and confirms it is a compatible version before connecting to the gateway.",[11,789,790],{},"MultiClaw does not verify the OpenClaw binary's integrity. The binary's authenticity depends on the package manager you used to install it and any code-signing your operating system enforces.",[20,792,794],{"id":793},"third-party-services","Third-party services",[11,796,797,798,801],{},"New third-party services that process your data go through a security review and require a signed ",[15,799,800],{},"Data Processing Agreement (DPA)"," before onboarding. This applies to any service that handles task content, agent output, or account information.",[11,803,804,805,809,810,814],{},"For the current list of subprocessors, contact ",[455,806,808],{"href":807},"mailto:privacy@multiclaw.io","privacy@multiclaw.io",". See the ",[455,811,813],{"href":812},"\u002Fprivacy","Privacy Policy"," for details on how subprocessor changes are communicated.",[20,816,818],{"id":817},"open-source-licensing","Open-source licensing",[11,820,821,822,416],{},"MultiClaw is built on open-source components. Dependencies are selected from projects with OSI-approved licenses to reduce the risk of proprietary or restrictive license obligations. License notices are included in the software distribution, as described in the ",[455,823,825],{"href":824},"\u002Fterms","Terms of Service",[11,827,828,829,832],{},"A ",[15,830,831],{},"software bill of materials (SBOM)"," — a machine-readable inventory of every third-party component in a given release — is planned for a future release. When available, it will let you audit the exact libraries and versions included in any MultiClaw build.",[20,834,328],{"id":327},[11,836,837],{},"Supply-chain security is a shared effort. MultiClaw pins dependencies, signs updates, and reviews third-party services. You are responsible for:",[44,839,840,846,852,865],{},[47,841,842,845],{},[15,843,844],{},"Keeping the desktop app updated."," Auto-updates are enabled by default. Do not disable them — updates include security patches for both MultiClaw and its bundled dependencies.",[47,847,848,851],{},[15,849,850],{},"Keeping your operating system updated."," The desktop app's WebView is provided by your OS. WebView security patches arrive through OS updates.",[47,853,854,857,858,864],{},[15,855,856],{},"Verifying OpenClaw's source."," Since MultiClaw does not verify the OpenClaw binary, install it from an official source (Homebrew, winget, apt, or ",[455,859,863],{"href":860,"rel":861},"https:\u002F\u002Fopenclaw.ai",[862],"nofollow","openclaw.ai",").",[47,866,867,870],{},[15,868,869],{},"Reviewing third-party MCP servers."," MultiClaw does not audit third-party MCP servers you add. Verify the source and permissions of any MCP server before connecting it.",[11,872,873,874,416],{},"For the full breakdown of provider and customer responsibilities, see ",[455,875,648],{"href":647},{"title":247,"searchDepth":363,"depth":363,"links":877},[878,881,882,885,886,887],{"id":687,"depth":363,"text":688,"children":879},[880],{"id":726,"depth":368,"text":727},{"id":748,"depth":363,"text":749},{"id":763,"depth":363,"text":764,"children":883},[884],{"id":779,"depth":368,"text":780},{"id":793,"depth":363,"text":794},{"id":817,"depth":363,"text":818},{"id":327,"depth":363,"text":328},"How MultiClaw pins dependencies, verifies updates, and manages third-party components in the supply chain.",{},12,"\u002Fsecurity-privacy\u002Fdependency-and-supply-chain-security",[390,893,894],"security-privacy\u002Fdesktop-app-security","security-privacy\u002Fshared-responsibility-model",{"title":607,"description":888},"dependency-and-supply-chain-security","help\u002Fsecurity-privacy\u002F12.dependency-and-supply-chain-security","2026-03-31","9fsseaw9NJ60aqjm0MoK2zT-YIuxir-t-ze8VUaFFiA","Dependency and supply chain security How MultiClaw pins dependencies, verifies updates, and manages third-party components in the supply chain.",{"id":902,"title":458,"body":903,"category":381,"description":1378,"draft":383,"extension":384,"meta":1379,"navigation":386,"order":1380,"path":1381,"relatedArticles":1382,"seo":1383,"slug":1384,"stem":1385,"updatedAt":898,"__hash__":1386,"excerpt":1378,"searchText":1387},"help\u002Fhelp\u002Fsecurity-privacy\u002F06.network-security.md",{"type":8,"value":904,"toc":1367},[905,908,912,916,1046,1050,1065,1079,1082,1085,1089,1095,1101,1104,1109,1113,1120,1126,1129,1133,1139,1146,1152,1155,1164,1167,1170,1173,1177,1184,1187,1295,1298,1322,1326,1335,1342,1353,1357],[11,906,907],{},"Every connection MultiClaw makes is encrypted and authenticated. Your machine opens no inbound ports, and each credential stays within its intended trust zone.",[11,909,910],{},[447,911],{"alt":449,"src":450},[20,913,915],{"id":914},"connection-summary","Connection summary",[104,917,918,937],{},[107,919,920],{},[110,921,922,925,928,931,934],{},[113,923,924],{},"Connection",[113,926,927],{},"Protocol",[113,929,930],{},"Authentication",[113,932,933],{},"Data carried",[113,935,936],{},"Notes",[120,938,939,970,988,1008,1028],{},[110,940,941,944,954,957,960],{},[125,942,943],{},"Desktop app → MultiClaw Cloud",[125,945,946,949,950,953],{},[15,947,948],{},"HTTPS"," (REST) and ",[15,951,952],{},"WSS"," (WebSocket)",[125,955,956],{},"Bearer token (persists until logout); WSS uses a separate short-lived HMAC token",[125,958,959],{},"Account, workspace, task, and agent configuration data; real-time status events",[125,961,962,965,966,969],{},[15,963,964],{},"TLS 1.2"," minimum, ",[15,967,968],{},"TLS 1.3"," preferred",[110,971,972,975,979,982,985],{},[125,973,974],{},"Local OpenClaw gateway → MultiClaw Cloud",[125,976,977,953],{},[15,978,952],{},[125,980,981],{},"Long-lived workspace auth token stored locally; per-session short-lived signed token (memory only)",[125,983,984],{},"Heartbeats, agent status, task execution updates, configuration sync",[125,986,987],{},"Separate trust zone from the desktop app; each uses its own credentials",[110,989,990,993,999,1002,1005],{},[125,991,992],{},"Desktop app → local OpenClaw gateway",[125,994,995,998],{},[15,996,997],{},"HTTP on localhost"," (127.0.0.1)",[125,1000,1001],{},"Session token generated at gateway start",[125,1003,1004],{},"Agent commands, conversation messages, local status queries",[125,1006,1007],{},"Not exposed on any network interface",[110,1009,1010,1013,1019,1022,1025],{},[125,1011,1012],{},"Cloud desktop viewer",[125,1014,1015,1018],{},[15,1016,1017],{},"WebRTC DataChannel"," (DTLS\u002FSCTP)",[125,1020,1021],{},"ICE negotiated via MultiClaw Cloud over WSS",[125,1023,1024],{},"JPEG video frames and input events",[125,1026,1027],{},"TURN relay used when direct peer-to-peer is unavailable",[110,1029,1030,1033,1037,1040,1043],{},[125,1031,1032],{},"LLM provider API calls",[125,1034,1035],{},[15,1036,948],{},[125,1038,1039],{},"API key stored encrypted in MultiClaw Cloud, pushed to your instance during config sync",[125,1041,1042],{},"Prompts, model responses, and tool-call payloads",[125,1044,1045],{},"Encrypted at rest and in transit; does not appear in agent responses, transcripts, or logs",[20,1047,1049],{"id":1048},"desktop-app-to-multiclaw-cloud","Desktop app to MultiClaw Cloud",[11,1051,1052,1053,1055,1056,1058,1059,1061,1062,1064],{},"Your desktop app connects to MultiClaw Cloud over ",[15,1054,948],{}," for API calls and ",[15,1057,952],{}," for real-time events. Both require ",[15,1060,964],{}," at minimum; ",[15,1063,968],{}," is preferred when available.",[11,1066,1067,1068,1071,1072,1074,1075,1078],{},"Authentication uses a ",[15,1069,1070],{},"bearer token"," issued when you sign in. The desktop app stores this token in the WebView's local storage, where it persists until you sign out. The ",[15,1073,952],{}," connection uses a separate ",[15,1076,1077],{},"short-lived HMAC token"," that expires and refreshes automatically. Even if a WebSocket token is compromised, its short lifespan limits exposure.",[11,1080,1081],{},"The desktop app always initiates outbound connections. MultiClaw Cloud does not initiate connections back to your machine.",[11,1083,1084],{},"If the HTTPS or WSS connection drops, the desktop app reconnects automatically and re-authenticates with the existing bearer token. You don't need to sign in again unless the token has been revoked (for example, after a password change or a forced sign-out by a workspace owner).",[20,1086,1088],{"id":1087},"local-openclaw-gateway-to-multiclaw-cloud","Local OpenClaw gateway to MultiClaw Cloud",[11,1090,1091,1092,1094],{},"The local OpenClaw gateway maintains its own ",[15,1093,952],{}," connection to MultiClaw Cloud. This connection operates in a separate trust zone from the desktop app — each uses its own credentials and neither shares tokens with the other.",[11,1096,1097,1098,1100],{},"The gateway authenticates with a long-lived workspace auth token stored in ",[78,1099,498],{},". For each WebSocket session, the gateway generates a separate short-lived signed token in memory and does not write it to disk. When the session ends, the gateway discards the token and generates a new one on reconnect.",[11,1102,1103],{},"If the gateway's WebSocket connection drops, the gateway reconnects and generates a fresh short-lived session token. Running tasks continue locally during brief outages — status updates sync to MultiClaw Cloud once the connection is restored.",[11,1105,453,1106,1108],{},[455,1107,548],{"href":547}," for details on how these tokens are managed.",[20,1110,1112],{"id":1111},"desktop-app-to-local-openclaw-gateway","Desktop app to local OpenClaw gateway",[11,1114,1115,1116,1119],{},"The desktop app communicates with the local OpenClaw gateway over ",[15,1117,1118],{},"HTTP on 127.0.0.1"," (localhost). This connection stays on your machine and is not exposed on any network interface — only local software can reach it.",[11,1121,1067,1122,1125],{},[15,1123,1124],{},"session token"," generated when the gateway starts. The gateway verifies the token on every request using HMAC-SHA256 and does not transmit it outside your machine.",[11,1127,1128],{},"Because this connection stays on localhost, it does not use TLS. The traffic never leaves your machine's loopback interface, so network-level interception is not possible under normal operating conditions.",[20,1130,1132],{"id":1131},"cloud-desktop-viewer-webrtc","Cloud desktop viewer (WebRTC)",[11,1134,1135,1136,1138],{},"When you view a cloud desktop, the video stream travels over a ",[15,1137,1017],{}," using DTLS\u002FSCTP encryption. The cloud desktop sends JPEG frames directly to your desktop app, and the two endpoints negotiate a direct connection when possible.",[11,1140,1141,1142,1145],{},"If a direct connection is not possible (for example, due to a restrictive firewall), MultiClaw provides a ",[15,1143,1144],{},"TURN relay"," to carry the stream. The relay forwards encrypted data without decrypting it.",[11,1147,1148,1149,1151],{},"Connection negotiation (ICE candidates) runs through MultiClaw Cloud over the same ",[15,1150,952],{}," channel used for real-time communication. ICE candidate exchange is authenticated through the existing WSS session, so unauthenticated parties cannot inject candidates.",[20,1153,1032],{"id":1154},"llm-provider-api-calls",[11,1156,1157,1158,1161,1162,416],{},"The local OpenClaw gateway calls your LLM provider (for example, ",[78,1159,1160],{},"api.openai.com",") directly over ",[15,1163,948],{},[11,1165,1166],{},"MultiClaw Cloud stores your API key in encrypted form and delivers it to your instance during configuration sync. AES-256-GCM encryption, keyed to the instance token, protects the key in transit. On the instance, the gateway decrypts the key and uses it to call your LLM provider directly.",[11,1168,1169],{},"The API key does not appear in agent responses, transcripts, or logs returned to MultiClaw Cloud.",[11,1171,1172],{},"If you rotate your API key or change providers, update the key in your workspace settings. The new key takes effect on the next configuration sync.",[20,1174,1176],{"id":1175},"outbound-connections-and-ports","Outbound connections and ports",[11,1178,1179,1180,1183],{},"MultiClaw makes only outbound connections from your machine. The desktop app does not open any inbound TCP or UDP ports. The local OpenClaw gateway listens only on ",[15,1181,1182],{},"localhost (127.0.0.1)",", so other devices on your network cannot reach it.",[11,1185,1186],{},"The table below lists every external host and port MultiClaw connects to. Share this with your IT team if you need firewall or proxy allowlisting.",[104,1188,1189,1204],{},[107,1190,1191],{},[110,1192,1193,1196,1199,1202],{},[113,1194,1195],{},"Service",[113,1197,1198],{},"Host",[113,1200,1201],{},"Port",[113,1203,927],{},[120,1205,1206,1224,1240,1260,1276],{},[110,1207,1208,1211,1216,1221],{},[125,1209,1210],{},"MultiClaw Cloud (API + WebSocket)",[125,1212,1213],{},[78,1214,1215],{},"*.multiclaw.io",[125,1217,1218],{},[78,1219,1220],{},"443",[125,1222,1223],{},"HTTPS, WSS",[110,1225,1226,1229,1234,1238],{},[125,1227,1228],{},"Cloud desktop relay (signaling)",[125,1230,1231],{},[78,1232,1233],{},"turn.multiclaw.io",[125,1235,1236],{},[78,1237,1220],{},[125,1239,948],{},[110,1241,1242,1245,1249,1257],{},[125,1243,1244],{},"Cloud desktop relay (media)",[125,1246,1247],{},[78,1248,1233],{},[125,1250,1251,734,1254],{},[78,1252,1253],{},"3478",[78,1255,1256],{},"5349",[125,1258,1259],{},"UDP",[110,1261,1262,1265,1270,1274],{},[125,1263,1264],{},"Auto-updater",[125,1266,1267],{},[78,1268,1269],{},"cdn.multiclaw.io",[125,1271,1272],{},[78,1273,1220],{},[125,1275,948],{},[110,1277,1278,1281,1289,1293],{},[125,1279,1280],{},"LLM providers (varies by config)",[125,1282,1283,1284,734,1286],{},"e.g. ",[78,1285,1160],{},[78,1287,1288],{},"api.anthropic.com",[125,1290,1291],{},[78,1292,1220],{},[125,1294,948],{},[11,1296,1297],{},"You only need to allowlist the LLM provider hosts for the models you've configured.",[86,1299,1300],{"type":315},[11,1301,1302,1303,1306,1307,1309,1310,1313,1314,1316,1317,1321],{},"If your network blocks outbound UDP, set ",[15,1304,1305],{},"WebRTC connection mode"," to ",[15,1308,1144],{}," in ",[15,1311,1312],{},"Settings → Gateway → Browser Automation",". This routes cloud desktop traffic over TCP port ",[78,1315,1220],{}," instead. See ",[455,1318,1320],{"href":1319},"\u002Fhelp\u002Ftroubleshooting\u002Fconnections-blocked-by-a-firewall-or-proxy","Connections blocked by a firewall or proxy"," for full troubleshooting steps.",[20,1323,1325],{"id":1324},"tls-and-certificate-verification","TLS and certificate verification",[11,1327,1328,1329,1331,1332,1334],{},"All external connections use ",[15,1330,964],{}," at minimum, with ",[15,1333,968],{}," preferred when both endpoints support it. The localhost connection between the desktop app and the local OpenClaw gateway is the only unencrypted path, and that traffic never leaves your machine.",[11,1336,1337,1338,1341],{},"TLS certificate verification uses your ",[15,1339,1340],{},"operating system's trust store",". MultiClaw does not currently pin certificates — it trusts the same certificate authorities your OS trusts.",[86,1343,1345],{"type":1344},"warning",[11,1346,1347,1348,321,1350,1352],{},"If your network uses deep packet inspection (DPI) that intercepts and re-signs TLS traffic, WebSocket and WebRTC connections may fail even when the domain is allowlisted. Ask your IT team to exclude ",[78,1349,1215],{},[78,1351,1233],{}," from DPI inspection.",[20,1354,1356],{"id":1355},"proxy-support","Proxy support",[11,1358,1359,1360,321,1363,1366],{},"MultiClaw respects the system ",[78,1361,1362],{},"HTTP_PROXY",[78,1364,1365],{},"HTTPS_PROXY"," environment variables. Set these in your shell profile or system environment settings before launching the app. No additional proxy configuration is needed inside MultiClaw.",{"title":247,"searchDepth":363,"depth":363,"links":1368},[1369,1370,1371,1372,1373,1374,1375,1376,1377],{"id":914,"depth":363,"text":915},{"id":1048,"depth":363,"text":1049},{"id":1087,"depth":363,"text":1088},{"id":1111,"depth":363,"text":1112},{"id":1131,"depth":363,"text":1132},{"id":1154,"depth":363,"text":1032},{"id":1175,"depth":363,"text":1176},{"id":1324,"depth":363,"text":1325},{"id":1355,"depth":363,"text":1356},"How MultiClaw secures every network connection using TLS, authenticated tokens, and no inbound ports.",{},6,"\u002Fsecurity-privacy\u002Fnetwork-security",[390,669,671],{"title":458,"description":1378},"network-security","help\u002Fsecurity-privacy\u002F06.network-security","yeEOmYYO8SAKtVIU9P-lN5DuDXT7TsATmI06m_VuXt8","Network security How MultiClaw secures every network connection using TLS, authenticated tokens, and no inbound ports.",1778463887981]