Skip to content

Security: cj-wang-sowork/atlas-Enterprise-AI-Self-Learning-Skills-System-

Security

SECURITY.md

Security Policy

This document outlines how we handle security vulnerabilities and maintain the security of the openclaw-workspace-sowork project.

Reporting a Vulnerability

⚠️ DO NOT create public GitHub issues to report security vulnerabilities.

Instead, please report security issues responsibly by:

  1. Email: Send details to the project maintainer
    1. GitHub Security Advisory: Use GitHub's private vulnerability reporting feature
      1. Response Time: We aim to respond to reports within 48 hours

      2. What to Include in a Report

        • Clear description of the vulnerability
          • Steps to reproduce (if applicable)
            • Potential impact
              • Suggested fix (if you have one)
                • Your contact information

                • Security Considerations

                • Data Isolation & Memory Protection

                  • MEMORY.md is intentionally security-gated and only loads in main sessions
                    • MEMORY.md is never loaded in group chats or sub-agent sessions
                      • The AGENTS.md boot sequence explicitly gates: "Main session only: Read MEMORY.md"
                        • All memory files are stored in memory/ directory with separate access controls

                        • Workspace Security

                          • All workspace files are plain Markdown — no executable code
                          • No external API calls in core workspace files
                          • No embedded scripts or potential injection vectors
                          • Configuration is explicit and auditable

                          • Credentials & Sensitive Data

                          • Never commit API keys, tokens, or credentials
                          • Never commit personal memory files or conversation history
                          • All sensitive files are covered by .gitignore
                          • Use environment variables for runtime secrets (see TOOLS.md)

                          • Five-Layer Learning Security

                          • The workspace implements Hermes-inspired five-layer learning with security at each level:

                            1. Enterprise Level (learn/enterprise/) - Organization-wide patterns (no PII)
                              1. Brand Level (learn/brand/) - Brand guidelines and positioning (public-safe)
                                1. Department Level (learn/department/) - Team-specific knowledge (internal-only)
                                  1. Team Level (learn/team/) - Direct team learnings (member-access)
                                    1. Personal Level (learn/personal/) - Individual patterns (private-only)

                                    2. Each level has:

                                    3. Access control markers (@public, @internal, @private)
                                    4. Version tracking for auditing
                                    5. Separation from MEMORY.md (confidential context)

                                    6. Dependency & Supply Chain Security

                                    7. This workspace has zero production dependencies — it's pure configuration
                                    8. No npm packages, pip packages, or external binaries required
                                    9. Installation is purely file-copy based
                                    10. No automated package updates needed

                                    11. GitHub Repository Settings

                                    12. We maintain the following security measures:

                                    13. ✅ Secret scanning alerts enabled
                                    14. ✅ Dependabot alerts disabled (zero dependencies)
                                    15. ✅ Code scanning ready (optional, template-based)
                                    16. ⚠️ Private vulnerability reporting (recommended for users to enable)
                                    17. ✅ Branch protection on main (enforced in settings)

                                    18. Workspace File Security

                                    19. | File | Contains | Risk Level | Security |

                                    20. |------|----------|-----------|----------|

                                    21. | AGENTS.md | Boot logic, routing | Low | Auditable, no execution |

                                    22. | SOUL.md | Brand identity | Low | Non-sensitive config |

                                    23. | MEMORY.md | Context & history | HIGH | Security-gated, main-session only |

                                    24. | TOOLS.md | API configs | Medium | Env-var based, no hardcoding |

                                    25. | USER.md | Team preferences | Low | General knowledge, no PII |

                                    26. | memory/* | Session logs | HIGH | Local storage, not version-controlled |

                                    27. | outputs/* | Agent output | Medium | May contain generated content |

                                    28. Incident Response

                                    29. If a security incident is discovered:

                                      1. Report it via the vulnerability disclosure process above
                                        1. We will investigate and provide an update within 48 hours
                                        2. A patch will be released if needed
                                        3. We will credit the reporter (unless they prefer anonymity)

                                        4. Known Limitations

                                        5. This is a configuration template, not a security framework
                                        6. Users are responsible for securing their own .env files and API keys
                                        7. Deploy with proper authentication in production environments
                                        8. Review all customizations for security implications

                                        9. Best Practices for Users

                                        10. Environment Variables: Store all credentials in .env files (ignored by git)
                                        11. Access Control: Use OS-level file permissions on memory/ and MEMORY.md
                                        12. Regular Audits: Review workspace files for accidental credential leakage
                                        13. MEMORY Isolation: Ensure AGENTS.md security gates are not bypassed
                                        14. Deployment: Use proper secret management in production (e.g., GitHub Secrets, HashiCorp Vault)

                                        15. Compliance

                                        16. This workspace is designed to support:

                                        17. GDPR: Separate data layers prevent PII leakage
                                        18. SOC 2: Auditable configuration, no hidden operations
                                        19. ISO 27001: Clear access controls and logging
                                        20. Internal policies: Customizable via USER.md and AGENTS.md

                                        21. Questions?

                                        22. For security questions that are not vulnerability reports, please open a regular GitHub Issue with the security label.

There aren't any published security advisories