security: remove read tool to prevent direct fixture access#35
Draft
roykollensvendsen wants to merge 2 commits into
Draft
security: remove read tool to prevent direct fixture access#35roykollensvendsen wants to merge 2 commits into
roykollensvendsen wants to merge 2 commits into
Conversation
The read tool gives agents direct access to raw fixture files (inbox.json, tasks.json, calendar.json) and reference policies (AGENTS.md.optimized), bypassing the intended tool-mediated data access. This enables gaming by reading evaluation data directly instead of using the proper tools. No scenario scoring requires read tool calls, and analysis of 30+ evaluations shows zero read usage by agents in practice. USER.md (the only legitimate read target) is already auto-loaded into the agent context by OpenClaw. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Keeps run_batch.py consistent with the openclaw.json.template change — local batch runs should also not expose the read tool. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remove the
readtool from the allowed tools list inopenclaw.json.templateand all scenario definitions.Problem
The
readtool gives agents direct access to raw fixture files for the current scenario. Verified by callinghandle_readdirectly:This lets an agent bypass the intended tool-mediated access (
himalaya,slack,memory_get) and get all evaluation data in one call — perfect answers with minimal cost.What read CANNOT access (path traversal is blocked)
_is_withincheck)Why this is safe to remove
read— no rubric checks forreadtool calls across all 5 scenariosreadreadtarget is already injected into agent context by OpenClawmemory_getcovers memory files — memory access has its own dedicated toolBroader context
The current security model relies on the integrity judge checking that AGENTS.md doesn't instruct gaming, rather than the environment enforcing access boundaries. The
readtool is the most clear-cut example — it provides a direct path to raw fixture data that bypasses the tool-mediated access scenarios are designed to test.Worth considering in future work:
tool_policyin pack.json is not enforced by OpenClaw — only the gateway allow-list inopenclaw.jsonmattersChanges
config/openclaw.json.template— removereadfrom allow listscenarios/*.yaml— removereadfrom tools list (all 5 scenarios)🤖 Generated with Claude Code