From a38bd4d3a2165798948c788a9ca190b323c7c2e1 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Tue, 6 Jan 2026 19:35:40 +0100 Subject: [PATCH] docs(security): explain allowlists terminology --- docs/security.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/security.md b/docs/security.md index 4d8184f5b..1dcdafcc5 100644 --- a/docs/security.md +++ b/docs/security.md @@ -52,6 +52,20 @@ When `dmPolicy="pairing"` and a new sender messages the bot: This is intentionally “boring”: it’s a small, explicit handshake that prevents accidental public bots (especially on discoverable platforms like Telegram). +## Allowlists (DM + groups) — terminology + +Clawdbot has *two* separate “who can trigger me?” layers: + +- **DM allowlist** (`allowFrom` / `discord.dm.allowFrom` / `slack.dm.allowFrom`): who is allowed to talk to the bot in direct messages. + - When `dmPolicy="pairing"`, approvals are written to a local store under `~/.clawdbot/credentials/-allowFrom.json` (merged with config allowlists). +- **Group allowlist** (provider-specific): which groups/channels/guilds the bot will accept messages from at all. + - Common patterns: + - `whatsapp.groups`, `telegram.groups`, `imessage.groups`: per-group defaults like `requireMention`; when set, it also acts as a group allowlist (include `"*"` to keep allow-all behavior). + - `groupPolicy="allowlist"` + `groupAllowFrom`: restrict who can trigger the bot *inside* a group session (WhatsApp/Telegram/Signal/iMessage). + - `discord.guilds` / `slack.channels`: per-surface allowlists + mention defaults. + +Details: https://docs.clawd.bot/configuration and https://docs.clawd.bot/groups + ## Prompt injection (what it is, why it matters) Prompt injection is when an attacker (or even a well-meaning friend) crafts a message that manipulates the model into doing something unsafe:
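Review bot: In the **Group allowlist** bullet, `groupPolicy="allowlist"` + `groupAllowFrom` is filed under "which groups/channels/guilds the bot will accept messages from at all", but its own text says it restricts who can trigger the bot *inside* a group session, so it is a sender filter, not a group filter. For a terminology section I would give it its own item or reword the parent bullet, so the "two layers" framing holds. In the same list, the `whatsapp.groups` / `telegram.groups` / `imessage.groups` line says that setting the key makes it act as an allowlist and that `"*"` keeps allow-all behavior, which implies the unset default is allow-all. Please state that default explicitly, because as written, adding one per-group `requireMention` entry also changes which groups are accepted. In the DM allowlist sub-bullet, the store path reads `~/.clawdbot/credentials/-allowFrom.json` with nothing before the hyphen. If a placeholder was intended there, write it in a form that survives rendering. Since approvals are "merged with config allowlists", the section should also say whether removing a sender from config revokes an approval already held in that store, and if not, how to revoke it.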