Security fixes target the current main branch of clawdbot-go.
Report vulnerabilities privately by opening a GitHub security advisory for the repository or by contacting the maintainer listed on the GitHub profile. Do not publish exploit details until a fix is available.
Never commit real API keys, wallet keypairs, private keys, install ledgers, or
generated runtime state. The repository is configured to ignore .env, build
caches, binaries, Rust target/, Next .next/, and TypeScript incremental
artifacts.
The web console redacts config secrets by default. Only set
GOBOT_WEB_EXPOSE_SECRETS=1 for a trusted local debugging session.
Run the hardened verification path before publishing changes:
make release-checkBuild and release with Go 1.26.4 or newer. Older 1.26 toolchains contain
reachable standard-library vulnerabilities reported by govulncheck.
When available, also run:
govulncheck ./...Trading and funding paths must remain dry-run by default. Any live transfer or trade must require explicit user opt-in and bounded limits.