| Version | Supported |
|---|---|
| Latest (master) | ✅ Yes |
| Older releases | ❌ No — please update |
If you discover a security vulnerability in OCA, please do NOT open a public GitHub issue.
Instead, report it privately via:
- GitHub Security Advisories: Report a vulnerability
- Email: Contact the maintainer via GitHub profile
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We aim to respond within 72 hours and will credit you in the fix.
OCA runs with elevated privileges on Android (Termux + optional root). Key security notes:
- SSH: OCA sets up an SSH server on port 8022. Use strong passwords and consider key-based auth.
- Root (`oca-root`): The root wrapper limits which commands can be run as root. Never run untrusted scripts with `tsu`.
- AI CLIs: API keys are stored in environment variables. Keep your `.bashrc` private.
- Network: OCA binds services to `0.0.0.0` by default. Use a firewall or limit to local network.
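A quick way to check the network note above on a device is to look for listeners bound to every interface. The helper below is an added example, not part of OCA; it assumes `ss -ltn` style output (iproute2) and the sample text is constructed, not captured from a real install.

```sh
#!/bin/sh
# Constructed sample in the shape of `ss -ltn` output (not from a real OCA device).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8022       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::]:8022          [::]:*
LISTEN 0      128    [::1]:5555         [::]:*'

# wildcard_listeners "<ss -ltn text>"
# Prints "addr:port" for every listener bound to all interfaces
# (0.0.0.0, [::] or *). Loopback-only listeners are not reported.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # everything before it
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print addr ":" port
    }'
}

# Stand-alone report over the constructed sample. On a device, replace the
# sample with the real listing: wildcard_listeners "$(ss -ltn)"
exposed=$(wildcard_listeners "$SAMPLE_SS_OUTPUT")
if [ -n "$exposed" ]; then
    echo "Listeners reachable from any interface (restrict with ListenAddress or a firewall):"
    echo "$exposed"
else
    echo "No wildcard listeners found."
fi
```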
In scope:
- Installation scripts (`install.sh`, `bootstrap.sh`, `oca.sh`)
- Platform patches (`patches/`)
- Root access wrapper (`scripts/setup-root.sh`)
Out of scope:
- Upstream OpenClaw vulnerabilities → report to openclaw
- Third-party AI CLI tools (Claude, Gemini, Codex, Qwen)