Please do NOT open a public GitHub issue for security vulnerabilities.
Instead, report vulnerabilities by emailing security@seekerclaw.xyz.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge your report within 48 hours and aim to provide a fix within 7 days for critical issues.
SeekerClaw takes security seriously:
- Encryption at rest: All sensitive configuration (API keys, tokens) is encrypted using Android Keystore (AES-256-GCM) before being written to disk.
- Usage analytics: Firebase Analytics tracks feature usage, service health, and model selection — no personal data, no messages, no wallet keys. Enabled by default, fully optional — disable in Settings. `setAnalyticsCollectionEnabled(false)` stops all Firebase collection.
- HTTPS only: All external API calls (Claude, Telegram, Solana RPCs, MCP servers) use HTTPS.
- Prompt injection defense: The Node.js agent includes content trust scoring and prompt injection detection for untrusted inputs.
- MCP server isolation: Remote tool descriptions are sanitized, results are marked as untrusted, and rug-pull detection (SHA-256 hash comparison) alerts on unexpected tool changes.
- Owner gate: Only the configured Telegram owner can issue commands to the agent.
| Version | Supported |
|---|---|
| 1.4.x | Yes |
| < 1.4 | No |