---
title: "OpenClaw 2026.2.12: /hooks/agent rejects request-supplied sessionKey overrides by default (plus a batch of security hardening)"
author: Jinx
date: 2026-02-14
lastmod: 2026-02-14
tags: ["OpenClaw", "security", "updates"]
---

If you run OpenClaw as a "local AI gateway", I recommend at least skimming the 2026.2.12 update.

It is not a "new features" release. It is closer to: **the places where you could previously trip up, or get attacked, have been tightened up in one pass**.

Source (official release):
- Releases list: <https://github.com/openclaw/openclaw/releases>
- v2026.2.12 (the release page is linked from the list): <https://github.com/openclaw/openclaw/releases/tag/v2026.2.12>

## Breaking: /hooks/agent rejects payload sessionKey overrides by default

The official wording (quoted verbatim so nothing is lost in paraphrase):

> Hooks: POST /hooks/agent now rejects payload sessionKey overrides by default. To keep fixed hook context, set hooks.defaultSessionKey (recommended with hooks.allowedSessionKeyPrefixes: ["hook:"]). If you need legacy behavior, explicitly set hooks.allowRequestSessionKey: true.

In plain terms:

Previously, an external request could carry a `sessionKey` in its body and thereby route its message into whatever session it named.

That is now refused by default.

I think this is the right call: **an external entry point that can name any sessionKey is, in effect, caller-controlled routing**. Whoever can reach the hook endpoint can inject into whichever session they choose, and that is a hard security boundary to defend.

### Migration options (per the official note)

- Preferred: set `hooks.defaultSessionKey`, combined with `hooks.allowedSessionKeyPrefixes: ["hook:"]`, so hook traffic is pinned to a fixed session context.
- If you genuinely have a legacy integration that depends on the request choosing the sessionKey: explicitly set `hooks.allowRequestSessionKey: true` (but then authentication and abuse controls on that entry point are on you).

(Personally I would go with the first; it is less to worry about.)

## Other things I care about: SSRF and browser-control authentication

In the 2026.2.12 Fixes, the maintainers list several security items:

- an SSRF deny policy, an allowlist and audit logging for URL inputs (input_file / input_image)
- loopback browser-control HTTP routes now require auth (and a token is auto-generated when none is configured)

My takeaway after reading: **OpenClaw is increasingly becoming a service you can leave running long-term without it being easy to break into**.

## A very short self-check list

If you plan to upgrade, or already have, go through these in order:

1. Do you use `/hooks/agent` with a `sessionKey` passed in the request? If so, read the Breaking note now.
2. Do you expose any HTTP entry point to the public internet or your LAN? If so, make sure auth/tokens are configured on every one of them.
3. Do you have a workflow that "hands the model a URL to fetch a file or image"? If so, check whether the allowlist affects it.

Upgrading is usually a matter of "not wanting the hassle".

But with security, a little hassle is usually the cheaper option.
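To make the Breaking section and the migration options concrete, here is an added example that is not OpenClaw's own code: a small JavaScript model of the sessionKey policy as the release note describes it, run against the three configurations a migrating user is likely to have (the legacy "caller picks the session" setup, the recommended pinned default with a `hook:` prefix list, and legacy behaviour kept but fenced by the prefix list). The three config keys are the ones the note names; the function name, the result shape, the HTTP status codes, the assumption that the prefix list also constrains request-supplied keys, and the fallback when no default is configured are illustrative assumptions. The webhook body is constructed.

```javascript
// Added example, not OpenClaw's own code: a model of the /hooks/agent
// sessionKey policy described in the 2026.2.12 release note. The config keys
// (hooks.defaultSessionKey, hooks.allowedSessionKeyPrefixes,
// hooks.allowRequestSessionKey) come from the note; the function, result
// shape, status codes and no-default fallback are assumptions for illustration.

// Pre-upgrade style config: the caller decides where the message lands.
const LEGACY_HOOKS = { allowRequestSessionKey: true };

// Recommended post-upgrade config: every hook call lands in one pinned
// session, and only "hook:"-prefixed keys are ever acceptable.
const RECOMMENDED_HOOKS = {
  defaultSessionKey: 'hook:ops-alerts',
  allowedSessionKeyPrefixes: ['hook:'],
};

// Legacy override kept on purpose, but fenced: a caller can pick a session,
// yet never an operator's "agent:" session.
const LEGACY_WITH_GUARDRAIL = {
  allowRequestSessionKey: true,
  defaultSessionKey: 'hook:ops-alerts',
  allowedSessionKeyPrefixes: ['hook:'],
};

function resolveHookSessionKey(hooks = {}, payload = {}) {
  const prefixes = Array.isArray(hooks.allowedSessionKeyPrefixes)
    ? hooks.allowedSessionKeyPrefixes
    : null;
  // Assumption: the prefix list applies to any key, whether from config or request.
  const allowedByPrefix = (key) => prefixes === null || prefixes.some((p) => key.startsWith(p));
  const requested = typeof payload.sessionKey === 'string' ? payload.sessionKey : undefined;

  if (requested !== undefined) {
    // Default since 2026.2.12: a sessionKey in the body is an error, not a hint.
    if (hooks.allowRequestSessionKey !== true) {
      return {
        ok: false,
        status: 403,
        reason: 'payload sessionKey overrides are disabled; set hooks.allowRequestSessionKey: true to opt in',
      };
    }
    if (!allowedByPrefix(requested)) {
      return { ok: false, status: 403, reason: `sessionKey must start with one of: ${prefixes.join(', ')}` };
    }
    return { ok: true, sessionKey: requested, source: 'request' };
  }

  if (typeof hooks.defaultSessionKey === 'string' && hooks.defaultSessionKey !== '') {
    // Misconfiguration: the pinned default itself violates the prefix list.
    if (!allowedByPrefix(hooks.defaultSessionKey)) {
      return { ok: false, status: 500, reason: 'hooks.defaultSessionKey does not match hooks.allowedSessionKeyPrefixes' };
    }
    return { ok: true, sessionKey: hooks.defaultSessionKey, source: 'config' };
  }

  // Assumption: with no default configured the hook has no fixed context and
  // the gateway picks a fresh session; modelled here as sessionKey undefined.
  return { ok: true, sessionKey: undefined, source: 'ephemeral' };
}

// Constructed webhook body, of the kind a monitoring system might POST. It
// tries to steer the message into the operator's main session.
const ALERT_BODY = { message: 'disk usage at 91% on db-01', sessionKey: 'agent:main' };

function runScenarios() {
  return {
    defaultConfigWithOverride: resolveHookSessionKey({}, ALERT_BODY),
    recommendedWithOverride: resolveHookSessionKey(RECOMMENDED_HOOKS, ALERT_BODY),
    recommendedWithoutOverride: resolveHookSessionKey(RECOMMENDED_HOOKS, { message: ALERT_BODY.message }),
    legacyUnfenced: resolveHookSessionKey(LEGACY_HOOKS, ALERT_BODY),
    legacyFenced: resolveHookSessionKey(LEGACY_WITH_GUARDRAIL, ALERT_BODY),
    legacyFencedHookKey: resolveHookSessionKey(LEGACY_WITH_GUARDRAIL, { ...ALERT_BODY, sessionKey: 'hook:alerts' }),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The scenario worth staring at is `legacyUnfenced`: with only `allowRequestSessionKey: true` and no prefix list, the alert lands in `agent:main` exactly as before the upgrade, which is the behaviour the release makes opt-in. If you must keep the override, pair it with `allowedSessionKeyPrefixes` so the worst a caller can do is pick among hook sessions.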
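The SSRF item in the Fixes list and item 3 of the checklist are about the same control, so here is an added example that is not OpenClaw's own code: a JavaScript URL guard of the shape the note describes (deny policy for internal addresses, an optional host allowlist, and an audit line per decision), which you can run against the URLs your own workflows hand to input_file / input_image to see which ones a policy like this would refuse. It goes beyond the note in covering the address forms that commonly slip past naive checks: decimal IPv4 (`http://2130706433/`), bracketed IPv6, and IPv4-mapped IPv6 in both dotted and hex form. The function names, the policy object shape and the audit format are illustrative assumptions; all sample URLs are constructed.

```javascript
// Added example, not OpenClaw's own code: a URL guard modelling the SSRF deny
// policy + allowlist + audit logging that the 2026.2.12 fixes describe for
// URL inputs. Function names, policy shape and audit format are assumptions.

// The WHATWG URL parser (Node's `URL`) canonicalises IPv4 hosts, so decimal,
// octal and hex spellings arrive here already as dotted-decimal.
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// IPv4 space a fetcher must never be pointed at.
function isInternalIPv4(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 ||                          // 0.0.0.0/8 (reaches localhost on Linux)
    a === 10 ||                         // RFC 1918
    a === 127 ||                        // loopback
    (a === 169 && b === 254) ||         // link-local, incl. 169.254.169.254 cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127)  // CGNAT shared space
  );
}

// IPv6 equivalents, plus IPv4-mapped addresses that smuggle an IPv4 target.
function isInternalIPv6(ip) {
  const h = ip.toLowerCase();
  if (h === '::' || h === '::1') return true;   // unspecified / loopback
  if (/^fe[89ab]/.test(h)) return true;         // link-local fe80::/10
  if (/^f[cd]/.test(h)) return true;            // unique local fc00::/7
  if (h.startsWith('::ffff:')) {                // IPv4-mapped ::ffff:a.b.c.d or ::ffff:hhhh:hhhh
    const rest = h.slice(7);
    if (IPV4_RE.test(rest)) return isInternalIPv4(rest);
    const parts = rest.split(':');
    if (parts.length === 2) {
      const hi = parseInt(parts[0], 16);
      const lo = parseInt(parts[1], 16);
      return isInternalIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
  }
  return false;
}

// policy.allowlist (optional): hostnames; a host matches an entry exactly or
// as a subdomain of it. Returns { allowed, host, reason }.
function checkUrlPolicy(rawUrl, policy = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { allowed: false, host: null, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, host: null, reason: `scheme ${url.protocol} not permitted` };
  }
  if (url.username || url.password) {
    return { allowed: false, host: null, reason: 'credentials embedded in URL' };
  }
  let host = url.hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1); // IPv6 literal
  const deny = (reason) => ({ allowed: false, host, reason });

  if (host === 'localhost' || host.endsWith('.localhost')) return deny('localhost is not fetchable');
  if (IPV4_RE.test(host) && isInternalIPv4(host)) return deny('internal IPv4 address');
  if (host.includes(':') && isInternalIPv6(host)) return deny('internal IPv6 address');

  if (Array.isArray(policy.allowlist)) {
    const ok = policy.allowlist.some((entry) => {
      const e = entry.toLowerCase();
      return host === e || host.endsWith('.' + e);
    });
    if (!ok) return deny('host not in allowlist');
  }
  // Literal-address and allowlist checks only: a hostname that resolves to an
  // internal address (DNS rebinding) must also be checked at resolve time.
  return { allowed: true, host, reason: 'ok' };
}

// One audit line per decision, in a grep-friendly key=value layout.
function auditLine(rawUrl, decision, tool = 'input_file') {
  const verdict = decision.allowed ? 'allow' : 'deny';
  return `ssrf-policy tool=${tool} decision=${verdict} host=${decision.host ?? '-'} reason="${decision.reason}" url=${JSON.stringify(rawUrl)}`;
}

// Constructed sample inputs, run with and without an allowlist.
const SAMPLE_URLS = [
  'http://169.254.169.254/latest/meta-data/',
  'http://2130706433/',
  'http://[::ffff:10.0.0.5]/',
  'https://user:pw@example.com/',
  'https://cdn.example.com/diagram.png',
];
for (const u of SAMPLE_URLS) console.log(auditLine(u, checkUrlPolicy(u, { allowlist: ['example.com'] })));
```

When you run this over your own URL list (checklist item 3), the `deny ... host not in allowlist` lines tell you which existing workflows an allowlist would break; the `internal IPv4/IPv6 address` lines are the ones you want to see denied regardless.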