diff --git a/src/commands/doctor-security.ts b/src/commands/doctor-security.ts
index 28d9b6f782..45fb85e4f7 100644
--- a/src/commands/doctor-security.ts
+++ b/src/commands/doctor-security.ts
@@ -6,6 +6,7 @@ import type { OpenClawConfig, GatewayBindMode } from "../config/config.js";
 import { resolveGatewayAuth } from "../gateway/auth.js";
 import { isLoopbackHost, resolveGatewayBindHost } from "../gateway/net.js";
 import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
+import { normalizeStringEntries } from "../shared/string-normalization.js";
 import { note } from "../terminal/note.js";
 
 export async function noteSecurityWarnings(cfg: OpenClawConfig) {
@@ -84,7 +85,9 @@ export async function noteSecurityWarnings(cfg: OpenClawConfig) {
   }) => {
     const dmPolicy = params.dmPolicy;
     const policyPath = params.policyPath ?? `${params.allowFromPath}policy`;
-    const configAllowFrom = (params.allowFrom ?? []).map((v) => String(v).trim());
+    const configAllowFrom = normalizeStringEntries(
+      Array.isArray(params.allowFrom) ? params.allowFrom : undefined,
+    );
     const hasWildcard = configAllowFrom.includes("*");
     const storeAllowFrom = await readChannelAllowFromStore(params.provider).catch(() => []);
     const normalizedCfg = configAllowFrom
diff --git a/src/security/audit-channel.ts b/src/security/audit-channel.ts
index f0522b32ed..363d5dfe70 100644
--- a/src/security/audit-channel.ts
+++ b/src/security/audit-channel.ts
@@ -9,13 +9,11 @@ import { formatCliCommand } from "../cli/command-format.js";
 import { resolveNativeCommandsEnabled, resolveNativeSkillsEnabled } from "../config/commands.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
+import { normalizeStringEntries } from "../shared/string-normalization.js";
 import type { SecurityAuditFinding, SecurityAuditSeverity } from "./audit.js";
 
 function normalizeAllowFromList(list: Array<string | number> | undefined | null): string[] {
-  if (!Array.isArray(list)) {
-    return [];
-  }
-  return list.map((v) => String(v).trim()).filter(Boolean);
+  return normalizeStringEntries(Array.isArray(list) ? list : undefined);
 }
 
 function classifyChannelWarningSeverity(message: string): SecurityAuditSeverity {