OpenClaw
Security

OpenClaw Security Best Practices

OpenClaw gives an AI agent system-level access to your machine. That power is also the risk. This guide distills the most important hardening steps from community experts into three progressive tiers you can follow regardless of your hosting platform.

Synthesized from multiple expert sources. See sources at the bottom.

Accounts You Should Never Connect

Regardless of how well you harden your setup, these accounts should never be connected to OpenClaw. Even a single misconfiguration or prompt injection could compromise them.

× Primary email accounts
× Banking or financial services
× Password managers (1Password, Bitwarden)
× Work accounts (Slack, Google Workspace)
× Social media with irreplaceable history
× Cryptocurrency wallets or exchanges
× Government or healthcare portals
× Your primary GitHub account

The rule: Every account connected to OpenClaw should be one you could lose without significant impact. Use dedicated burner accounts for notifications, bot tokens, and test repos.

The Threat Model

Assume OpenClaw will process untrusted input — messages from new users, web search results, pasted logs, links. Attackers will try to:

Expose the gateway

Make the gateway port reachable from the internet to hijack your instance.

Prompt injection

Hide instructions inside emails, documents, or web pages that trick the agent into running commands.

Credential theft

Steal API keys from disk, environment variables, logs, or memory files.

Supply chain attacks

Swap or inject malicious code through skill updates and dependencies.

The goal isn't to make OpenClaw "perfectly safe" — it's to build a setup where a single failure is annoying, not catastrophic.

1

Essential Security

If you skip these, don't run OpenClaw.

Run on isolated hardware

Never run OpenClaw on your primary machine. Use a VPS, spare laptop, or Raspberry Pi. If the agent is compromised, the attacker only gets access to that isolated environment — not your workstation with SSH keys and browser sessions.

Bind gateway to localhost

The single most important configuration. Never bind to 0.0.0.0. Exposed gateways are found by scanners within hours.

# gateway.yaml

gateway:

host: "127.0.0.1"

port: 18789

# Verify it's bound correctly

ss -tlnp | grep 18789

# Should show 127.0.0.1:18789, NOT 0.0.0.0:18789

Use Tailscale or SSH tunnels for remote access

Never open port 18789 in your firewall. Instead, use encrypted tunnels:

# SSH port forwarding

ssh -N -L 18789:127.0.0.1:18789 user@your-server-ip

# Then open http://localhost:18789 locally

# Or install Tailscale for always-on private access

curl -fsSL https://tailscale.com/install.sh | sh

tailscale up --ssh

Lock down file permissions

Credential files must be readable only by the OpenClaw user. This is basic but constantly skipped.

chmod 700 ~/.openclaw

chmod 600 ~/.openclaw/openclaw.json

chmod 600 ~/.openclaw/gateway.yaml

chmod -R 600 ~/.openclaw/credentials/

Enable gateway auth and disable mDNS

Keep device authentication enabled so misrouted requests can't take over your instance. Disable mDNS to stop broadcasting your installation on the local network.

# gateway.yaml

controlUi:

dangerouslyDisableDeviceAuth: false

mdns:

enabled: false

Set DM policy to pairing or allowlist

Prevent strangers from sending commands to your bot. Never use "dmPolicy": "open" with "allowFrom": ["*"].

# openclaw.json

"channels": {

"whatsapp": { "dmPolicy": "pairing" },

"telegram": { "dmPolicy": "pairing" }

}

Run the built-in security audit

OpenClaw checks for common misconfigurations. Run this after setup and every few weeks.

openclaw security audit --deep

2

Recommended Hardening

Where most users should aim. The best effort-to-protection ratio.

Use tool allowlists, not denylists

Denylists fail because attackers find alternatives. With an allowlist, if a command isn't listed, it cannot run.

# tools.yaml — only these commands can execute

tools:

shell:

allowlist:

- "ls"

- "cat"

- "grep"

- "head"

- "tail"

- "find"

Restrict filesystem access

Scope the agent to specific directories. A prompt injection that steals SSH keys starts with the agent being able to read ~/.ssh.

# tools.yaml

filesystem:

allowedPaths:

- "/home/openclaw/workspace"

deniedPaths:

- "~/.ssh"

- "~/.aws"

- "~/.openclaw/credentials"

- "/etc"

Harden your channels

Each messaging platform has its own attack surface:

  • WhatsApp: Use DM pairing or allowlist with specific phone numbers. Use a dedicated number.
  • Discord: Require mentions in guilds. Disable DMs. Limit to specific channels.
  • Telegram: Use the official Bot API. Keep DMs pairing-only.

Encrypt credentials at rest

Default plaintext storage makes credentials easy targets. Use age or pass to encrypt sensitive config files.

# Encrypt with age

age-keygen -o ~/.age-key.txt

chmod 600 ~/.age-key.txt

age --encrypt --armor --recipient $(cat ~/.age-key.txt | grep "public key" | cut -d: -f2) \

< ~/.openclaw/openclaw.json > ~/.openclaw/openclaw.json.age

Lock down MCP servers

Each MCP server is code running with your agent's permissions. Use explicit allowlists, pin versions, and disable risky servers like filesystem, shell, and ssh.

  • Never use "enableAllProjectMcpServers": true
  • Always version pin: "version": "0.3.0" (not "latest")
  • Set "autoUpdate": false

Monitor weekly, maintain monthly

Set up automated checks for exposed ports, disabled auth, prompt injection patterns in session logs, and unusual API usage spikes. Monthly, review session logs, update software, audit installed skills, and rotate your gateway token.

# Quick weekly check

ss -tlnp | grep 18789

openclaw security audit --deep

grep -r "IGNORE PREVIOUS" ~/.openclaw/agents/*/sessions/

3

Advanced Hardening

Defense-in-depth for power users. Even Tier 3 doesn't make the NEVER list safe.

Container isolation

Run OpenClaw inside Docker or rootless Podman with no-new-privileges, cap-drop: ALL, and a read-only filesystem. Containers won't prevent everything, but they make a lot of attacks harder and recovery simpler. Never mount /var/run/docker.sock or your entire home directory into the container.

Credential brokering

Place a LiteLLM proxy between OpenClaw and your model providers. OpenClaw never sees real API keys — LiteLLM injects them. This also gives you rate limiting, cost controls, and centralized request logging.

Network egress filtering

Deploy a Squid proxy with a strict domain allowlist. Deny all outbound traffic by default and only allow domains you explicitly need (npm registry, GitHub, your messaging provider). Blocked domains get logged so you can audit exfiltration attempts.

Separate agents by risk profile

Don't give one agent all privileges. Create separate agents scoped to their role:

  • File agent: filesystem access, no shell, no internet
  • Dev agent: shell allowlisted, no credentials
  • Research agent: web access via proxy, no file writes

Review skills before installing

Research has found that 26% of agent skills contain vulnerabilities. The ClawdHub skill registry has no moderation process. Download, extract, and read the source code before installing any skill. Search for eval(, exec(, unexpected fetch( calls, and credential access beyond what's documented.

Have an incident response plan

Write down what to do when (not if) something goes wrong. Your first 5 minutes should be: stop OpenClaw, block all network traffic, preserve logs. Then rotate every credential, check provider dashboards for spikes, and review session logs. If you suspect host compromise, rebuild from scratch — don't try to clean it.

What Hardening Cannot Fix

Even with all three tiers, these risks remain:

Prompt injection

A malicious email, document, or web page can manipulate the agent into acting against your interests. No configuration fully prevents this.

Supply chain attacks

You can review code, but you can't catch everything. Dependencies can change between audits.

Zero-day vulnerabilities

Unknown bugs in OpenClaw, Node.js, or model provider APIs can be exploited before patches exist.

Cost runaway

Scheduled jobs and recursive agent behavior can spike API costs unexpectedly. Set spending limits with your provider.

Sources & Further Reading

This guide synthesizes recommendations from the following community resources. Each goes deeper on specific topics.

How to Harden OpenClaw Security: Complete 3-Tier Implementation Guide

AI Maker (Substack) — Full Ansible playbook, Docker/Podman sandbox, Squid proxy, and exec approvals

OpenClaw Tips: Configuration, Optimization & Security

Dreams AI Can Buy — Core config files, thinking levels, Telegram usage, and proactive automation

OpenClaw Security Best Practices Guide

LumaDock — Practical gateway hardening, channel lockdown, and tool scoping for VPS deployments

A Security-First Guide to Running OpenClaw (in 9 Steps)

Reddit r/ChatGPT — Dedicated hardware, Tailscale, Matrix E2E encryption, systemd hardening

How to Use OpenClaw Safely: Best Practices and Security Tips

Shawn Kanungo — High-level overview of safe installation, permission limiting, and oversight principles