OpenClaw Security Guide

Practical Setup for Safe AI Agents

OpenClaw is a powerful AI automation platform that can read messages, access files, and execute commands on your computer. This makes it extremely useful — but also potentially dangerous if it is not secured properly.

This guide explains simple and practical steps to secure OpenClaw, based on official documentation and real-world security incidents.

🔑

Unauthorized Access

🔓

Data Leaks

⚠️

Malicious Plugins

💀

Dangerous Commands

1

Run the Built-In OpenClaw Security Audit

OpenClaw includes a built-in security checker that scans your configuration and warns about dangerous settings. Run it regularly to catch issues before they become problems.

Basic Security Check

openclaw security audit

Deep Scan

For a more thorough analysis of your configuration:

openclaw security audit --deep

Auto-Fix Mode

Automatically apply recommended security fixes:

openclaw security audit --fix

The audit checks for common issues such as:

  • Exposed authentication credentials
  • Dangerous filesystem permissions
  • Unsafe allowlists
  • Browser control exposure

Best practice: Run this after every configuration change to maintain security posture.

2

Keep the OpenClaw Interface Private

By default, the OpenClaw dashboard runs locally on http://127.0.0.1:18789. This means only your computer should access it. Never expose this port directly to the internet.

Recommended Setup

  • Keep the interface bound to localhost (127.0.0.1)
  • Access remotely only through VPN or SSH tunnel
  • Block the port in your firewall for extra safety

Why this matters: If the gateway is public, anyone could potentially send commands to your AI agent and compromise your system.

3

Always Enable Gateway Authentication

OpenClaw's gateway controls communication between messaging apps, agents, and tools. You should always enable authentication in the gateway configuration.

Configuration Example

gateway:
  auth:
    password: STRONG_RANDOM_PASSWORD

Why Authentication Matters

  • Prevents unauthorized users from controlling the agent
  • Blocks remote command execution attempts
  • Protects WebSocket access from attackers

Critical: Weak or missing authentication has already led to real-world attacks on OpenClaw deployments. Always use a strong, randomly-generated password.

4

Run OpenClaw in an Isolated Environment

Security experts recommend never running OpenClaw directly on your main workstation. Isolation protects your main system if the agent is compromised.

Safer Deployment Options

  • Docker container with restricted permissions
  • Virtual machine (VirtualBox, VMware)
  • Cloud VPS with built-in isolation
  • Separate server hardware

Docker Example

docker run --name openclaw \
  -p 127.0.0.1:18789:18789 \
  openclaw/openclaw

Cloud deployments also benefit from built-in firewalls and additional isolation layers that prevent lateral movement.

5

Limit What the AI Agent Can Do

OpenClaw agents can interact with powerful tools like shell commands, browser automation, APIs, and file system access. Always restrict tools using allowlists to prevent misuse.

Allowlist Configuration Example

tools:
  allow:
    - web_search
    - calendar
    - email

Best Practices

  • Never give the AI full system access
  • Specify exactly which tools are needed
  • Remove tools that are no longer in use
  • Review permissions regularly

Security researchers strongly recommend strict tool whitelisting to prevent dangerous commands from executing.

6

Keep Credentials Out of Logs and Prompts

OpenClaw interacts with external services like Gmail, Slack, APIs, and messaging platforms. Never place credentials directly inside prompts or chat messages.

Better Approaches

  • Store credentials in environment variables
  • Use OAuth integrations where available
  • Implement secret manager systems
  • Never paste credentials in chat or logs

Secure Pattern

# Bad: Don't do this
password = "my-secret-key"

# Good: Use environment variables
password = process.env.API_KEY

Avoid storing secrets inside logs or session history. Treat credentials like nuclear codes — never expose them.

7

Be Careful With Skills and Extensions

OpenClaw supports community extensions called skills. These are powerful but risky. Malicious skills have already been discovered stealing crypto wallet keys, API credentials, and browser data.

Before Installing a Skill

  • Check the repository and its maintainer
  • Read the code for suspicious patterns
  • Look for recent updates and security advisories
  • Install only trusted extensions from known sources

Important: Treat skills like any other executable code. A skill can access your files, network, and system just like a regular program.

Red Flags

  • Skills requesting unusual file system access
  • Making unexpected network requests
  • Modified or outdated repositories
  • No clear documentation or source code
8

Protect Against Prompt Injection

AI agents process content from emails, websites, chat messages, and documents. Attackers can hide instructions inside that content to trick your agent into executing unwanted commands.

Vulnerable Input Sources

  • Email messages and attachments
  • Web pages and feeds
  • Chat messages and channel content
  • Documents and PDFs
  • Third-party API responses

Mitigation Strategies

  • Validate and sanitize all external input
  • Use system prompts that disallow agent override
  • Implement content filtering for suspicious patterns
  • Log all AI interactions for audit trails
  • Use guardrails to restrict agent capabilities

Prompt injection is a sophisticated attack. Stay vigilant and treat external content as untrusted by default.