OpenClaw is one of the most interesting open source projects to emerge in 2026. It’s a personal AI assistant that runs on your own hardware, connects to messaging platforms like WhatsApp, Telegram, Slack, and Discord, and can read files, execute shell commands, control a browser, and manage your entire development workflow autonomously. It has over 211,000 GitHub stars and is growing fast.

It’s also, by default, a significant security risk.

That’s not a criticism of the project — the OpenClaw team has built one of the most thorough security models in open source AI. The problem is that most people skip the configuration. They install it, connect their messaging apps, drop in an API key, and start using it. And that’s how you end up with an autonomous AI agent running on your machine with unrestricted filesystem access, shell execution, and no authentication.

This guide covers how to set up OpenClaw securely from day one.

Why OpenClaw Security Matters More Than Most Tools

OpenClaw isn’t a chatbot. It’s an autonomous agent with real capabilities:

  • Full filesystem access — it can read, write, and delete files on your machine
  • Shell execution — it can run any command your user account can run
  • Browser control — it can navigate the web, fill forms, and interact with authenticated sessions
  • Messaging integration — it receives and responds to messages across 11+ platforms
  • Background scheduling — it can set up cron jobs and webhooks that run without your involvement

When a tool has that much access, a misconfiguration isn’t just a bug — it’s an open door. And people have walked through it.

Real-World Incidents

This isn’t theoretical. Major security firms have documented what happens when OpenClaw runs without proper hardening:

Bitsight observed over 30,000 exposed OpenClaw instances between January 27 and February 8, 2026. These were found in healthcare, finance, government, and insurance sectors — running on the open internet with weak or no authentication. A high-severity remote code execution vulnerability (CVE-2026-25253, CVSS 8.8) affected over 42,000 exposed instances.

CrowdStrike warned that a misconfigured OpenClaw instance can be “commandeered as a powerful AI backdoor agent” through prompt injection, allowing attackers to “leak sensitive data from connected systems or hijack agentic capabilities to conduct reconnaissance, move laterally, and execute adversaries’ instructions.”

Cisco tested the ClawHub skill marketplace and found that 7.1% of marketplace skills leaked sensitive credentials — API keys, tokens, even credit card numbers. A malicious skill reached the #1 spot in the marketplace.

Meta banned OpenClaw from its corporate networks entirely, citing “unpredictable autonomous behavior incompatible with enterprise security protocols.”

The core issue

OpenClaw is powerful by design. That power is exactly what makes unsecured instances dangerous. Every capability you give it — file access, shell execution, web browsing — is a capability an attacker gets if they compromise it.

The Three-Layer Security Model

OpenClaw’s security architecture operates on three layers, and you need all three configured properly:

  1. Identity — Who can interact with the agent (authentication, DM pairing, allowlists)
  2. Scope — What the agent can access (sandboxing, tool policies, filesystem restrictions)
  3. Model — Acknowledging that AI models can be manipulated, so enforcement happens through tooling, not prompts

The OpenClaw docs put it well: “Use tool policies, not system prompts, as the security boundary.” An AI model can be tricked into ignoring instructions. A tool policy that blocks shell execution cannot be talked around.

Step 1: Gateway Authentication

The Gateway is OpenClaw’s control plane — the process that manages all communication between you, your messaging platforms, and the AI. If someone gets access to your Gateway, they control the agent.

Three authentication modes are available:

Generate a strong random token and configure it as the Gateway authentication method:

# Generate a secure token
openssl rand -hex 32

Set it via environment variable (OPENCLAW_GATEWAY_TOKEN) or in your config file under gateway.auth.token. This is the recommended approach for most setups.

Password Mode

A shared password via OPENCLAW_GATEWAY_PASSWORD. Simpler, but less secure than a random token. If you use this, make it long and random — OpenClaw allows trivially weak passwords like “a”, and that’s been exploited in the wild.

Trusted Proxy Mode

Delegates authentication to a reverse proxy like Caddy, nginx, or Traefik. The proxy handles identity (via headers like x-forwarded-user) and OpenClaw trusts it. Only use this if you already have a properly configured reverse proxy infrastructure.

Non-negotiable

Never run the Gateway without authentication. Never bind it to 0.0.0.0 (all interfaces). Keep it on loopback (127.0.0.1) unless you specifically need LAN or remote access — and if you do, use Tailscale or an SSH tunnel.

Step 2: DM Pairing Policy

When someone messages your OpenClaw bot on WhatsApp, Telegram, or any other connected platform, what happens? The DM policy controls this, and the default matters a lot.

Four policies are available:

  • pairing (default, recommended) — Unknown senders get a time-limited pairing code. Messages are ignored until you approve the code via openclaw pairing approve <channel> <code>. This is the right default for most people.
  • allowlist — Only pre-approved sender IDs can interact. More restrictive, good for production.
  • open — Anyone can message your bot. Requires explicit "*" in the allowFrom config. This is dangerous and should only be used with full understanding of the implications.
  • disabled — Blocks all DMs entirely.

For group chats, always enable requireMention: true so the bot only responds when explicitly mentioned, rather than processing every message in the group.

Session Isolation

Set session.dmScope to per-channel-peer. This creates separate sessions for each person on each platform, preventing one user’s context from leaking into another user’s conversation. Without this, cross-user data leakage is possible.

Step 3: Tool Policies

This is where the real hardening happens. OpenClaw’s tool policy system lets you control exactly which capabilities the agent has access to.

Deny Dangerous Groups by Default

OpenClaw organizes tools into groups. Start by denying the most powerful ones:

  • group:runtime — Shell execution, process management (exec, bash, process)
  • group:fs — Filesystem read/write/edit operations
  • group:automation — Cron jobs, Gateway control, webhooks

Only re-enable specific tools from these groups when a particular agent or workflow genuinely needs them.

Execution Security

The tools.exec.security setting controls shell command execution:

  • deny — Blocks all shell execution. Safest option.
  • ask — Requires your approval for each command before it runs. Good middle ground.
  • allow — Permits execution without approval. Never use this in production or on a machine with sensitive data.

Filesystem Restrictions

Enable tools.fs.workspaceOnly: true to restrict file operations to the designated workspace directory. This prevents the agent from reading your SSH keys, browsing your home directory, or accessing files outside its scope.

Elevated Mode

Elevated mode lets sandboxed agents bypass the sandbox for host-level execution. Disable it globally:

{
  "tools": {
    "elevated": {
      "enabled": false
    }
  }
}

If you must enable it for specific workflows, use tools.elevated.allowFrom to restrict which users can trigger it.

Step 4: Sandboxing

OpenClaw supports Docker-based sandboxing that isolates agent execution in containers. This is your strongest boundary against a compromised or manipulated agent.

Sandbox Modes

  • off — No sandboxing. Agent runs directly on your host.
  • non-main — Sandboxes group and channel sessions, but not your primary DM session.
  • all — Everything runs in a container. Most secure.

Workspace Access

Within the sandbox, control what the agent can see:

  • none — No access to host filesystem
  • ro — Read-only access (mounted at /agent)
  • rw — Read-write access (mounted at /workspace)

OpenClaw blocks dangerous bind mounts automatically — Docker sockets, /etc, /proc, /sys, and /dev cannot be mounted into the sandbox.

Important caveat

The OpenClaw docs are honest about this: “This sandboxing is not a perfect security boundary, but it materially limits filesystem and process access.” Docker sandboxing is a strong layer of defense, but it’s not absolute. Treat it as one layer in a defense-in-depth strategy, not the only one.

Step 5: The Hardened Baseline Configuration

Here’s the minimal secure configuration the OpenClaw team recommends. Start with this and only open up what you need:

{
  gateway: {
    mode: "local",
    bind: "loopback",
    auth: {
      mode: "token",
      token: "replace-with-openssl-rand-hex-32-output"
    }
  },
  session: {
    dmScope: "per-channel-peer"
  },
  tools: {
    profile: "messaging",
    deny: [
      "group:automation",
      "group:runtime",
      "group:fs",
      "sessions_spawn"
    ],
    fs: { workspaceOnly: true },
    exec: { security: "deny", ask: "always" },
    elevated: { enabled: false }
  },
  channels: {
    whatsapp: {
      dmPolicy: "pairing",
      groups: { "*": { requireMention: true } }
    }
  }
}

This gives you a working assistant that can answer questions and interact through messaging, but cannot execute commands, access your filesystem, or run automated tasks without explicit configuration changes.

Step 6: Plugin and Skill Security

The ClawHub marketplace has over 50 integrations, and they execute in-process with full Gateway privileges. That means a malicious skill has the same access as OpenClaw itself.

Best practices:

  • Only install skills from trusted sources. Check the author, review the code, and look at the community feedback before installing.
  • Pin exact versions. Don’t use latest — a compromised update could introduce malicious behavior.
  • Use explicit allowlists. Rather than allowing all tools a skill requests, review and approve each one individually.
  • Scan before installing. Cisco released an open-source Skill Scanner tool specifically for evaluating ClawHub skills.

The 7.1% credential leak rate Cisco found in the marketplace is a concrete reminder that community-contributed code is untrusted code until you verify it.

Step 7: Secrets and Credentials

OpenClaw needs API keys for AI model providers, messaging platform tokens, and potentially keys for integrations. How you store and manage these matters.

Keep Secrets Out of Config Files in Git

Use environment variables or the ~/.openclaw/.env file for all sensitive values. Never commit API keys, tokens, or passwords to version control.

OpenClaw’s precedence order for environment variables:

  1. Process environment variables (highest priority)
  2. ./.env (local directory)
  3. ~/.openclaw/.env (user-level)
  4. openclaw.json env block (lowest priority)

File Permissions

Lock down the OpenClaw state directory:

chmod 700 ~/.openclaw/
chmod 600 ~/.openclaw/openclaw.json
chmod 600 ~/.openclaw/.env
chmod 600 ~/.openclaw/credentials/*

Credential Rotation

Rotate all credentials immediately after any suspected compromise. This includes:

  • Gateway authentication token
  • All messaging platform tokens (WhatsApp, Telegram, Discord, etc.)
  • AI provider API keys
  • Integration-specific keys and tokens

Use Scoped, Short-Lived Tokens

Where possible, use API keys with the minimum required permissions and short expiration times. A full-access, never-expiring API key is the worst-case scenario if compromised.

Step 8: Network Security

Bind to Loopback

Keep the Gateway bound to 127.0.0.1. This means it only accepts connections from your local machine — no one on your network or the internet can reach it directly.

Remote Access via Tailscale or SSH

If you need remote access to your OpenClaw instance, use Tailscale Serve/Funnel or an SSH tunnel. Both encrypt traffic and authenticate connections without exposing the Gateway to the internet.

OpenClaw has built-in Tailscale integration. It also supports TLS certificate pinning via gateway.remote.tlsFingerprint to prevent man-in-the-middle attacks.

Disable mDNS Broadcasting

By default, OpenClaw broadcasts its presence via mDNS/Bonjour on your local network. This can leak your username and filesystem paths. Set mDNS to minimal or off on any Gateway that isn’t strictly local:

{
  gateway: {
    mdns: "off"
  }
}

Step 9: Run the Security Audit

OpenClaw ships with a built-in security audit tool. Run it regularly:

# Standard audit
openclaw security audit

# Deep inspection with live Gateway probing
openclaw security audit --deep

# Auto-fix common issues
openclaw security audit --fix

# Machine-readable output for CI/CD
openclaw security audit --json

The audit checks for weak authentication, exposed endpoints, overly permissive tool policies, missing sandboxing, and other common misconfigurations. It classifies findings by severity (Critical, Warning, Info) and provides specific remediation steps.

Step 10: Choose the Right Model

Not all AI models handle adversarial input equally well. The OpenClaw team recommends Anthropic’s Claude Opus 4.6 for its resistance to prompt injection attacks. Newer, instruction-hardened models are generally better at refusing manipulation attempts.

This matters because prompt injection is the primary attack vector against AI agents. An attacker who can inject instructions into the model’s context — through a malicious website, a crafted message, or a poisoned document — can potentially redirect the agent’s actions. A model that resists these attacks is a meaningful security layer.

The Prompt Injection Problem

Even with all of these controls in place, prompt injection remains an inherent challenge for any AI agent system. If your OpenClaw instance processes untrusted content — messages from other people, web pages, documents — that content could contain instructions designed to manipulate the agent.

Mitigations:

  • Sandbox everything that touches untrusted input. If the agent reads external content, it should be running in a sandbox with restricted tool access.
  • Use a “reader agent” pattern. Have a separate, heavily restricted agent summarize untrusted content before passing the summary to your main agent.
  • Keep secrets out of agent-reachable paths. If the agent can read a file, assume an attacker could extract its contents through prompt injection.
  • Don’t rely on system prompts for security. An attacker who can inject text into the context can potentially override system-level instructions. Use tool policies and sandboxing — these can’t be talked around.
Honest assessment

OpenClaw’s own documentation states: “There is no ‘perfectly secure’ setup.” This is true of all autonomous AI agents. The goal isn’t to eliminate risk — it’s to reduce it to a level you’re comfortable with through layered defenses.

Security Checklist

Before running OpenClaw, verify each of these:

  • Gateway authentication is enabled (token mode with a strong random token)
  • Gateway is bound to loopback, not 0.0.0.0
  • DM policy is set to pairing or allowlist
  • Session scope is per-channel-peer
  • group:runtime, group:fs, and group:automation are denied by default
  • exec.security is set to deny or ask
  • elevated.enabled is false
  • Filesystem access is restricted to workspace only
  • All secrets are in environment variables, not config files in git
  • File permissions are set (700 for directory, 600 for config/credentials)
  • mDNS is set to minimal or off
  • Group chats have requireMention: true
  • Skills/plugins are vetted, version-pinned, and allowlisted
  • openclaw security audit --deep passes without critical findings
  • Node.js version is 22.12.0+ (patches CVE-2025-59466 and CVE-2026-21636)

Final Thoughts

OpenClaw represents what’s coming in AI tooling — autonomous agents that can act on your behalf across multiple platforms and systems. The power is real, and so are the risks.

The good news is that the OpenClaw team takes security seriously. The project has formal TLA+ verification of its security properties, a MITRE ATLAS-based threat model, built-in audit tooling, and documentation that’s more detailed than most enterprise software. They’ve been transparent about the limitations and honest about what their sandboxing can and can’t do.

The bad news is that none of that matters if you don’t configure it. The 30,000+ exposed instances Bitsight found weren’t running some exotic configuration — they were running with defaults that weren’t hardened, exposed to the internet, with weak or missing authentication.

Take the time to set it up properly. Use the hardened baseline. Run the security audit. Treat your OpenClaw instance like what it is: a powerful tool that needs boundaries to be safe.