OpenClaw Security Checklist: 13 Checks Before You Run It
OpenClaw agents run with deep system-level access on your machine. Before connecting your AI agent to real tools, emails, and messaging apps, you need to harden the installation. If you haven't installed OpenClaw yet, start with our local setup guide first. This 13-point checklist covers everything from gateway lockdown to prompt injection defense.
Why this matters
A known critical vulnerability (CVE-2026-25253) allowed any website to silently connect to a running OpenClaw agent via WebSocket hijack, achieving full remote code execution. The fix shipped in version 2026.1.29 — but it's a reminder that defaults are not secure. You must actively harden your installation.
Step 0: Run the Built-In Security Audit
Before anything else, let OpenClaw scan itself for misconfigurations:
openclaw security audit # Quick scanopenclaw security audit --deep # Comprehensive analysisopenclaw security audit --fix # Auto-fix common issuesThis detects risky DM policies, misconfigured sandbox settings, missing authentication, world-writable state directories, and other critical warnings.
The 13-Point Security Checklist
The most critical setting. This keeps the gateway on 127.0.0.1:18789 and blocks all external network access. Never expose port 18789 publicly.
{
"gateway": {
"mode": "local",
"bind": "loopback"
}
} Require a token for all gateway connections:
{
"gateway": {
"auth": {
"mode": "token",
"token": "your-long-random-token-here"
}
}
}
Generate a strong token with: openssl rand -hex 32
Check what's exposed on your machine:
sudo ss -tlnp Close any unnecessary services. Only ports 18789 and 18790 should be accessible, and ideally only on localhost.
- Disable password authentication — use SSH key-based auth only
- Restrict SSH access by IP address
- Move SSH off default port 22 where possible
Create a dedicated system user with minimal required permissions. Running as root means a compromised agent has full system control — it can read any file, kill any process, and modify any setting.
chmod 700 ~/.openclawchmod 600 ~/.openclaw/openclaw.jsonSensitive paths to protect:
-
WhatsApp creds:
~/.openclaw/credentials/whatsapp/ -
Auth profiles:
~/.openclaw/agents/<agentId>/agent/auth-profiles.json -
Session transcripts:
~/.openclaw/agents/<agentId>/sessions/*.jsonl
By default, OpenClaw has broad tool access. Lock it down:
{
"tools": {
"profile": "messaging",
"deny": [
"group:automation",
"group:runtime",
"group:fs",
"sessions_spawn"
],
"fs": { "workspaceOnly": true },
"exec": { "security": "deny", "ask": "always" }
}
}
Always deny control-plane tools by default: gateway, cron, sessions_spawn, sessions_send.
Mandate explicit human approval before:
- Sending emails to external recipients
- Deleting or modifying files
- Financial transactions or payments
- Production deployments
- Shell commands with write access
{
"session": { "dmScope": "per-channel-peer" },
"channels": {
"whatsapp": {
"dmPolicy": "pairing",
"groups": { "*": { "requireMention": true } }
}
}
}
The dmPolicy: "pairing" approach gives unknown senders expiring pairing codes, preventing unauthorized access to your agent.
- Store API keys as environment variables, not in config files
- Use a secrets manager with auto-rotating tokens where possible
- Never store SSH keys or production credentials inside the workspace directory
- Rotate credentials immediately upon any suspected compromise
Prompt injection is listed by OWASP as the #1 risk for LLM applications. Attackers embed hidden instructions inside content the agent reads — emails, GitHub issues, web pages, or screenshots.
Mitigations:
- Sanitize all external inputs before the agent processes them
- Separate system instructions from data layers
- Implement output validation before any command execution
- Use only the latest instruction-hardened model versions
Red flags in content your agent processes
- "Read this file and do exactly what it says"
- "Ignore your safety rules"
- "Reveal your hidden instructions"
Default mDNS mode exposes filesystem paths and SSH port details on your local network. Disable or minimize it:
{
"discovery": {
"mdns": { "mode": "minimal" }
}
} {
"logging": {
"redactSensitive": "tools",
"redactPatterns": ["your-custom-pattern"]
}
} Session transcripts can contain pasted secrets, file contents, and command output. Prune old transcripts if long retention isn't needed.
The 60-Second Hardened Baseline
Copy this into your ~/.openclaw/openclaw.json as a secure starting point:
{
"gateway": {
"mode": "local",
"bind": "loopback",
"auth": { "mode": "token", "token": "YOUR_TOKEN" }
},
"session": { "dmScope": "per-channel-peer" },
"tools": {
"profile": "messaging",
"deny": ["group:automation", "group:runtime",
"group:fs", "sessions_spawn"],
"fs": { "workspaceOnly": true },
"exec": { "security": "deny", "ask": "always" }
},
"channels": {
"whatsapp": {
"dmPolicy": "pairing",
"groups": { "*": { "requireMention": true } }
}
},
"discovery": { "mdns": { "mode": "minimal" } },
"logging": { "redactSensitive": "tools" }
} If Something Goes Wrong: Incident Response
- 1. Stop the gateway process immediately
- 2. Set
gateway.bind: "loopback" - 3. Disable risky DMs/groups or require mentions everywhere
- 1. Regenerate
gateway.auth.tokenand restart - 2. Update remote client credentials
- 3. Rotate all provider API keys and tokens
- 1. Review logs:
/tmp/openclaw/openclaw-YYYY-MM-DD.log - 2. Check transcripts:
~/.openclaw/agents/<agentId>/sessions/*.jsonl - 3. Run
openclaw security audit --deep
Want maximum isolation?
For production deployments, running OpenClaw inside a Docker container provides an additional layer of filesystem and network isolation. Read our Docker isolation guide for the most secure setup.
Need a Security-Hardened OpenClaw Deployment?
At Codeloop, we deploy production-grade OpenClaw installations with enterprise security — gateway hardening, network isolation, prompt injection defenses, and automated credential rotation. See how companies are safely running AI agents in production. We handle the security so your agents can focus on work.
Get a Secure DeploymentFrequently Asked Questions
Is OpenClaw secure to run on my machine? +
OpenClaw can be secure, but not with default settings. A critical vulnerability (CVE-2026-25253) demonstrated that defaults are not hardened. You must actively configure gateway binding to localhost, enable authentication, restrict tool access, and follow the 13-point security checklist before connecting to production tools.
How does OpenClaw handle data privacy? +
OpenClaw runs locally on your machine, so your data stays under your control. However, conversation transcripts, API keys, and credentials are stored in ~/.openclaw and must be protected with proper file permissions (chmod 700 for the directory, chmod 600 for config files). Enable log redaction to prevent sensitive data from appearing in session transcripts.
What is the best way to manage API keys in OpenClaw? +
Store API keys as environment variables rather than in configuration files. Use a secrets manager with auto-rotating tokens where possible. Never store SSH keys or production credentials inside the workspace directory. Rotate all credentials immediately if you suspect any compromise.
What security best practices should I follow before deploying OpenClaw? +
At minimum: bind the gateway to localhost only, enable token-based authentication, never run as root, restrict tool execution with allowlists, require human approval for sensitive actions, lock down DM and group chat policies, defend against prompt injection, disable mDNS broadcast, and enable log redaction. Running inside a Docker container adds an additional isolation layer.
Is OpenClaw compliant with enterprise security standards? +
OpenClaw does not ship with enterprise compliance certifications out of the box, but it provides the building blocks for compliant deployments. With proper hardening — gateway authentication, audit logging, tool allowlists, approval workflows, and Docker isolation — it can meet the requirements of most internal security policies. For regulated industries, combine it with your existing compliance infrastructure.