Security Best Practices
Essential security hardening for your OpenClaw deployment β from network isolation to skill auditing.
OpenClaw is a powerful AI agent with deep system access β file read/write, shell commands, browser control, and more. This power demands robust security practices. Multiple CVEs have been disclosed in 2026, and ClawHub has faced malware campaigns. This guide covers everything you need to lock down your deployment.
Known Vulnerabilities (2026)
One-click RCE via token exfiltration β WebSocket origin header not validated. Patch: v2026.1.29+
safeBins bypass using GNU long-option abbreviations. Patch: v2026.3.12+
Command injection in Docker sandbox via insecure PATH handling. Patch: v2026.1.29+
skills.status endpoint leaks sensitive config data (e.g., Discord API tokens). Patch: v2026.2.14+
Indirect prompt injection β web content not sanitized before LLM processing. Ongoing mitigation.
1. Network Security
Never expose gateway to the internet
Bind to localhost only (127.0.0.1:18789). The default 0.0.0.0 binding exposes your API to all interfaces. Use SSH tunneling or Tailscale for remote access.
Use a reverse proxy with TLS
If you must expose externally, use Cloudflare Tunnel or Nginx with TLS termination. Never run plain HTTP in production.
Set a strong gateway password
Use gateway.auth.token or gateway.auth.password with a high-entropy value. Rotate tokens regularly.
2. Docker Hardening
docker run --read-only --cap-drop=ALLRun with read-only filesystem and drop all Linux capabilities
--memory=2g --cpus=2Set resource limits to prevent denial-of-service from runaway processes
--network=none (for isolated tasks)Disable network for tasks that don't need internet access
OPENCLAW_TZ=Your/TimezoneSet timezone explicitly for accurate logging and cron execution
3. ClawHub Skill Safety
The ClawHavoc campaign demonstrated that 800+ malicious skills infiltrated ClawHub β including credential stealers and malware loaders disguised as popular tools.
- Always review source code before installing any skill
- Verify the publisher's identity and history
- Pin skill versions β never use 'latest' in production
- Check VirusTotal scan results (now integrated into ClawHub)
- Be suspicious of skills requiring 'prerequisites' or external downloads
- Monitor skill comments for encoded malicious payloads
- Restrict tool access β use hard tool restrictions to block sensitive file access
4. Credentials & Secrets
Move secrets to environment variables
Never hardcode API keys in openclaw.config.yaml. Use env vars or the built-in secrets manager (openclaw secrets workflow).
Encrypt credential storage
Default ~/.openclaw/credentials/ uses plaintext. Migrate to system keychain or a secrets manager.
Use spending limits on API keys
Create dedicated API keys with spending caps for each provider. Rotate monthly.
Lock file permissions
chmod 600 ~/.openclaw/openclaw.config.yaml β prevent other users from reading your config.
5. Sandbox & Permissions
- Never grant sudo access to OpenClaw agents
- Use tools.profile = 'session' to restrict per-session permissions
- Create explicit allowlists for tools like screen_record and system.which
- Separate workspaces for personal and company automation
- Set SOUL.md and AGENTS.md as read-only at runtime to prevent tampering
- Disable implicit workspace plugin autoloads (default since v2026.3.12)
6. Keep Updated
OpenClaw updates frequently with critical security patches. Enable the built-in auto-updater or check releases weekly.