Guides

How to Actually Secure OpenClaw: A Step-by-Step Hardening Guide

OpenClaw ships with authentication disabled and binds to all interfaces. This step-by-step guide covers every hardening measure you need - from authentication and sandboxing to MCP security and network isolation - backed by real CVEs and security research.

Priya Raghavan By Priya Raghavan 12 min read
How to Actually Secure OpenClaw: A Step-by-Step Hardening Guide

OpenClaw is the most popular personal AI agent on the planet. It is also, by a wide margin, the most attacked. With 130-plus GitHub security advisories, a poisoned skill marketplace, agents leaking confidential data, and context-window failures that delete your emails, the question is not whether you should harden your install - it is how fast you can do it.

The official docs cover security settings, but they are scattered across dozens of pages and assume you already know what you are looking for. This guide puts everything in one place, in order of priority, with the exact configuration you need at each step. No jargon detours, no vague advice. Just the things you need to do, right now, to stop being an easy target.

Before You Start

You will need:

  • OpenClaw v2026.2.19 or later (earlier versions lack critical patches)
  • Terminal access to the machine running OpenClaw
  • About 30 minutes for the full hardening process
  • A text editor for ~/.openclaw/openclaw.json

If you are running a version older than v2026.2.19, stop here and update first. Over 40 security fixes shipped in the February 2026 releases alone, including patches for CVE-2026-25253 (1-click RCE via WebSocket hijack), CVE-2026-24763 (Docker sandbox bypass), and CVE-2026-27001 (prompt injection via workspace paths).

# Check your version
openclaw --version

# Update to latest
brew upgrade openclaw    # macOS
# or
curl -fsSL https://get.openclaw.ai | sh   # Linux

Step 1: Enable Authentication

Why this is first: OpenClaw historically shipped with authentication disabled by default. Maor Dayan's research found 42,000-plus exposed instances on the public internet, most with zero authentication. If someone can reach your Gateway port (18789), they own your machine.

Open ~/.openclaw/openclaw.json and add:

{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "YOUR-LONG-RANDOM-TOKEN-HERE"
    }
  }
}

Generate a strong token:

openclaw doctor --generate-gateway-token

Copy the output and paste it into the config. This token is now required for every WebSocket connection to your Gateway. Without it, connections are refused.

If you use Tailscale, you can alternatively use "mode": "trusted-proxy" and let Tailscale handle identity. But a token is simpler and works everywhere.

Step 2: Bind to Localhost Only

Why: Binding to 0.0.0.0 exposes your agent to your entire network - and if your router has UPnP enabled or you are on a shared network, potentially the internet.

{
  "gateway": {
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "YOUR-LONG-RANDOM-TOKEN-HERE"
    }
  }
}

The "loopback" setting restricts connections to 127.0.0.1 only. If you genuinely need remote access, use "tailnet" with Tailscale or put a reverse proxy with TLS in front of it. Never use "lan" or "custom" without a firewall.

Step 3: Lock Down File Permissions

Why: OpenClaw stores API keys, OAuth tokens, and session data in ~/.openclaw/. If another user or process on your machine can read these files, they can impersonate your agent. Leaked secrets were one of the 255 findings in the Argus audit.

chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json
chmod -R 600 ~/.openclaw/credentials/

That is:

  • 700 on the directory: only your user can enter it
  • 600 on config files: only your user can read or write them

Verify with ls -la ~/.openclaw/ - you should see -rw------- for files and drwx------ for directories.

Step 4: Restrict Tool Access

Why: OpenClaw's tool system is its biggest attack surface. A prompt injection attack does not need to escape a sandbox if the agent already has permission to run shell commands, spawn new sessions, and read your entire filesystem. The OWASP Top 10 for Agentic Applications lists Tool Misuse (ASI02) and Unexpected Code Execution (ASI05) as top risks.

Add this to your config:

{
  "tools": {
    "profile": "messaging",
    "deny": [
      "group:automation",
      "group:runtime",
      "group:fs",
      "sessions_spawn",
      "sessions_send"
    ],
    "fs": {
      "workspaceOnly": true
    },
    "exec": {
      "security": "allowlist",
      "allowBinaries": ["git", "node", "python3", "npm", "pip"],
      "ask": "always",
      "applyPatch": {
        "workspaceOnly": true
      }
    }
  }
}

Here is what each setting does:

SettingEffect
profile: "messaging"Starts with a minimal tool set, not the full suite
deny arrayBlocks automation, runtime execution, filesystem, and session-spawning tools entirely
fs.workspaceOnly: trueAgent can only touch files inside the workspace directory - not your home folder, not /etc/, not your SSH keys
exec.security: "allowlist"Only the binaries you explicitly list can be executed
exec.ask: "always"Every command requires your manual approval before running

Critical: The deny list uses a "deny always wins" policy. Even if a skill or prompt tries to re-enable a denied tool, the deny rule takes precedence.

If you need the agent to run code (for instance, as a coding assistant), you can swap "messaging" for "coding" and adjust the deny list - but keep exec.ask: "always" so you see every command before it runs.

Step 5: Enable Sandboxing

Why: Sandboxing is your last line of defense. If a prompt injection bypasses tool restrictions, the sandbox limits what the compromised agent can actually do on your system. CVE-2026-24763 was a sandbox bypass - patched, but it shows that sandboxing is a layer, not a guarantee. Defense in depth means having multiple layers.

{
  "sandbox": {
    "mode": "all",
    "scope": "session",
    "workspaceAccess": "ro",
    "docker": {
      "image": "openclaw-sandbox:bookworm-slim",
      "network": "none",
      "readOnlyRoot": true
    },
    "prune": {
      "idleHours": 1
    }
  }
}
SettingEffect
mode: "all"Everything runs in a sandbox, no exceptions
scope: "session"Each session gets its own isolated container
workspaceAccess: "ro"Read-only mount of workspace files - agent can read your code but cannot modify the host filesystem directly
network: "none"No network access from inside the sandbox
readOnlyRoot: trueContainer root filesystem is read-only
prune.idleHours: 1Containers are cleaned up after 1 hour of inactivity

If you need the agent to write files (for a coding workflow), change workspaceAccess to "rw" - but understand this means a compromised agent can modify your project files.

Note: OpenClaw's sandbox explicitly blocks network: "host", seccompProfile: "unconfined", and apparmorProfile: "unconfined". If any skill or config tries to set these, the sandbox will reject the request.

Step 6: Disable Elevated Mode

Why: Elevated mode bypasses all sandbox restrictions. It exists for trusted operations, but it is the single biggest privilege escalation vector if an attacker can trick the agent into requesting it.

{
  "tools": {
    "elevated": {
      "enabled": false
    }
  }
}

If you absolutely need elevated mode for specific operations, use "enabled": "ask" instead of true, and set a narrow allowlist. But for most users, disabling it entirely is the safest choice.

Step 7: Harden MCP Connections

Why: MCP (Model Context Protocol) servers are the primary extension mechanism for AI agents - and they are a documented attack vector. Invariant Labs demonstrated tool poisoning attacks where malicious instructions hidden in MCP tool descriptions cause the agent to exfiltrate SSH keys and credentials. CyberArk showed that even tool outputs can carry injection payloads. And Invariant demonstrated a WhatsApp data exfiltration attack where a "sleeper" MCP server first advertised a harmless tool, then silently hijacked message history.

Audit Your MCP Servers

Install and run MCP-Scan:

npx @invariantlabs/mcp-scan

This checks for prompt injection in tool descriptions, known toxic flows, and tool poisoning patterns.

Pin Versions

Never use latest tags for MCP servers. Pin exact versions in your config to prevent "rug pull" attacks where a server changes behavior after you have approved it.

Minimize MCP Servers

Only install MCP servers you actively use. Each one is an additional attack surface. Remove any you installed to "try out" and forgot about.

Network-Isolate MCP Servers

If an MCP server does not need internet access, run it in a container with network: "none". For servers that do need network access, use a filtering proxy that restricts which domains they can reach.

Step 8: Secure the Browser Tool

Why: The browser tool can make HTTP requests on behalf of the agent. Without SSRF protection, a prompt injection could direct the agent to access internal services, cloud metadata endpoints (169.254.169.254), or other machines on your local network.

{
  "browser": {
    "ssrfPolicy": {
      "dangerouslyAllowPrivateNetwork": false
    },
    "hostnameAllowlist": [
      "github.com",
      "stackoverflow.com",
      "docs.python.org"
    ]
  }
}

Set dangerouslyAllowPrivateNetwork to false (the name tells you everything). The hostname allowlist restricts which external sites the browser can reach. If you do not need the browser tool at all, deny it entirely in your tools config.

Step 9: Disable Discovery and mDNS

Why: By default, OpenClaw broadcasts its presence on the local network via mDNS/Bonjour. This makes it trivially discoverable for anyone on the same network - including the guest at the coffee shop.

{
  "discovery": {
    "mdns": {
      "mode": "off"
    }
  }
}

Or via environment variable:

export OPENCLAW_DISABLE_BONJOUR=1

Step 10: Manage Secrets Properly

Why: OpenClaw config files have been a target for credential theft. RedLine and Lumma infostealers added OpenClaw config paths to their harvest lists. Storing API keys directly in openclaw.json means a single file read exfiltrates everything.

Do:

  • Use environment variables for API keys: export ANTHROPIC_API_KEY=sk-...
  • Use your OS keychain (macOS Keychain, GNOME Keyring, Windows Credential Manager)
  • Use a dedicated secret manager for production setups (HashiCorp Vault, 1Password CLI, AWS Secrets Manager)

Do not:

  • Store API keys directly in openclaw.json
  • Store keys in .env files inside your workspace (agents can read workspace files)
  • Commit secrets to git

Enable log redaction to prevent secrets from leaking into logs:

{
  "logging": {
    "redactSensitive": "tools",
    "redactPatterns": [
      "sk-[a-zA-Z0-9]{20,}",
      "ghp_[a-zA-Z0-9]{36}",
      "AKIA[0-9A-Z]{16}"
    ]
  }
}

Step 11: Secure DMs and Group Chat

Why: If you have connected OpenClaw to messaging platforms (WhatsApp, Discord, Slack), anyone who can DM the agent or mention it in a group can interact with it. The Summer Yue incident started with normal conversation that escalated when the agent lost track of its safety constraints.

{
  "session": {
    "dmScope": "per-channel-peer"
  },
  "channels": {
    "whatsapp": {
      "dmPolicy": "pairing",
      "groups": {
        "*": {
          "requireMention": true
        }
      }
    },
    "discord": {
      "dmPolicy": "pairing",
      "groups": {
        "*": {
          "requireMention": true
        }
      }
    }
  }
}
SettingEffect
dmScope: "per-channel-peer"Prevents conversation context from leaking between different users or channels
dmPolicy: "pairing"Requires a pairing code (expires after 1 hour) before someone can DM the agent
requireMention: trueIn group chats, the agent only responds when explicitly mentioned - no "always listening" mode

Step 12: Audit ClawHub Skills

Why: The ClawHub supply chain attack compromised 1,184 skills. 91% contained prompt injection and 100% contained malicious code. The #1 ranked skill - "What Would Elon Do" - had 9 vulnerabilities including active data exfiltration via hidden curl commands and 4,000 faked downloads. Skills are not apps - they are raw markdown instructions that become part of the agent's prompt. A malicious skill IS a prompt injection by design.

Immediate actions:

  1. List all installed skills: Check ~/.openclaw/skills/ or equivalent
  2. Remove anything you did not manually audit: If you installed a skill because it had good reviews, re-evaluate it. Download counts and stars were faked at scale
  3. Read the SKILL.md of everything you keep: The entire skill is just a markdown file. If it contains instructions to run commands, access URLs, or read files outside the workspace, it is suspicious
  4. Install SecureClaw: Adversa AI's open-source security plugin runs 55 automated checks mapped to OWASP Agentic Top 10 and MITRE ATLAS
# Run SecureClaw audit
openclaw skill install secureclaw
openclaw skill run secureclaw audit

Step 13: Run the Built-In Security Audit

Why: OpenClaw ships with its own security audit command that checks for common misconfigurations. Run it after applying all the changes above to catch anything you missed.

# Standard audit
openclaw security audit

# Deep audit (checks plugin safety, policy drift, model hygiene)
openclaw security audit --deep

# Auto-fix common issues
openclaw security audit --fix

The audit checks: gateway authentication, browser exposure, elevated mode allowlists, filesystem permissions, plugin safety, and policy drift from your intended configuration.

The Complete Hardened Configuration

Here is everything from the steps above in a single openclaw.json. Copy it, replace the token, and adjust the exec allowlist for your needs:

{
  "gateway": {
    "mode": "local",
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "REPLACE-WITH-YOUR-GENERATED-TOKEN"
    }
  },
  "session": {
    "dmScope": "per-channel-peer"
  },
  "tools": {
    "profile": "messaging",
    "deny": [
      "group:automation",
      "group:runtime",
      "group:fs",
      "sessions_spawn",
      "sessions_send"
    ],
    "fs": {
      "workspaceOnly": true
    },
    "exec": {
      "security": "allowlist",
      "allowBinaries": ["git", "node", "python3", "npm", "pip"],
      "ask": "always",
      "applyPatch": {
        "workspaceOnly": true
      }
    },
    "elevated": {
      "enabled": false
    }
  },
  "sandbox": {
    "mode": "all",
    "scope": "session",
    "workspaceAccess": "ro",
    "docker": {
      "image": "openclaw-sandbox:bookworm-slim",
      "network": "none",
      "readOnlyRoot": true
    },
    "prune": {
      "idleHours": 1
    }
  },
  "browser": {
    "ssrfPolicy": {
      "dangerouslyAllowPrivateNetwork": false
    }
  },
  "channels": {
    "whatsapp": {
      "dmPolicy": "pairing",
      "groups": {
        "*": {
          "requireMention": true
        }
      }
    }
  },
  "discovery": {
    "mdns": {
      "mode": "off"
    }
  },
  "logging": {
    "redactSensitive": "tools",
    "redactPatterns": [
      "sk-[a-zA-Z0-9]{20,}",
      "ghp_[a-zA-Z0-9]{36}",
      "AKIA[0-9A-Z]{16}"
    ]
  }
}

What This Does Not Fix

Honesty matters. Even with every setting above enabled, some risks remain:

  • Prompt injection is not solved. No AI agent can reliably distinguish instructions from data. Anthropic, OpenAI, and Google DeepMind jointly tested 12 published defenses and achieved bypass rates above 90% on most of them. Sandboxing and tool restrictions limit the blast radius, but they do not eliminate the attack vector.
  • Context window overflow. Long-running sessions can cause the agent to lose track of safety constraints as earlier instructions fall outside the context window. Keep sessions short, or restart periodically.
  • Model choice matters. Weaker models are more susceptible to prompt injection. Anthropic Opus 4.6+ and GPT-5 have stronger instruction-following, but no model is immune. Do not use small or fine-tuned models for high-privilege agent tasks.
  • Zero-day vulnerabilities. OpenClaw has had 130-plus advisories. More will come. Subscribe to their security advisories on GitHub and update promptly.

Consider the Alternatives

If the hardening process above feels like a lot - it is. You are spending 30 minutes (at minimum) securing a tool that shipped with all of these protections off by default. That is a design choice worth questioning.

Two alternatives worth evaluating:

  • NanoClaw: A lightweight OpenClaw alternative in about 500 lines of TypeScript. Uses OS-level container isolation. Small enough to audit in under 10 minutes. 7,000-plus GitHub stars. MIT license.
  • Cloud-hosted agents like Claude Code, GitHub Copilot, or Cursor run in vendor-managed infrastructure where sandboxing, authentication, and network isolation are handled for you. You trade self-hosting control for not having to be your own security team.

The right choice depends on your threat model. If you need local control and are willing to maintain it, the hardened OpenClaw config above is solid. If you just want an AI assistant that works without a security checklist, a managed solution might be the more honest answer.

Sources

Tagged
OpenClaw AI Security Hardening Docker Sandboxing MCP AI Agents Cybersecurity DevSecOps
How to Actually Secure OpenClaw: A Step-by-Step Hardening Guide
About the author AI Education & Guides Writer

Priya is an AI educator and technical writer whose mission is making artificial intelligence approachable for everyone - not just engineers.