OpenClaw security best practices

OpenClaw can read your files, run terminal commands, browse the web, send emails, and interact with your accounts. That is the whole point. But it also means a poorly secured setup can cause real damage, especially if you install a malicious skill or expose the gateway to the internet without protection.

Here is how to keep things locked down without making OpenClaw useless.

The baseline: run it isolated

• Use Docker. Not your main machine. A container gives you a clean boundary between OpenClaw and everything else.
• Run as non-root. If an attacker (or a bad skill) gets shell access inside the container, they should not be root.
• Read-only filesystem where possible. Use tmpfs for temporary storage.
• Dedicated VPS for always-on setups. Not your personal laptop. A cheap 2GB VPS is enough.

Network security

• Bind the gateway to localhost (127.0.0.1). Not 0.0.0.0. The gateway runs on port 18789 by default.
• Use an SSH tunnel if you need remote access to the gateway UI. Do not expose the port directly.
• Firewall everything except SSH on your VPS. Use UFW on Ubuntu.
• VPN or Tailscale for accessing OpenClaw from multiple locations without opening ports.

Authentication and secrets

• Set a strong gateway token in .env. This is the password to your OpenClaw instance. Make it long and random.
• Store API keys in .env, not in openclaw.json or any config file that might get committed to git.
• Restrict .env permissions: chmod 600. Only the owner should read it.
• Never commit .env to version control. Add it to .gitignore always.
• Use SSH keys (not passwords) for VPS access.

Skill safety

Skills are the biggest attack surface. A malicious skill can steal your API keys, exfiltrate data, burn tokens, or override your agent configuration.

• Read the source code before installing. Look for base64-encoded commands, unfamiliar network requests, hardcoded webhooks, or file writes outside the workspace.
• Use scanning tools: SkillCheck by Repello (browser-based), DefenseClaw (open-source scanner), Bitdefender AI Skills Checker.
• Run openclaw security audit after installing any new skill.
• Test in an isolated environment first with non-sensitive data.
• Beware typosquatting. Check that the skill name matches the official author.

Detailed skill evaluation steps in the how to evaluate skills safely guide.

Prompt injection defense

OpenClaw processes data from emails, web pages, chat messages, and files. Any of these can contain instructions that trick the agent into doing something unintended.

• Assume all external input is hostile. Design workflows accordingly.
• Use separate agents for processing untrusted content vs. taking privileged actions. The agent that reads email should not be the same agent that can run shell commands.
• Implement input sanitization where possible.
• Log everything. If something goes wrong, you need to see what happened.

Monitoring and maintenance

• Run openclaw security audit regularly, especially after config changes or new skills.
• Monitor logs for unexpected behavior: unusual network requests, shell commands you did not expect, or token usage spikes.
• Keep OpenClaw updated. New versions fix security issues.
• Review installed skills periodically. Remove what you no longer use.
• Back up your config regularly. If something breaks, you want a clean restore point.

The short checklist

• Run in Docker, not on your main machine
• Bind gateway to 127.0.0.1
• Strong gateway token in .env
• API keys in .env, chmod 600
• Firewall everything except SSH
• Read skill source code before installing
• Run openclaw security audit after changes
• Monitor logs for unexpected behavior
• Keep OpenClaw updated
• Separate agents for untrusted content vs. privileged actions