OpenClaw Security Best Practices: How to Harden Your AI Agent Setup

29 March 2026
20 min read

🎯 Quick Answer

OpenClaw is safe when configured correctly — but out of the box, it runs with broad permissions that can expose your API keys, filesystem, and personal data. Following OpenClaw security best practices means enabling sandbox mode, locking down API key storage, restricting file access to whitelisted directories, and monitoring what your agent actually does. This guide covers every layer, from the basics to production-grade hardening.

Don't want to configure security manually? Atomic Bot is a native desktop app that packages OpenClaw with sandbox enabled by default, encrypted key storage, and automatic updates — no JSON configs, no Docker, no terminal.

  • Download for macOS
  • Download for Windows
  • Run in Cloud

    • 🔐 Is OpenClaw Safe? Understanding the Security Model

    The short answer: yes, OpenClaw is safe to use — but "safe" depends entirely on how you configure it. OpenClaw is an open-source project with over 250,000 GitHub stars, active maintainers, and a transparent codebase anyone can audit. That transparency is a genuine security advantage over closed-source alternatives.

    But OpenClaw is also an AI agent with real capabilities. It can read and write files, execute shell commands, send emails, and browse the web. Those capabilities are the whole point — and also the reason OpenClaw security requires deliberate attention.

    Here is how the security model works at each layer:

    • Gateway process — the single entry point for all incoming messages, running on port 18789 by default. Controls which channels (Telegram, WhatsApp, Signal, Discord, etc.) can send commands to the agent and at what rate
    • Agent loop — decides which skills to invoke based on the AI model's output. This is where prompt injection attacks could redirect behavior
    • Skills system — each skill is a directory containing a SKILL.md file with metadata and instructions. Skills can be bundled, installed globally, or stored in a workspace. Installing a skill from ClawHub is effectively running third-party code on your host
    • OpenClaw sandbox mode — an optional Docker-based isolation layer that runs tool execution inside containers. Off by default, which is the primary security concern for new users

    The critical point: OpenClaw's default configuration prioritizes functionality over security. Sandbox mode is disabled, file access is unrestricted, and API keys can end up in plain-text config. As one of OpenClaw's own maintainers warned on Discord: if you can't understand how to run a command line, this is far too dangerous of a project to use safely. Every practice in this guide exists to close those defaults.

    ⚠️ OpenClaw Security Risks You Should Know

    Before hardening your setup, you need to understand what you are defending against. These are the concrete OpenClaw security risks that apply to every installation, ranked by likelihood and impact.

    Risk Likelihood Impact Default Protection
    API key exposure in logs or config High Critical — unauthorized billing, data access ⚠️ Partial (log redaction available, off by default)
    Prompt injection via untrusted input Medium High — agent executes unintended actions ❌ None
    Unrestricted filesystem access High High — agent reads/writes anywhere the user can ❌ None
    Uncontrolled code execution Medium Critical — arbitrary shell commands ❌ None (sandbox off)
    Malicious skills from ClawHub Low Critical — data exfiltration, prompt injection ❌ None (no vetting process)
    Gateway exposed to public internet Medium High — unauthorized remote access ⚠️ Partial (loopback-only by default)

    Cisco's AI security research team tested a third-party OpenClaw skill and found it performed data exfiltration and prompt injection without user awareness. According to cybersecurity firm Gen Threat Labs, more than 18,000 OpenClaw instances are already exposed to internet attacks, and almost 15 percent of them contain malicious instructions. Every one of these OpenClaw security concerns is addressable. The rest of this guide shows you how.

    Prompt Injection & Agent Hijacking

    Prompt injection is the most discussed AI security vulnerability, and it applies directly to OpenClaw. The attack works like this: an attacker embeds malicious instructions inside content that the agent processes — an email body, a web page, a document — and the AI model treats those instructions as legitimate commands.

    In OpenClaw's context, this means:

    • Email/Gmail skill: a crafted email could instruct the agent to forward sensitive messages to an external address
    • Browser/web_fetch skill: a malicious web page could inject instructions that get passed to the agent loop
    • Files skill: a document containing hidden prompt injection text could redirect the agent's behavior

    OpenClaw's official security documentation is explicit about this: even if only you can message the bot, prompt injection can still happen via any untrusted content the bot reads — web search results, browser pages, emails, docs, attachments, pasted code. The sender is not the only threat surface; the content itself can carry adversarial instructions.

    Mitigation is layered: restrict what the agent can do (sandbox mode, tool allowlists), use strong frontier models (smaller/cheaper models are far more susceptible to injection), and monitor what the agent actually does (logging, approval workflows).

    API Key Exposure

    Your OpenClaw API key configuration — stored in ~/.openclaw/openclaw.json — can contain credentials for Anthropic, OpenAI, Google, OpenRouter, and any other service your skills use. Without deliberate action, these credentials are:

    • Stored in the config file — readable by any process running as your user
    • Potentially logged in full if you run OpenClaw with debug-level logging or /verbose mode enabled
    • At risk if the config is committed to version control — a common mistake when sharing configurations

    A single leaked API key can result in thousands of dollars in unauthorized charges. OpenClaw agent loops can burn through tokens fast if something goes wrong. This is the highest-impact, most-common OpenClaw security vulnerability in practice.

    Uncontrolled File System & Code Execution

    Without OpenClaw sandbox mode enabled, the agent can:

    • Read any file your user account can read (SSH keys, browser cookies, password stores, ~/.aws credentials)
    • Write to any directory your user account can write to
    • Execute arbitrary shell commands via the exec tool
    • Delete files if explicitly or accidentally instructed to do so

    This is not a bug — it is the default behavior. The agent runs with your user's full permissions because that is the simplest configuration. As OpenClaw's documentation states: if sandboxing is off, tools run on the host. Locking it down requires explicit action.

    ✅ OpenClaw Security Best Practices (Core Checklist)

    These six OpenClaw best practices cover the essential hardening steps for any installation. Each one is independent — you can implement them in any order, and each one reduces your attack surface regardless of the others.

    ✅ OpenClaw Security Best Practices (Core Checklist)

    These six OpenClaw best practices cover the essential hardening steps for any installation. Each one is independent — you can implement them in any order, and each one reduces your attack surface regardless of the others.

    1. Enable Sandbox Mode

    OpenClaw sandbox mode runs tool execution inside Docker containers, isolating the agent from your host filesystem and network. This single setting eliminates the two highest-impact risks (filesystem access and code execution) in one step.

    How to enable:

    // ~/.openclaw/openclaw.json
{
  agents: {
    defaults: {
      sandbox: {
        mode: "all",              // "off", "non-main", "all"
        scope: "session",         // "session", "agent", "shared"
        workspaceAccess: "none",  // "none", "ro", "rw"
        docker: {
          image: "openclaw-sandbox:bookworm-slim",
          network: "none"         // No network access from sandbox
        }
      }
    }
  }
}

    Sandbox mode options:

    Mode Behavior
    "off" No sandboxing — tools run directly on the host (default)
    "non-main" Sandbox sub-agents and background tasks; main session runs on host
    "all" Sandbox everything — all tool execution runs in Docker containers

    What sandbox mode restricts:

    • Tool execution (exec, read, write, edit, browser) runs inside an isolated Docker container
    • Network access disabled by default (network: "none") — the container cannot reach the internet
    • Filesystem access limited to the sandbox workspace only
    • Agent cannot access host files unless explicitly mounted via docker.binds

    What sandbox mode does NOT restrict:

    • The Gateway process itself — it always runs on the host
    • Tools explicitly configured as elevated — these bypass sandboxing and run on the host
    • API calls from the Gateway to LLM providers — those happen outside the sandbox

    Verify your sandbox is working:

    openclaw sandbox explain
openclaw sandbox explain --session agent:main:main

    2. Secure Your API Keys

    Move your API keys out of the plain-text config and into environment variables or a secrets manager. OpenClaw supports three secret reference methods: environment variables, file-based, and exec-based (running a command to fetch the secret).

    Method 1: Environment variables (simplest)

    # Add to ~/.openclaw/.env or your shell profile
export ANTHROPIC_API_KEY="sk-ant-xxxxxxxxxxxxx"
export OPENAI_API_KEY="sk-xxxxxxxxxxxxx"
export OPENCLAW_GATEWAY_TOKEN="your-gateway-token"

    Then reference them in your config with ${} syntax:

    // ~/.openclaw/openclaw.json
{
  gateway: {
    auth: {
      mode: "token",
      token: "${OPENCLAW_GATEWAY_TOKEN}"
    }
  },
  models: {
    providers: {
      anthropic: {
        apiKey: "${ANTHROPIC_API_KEY}"
      }
    }
  }
}

    Method 2: SecretRef with file provider (more secure)

    Store keys in the ~/.openclaw/credentials/ directory with restricted permissions:

    # Create credentials directory
mkdir -p ~/.openclaw/credentials
chmod 700 ~/.openclaw/credentials

# Store each key as a separate file
echo -n "sk-ant-xxxxxxxxxxxxx" > ~/.openclaw/credentials/anthropic
chmod 600 ~/.openclaw/credentials/anthropic

    Reference them in config:

    {
  models: {
    providers: {
      anthropic: {
        apiKey: {
          $secretRef: {
            provider: "file",
            key: "anthropic"
          }
        }
      }
    }
  }
}

    Additional OpenClaw API key hygiene:

    • Rotate keys every 90 days at minimum
    • Use separate API keys for OpenClaw — never share keys with other applications
    • Set billing alerts and spending caps on every API provider dashboard — agent loops can burn through tokens fast
    • Never commit openclaw.json to version control with keys inline — use environment variable references or SecretRef
    • Enable log redaction to prevent keys from appearing in logs (see section 5)

    3. Restrict File System Permissions

    Even with sandbox mode enabled, you should explicitly control which host directories the agent can access and in what mode.

    Workspace access levels:

    Setting Behavior
    workspaceAccess: "none" Sandbox cannot access the host workspace (skills are mirrored in)
    workspaceAccess: "ro" Read-only access to the workspace directory
    workspaceAccess: "rw" Full read-write access to the workspace

    Mounting additional directories (if needed):

    {
  agents: {
    defaults: {
      sandbox: {
        mode: "all",
        workspaceAccess: "ro",
        docker: {
          binds: [
            "/home/user/data:/data:ro"  // host:container:mode
          ]
        }
      }
    }
  }
}

    Principles:

    • Default to workspaceAccess: "none" and only relax when you have a specific reason
    • Use ro (read-only) mounts for any directory the agent only needs to read
    • Never mount sensitive directories (~/.ssh, ~/.aws, ~/.gnupg, ~/Library/Keychains)
    • Keep the workspace on a separate partition or volume if running on a server
    • Lock down the config file itself: chmod 600 ~/.openclaw/openclaw.json and chmod 700 ~/.openclaw

    4. Use Gateway Security

    The Gateway is OpenClaw's front door. By default it binds to loopback (localhost only), but if you expose it to a network — or even if you don't — you should harden authentication and access control.

    // ~/.openclaw/openclaw.json
{
  gateway: {
    port: 18789,
    bind: "loopback",   // "loopback" or "all"
    auth: {
      mode: "token",    // Require token for all connections
      token: "${OPENCLAW_GATEWAY_TOKEN}"
    }
  }
}

    Gateway security checklist:

    • Keep bind set to "loopback" unless remote access is genuinely needed — this was the single most common misconfiguration found across 18,000+ exposed instances
    • Use a strong gateway token (at least 32 random characters)
    • If exposing to a network, place the Gateway behind a reverse proxy (nginx, Caddy) with TLS
    • Use allowFrom lists on channels to restrict which users can message the bot
    • In group chats, enable mention gating so the agent only responds to direct @mentions
    • Set dmScope: "per-channel-peer" if multiple people message the bot — without it, all users share the same conversation context

    Verify your gateway security:

    openclaw security audit

    This command inspects your configuration for common pitfalls and will warn if the gateway is bound to 0.0.0.0 without a token or if dangerous debug flags are enabled.

    5. Run Regular Security Audits

    An OpenClaw security audit is not a one-time event — it is a periodic review of what your agent has been doing, which skills have access to what, and whether your configuration has drifted.

    Built-in security tools:

    # Quick security check
openclaw security audit

# Deep audit with auto-fix suggestions
openclaw security audit --deep

# Fix auto-correctable issues
openclaw security audit --fix

# Verify effective sandbox policy for a session
openclaw sandbox explain

# General config health check
openclaw doctor --fix

    Enable log redaction:

    {
  logging: {
    level: "info",
    redact: "tools"   // "off", "tools", "all"
  }
}
    Redaction Mode Behavior
    "off" No redaction — API keys and secrets visible in logs (dangerous)
    "tools" Redact sensitive data from tool output only (recommended)
    "all" Aggressive redaction — can make debugging harder

    Monthly audit checklist:

    • Run openclaw security audit --deep and review all warnings
    • Review agent logs for unexpected actions (file access outside workspace, unfamiliar API calls)
    • Verify that sandbox mode is still enabled — config changes or updates can reset it
    • Check installed skills against a known-good list — remove anything you did not install
    • Review API key usage on provider dashboards — look for anomalous spending patterns
    • Keep /reasoning and /verbose disabled in public channels — verbose output can include tool arguments, URLs, and data the model processed

    6. Keep OpenClaw Updated

    OpenClaw's maintainers patch security vulnerabilities as they are discovered and reported. Running an outdated version means running with known, published exploits. Addressing OpenClaw security vulnerabilities in 2026 specifically: version v2026.1.29 forcibly removed the auth: none option that previously allowed anyone with your Gateway URL to control your agent, and subsequent patches addressed skill permission escalation and log redaction issues.

    # Check current version
openclaw --version

# Update to latest
npm update -g openclaw

# Verify the update and check for config issues
openclaw doctor --fix

    Update hygiene:

    • Subscribe to the OpenClaw GitHub repository's security advisories (Watch → Custom → Security alerts)
    • Review changelogs before updating — OpenClaw uses strict JSON schema validation, and unknown or invalid keys will prevent the Gateway from starting
    • Back up your openclaw.json and credentials directory before every update
    • Test the update in a non-production workspace first if you run OpenClaw for critical tasks
    • After updating, run openclaw sandbox recreate --all to rebuild sandbox containers with the latest image

    🛡️ OpenClaw Security Hardening Guide (Advanced)

    The core checklist above covers personal and small-team installations. This OpenClaw security hardening section is for production deployments, always-on servers, and environments where the agent handles sensitive data.

    Network Isolation & Docker Security

    Running OpenClaw with full Docker sandboxing and network isolation adds a strong boundary between the agent and your host system. Combined with proxy-based allowlists, this is the most effective OpenClaw security hardening approach for server deployments.

    # docker-compose.yml — hardened OpenClaw setup
version: '3.8'
services:
  openclaw:
    image: openclaw/openclaw:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:size=100M
    volumes:
      - openclaw-data:/home/openclaw/.openclaw
      - ./openclaw.json:/home/openclaw/.openclaw/openclaw.json:ro
    env_file:
      - .env
    networks:
      - openclaw-internal
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1.0'

  # Proxy for allowlisted outbound traffic (API providers only)
  squid:
    image: ubuntu/squid:latest
    volumes:
      - ./squid-allowlist.conf:/etc/squid/squid.conf:ro
    networks:
      - openclaw-internal
      - external

networks:
  openclaw-internal:
    driver: bridge
    internal: true  # No direct internet — route through proxy
  external:
    driver: bridge

volumes:
  openclaw-data:

    Key Docker hardening measures in this config:

    • no-new-privileges — prevents privilege escalation inside the container
    • read_only: true — container filesystem is immutable; only the data volume is writable
    • tmpfs for /tmp — temporary files are memory-only and disappear on restart
    • internal: true network — the container cannot reach the internet directly; outbound traffic routes through a Squid proxy with a domain allowlist (e.g., only *.anthropic.com, *.openai.com)
    • Resource limits — cap memory and CPU to prevent runaway processes
    • Config mounted as ro (read-only) — the agent cannot modify its own configuration

    For the nested sandbox (OpenClaw's own Docker-in-Docker sandboxing), set sandbox.docker.network: "none" in openclaw.json to ensure sandboxed tool execution has no network access at all.

    Logging & Monitoring Agent Actions

    In production, you need a complete audit trail of every action the agent takes. OpenClaw's built-in logging covers the basics; a monitoring stack gives you alerting and historical analysis.

    {
  logging: {
    level: "info",
    file: "/var/log/openclaw/agent.log",
    consoleStyle: "json",  // Machine-parseable output
    redact: "tools"
  },
  hooks: {
    internal: {
      enabled: true,
      entries: {
        "command-logger": { enabled: true }  // Audit trail of all commands
      }
    }
  }
}

    What to monitor and alert on:

    • File access outside the workspace directory (should never happen with sandbox enabled — if it does, something is wrong)
    • Skill invocations at unusual hours or at abnormal frequency
    • Failed authentication attempts on the Gateway
    • API spending spikes (set up alerts on Anthropic/OpenAI dashboards)
    • Agent loop iterations exceeding a threshold (may indicate a stuck or hijacked agent)
    • /verbose or /reasoning being enabled in non-trusted channels

    For server deployments, output logs in JSON format (consoleStyle: "json") and pipe them into your existing monitoring stack (Datadog, Grafana, ELK) using a standard log shipper like Filebeat or Fluentd.

    Multi-User Access Control

    If multiple people message a single OpenClaw agent (common in team and family setups), you need session isolation to prevent one user from accessing another's conversation context.

    Configure DM scope isolation:

    {
  session: {
    dmScope: "per-channel-peer",  // Isolate by sender ID
    identityLinks: {
      // Link same person across channels
      alice: ["telegram:123456", "discord:789012"],
      bob: ["telegram:654321"]
    }
  }
}
    DM Scope Behavior
    "main" All DMs share one session (default — single-user only!)
    "per-peer" Isolate by sender ID across all channels
    "per-channel-peer" Isolate by sender + channel combination

    Channel-level access control:

    {
  channels: {
    whatsapp: {
      allowFrom: ["+15555550123", "+15555550456"]  // Whitelist specific numbers
    },
    telegram: {
      allowFrom: ["123456789"]  // Whitelist by Telegram user ID
    }
  }
}

    Without allowFrom restrictions, anyone who discovers your bot can send it commands. Without dmScope isolation, Alice's private conversation topics could leak to Bob. Both settings are essential for any multi-user deployment.

    A note on Atomic Bot: If the security configuration described in this guide feels like a lot of manual work, it is — because securing a CLI-based agent framework requires editing JSON5 config files, managing environment variables, setting up Docker sandboxing, and maintaining proxy configurations by hand. Atomic Bot ships with all security settings configured  by default. For users who want OpenClaw's capabilities without the security administration overhead, it is the path of least resistance.

    ❓ FAQ

    Is OpenClaw safe to use?

    Yes, OpenClaw is safe to use when configured correctly. It is an open-source project with a transparent codebase and active maintenance. The security risks come from its default configuration, which prioritizes ease of use over lockdown. Enabling sandbox mode, securing your API keys, and restricting file access are the three highest-impact steps you can take. The project's own documentation is candid about the risks — OpenClaw should be treated as untrusted code execution with persistent credentials, and users should harden accordingly.

    What are the main OpenClaw security risks?

    The primary OpenClaw security risks are API key exposure (keys stored in config by default), unrestricted filesystem access (the agent can read and write anywhere your user account can), prompt injection (malicious content in emails, web pages, or documents redirecting the agent's behavior), uncontrolled code execution (shell commands enabled by default), and malicious skills from ClawHub (no vetting process for third-party skills). All five are addressable through the practices in this guide.

    How do I run a security audit on OpenClaw?

    Use the built-in CLI command: openclaw security audit --deep. This inspects your configuration and environment for common pitfalls — it will warn if the gateway is bound to 0.0.0.0 without a token, if dangerous debug flags are enabled, or if sandbox mode is off. Run openclaw security audit --fix to auto-correct some issues. Complement this with manual checks: review API provider dashboards for anomalous spending, verify installed skills against a known-good list, and ensure sandbox containers are up to date with openclaw sandbox recreate --all.

    What is OpenClaw sandbox mode?

    Sandbox mode runs OpenClaw's tool execution inside isolated Docker containers using the openclaw-sandbox:bookworm-slim image. Configure it by setting agents.defaults.sandbox.mode to "all" in your openclaw.json. When enabled, the agent's tools (exec, read, write, browser) run inside containers with no network access (docker.network: "none") and no host filesystem access (workspaceAccess: "none") by default. The Gateway process itself still runs on the host. Use openclaw sandbox explain to verify your effective sandbox policy.

    Are there known OpenClaw security vulnerabilities in 2026?

    Yes. Version v2026.1.29 forcibly removed the auth: none option that previously allowed completely unauthenticated access to the Gateway. Subsequent patches addressed skill permission escalation and log redaction gaps. A Harvard/MIT research team published "Agents of Chaos," a red-teaming study documenting significant security implications of giving AI agents broad system access. Cisco's security team found third-party skills performing data exfiltration. All patches are documented in GitHub security advisories. Running npm update -g openclaw brings you to the latest patched version.

    read also

    OpenClaw Use Cases: How The Best AI Agent Automates Work and Life

    This article walks you through 15 most powerful ways to use OpenClaw with specific examples — copy them, use them for inspiration, and automate your work and life.

    Read article
    10 min read

    OpenClaw System Requirements: What You Actually Need to Run It

    Before you install OpenClaw, make sure your machine can handle it. Here are the minimum and recommended system requirements for every platform — macOS, Windows, Linux, VPS, and even Raspberry Pi.

    Read article
    10 min read

    How to Install OpenClaw: Complete Step-by-Step Guide (2026)

    There are five ways to install OpenClaw, but the fastest path on any platform is Atomic Bot — a desktop app for macOS and Windows that handles the entire installation in a few clicks.

    Read article
    20 min read

    Atomic Bot © 2026 Atomic bot, we comply with GDPR, CCIA, etc.

    BlogPrivacy PolicyTerms of Servicesupport@atomicbot.ai