Security Guide

Important: OpenClaw connects to real messaging surfaces. Treat inbound DMs as untrusted input. This guide explains how to secure your OpenClaw installation.

If you believe you've found a security issue in OpenClaw, report it privately. Do not open a public issue. The project's Security page on GitHub describes how to report and what to include (reproduction steps, impact, and if possible a minimal PoC). Past advisories and patched versions are listed in the GitHub Security Advisories—keep OpenClaw updated to a patched release.

OpenClaw publishes security advisories for known vulnerabilities. Check GitHub Security Advisories for the full list. When a CVE or advisory is released, upgrade to the patched version promptly. Run openclaw update or follow Release notes for version history. Node.js 22.12.0+ is required—it includes fixes (e.g. CVE-2025-59466, CVE-2026-21636). Stay on supported versions to avoid known issues.

The OpenClaw project runs a formal Trust & Security Program covering the full ecosystem (CLI, Gateway, apps, ClawHub, extensions). Full details: trust.openclaw.ai.

Four phases

• Transparency – Threat model developed openly (input manipulation, auth & access, data security, infrastructure, operations, supply chain). Community can contribute via pull requests.
• Product Security Roadmap – Defensive engineering goals (prompt-injection protection, privacy, access control, supply-chain verification) tracked as public GitHub issues.
• Code Review – Comprehensive security assessment of the codebase and apps (agent execution, tools, gateway, auth, ClawHub, build pipeline).
• Security Triage – Formal process for receiving and responding to vulnerability reports, with defined SLAs (e.g. critical: first response 24h, fix target 7 days).

Reporting a vulnerability

Report to the repo where the issue lives: Core/Gateway/apps → openclaw/openclaw; ClawHub → openclaw/clawhub; Trust/threat model → openclaw/trust. If unsure, email security@openclaw.ai. Include severity, impact, reproduction steps, and remediation advice. Good-faith researchers are not pursued legally. There is no formal bug bounty program; see the SECURITY.md for full reporting requirements, out-of-scope items, and Report Acceptance Gate.

Verify your setup

Run openclaw security audit --deep (and optionally --fix) to check DM policy, allowFrom, exec security, gateway binding, and workspace exposure. Defaults are secure (pairing, exec deny, gateway auth). Follow progress: Trust program, GitHub security-labeled issues.

Keep gateway authentication configured for any non-loopback use. From 2026.2.19, when gateway.auth.mode is "none", the security audit reports gateway.http.no_auth: it warns for loopback and flags critical severity if the Gateway HTTP APIs are reachable from the network. Use token or other auth in production; reserve "none" only for intentional local loopback setups.

Infrastructure & identity (2026.2.21)

Gateway lock and tool-call synthetic IDs now use SHA-256 instead of SHA-1, with the same truncation length so behavior stays deterministic. Owner-ID obfuscation uses a dedicated HMAC secret from config (ownerDisplaySecret), so obfuscation is decoupled from gateway token handling and easier to control. The embedded agent runner has a capped retry limit with an explicit retry_limit error when retries do not converge (see GitHub Security Advisories for advisories such as GHSA-76m6-pj3w-v7mf).

Node.js Version

OpenClaw requires Node.js 22.12.0 or later. This version includes important security fixes (e.g. CVE-2025-59466, CVE-2026-21636). Verify with node --version.

Web Interface

The Control UI / web interface is intended for local use only. Do not bind it to the public internet; it is not hardened for public exposure.

Docker

When running in Docker: the official image runs as a non-root user. For additional hardening, use --read-only when possible and limit capabilities with --cap-drop=ALL:

docker run --read-only --cap-drop=ALL \
  -v openclaw-data:/app/data \
  openclaw/openclaw:latest

See SECURITY.md for full guidance.

Many users run OpenClaw on a separate machine or VM (e.g. dedicated Mac Mini, guest WiFi) so the agent does not have access to their personal accounts or credentials. Giving the agent its own accounts (Gmail, GitHub, etc.) instead of sharing yours reduces risk—if the agent is compromised, your identity is not. Trust is earned: even with your own setup, supervising the agent (e.g. approving posts before they go out) is common until you are comfortable. See DM pairing and sandboxing below.

OpenClaw uses a layered security approach:

• DM Pairing - Unknown senders require explicit approval
• Sandboxing - Group and untrusted sessions can run in isolated containers
• Tool Policies - Granular control over which tools agents can use
• Allowlists - Control who can interact with your assistant
• Local-First - All data stays on your machine

Default behavior on Telegram/WhatsApp/Signal/iMessage/Microsoft Teams/Discord/Google Chat/Slack:

• DM Pairing (dmPolicy="pairing") - Unknown senders receive a short pairing code
• The bot does not process messages from unpaired contacts
• Approve with: openclaw pairing approve <channel> <code>
• Once approved, the sender is added to a local allowlist

Opening DM Access

To allow public DMs (not recommended for most users):

• Set dmPolicy="open"
• Include "*" in the channel allowlist (allowFrom)
• This allows anyone to message your assistant

Warning: Only use open DM policy if you understand the security implications and have proper sandboxing configured.

Sensitive integrations: email and X (Twitter)

Email (Gmail, etc.): Giving OpenClaw access to your main inbox is a significant prompt-injection and phishing vector—inbound email can contain instructions or links meant to steer the agent. Unless you need email automation, avoid connecting your primary account; if you do, use a dedicated account or strict filters. See Tips & best practices for more.

X (Twitter): X has been tightening enforcement on bots and automated posting. Do not give OpenClaw its own X account or rely on it for automated X posting; account restrictions are common. Prefer other channels for automation.

Default Behavior

• Main Session: Tools run on the host with full access (for trusted use)
• Non-Main Sessions: Can be configured to run in Docker sandboxes

Enabling Sandboxing

To sandbox group chats and non-main sessions:

{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "non-main"
      }
    }
  }
}

This runs non-main sessions (groups/channels) inside per-session Docker sandboxes. Bash commands then run in Docker for those sessions.

Sandbox Tool Policies

Default Allowlist:

• bash, process, read, write, edit
• sessions_list, sessions_history, sessions_send, sessions_spawn

Default Denylist:

• browser, canvas, nodes, cron
• discord, gateway

You can customize these lists per session or globally.

For group chats, OpenClaw provides several security layers:

• Group Allowlists - Control which groups the bot can access
• Mention Gating - Require @mentions in groups (default)
• Sandboxing - Groups can run in isolated Docker containers
• Activation Modes - Control when the bot responds

Example Group Configuration

{
  "channels": {
    "telegram": {
      "groups": {
        "*": {
          "requireMention": true
        },
        "123456789": {
          "requireMention": false,
          "activation": "always"
        }
      }
    }
  }
}

Gateway Authentication

The Gateway can be secured with:

• Token Authentication - Required for non-loopback binds
• Password Authentication - Set via gateway.auth.mode
• Loopback-Only - Default binding to 127.0.0.1 for local access

Remote Access Security

For remote Gateway access:

• SSH Tunnels - Encrypted tunnel to localhost
• Tailscale - Secure VPN with authentication
• Gateway Tokens - Required for non-loopback access

Never expose the Gateway directly to the internet without proper authentication.

Connecting your OpenClaw agent to social networks like Moltbook introduces additional security considerations:

Mitigation Strategies

To secure your agent when connecting to social networks:

• Use Sandboxing: Configure Moltbook interactions to run in sandboxed sessions
• Isolate Deployment: Run OpenClaw in a VM, Docker container, or dedicated hardware
• Network Restrictions: Block outbound access except to approved endpoints
• Monitor Activity: Enable verbose logging and monitor what your agent posts
• Review Skills: Manually review skill files before installation, especially those from external sources
• Manual Control: Some users prefer to start/stop the gateway manually for social network interactions
• Least Privilege: Use restrictive tool policies and file system permissions

OpenClaw is designed for privacy:

• Local Storage - All data stored on your machine
• No Cloud Sync - Your conversations never leave your device
• Encrypted Credentials - Channel credentials stored securely
• LLM Provider - Only your chosen LLM provider receives messages (Anthropic, OpenAI, etc.)

Note: When connecting to social networks like Moltbook, your agent's posts and interactions are publicly visible. Review what your agent shares to ensure you're comfortable with the information being exposed.

Your workspace, memories, and configuration are stored as files you can inspect, edit, or delete at any time.

Deploying OpenClaw in business or enterprise environments requires additional security considerations:

Enterprise Security Recommendations

• IT Policy: Establish clear policies about AI agent usage in business environments
• Approved Deployments: Only allow OpenClaw on approved, isolated systems (VMs, containers)
• Access Controls: Implement strict allowlists and DM pairing for all channels
• Monitoring: Enable comprehensive logging and monitoring for all OpenClaw instances
• Network Isolation: Deploy in isolated network segments with restricted outbound access
• Regular Audits: Use openclaw doctor and security scanning tools regularly
• Employee Training: Educate staff about security risks and proper usage
• Data Classification: Restrict access to sensitive data directories and systems

Skills from ClawHub and other sources can pose security risks if not properly vetted. Malicious skills have been discovered that attempt to steal cryptocurrency, access sensitive data, or compromise systems.

Skills Security Best Practices

• Review Before Installing: Always read skill code before installation
• Verify Source: Check skill author, ratings, and community reviews
• Use Sandboxing: Run untrusted skills in sandboxed environments
• Monitor Activity: Watch for suspicious behavior after installing new skills
• Limit Permissions: Use tool policies to restrict what skills can access
• Regular Audits: Review installed skills periodically
• Report Malicious Skills: Report suspicious skills to the OpenClaw community

Security policy files (SHIELD.md)

You can give your agent a written security policy in a file called SHIELD.md—a community proposal that tells the agent how to react when something matches a known threat (e.g. block this skill, ask before that tool call). Log, require approval, or block. There’s no runtime enforcement; the model has to be instructed to follow it, so keep using sandboxing and tool policies too. The SHIELD guide covers how it fits with AGENTS.md, SOUL.md, and MEMORY.md, and how to fill it (e.g. from threat feeds like MoltThreat).

How to Review Skills Safely

Before installing any skill, follow this review process:

1. Check the Source: Verify the skill author and check for community reviews or ratings
2. Read the Code: Open the skill file (SKILL.md) and review the tools and instructions
3. Look for Red Flags:
   • Suspicious external API calls
   • File system access to sensitive directories
   • Cryptocurrency wallet access
   • Data exfiltration to external servers
   • Unnecessary permissions or tool access
4. Test in Isolation: If unsure, test the skill in a sandboxed environment first
5. Monitor After Installation: Watch Gateway logs and system activity after installing

For more information about skills security, see the Skills Guide.

Recommended Security Setup

1. Use DM Pairing - Keep default pairing policy for DMs
2. Enable Sandboxing - Sandbox non-main sessions for groups
3. Configure Allowlists - Explicitly allow trusted contacts
4. Use Mention Gating - Require mentions in group chats
5. Review Skills - Always review skill code before installation
6. Run Doctor - Regularly run openclaw doctor to check for misconfigurations
7. Review Logs - Monitor Gateway logs for suspicious activity
8. Keep Updated - Regularly update OpenClaw for security patches
9. Isolate Deployments - Use VMs, Docker containers, or dedicated hardware for production use

Security Checklist

• ✅ DM pairing enabled for all channels
• ✅ Group allowlists configured
• ✅ Sandboxing enabled for non-main sessions
• ✅ Skills reviewed before installation
• ✅ Gateway bound to loopback or secured with authentication
• ✅ Regular security audits with openclaw doctor
• ✅ Credentials stored securely
• ✅ LLM provider credentials secured

Use the built-in commands to check and harden your setup:

openclaw doctor
openclaw security audit --deep --fix

openclaw doctor surfaces risky DM policies, misconfigured sandbox settings, missing authentication, and other warnings. For threat-model and hardening guidance (including automated fixes), use openclaw security audit --deep and --fix as described in the official gateway security docs.

These checks help you find:

• Risky DM policies
• Misconfigured sandbox settings
• Missing authentication
• Security warnings