Security Hardening Checklist

Production hardening for OpenClaw deployments

This checklist helps you harden OpenClaw for production. Not every item applies to every deployment—personal use on a home machine has different needs than a shared team setup. Use judgement and see the full Security guide for context. For a step-by-step walkthrough that follows this checklist, see Security Hardening Walkthrough.

Gateway & Auth

  • Gateway auth — Never use gateway.auth.mode: "none" when the Gateway is reachable from the network. Use token or other auth.
  • Binding — Bind to 127.0.0.1 or a private IP unless you intentionally expose the Gateway; use a reverse proxy (Caddy, nginx) with TLS for public access.
  • Control UI — Intended for local use only. Do not expose to the public internet.
  • Run openclaw security audit --deep — Catches gateway.http.no_auth and other issues. Use --fix for auto-fixable items.

DM Policy & Allowlists

  • DM pairing — Keep dmPolicy: "pairing" (default). Unknown senders get a code; approve explicitly.
  • Allowlists — Use allowFrom to restrict who can message your assistant. Avoid "*" unless you understand the risk.
  • Open DMs — Only use dmPolicy: "open" with proper sandboxing and isolation.

Sandboxing

  • Non-main sessions — Consider sandbox.mode: "non-main" for group chats and untrusted channels so bash/tools run in Docker.
  • Tool policies — Restrict which tools run in sandboxed sessions. Review default allowlists.
  • Separate machine/VM — For higher assurance, run OpenClaw on a dedicated machine or VM, not your daily driver.

Runtime & Dependencies

  • Node.js 22.12.0+ — Required. Includes security fixes (CVE-2025-59466, CVE-2026-21636).
  • Updates — Keep OpenClaw updated. Check GitHub Security Advisories.
  • Skills — Review skill scripts before installing. Check the VirusTotal scan status on ClawHub. See Security guide.

Docker

  • Non-root — Official image runs as non-root. Keep it that way.
  • Read-only — Use --read-only when possible.
  • Capabilities — Use --cap-drop=ALL to limit capabilities.

Hardened Docker run:
docker run --read-only --cap-drop=ALL \
  -v openclaw-data:/app/data \
  openclaw/openclaw:latest
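
To confirm that a running container actually has the three Docker settings above, the following added example (not part of OpenClaw or its audit command) checks parsed `docker inspect` output for them. The container names and sample JSON are constructed; the checks for added-back capabilities and privileged mode go slightly beyond the checklist, since either one undoes --cap-drop=ALL.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/openclaw-hardened",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"ReadonlyRootfs": true, "CapDrop": ["ALL"],
                  "CapAdd": null, "Privileged": false}},
  {"Name": "/openclaw-default",
   "Config": {"User": ""},
   "HostConfig": {"ReadonlyRootfs": false, "CapDrop": null,
                  "CapAdd": ["NET_ADMIN"], "Privileged": false}}
]
""")

# An empty Config.User means the image default, which is root if no USER is set.
ROOT_USERS = {"", "0", "root"}


def audit_container(entry):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    host = entry.get("HostConfig") or {}
    user = (entry.get("Config") or {}).get("User") or ""
    # "uid:gid" form: only the uid part decides whether the process is root.
    if user.split(":")[0] in ROOT_USERS:
        findings.append("runs as root")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")
    dropped = {c.upper() for c in host.get("CapDrop") or []}
    if "ALL" not in dropped:
        findings.append("capabilities not dropped (no --cap-drop=ALL)")
    if host.get("CapAdd"):
        findings.append("capabilities added back: " + ", ".join(host["CapAdd"]))
    if host.get("Privileged"):
        findings.append("privileged mode overrides capability drops")
    return findings


def audit(inspect_output):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e)
            for e in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

For a live check, pass `audit()` the result of `json.loads` on the output of `docker inspect <container>`.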

Credentials & API Keys

  • Secrets — Use openclaw secrets or SecretRef for API keys. Avoid plaintext in config.
  • Spending limits — Set limits on Anthropic, OpenAI, and other provider accounts to avoid runaway costs.
  • Dedicated accounts — Give the agent its own Gmail, GitHub, etc. instead of sharing yours.