Is OpenClaw safe?

What you control when self-hosting—and a practical checklist before going live

Page scope: Trust and risk overview for new operators—not the production hardening checklist. For deploy-time settings use Security hardening; for a guided pass use the hardening walkthrough.

Short answer: OpenClaw is as safe as you configure it. The project ships sensible defaults (DM pairing, local Gateway binding in many setups), but an agent with shell, browser, and skills is powerful. Treat it like a small server that can read files and call APIs—not like a read-only chatbot.

This page explains real risks and concrete fixes. For step-by-step hardening, use the hardening checklist and walkthrough. Official advisories: GitHub Security.

What "safe" means for an AI agent

OpenClaw sits between untrusted input (anyone who can DM your bot) and trusted capabilities (your disk, APIs, calendar, shell). Security is about narrowing that gap:

  • Who can talk to the agent? Pairing and allowlists.
  • What can the agent touch? Workspace scope, sandboxing, skill permissions.
  • Who can reach the Gateway? Bind address, auth mode, reverse proxy TLS.
  • What code runs on install? Skill review and ClawHub scanning.

Risk → mitigation map

Risk | What happens | What to do
Open DMs | Strangers send prompts; prompt injection, spam, cost burn | Keep dmPolicy: "pairing"; use allowFrom (pairing guide)
Exposed Gateway | Anyone on the internet drives your agent | Bind localhost or a private IP; token auth; TLS via reverse proxy
Malicious skills | Skill scripts exfiltrate keys or run shell | Safe install guide; read SKILL.md; sandbox
Over-powered tools | Agent deletes files or sends email you did not intend | Limit tools per channel; confirm destructive actions in prompts
Leaked API keys | Keys in chat logs, backups, or world-readable config | File permissions; env vars; rotate keys; audit config paths

Pre-flight checklist (before real channels)

  1. Run openclaw security audit --deep and fix critical items (use --fix where safe).
  2. Confirm Gateway auth is not none if the process is reachable beyond localhost.
  3. Set DM policy to pairing on every channel you enable.
  4. Install only skills you have read; prefer ClawHub listings with VirusTotal status (skills guide).
  5. Put the Gateway on a dedicated user or VM if it has shell access to important data.
  6. Back up ~/.openclaw/ but treat backups as sensitive (they contain tokens).

Detailed items: Security hardening checklist.
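
The risk map and the pre-flight checklist above can be turned into a small self-check that runs before you enable real channels. The following is an added example, not OpenClaw's own code and not the `openclaw security audit` command: it lints a config object for the weak settings named on this page (a Gateway bound beyond localhost, auth set to none while reachable, a channel whose dmPolicy is not "pairing" and has no allowFrom list) and walks a config directory for group- or world-accessible files, since ~/.openclaw/ holds tokens. The config layout is an assumption: dmPolicy and allowFrom are the keys this page names, while gateway.bind and gateway.auth are hypothetical key names chosen for the example; the sample configs and the temp directory are constructed here.

```python
"""Pre-flight linter for an OpenClaw-style config tree.

Added example, not OpenClaw's own code. It mirrors the risk -> mitigation map
and the pre-flight checklist: Gateway bind/auth, per-channel DM policy, and
file permissions on the config directory. The config layout is ASSUMED:
  {"gateway": {"bind": "...", "auth": "..."},
   "channels": {"<name>": {"dmPolicy": "...", "allowFrom": [...]}}}
"dmPolicy" and "allowFrom" are named on the page; "gateway.bind" and
"gateway.auth" are hypothetical key names chosen for this example.
"""
import ipaddress
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed sample configs: one with the weak settings the page warns about,
# one with the corrected settings.
WEAK_CONFIG = {
    "gateway": {"bind": "0.0.0.0", "auth": "none"},
    "channels": {
        "whatsapp": {"dmPolicy": "open"},   # anyone can DM, no allowlist
        "telegram": {"dmPolicy": "pairing"},
    },
}
HARDENED_CONFIG = {
    "gateway": {"bind": "127.0.0.1", "auth": "token"},
    "channels": {
        # placeholder phone number, constructed for the example
        "whatsapp": {"dmPolicy": "pairing", "allowFrom": ["+15550000000"]},
    },
}


def bind_scope(host: str) -> str:
    """Classify a listen address as 'loopback', 'private' or 'public'."""
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "public"  # unknown hostname: assume it is reachable
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 / :: means every interface
        return "public"
    return "private" if ip.is_private else "public"


def lint_config(cfg: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means the checks pass."""
    findings = []
    gateway = cfg.get("gateway", {})
    bind = gateway.get("bind", "127.0.0.1")
    scope = bind_scope(bind)
    if scope == "public":
        findings.append(f"gateway.bind={bind!r} is reachable from the internet; "
                        "bind 127.0.0.1 or a private IP and terminate TLS on a reverse proxy")
    if gateway.get("auth", "token") == "none" and scope != "loopback":
        findings.append("gateway.auth=none while reachable beyond localhost; enable token auth")
    for name, channel in cfg.get("channels", {}).items():
        policy = channel.get("dmPolicy", "open")
        if policy != "pairing":
            findings.append(f"channels.{name}.dmPolicy={policy!r}; set \"pairing\"")
            if not channel.get("allowFrom"):
                findings.append(f"channels.{name}: no allowFrom allowlist on a non-pairing channel")
    return findings


def lint_permissions(config_dir: Path) -> list[str]:
    """Flag any file or directory under config_dir that group or others can access.

    Tokens live in this tree, so it should be owner-only (0600 files, 0700 dirs).
    """
    findings = []
    for path in [config_dir, *config_dir.rglob("*")]:
        mode = stat.S_IMODE(path.lstat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {mode:04o} is group/world accessible")
    return findings


def demo_permission_findings() -> list[str]:
    """Build a constructed config tree in a temp dir: one world-readable file, one owner-only."""
    root = Path(tempfile.mkdtemp())  # mkdtemp creates the directory with mode 0700
    leaky = root / "config.json"
    leaky.write_text(json.dumps(WEAK_CONFIG))
    os.chmod(leaky, 0o644)           # the mistake: readable by every local user
    secret = root / "credentials.json"
    secret.write_text("{}")
    os.chmod(secret, 0o600)          # correct: owner-only
    try:
        return lint_permissions(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {lint_config(cfg) or ['ok']}")
    print("permissions:", demo_permission_findings() or ["ok"])
```

Run it against your own config by loading the JSON into lint_config and pointing lint_permissions at your config directory; the weak sample yields four findings and the hardened sample none. A hostname the linter cannot classify is treated as public on purpose, since the cost of a false "private" is an exposed agent.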

Defaults that help

  • DM pairing — Unknown senders get a code; you approve explicitly.
  • Community scanning — ClawHub uses VirusTotal on published skills (not a guarantee—still review).
  • Doctor and audit CLI — Surfaces misconfigurations before attackers do.
  • Official security program — trust.openclaw.ai for coordinated disclosure.

When OpenClaw is a poor fit

Consider a different architecture if you need:

  • Strict compliance without operator time — You must prove controls; self-hosted agents need ongoing review.
  • Public anonymous chat — Open inboxes with shell tools are high risk unless heavily sandboxed.
  • Zero outbound network — Many skills and providers assume internet access.

For minimal footprint and stricter defaults, some teams evaluate ZeroClaw on edge hardware—different tradeoffs, not automatically safer without configuration.

FAQ

Is OpenClaw safe for WhatsApp personal use? Yes, for many people, if you use pairing, do not expose the Gateway publicly, and avoid installing random skills. See WhatsApp setup.

Did OpenClaw have security issues? Like any active project, advisories exist—check GitHub Security Advisories and keep versions current (upgrading).

Is my data sent to the model provider? Messages and tool output go to whichever LLM provider you configure. Read their data policies; use local models (Ollama) if you need on-prem inference.