Skip to content
BrainRoad BrainRoad

OpenClaw Security in 2026: How to Run It Safely (Hardening Checklist)

BrainRoad ·
Beacon the lighthouse character shining light on a security checklist, representing OpenClaw security hardening.
Share
On this page

Your OpenClaw instance is probably on the internet right now. You didn’t mean to put it there. You followed the quick-start guide, it worked on your laptop, and then at some point it ended up on a VPS or a home server with a port open. OpenClaw’s default configuration binds to 0.0.0.0 — every network interface — with no gateway authentication. The result: your agent’s full control interface is reachable by anyone with a port scanner.

Bitsight watched this happen in real time. On January 27, 2026, they counted 679 exposed instances. By February 8 — eleven days later — that number was 31,674. A 46x jump. Scanners weren’t discovering old deployments. People were spinning up new ones daily and walking away without hardening them. There’s a reason for that, and it goes deeper than carelessness — I’ll get to it after the threat picture.

Microsoft’s Defender Security Research Team calls the category plainly: ‘untrusted code execution with persistent credentials’ — and says it is ‘not appropriate’ to run on a standard personal or enterprise workstation. That is not a framing you typically see from Microsoft. They mean it. If an attacker reaches your control plane, they don’t just get your server. They get everything your agent can touch: your email, your API keys, your messaging accounts, your connected services.

What OpenClaw Security Risks Look Like in Practice

OpenClaw isn’t dangerous the way a misconfigured database is dangerous. A misconfigured database exposes data. A misconfigured OpenClaw instance exposes an agent — a piece of software that has credentials, can send messages, make API calls, read files, and run shell commands. SecurityScorecard frames the escalation this way: if an attacker compromises an exposed instance, they inherit whatever access the agent already has.

That inheritance is the problem. Your agent probably has OAuth grants, API keys for OpenAI or Anthropic, a WhatsApp or Telegram session, maybe email access. OpenClaw stores all of it in plaintext Markdown and JSON files under ~/.openclaw/. Credentials, conversation memories, OAuth tokens — all sitting on disk, readable by any process with access to that directory. Hudson Rock warned that commodity infostealers — RedLine, Lumma, Vidar — are already building specific capabilities to harvest these file structures.

SecurityScorecard puts it directly: treat your OpenClaw agent as an additional identity inside your environment, with its own access and blast radius. It doesn’t show up in your IAM dashboard. There’s no human login trail. Misuse may not surface until after the damage is done.

For more context on how agentic AI tools create this kind of identity risk, see our overview of agentic AI — including how the draft-first review model changes the risk profile.

Why OpenClaw’s Default Settings Are This Dangerous

Here’s the thing that the quick-start guides skip: OpenClaw was built for localhost. The original design assumed one trusted operator, one machine, one trust boundary. That’s actually a reasonable threat model for a personal assistant running on your own computer. The problem is that ‘personal assistant on your laptop’ and ‘personal assistant on a VPS reachable from anywhere’ are completely different threat models — and the defaults didn’t change when people moved to the second scenario.

The default bind is 0.0.0.0. The default auth token is openclaw-dev. Those two facts together explain 93.4% of the exposure SecurityScorecard found. It’s not that operators are reckless. It’s that the tool’s defaults were designed for a sandboxed, local context and the deployment pattern outran the defaults.

OpenClaw’s own documentation is explicit about the trust model: the gateway is built for one user per trust boundary. It’s not a multi-tenant system. It’s not designed to be internet-facing without hardening in front of it. The official guidance says to bind to loopback and use SSH tunnels or an identity-aware reverse proxy for any remote access. Most quick-start deployments skip both steps.

This also explains why the CVE attack surface is what it is. CVE-2026-25253 (CVSS 8.8) works because the control UI trusted a gatewayUrl parameter from the query string without validation. On page load, it auto-connected to the specified URL and transmitted the stored authentication token via WebSocket. One malicious link, and the token leaves your machine in milliseconds. The attacker then has a WebSocket connection to your local instance — bypassing localhost restrictions through your own browser — and can disable sandboxing and execute arbitrary commands on the host.

The CVEs to Patch Before Anything Else

Three CVEs matter most in the current landscape. Patch these before you do anything else on this list.

CVE-2026-25253 (CVSS 8.8) — One-click RCE via token exfiltration

The Control UI auto-connected to an attacker-controlled URL from the query string, transmitting the auth token via WebSocket. Full exploit chain leads to arbitrary command execution. Hunt.io identified 17,500+ instances vulnerable to this class at disclosure time.

CVE-2026-24763 and CVE-2026-25157 — Command injection

Two separate command injection vulnerabilities in the gateway, allowing arbitrary command execution through improperly sanitized input fields. Disclosed in rapid succession after CVE-2026-25253.

CVE-2026-22708 — Indirect prompt injection via web browsing

OpenClaw does not sanitize web content before feeding it into the language model's context. A malicious webpage can contain hidden CSS-invisible instructions the agent interprets as commands. The web itself becomes a command-and-control channel.

Run openclaw security audit —deep before patching to get a baseline, then again after to confirm remediation. The audit checks bind address and auth state, tool blast radius, exec policy drift, network exposure surfaces, disk permissions, and plugin supply chain — not just CVE fingerprints.

OpenClaw Hardening Checklist: 8 Steps for Safe Deployment

What you’ll have when done: an OpenClaw instance that does not expose its control plane to the internet, requires authentication for every API call, runs as a non-root user in an isolated container, stores credentials with appropriate file permissions, and logs all tool actions for review. Total setup time: 45–90 minutes depending on your current state.

Prerequisites: root or sudo access to the host, OpenClaw installed and running locally, a reverse proxy available (Nginx or Caddy work fine), and basic familiarity with your terminal. If you’ve connected OpenClaw to any production accounts, disconnect them before starting and reconnect only after the hardening steps are complete.

1

Bind to loopback only

In openclaw.json, set gateway.bind: "loopback" (or 127.0.0.1). This is the single highest-impact change. It takes 30 seconds and immediately closes the default exposure path. Restart the gateway and confirm with netstat -tlnp | grep 18789 — you should see 127.0.0.1:18789, not 0.0.0.0:18789. Time: 5 minutes.

2

Replace the default auth token

Set gateway.auth.password to a strong random token (32+ characters). Never leave the openclaw-dev default in place. The official docs recommend a long random string for any deployment outside localhost. If you're using device auth or trusted-proxy auth, configure trustedProxies carefully and never allow the loopback trusted-proxy header path to be set by external traffic. Time: 5 minutes.

3

Put a reverse proxy with auth in front

Route all external access through Nginx or Caddy with HTTP basic auth or OAuth (Authelia, Authentik, or similar). The proxy should be the only network path to the gateway — no direct port-forwarding. Configure strict trustedProxies settings and overwrite rules so external traffic cannot spoof internal headers. The OpenClaw docs call this configuration explicitly: the proxy must be the sole ingress. Time: 20–30 minutes.

4

Run in an isolated container as a non-root user

Run OpenClaw in Docker with a dedicated non-root user. Microsoft recommends a fully isolated environment — a dedicated virtual machine or separate physical system — for any evaluation or production use. At minimum: dedicated container, non-root UID, no --privileged flag, limited volume mounts. Drop capabilities: --cap-drop ALL --cap-add only what execution requires. Time: 20–30 minutes.

5

Tighten ~/.openclaw/ file permissions

Run openclaw security audit --fix. This sets 600 permissions on files and 700 on directories under ~/.openclaw/, which means only the owner can read them. On Windows, it uses ACL resets. Verify: ls -la ~/.openclaw/ should show -rw------- on credential files, not -rw-r--r--. Time: 2 minutes.

6

Lock down DM and group policies to allowlists

Open DM policies let strangers trigger your agent. Set explicit allowlists for who can initiate conversations with tool-enabled agents. The openclaw security audit --fix command flips open group policies to allowlists automatically. Verify inbound access controls under the audit's gateway.* check results. Time: 10 minutes.

7

Disable or sandbox exec tools unless you need them

If you don't need shell execution, disable it. If you do need it, enable Docker sandbox mode and set exec approvals to ask or allowlist mode rather than auto-allow. The audit will flag security="full" with autoAllowSkills and open DM policies as a combined blast-radius risk. Review every tool your agent can reach and disable anything you're not actively using. Time: 15 minutes.

8

Enable audit logging and run the built-in audit

Set logging.redactSensitive: "tools" in your config. Run openclaw security audit --json after every config change or before any network surface change. Treat the JSON output as a pre-flight checklist. Structured check IDs (gateway.bind_no_auth, tools.exec.security_full_configured, etc.) give you specific finding references to track. Time: 5 minutes to configure, ongoing.

How to Vet OpenClaw Skills Before You Install Them

This section deserves its own heading because the supply chain risk is severe and underappreciated. Koi Security audited 2,857 skills on ClawHub and found 341 malicious ones — roughly 12% of the entire registry. The primary campaign, called ClawHavoc, distributed Atomic Stealer (AMOS), a macOS infostealer, through 335 skills that all shared a single command-and-control IP address. Skills had professional documentation and plausible names: ‘solana-wallet-tracker’, ‘youtube-summarize-pro’. The malware was buried in a fake ‘Prerequisites’ section.

The default ClawHub registry has minimal vetting requirements — a GitHub account at least a week old. That’s the entire barrier to publishing a malicious skill.

  • Only install skills from publishers you can independently verify — check their GitHub history, not just their ClawHub profile
  • Read the full skill source before installing, including any prerequisite or setup instructions that ask you to download external files
  • Enable an explicit plugin allowlist in your config — do not allow any plugin not on the list
  • Never install skills that request broader permissions than their stated purpose requires
  • If a skill asks you to download something outside the package manager as part of setup, treat it as suspicious
  • Check the audit’s skills.* and plugins.* findings after any new install

The ~/.openclaw/ directory is already a predicted target for commodity infostealers. A malicious skill that runs once has everything it needs — API keys, OAuth tokens, conversation memories — in a predictable location on disk. Skill vetting is not optional hardening. It’s a core part of OpenClaw security in 2026.

What a Managed Setup Ships by Default

If you’re evaluating whether to self-host and harden OpenClaw versus use a managed AI agent platform, the comparison is worth being direct about. The hardening checklist above is real work. It takes time to implement correctly, and it requires ongoing maintenance as the project evolves — OpenClaw as of early 2026 had no dedicated security team and no bug bounty program.

A managed setup like BrainRoad ships the hardening by default. No exposed control plane — the gateway doesn’t bind to a public interface. Container isolation is handled at the infrastructure level, with each agent running in its own isolated workspace. Mail access is gated to IMAP-only egress, which limits the blast radius if the agent is compromised. And critically: the review queue means that anything the agent prepares — a reply, a follow-up, an action — waits for the owner to approve before it goes anywhere external.

That last piece matters for a different reason than pure security. Microsoft’s recommendation is to use dedicated, non-privileged credentials and continuous monitoring as part of the operating model. A managed platform builds the review step into the workflow so the owner stays in the loop before anything gets sent, posted, or changed outside the system. This is speed, not friction. The agent works at full pace inside your workspace — reading, researching, drafting the reply. There is one gate, and it sits at the door: the moment something would actually leave your business, it waits for you. And that gate narrows as the agent earns it — approve the same kind of reply enough times and it stops asking for that kind.

Beacon the lighthouse illuminating a security checklist, cream body with red stripe, amber glow on dark navy background. Even the brightest systems need the right guardrails — let Beacon light the way through every setting, permission, and potential gap in your OpenClaw setup.

For a full breakdown of the cost and effort differences between self-hosting and managed deployment, the real monthly cost of running a personal AI agent covers the numbers — including infrastructure, maintenance time, and what’s typically absorbed by managed platforms.

Self-hosting remains the right choice for technical users who want full control and can commit to the hardening work. The checklist above is complete enough to get there. But ‘I’ll harden it later’ is how 93.4% of deployments end up unauthenticated on the public internet.

How to Verify Your OpenClaw Security Hardening Is Working

  • netstat -tlnp | grep 18789 shows 127.0.0.1:18789, not 0.0.0.0:18789 — loopback bind confirmed
  • Accessing your gateway URL from a separate network (not via your tunnel) returns a connection refused or proxy auth challenge, not the control UI
  • openclaw security audit —json returns zero findings with severity ‘high’ or ‘critical’ under gateway.* and tools.exec.* prefixes
  • ls -la ~/.openclaw/ shows -rw------- on all credential and config files — no group or world-readable permissions
  • Your reverse proxy logs show all requests hitting the proxy layer, with no direct traffic reaching port 18789 from external IPs
  • A new ClawHub skill install triggers the plugin allowlist check in your audit output — if it doesn’t appear, allowlist enforcement isn’t active

Signs Your OpenClaw Instance May Already Be Compromised

If you’ve been running OpenClaw with default settings for any period of time, run through this list before trusting the instance.

  • Unexpected outbound connections from the host in your firewall or network logs
  • API key usage spikes in your OpenAI or Anthropic billing dashboard at times you weren’t active
  • Messages sent from connected accounts (email, WhatsApp, Telegram) you don’t recognize
  • New skills or plugins installed that you didn’t add
  • Modified files in ~/.openclaw/ with timestamps you don’t recognize
  • Any external service (email provider, cloud console) showing login activity from an unknown IP or session

Your OpenClaw Security Checklist for This Week

Run these in order. The first three have the highest immediate impact.

1

Run the security audit right now

openclaw security audit --deep gives you a structured finding list with check IDs and severities. Do this before changing anything — you need the baseline. If you see gateway.bind_no_auth or gateway.auth_missing in the output, treat this as urgent.

2

Fix bind address and auth within the hour

Set gateway.bind: "loopback" and gateway.auth.password to a 32+ character random string. These two changes close the default exposure path that accounts for 93.4% of unauthenticated deployments. Restart the gateway. Confirm netstat output shows 127.0.0.1 binding only.

3

Run --fix for automatic remediations

openclaw security audit --fix applies safe automatic changes: flips open group policies to allowlists, sets 600/700 permissions on state and config files, and restores logging.redactSensitive: "tools". It won't touch anything requiring manual judgment.

4

Set up your reverse proxy before re-enabling remote access

If you need remote access, configure Nginx or Caddy with an auth layer first. If you're accessing it only locally, keep the loopback bind and use an SSH tunnel for remote sessions. Do not open port 18789 directly to the internet under any configuration.

5

Audit every installed skill this week

Go through your ClawHub-installed skills one by one. Verify the publisher independently. Remove anything you don't actively use. Enable a plugin allowlist so future installs require explicit approval. This is the step most hardening guides skip — 12% of the ClawHub registry was malicious at the time of the Koi Security audit.

6

Run the audit again and schedule it monthly

After completing steps 1–5, run openclaw security audit --json again and confirm zero high/critical findings. Add a monthly calendar reminder. OpenClaw is a fast-moving project: new CVEs and config-surface changes appear quickly. Treating the audit as a one-time task is how security drift happens.

What This Means for How You Run OpenClaw Going Forward

  • SecurityScorecard found 42,665 exposed OpenClaw instances as of January 31, 2026, with 93.4% lacking authentication — the default openclaw-dev token and 0.0.0.0 bind address are the direct cause
  • Microsoft classifies the runtime as ‘untrusted code execution with persistent credentials’ — the risk is not the server, it’s every downstream service the agent can reach
  • CVE-2026-25253 (CVSS 8.8) allows one-click remote code execution through a single malicious link; patch this before any other hardening step
  • 12% of audited ClawHub skills were malicious at time of disclosure — skill vetting is not optional, it’s a core part of the security model
  • Bind to loopback, set a strong auth token, put an identity-aware proxy in front, run as non-root in an isolated container, and run openclaw security audit —fix — these five steps close the most dangerous exposure paths
  • A managed platform ships most of this hardening by default; self-hosting is the right call only if you’re prepared to own the ongoing maintenance

Frequently Asked Questions About OpenClaw Security

Is OpenClaw safe to run in 2026?

OpenClaw can be run safely, but not with default settings. As of early 2026, it had no dedicated security team and no bug bounty program. Running it with default configuration on a machine with access to production credentials or messaging accounts is high-risk. The hardening steps in this guide — loopback bind, strong auth, reverse proxy, container isolation, non-root execution, skill vetting — reduce the risk to an acceptable level for most personal-assistant use cases. Microsoft recommends deploying it only in a fully isolated environment with dedicated non-privileged credentials and a rebuild plan as part of the operating model.

What is CVE-2026-25253 and do I need to patch it?

CVE-2026-25253 (CVSS 8.8) is a one-click remote code execution vulnerability in OpenClaw’s control UI. The UI trusted a gatewayUrl parameter from the query string without validation, auto-connected to attacker-controlled URLs, and transmitted the stored auth token via WebSocket. That token gives an attacker full control of your local instance — including the ability to disable sandboxing and execute arbitrary commands. Yes, you need to patch it. Hunt.io identified 17,500+ vulnerable instances at the time of disclosure. Update to the patched version and run the security audit afterward to confirm remediation.

How do I stop OpenClaw from being exposed to the internet?

Set gateway.bind: “loopback” (or 127.0.0.1) in your openclaw.json config. This makes the gateway listen only on the local loopback interface, not on all network interfaces. For remote access, use an SSH tunnel to reach 127.0.0.1:18789 rather than opening the port directly. If you need a public-facing deployment, put an identity-aware reverse proxy (Nginx or Caddy with an auth layer) in front, and configure strict trustedProxies settings so external traffic cannot bypass authentication.

Are ClawHub skills safe to install?

Many are, but the registry has a significant vetting gap. Koi Security audited 2,857 skills and found 341 malicious ones — roughly 12% of the registry — as part of the ClawHavoc campaign. 335 of those delivered Atomic Stealer macOS malware through fake prerequisite instructions. Vet each skill by independently verifying the publisher’s GitHub history, reading the full source before installing, and watching for any setup step that asks you to download files from outside the package. Enable a plugin allowlist so future installs require explicit approval.

What files does OpenClaw store credentials in, and how do I secure them?

OpenClaw stores API keys, OAuth tokens, WhatsApp credentials, Telegram bot tokens, Discord OAuth tokens, and conversation memories in plaintext Markdown and JSON files under ~/.openclaw/. Run openclaw security audit —fix to set 600 permissions on files and 700 on directories, making them readable only by the owner. Avoid syncing this directory to cloud storage or backup services that might expose the contents. Hudson Rock has warned that RedLine, Lumma, and Vidar malware families are building specific capabilities to harvest these file structures.

Sources

Topics

AI Agent Platform

Stay updated

Get AI strategy insights delivered weekly. No fluff, no spam.

Related Articles