OpenClaw Hardening Checklist: 15 Steps to Secure Your Setup

Update to the Latest Version

Ensure you're running OpenClaw 2026.2.25 or later. This patches CVE-2026-25253 (one-click RCE, CVSS 8.8), CVE-2026-24964, and seven other critical vulnerabilities. If you're on any version before February 2026, you are actively exploitable.

openclaw --version
# If below 2026.2.25:
openclaw update --latest

Enable Authentication

OpenClaw ships with no authentication by default. Anyone who can reach your instance can execute commands, install skills, and access your data. Enable built-in authentication immediately.

# In config.yaml:
auth:
  enabled: true
  method: "token"
  token: "your-strong-random-token-here"

Use a minimum 32-character random token. Never use default or predictable values.

Bind to Localhost Only

SecurityScorecard found 135,000+ OpenClaw instances exposed to the public internet. Most were running on 0.0.0.0:3000 — the default. Bind to localhost so only local connections work.

# In config.yaml:
server:
  host: "127.0.0.1"
  port: 3000

If you need remote access, use a reverse proxy with TLS (Step 5) or SSH tunneling. Never expose OpenClaw directly.

Disable Auto-Install for Skills

By default, AI agents can install skills without user confirmation. This means a compromised or manipulated agent can install malicious skills autonomously. Require manual approval for every installation.

# In config.yaml:
skills:
  auto_install: false
  require_confirmation: true

Deploy Behind a Reverse Proxy with TLS

Place nginx, Caddy, or Traefik in front of OpenClaw. This provides TLS encryption, rate limiting, request filtering, and access logging. A reverse proxy also hides OpenClaw's version and headers from attackers.

# Nginx example:
server {
    listen 443 ssl;
    server_name openclaw.yourdomain.com;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Real-IP $remote_addr;
        limit_req zone=openclaw burst=20;
    }
}

Firewall Rules — Block Unnecessary Ports

Only port 443 (HTTPS) should be accessible externally if you need remote access. Block everything else.

# UFW example:
sudo ufw default deny incoming
sudo ufw allow 22/tcp   # SSH (restrict to your IP)
sudo ufw allow 443/tcp  # HTTPS only
sudo ufw enable

Network Isolation — Run in a Separate Namespace

For maximum security, run OpenClaw in a Docker container or separate network namespace. This limits the blast radius if an agent is compromised. A containerized setup prevents malicious skills from accessing your host filesystem.

docker run -d --name openclaw \
  --network=openclaw-net \
  -p 127.0.0.1:3000:3000 \
  -v openclaw-data:/data \
  --read-only \
  openclaw/openclaw:latest

Audit Every Skill Before Installation

This is the single most important practice. Never install a skill you haven't reviewed. Read the source code. Check for shell execution, external API calls, file system access beyond what's needed, and obfuscated code (base64, eval, dynamic imports). See my audit methodology for a complete framework.

What to look for:

• Shell commands: exec(), spawn(), system()
• External calls: fetch(), http.request() to unknown domains
• File access: Reading ~/.ssh/, ~/.aws/, browser credential stores
• Obfuscation: Base64-encoded strings, eval(), dynamic require()
• Excessive permissions: Requesting shell access for a "productivity" tool

Use Only Trusted Skill Sources

ClawHub has 820+ confirmed malicious skills out of ~10,700 total. That's roughly 20% of the registry. Don't browse ClawHub like an app store. Treat every skill as potentially hostile until verified. Use security-audited skill packs from trusted sources, or audit everything yourself.

Restrict Agent Permissions

OpenClaw agents can request file system access, shell execution, OAuth tokens, and network access. Apply the principle of least privilege: grant only the permissions each agent actually needs. A writing assistant doesn't need shell access. An OSINT tool doesn't need to modify your filesystem.

# In agent config:
permissions:
  filesystem: "read-only"  # or "none"
  shell: false
  network: ["api.openai.com"]  # whitelist only
  oauth: false

Pin Skill Versions

Skills can be updated by their authors at any time. An initially safe skill could push a malicious update. Pin specific versions and re-audit before upgrading.

# In skills.yaml:
installed:
  - name: "my-trusted-skill"
    version: "1.2.3"  # pinned
    auto_update: false

Enable Comprehensive Logging

Log every skill installation, agent action, API call, and authentication event. Without logs, you can't detect a breach. Ship logs to a central location.

# In config.yaml:
logging:
  level: "info"
  file: "/var/log/openclaw/audit.log"
  include_agent_actions: true
  include_skill_events: true

Monitor Outbound Network Connections

Malicious skills exfiltrate data through outbound HTTP requests. Monitor what domains your OpenClaw instance connects to. Flag any connections to unknown external APIs, Telegram bots, or suspicious endpoints.

# Quick check with ss:
ss -tunp | grep openclaw

# Or with tcpdump:
tcpdump -i any -n host $(pgrep openclaw) port 443

Set Up Integrity Monitoring

Monitor your skill directory for unauthorized changes. If a file changes that you didn't modify, investigate immediately. Use tools like inotifywait or AIDE.

# Simple file watcher:
inotifywait -m -r /path/to/openclaw/skills/ \
  -e modify -e create -e delete

Scheduled Security Reviews

Hardening is not a one-time event. Schedule monthly reviews:

• Monthly: Check for new OpenClaw CVEs and updates
• Monthly: Review installed skills against known malicious skill lists
• Quarterly: Full re-audit of all installed skills
• Immediately: Re-audit after any skill update or new CVE disclosure