This document consolidates security and hardening best practices for the OpenClaw Gateway, drawing from official documentation and recent security advisories.
OpenClaw is designed primarily for a personal assistant deployment model, assuming one trusted operator per gateway. It is not intended for multi-tenant environments with untrusted or adversarial users. For such scenarios, run separate gateway instances for each trust boundary.
For a secure starting point, consider the following configuration, which keeps the Gateway local, isolates DMs, and disables potentially dangerous tools by default:
{
"gateway": {
"mode": "local",
"bind": "loopback",
"auth": {
"mode": "token",
"token": "replace-with-long-random-token"
}
},
"session": {
"dmScope": "per-channel-peer"
},
"tools": {
"profile": "messaging",
"deny": ["group:automation", "group:runtime", "group:fs", "sessions_spawn", "sessions_send"],
"fs": {
"workspaceOnly": true
},
"exec": {
"security": "deny",
"ask": "always"
}
},
"elevated": {
"enabled": false
},
"channels": {
"whatsapp": {
"dmPolicy": "pairing",
"groups": {
"*": {
"requireMention": true
}
}
}
}
}- Do Not Expose Publicly: Never expose the OpenClaw gateway directly to the public internet. It typically runs on port 18789. Publicly exposed gateways are easily discoverable.
- Bind to Localhost: Configure the gateway to listen only for connections from the local machine by binding it to
127.0.0.1(localhost) orloopbackin youropenclaw.json. - Firewall Rules: Implement strict firewall rules to block all unnecessary inbound and outbound connections, allowing only essential traffic.
- Secure Remote Access: For remote access, use secure methods like SSH tunneling or a VPN (e.g., Tailscale) instead of direct exposure.
- Docker Considerations: If using Docker, be aware that it can bypass UFW rules. Configure rules in the
DOCKER-USERchain to control exposure.
- Enable Gateway Authentication: Always enable gateway authentication and use a strong, randomly generated authentication token. Generate a token with
openclaw doctor --generate-gateway-token. - Manage Access Tokens: Treat your gateway authentication token like a password. Rotate it regularly and store it securely (e.g., as an environment variable, not in plaintext config files).
- Restrict Chat and Messaging: If integrating with chat platforms, use allowlists to specify which user IDs can interact with your agent.
- Direct Messages (DMs) and Groups:
- For DMs, use the default
pairingpolicy (dmPolicy: "pairing") to require approval for unknown senders. - For group chats, require the bot to be explicitly mentioned to respond (
requireMention: true). - Isolate DM sessions using
session.dmScope: "per-channel-peer"to prevent context leakage.
- For DMs, use the default
- Run in a Docker Container: The recommended approach is to run OpenClaw within a Docker container for process isolation, filesystem restrictions, and network controls.
- Harden Docker Configuration:
- Do not mount your home directory or the Docker socket.
- Use read-only filesystems where possible.
- Drop unnecessary Linux capabilities.
- Run the container as a non-root user.
- Enable Sandbox Mode: For tasks that execute code, enable OpenClaw's sandbox mode to prevent malicious or compromised prompts from accessing your system or network. Configure this in
agents.defaults.sandbox.
- Avoid Plaintext Storage: Never store API keys, tokens, or other sensitive information in plaintext configuration files.
- Use Secure Storage Mechanisms: Load credentials from environment variables or use dedicated secrets management solutions (e.g., Hashicorp Vault, AWS Secrets Manager).
- Ensure your configuration and state files are private.
~/.openclaw/openclaw.jsonshould have permissions600(user read/write only).- The
~/.openclawdirectory should have permissions700(user access only). ~/.openclaw/credentials/and its contents should also be600.
- Principle of Least Privilege: Only grant the agent the permissions and tools it absolutely needs.
- Audit Third-Party Skills: Be extremely cautious with third-party skills, as they can contain malicious code. Research has shown a significant number of skills on marketplaces may be malicious.
- Lock down who can message the bot using DM pairing and allowlists.
- Require mentions in group chats.
- Run agents that process untrusted content in a sandbox with a minimal toolset.
- Use the latest, most powerful models, as they are generally more resistant to prompt injection.
- Enable Logging: Turn on comprehensive logging for all agent activities (command executions, API calls, file access). Store logs in a secure, separate location where the agent cannot modify them.
- Log Redaction: Keep log redaction enabled (
logging.redactSensitive: "tools") to prevent sensitive information from leaking into logs. - Incident Response Plan: Have a plan for suspected compromises, including stopping the gateway and revoking API keys.
The OpenClaw project is under active development, and new vulnerabilities are discovered.
- Keep Software Updated: Regularly update OpenClaw and its dependencies to ensure you have the latest security patches.
- Be Aware of Recent Threats: Stay informed about new vulnerabilities. Notable past vulnerabilities include:
- ClawJacked (High Severity): Allowed malicious websites to hijack locally running OpenClaw instances via WebSocket connections and brute-force password. Patched in v2026.2.25.
- Remote Code Execution (Critical - CVE-2026-25253): A malicious link could trick the Control UI into sending an auth token to an attacker-controlled server, leading to RCE. Patched in v2026.1.29.
- Authentication Bypass (High Severity - CVE-2026-26327): Allowed attackers on the same local network to intercept credentials by spoofing a legitimate gateway.
- Other Vulnerabilities: Server-Side Request Forgery (SSRF - CVE-2026-26322), missing webhook authentication (CVE-2026-26319), and path traversal (CVE-2026-26329).
By diligently applying these practices, you can significantly enhance the security posture of your OpenClaw Gateway deployment.