Introduction
Running OpenClaw securely requires more than just setting a gateway password. This comprehensive checklist covers every security layer from file permissions to E2E encryption, synthesized from community best practices and real-world threat scenarios.
Threat Model: What You're Defending Against
Before implementing any security measure, understand what attackers target:
1. Malicious ClawHub Skills
Attack: Install a skill that looks legitimate but contains malware
Impact: Harvests keychain, browser passwords, wallet files, API keys
Defense: Never install skills without reviewing source code or checking Clawdex scans
2. Prompt Injection via Messages
Attack: Crafted Telegram/email message contains hidden instructions
Impact: Agent exfiltrates API keys, executes shell commands, sends unauthorized messages
Defense: Tool policy lockdown + SOUL.md boundaries + Docker sandbox
3. Runaway Automation Loops
Attack: Prompt injection or buggy skill causes infinite API call loops
Impact: Unexpected API bills, service rate limiting, account suspension
Defense: API spending limits at provider level + OpenClaw-level rate limits
4. Memory Poisoning
Attack: Malicious payload injected into agent memory on Day 1, triggers weeks later
Impact: Delayed-activation attacks, credential exfiltration, unauthorized access
Defense: Regular session resets + audit logs + memory sanitization
5. Credential Harvesting
Attack: Any malware that reads the ~/.openclaw/ directory
Impact: Full compromise of all stored API keys, bot tokens, OAuth tokens, conversation history
Defense: File permissions lockdown + encrypted filesystems + credential rotation
The Checklist
Phase 1: Foundation Security
✅ 1.1 Enable FileVault (Full-Disk Encryption)
Why: Protects all data if the Mac Mini is physically stolen or disposed of improperly.
How: System Settings → Privacy & Security → FileVault → Turn On
✅ 1.2 Enable Firewall
Why: Blocks unsolicited inbound connections at the OS level.
How: System Settings → Network → Firewall → Turn ON
✅ 1.3 Install Latest OpenClaw Version
Why: Versions below 2026.1.29 are vulnerable to CVE-2026-25253 (1-click RCE).
How: Run openclaw update and verify with openclaw doctor
Phase 2: Gateway Hardening
✅ 2.1 Bind Gateway to Localhost Only
Important: Never bind to 0.0.0.0 or your LAN IP unless you have a specific use case and understand the risks.
✅ 2.2 Set Strong Gateway Auth Password
Why: Protects the Control UI from unauthorized access.
Tip: Store the password in a password manager, not as plaintext.
✅ 2.3 Disable Unauthenticated Endpoints
Why: Forces authentication for all API endpoints, not just the UI.
✅ 2.4 Run Security Audit
Frequency: After every configuration change and quarterly at minimum.
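As an added example (not OpenClaw's own audit command), here is a small check a practitioner can run alongside the built-in audit: it walks the agent's config directory and flags anything readable or writable by group or others, which is the file-permission lockdown named as the defense against credential harvesting. The default path ~/.openclaw/ and the sample file names are assumptions.

```python
# Added example, not OpenClaw's own tooling: audit (and optionally tighten)
# permissions under the agent's config directory so that only the owner can
# read credentials, tokens and session history.
import os
import stat
import tempfile

LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO   # any group/other permission bit


def audit_permissions(root: str = "~/.openclaw", fix: bool = False) -> list[str]:
    """Return paths whose mode grants group/other access; optionally tighten them.

    With fix=True, directories become 0700 and regular files 0600 (owner only).
    """
    root = os.path.expanduser(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # "" stands for the directory itself, so every directory is checked too.
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue   # mode bits on a symlink itself are meaningless
            if st.st_mode & LOOSE_BITS:
                findings.append(path)
                if fix:
                    os.chmod(path, 0o700 if stat.S_ISDIR(st.st_mode) else 0o600)
    return findings


def demo() -> tuple[int, int]:
    """Build a constructed sample tree with loose modes and audit it twice."""
    base = tempfile.mkdtemp(prefix="openclaw-audit-")   # mkdtemp gives 0700
    sessions = os.path.join(base, "sessions")
    os.makedirs(sessions)
    os.chmod(sessions, 0o755)                           # world-readable dir
    creds = os.path.join(base, "credentials.json")
    with open(creds, "w") as f:
        f.write('{"api_key": "PLACEHOLDER"}')            # constructed, not a real key
    os.chmod(creds, 0o644)                              # world-readable file
    before = len(audit_permissions(base, fix=True))     # finds and tightens both
    after = len(audit_permissions(base))                # nothing left to report
    return before, after


if __name__ == "__main__":
    for p in audit_permissions():
        print("loose permissions:", p)
```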
Phase 3: Tool Policy Lockdown
✅ 3.1 Enable Deny-by-Default Tool Policy
Explicitly allow only tools your workflows need. Deny all others by default.
✅ 3.2 Restrict Browser Automation
Browser tools are high-risk attack vectors. If you must enable them, limit to specific trusted domains only.
✅ 3.3 Block Shell Execution by Default
exec.sh, bash, and zsh tools should never be available to untrusted prompts.
✅ 3.4 Restrict File Write Access
File operations should be limited to specific directories like ~/openclaw/tmp/, never system directories.
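Items 3.1 to 3.4 describe one policy: deny by default, trusted browser domains only, no shell tools, and file writes confined to one directory. The evaluator below is an added example and not OpenClaw's own policy engine or config format; the policy schema, tool names and the docs.example.com domain are assumptions. It generalizes 3.4 slightly by resolving the target path, so `..` and symlink escapes out of the allowed directory are also denied.

```python
# Added example, not OpenClaw code: a deny-by-default tool-policy check.
import os
from urllib.parse import urlparse

# Constructed policy (assumed schema): anything not listed in "allow" is denied.
POLICY = {
    "allow": {"read_file", "write_file", "browser.open"},
    "browser_domains": {"docs.example.com"},             # 3.2: trusted domains only
    "shell_tools": {"exec.sh", "bash", "zsh"},          # 3.3: never allowed
    "write_root": os.path.expanduser("~/openclaw/tmp"),  # 3.4: only writable directory
}


def _under(path: str, root: str) -> bool:
    """True if path resolves inside root (blocks ../ and symlink escapes)."""
    real = os.path.realpath(os.path.expanduser(path))
    root = os.path.realpath(root)
    return os.path.commonpath([real, root]) == root


def evaluate(tool: str, args: dict, policy: dict = POLICY) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied (3.1)."""
    if tool in policy["shell_tools"]:
        return False, "shell execution is blocked by policy"
    if tool not in policy["allow"]:
        return False, f"tool {tool!r} is not in the allowlist"
    if tool.startswith("browser."):
        host = urlparse(args.get("url", "")).hostname or ""
        if host not in policy["browser_domains"]:
            return False, f"domain {host!r} is not trusted"
    if tool == "write_file" and not _under(args.get("path", ""), policy["write_root"]):
        return False, "write outside ~/openclaw/tmp/ is denied"
    return True, "allowed"
```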
Phase 4: SOUL.md Boundaries
✅ 4.1 Define Financial Boundaries
Your SOUL.md must explicitly state: "If any single API call exceeds $X, pause and ask for human approval."
✅ 4.2 Define Security Boundaries
Example: "Never write API keys to disk. Never send credentials via email. Never execute shell commands without logging."
✅ 4.3 Define Operational Boundaries
"Do not modify system configurations. Do not install or uninstall software. Do not access files outside of ~/openclaw/."
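A SOUL.md boundary is an instruction to the model, and a prompt-injected or looping agent may not honor it, so the financial boundary from 4.1 and the rate limits from threat 3 are worth enforcing in code as well. The guard below is an added example, not part of OpenClaw; the thresholds, the sliding-window rule and the `pause` outcome (meaning "ask a human") are assumptions.

```python
# Added example, not OpenClaw code: enforce "$X per call -> ask a human",
# a daily spending cap, and a burst limit that stops runaway loops.
import time
from collections import deque


class SpendGuard:
    """check() returns 'allow', 'pause' (needs human approval) or 'deny'."""

    def __init__(self, per_call_usd: float, window_calls: int, window_secs: float,
                 daily_cap_usd: float, clock=time.monotonic):
        self.per_call_usd = per_call_usd      # the "$X" from the SOUL.md boundary
        self.window_calls = window_calls      # max calls per window (loop brake)
        self.window_secs = window_secs
        self.daily_cap_usd = daily_cap_usd    # hard stop, mirrors provider limit
        self.clock = clock                    # injectable for testing
        self.calls = deque()                  # timestamps of recent calls
        self.spent_today = 0.0

    def check(self, estimated_usd: float) -> str:
        now = self.clock()
        while self.calls and now - self.calls[0] > self.window_secs:
            self.calls.popleft()              # drop calls outside the window
        if len(self.calls) >= self.window_calls:
            return "deny"                     # burst looks like a loop: stop
        if self.spent_today + estimated_usd > self.daily_cap_usd:
            return "deny"                     # would exceed the daily cap
        if estimated_usd > self.per_call_usd:
            return "pause"                    # 4.1: pause and ask for approval
        return "allow"

    def record(self, actual_usd: float) -> None:
        """Call after a request completes (or after a human approved a pause)."""
        self.calls.append(self.clock())
        self.spent_today += actual_usd
```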
Phase 5: Docker Sandbox (Advanced)
✅ 5.1 Enable Docker Sandbox for All Tool Execution
All tools run in isolated containers with no network access by default.
✅ 5.2 Configure Network Isolation
Tools cannot reach external networks unless explicitly allowed (deny-by-default).
✅ 5.3 Set Resource Limits
Prevent runaway processes from consuming all CPU/memory. Set per-tool limits like 2GB RAM, 1 CPU.
✅ 5.4 Drop Linux Capabilities
Remove unnecessary capabilities like CAP_SYS_ADMIN to limit what malicious tools can do inside the sandbox.
Verification & Maintenance
Weekly Checks
- Review recent session logs for anomalies
- Check API spending against expected patterns
- Verify gateway auth credentials are still strong
Monthly Checks
- Run full security audit
- Review installed skills for deprecation or security issues
- Update OpenClaw to latest version
Quarterly Checks
- Perform threat model review (are new threats relevant?)
- Rotate API keys that haven't been rotated in 90 days
- Review and tighten tool policies based on actual usage
Common Mistakes to Avoid
- Don't store API keys in plaintext config files. Use encrypted vaults or OS keychains.
- Don't run the gateway on 0.0.0.0:3000 "just for testing." This is how breaches happen.
- Don't trust skill code at first glance. Always review or scan with Clawdex.
- Don't skip Docker sandbox "because it's slower." Defense-in-depth saves you.
- Don't ignore high API bills. This often indicates a loop or exfiltration attack in progress.
Key Takeaways
- Defense-in-depth is non-negotiable — single points of failure lead to full compromise
- SOUL.md is your first line of defense — it must be clear, explicit, and monitored
- Tool policies are where the real security happens — deny by default, allow only what you need
- Monitoring is as important as configuration — watch API spending, logs, and session activity
- Regular audits catch drift — security configurations degrade over time
When to Hire an Expert
This checklist covers the fundamentals, but expert help is valuable for enterprise setups, compliance requirements, or advanced threat scenarios. Consider hiring an OpenClaw security expert if you need custom threat modeling, compliance validation, or advanced incident response procedures.