OpenClaw is incredibly powerful — it can execute commands, read files, browse the web, and interact with your entire digital life. That power comes with responsibility. A misconfigured OpenClaw deployment is a security incident waiting to happen.
In this guide, we’ll systematically harden your OpenClaw installation against the most common attack vectors.
## The Threat Model
Before hardening, understand what we’re defending against:
| Threat | Description | Severity |
|---|---|---|
| Prompt Injection | Malicious input tricks the AI into executing harmful commands | 🔴 Critical |
| Unauthorized Access | Someone gains access to your bot and issues commands | 🔴 Critical |
| Data Exfiltration | Sensitive files accessed and sent through messaging channels | 🟡 High |
| Resource Abuse | Excessive API usage, crypto mining, or denial of service | 🟡 High |
| Session Hijacking | Stolen session tokens used to impersonate you | 🟡 High |
## Layer 1: Environment Isolation
Never run OpenClaw on your primary machine. Use a dedicated environment.
### Option A: Dedicated VPS
```bash
# Recommended: create a low-privilege user
sudo useradd -m -s /bin/bash openclaw
sudo passwd openclaw
# Lock down sudo access
# openclaw should NOT have sudo privileges
```
### Option B: Docker Container (Recommended)
```yaml
# docker-compose.yml
services:
  openclaw:
    build: .
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:size=200M,mode=1777
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
    deploy:
      resources:
        limits:
          cpus: "2.0"
          memory: 2G
          pids: 100
    networks:
      - openclaw-net
networks:
  openclaw-net:
    driver: bridge
    internal: false # Set to true to block outbound internet
```
### Option C: Firejail Sandbox (Linux)
```bash
# Install firejail
sudo apt install firejail
# Run OpenClaw in a sandbox
# Note: --net=none gives the sandbox a network namespace with only loopback,
# so the gateway cannot reach channel or model APIs; drop that flag if it
# needs outbound connectivity
firejail --private --net=none --nosound \
  --whitelist=~/.openclaw \
  openclaw gateway start --foreground
```
## Layer 2: Access Control
### Restrict Who Can Send Commands
```yaml
# ~/.openclaw/config.yaml
security:
  authentication:
    # Only these users can interact with the bot
    allowed_users:
      telegram:
        - 987654321 # Your Telegram ID
      discord:
        - "12345678901234" # Your Discord ID
      whatsapp:
        - "+1234567890" # Your phone number
    # Block everyone else — deny by default
    default_action: "deny"
    # Log unauthorized attempts
    log_unauthorized: true
    alert_on_unauthorized: true
```
### Passphrase Protection
Add an extra layer — require a passphrase before the bot accepts commands:
```yaml
security:
  authentication:
    passphrase:
      enabled: true
      hash: "${OPENCLAW_PASSPHRASE_HASH}" # bcrypt hash
      session_timeout: "4h" # Re-authenticate after 4 hours
      max_attempts: 3 # Lock after 3 failed attempts
      lockout_duration: "30m"
```
Generate a passphrase hash:
```bash
openclaw auth generate-hash
# Enter passphrase: ●●●●●●●●●●●●
# Hash: $2b$12$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
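To make the two settings above concrete, here is an added example (not OpenClaw's own code) of the logic they describe: a deny-by-default sender check against the per-channel allowlists, and the passphrase gate with its three-strike lockout and four-hour session expiry. It assumes the gate receives the channel name and the sender ID as the messaging library delivers it, and it uses a PBKDF2 digest as a stand-in for the bcrypt hash the page generates, because bcrypt is not in the Python standard library; the verdict strings and the fixed salt are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Mirrors security.authentication.allowed_users from the config above.
# Values are stored as strings so an int Telegram ID and a string Discord ID
# are compared the same way.
ALLOWED_USERS = {
    "telegram": {"987654321"},
    "discord": {"12345678901234"},
    "whatsapp": {"+1234567890"},
}
MAX_ATTEMPTS = 3                # max_attempts: 3
LOCKOUT_SECONDS = 30 * 60       # lockout_duration: "30m"
SESSION_SECONDS = 4 * 60 * 60   # session_timeout: "4h"


def is_allowed(channel: str, sender_id) -> bool:
    """default_action: deny. An unknown channel or sender is rejected."""
    return str(sender_id).strip() in ALLOWED_USERS.get(channel, set())


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Stand-in for the page's bcrypt hash (assumption): PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


@dataclass
class PassphraseGate:
    salt: bytes
    stored_hash: bytes
    failed: int = 0
    locked_until: float = 0.0
    # "channel:sender" -> time the session was authenticated
    sessions: dict = field(default_factory=dict)

    def is_authenticated(self, key: str, now: float) -> bool:
        started = self.sessions.get(key)
        if started is None:
            return False
        if now - started > SESSION_SECONDS:
            del self.sessions[key]   # expired: re-authentication required
            return False
        return True

    def try_passphrase(self, key: str, passphrase: str, now: float) -> str:
        """Returns 'ok', 'bad' or 'locked' (hypothetical verdict names)."""
        if now < self.locked_until:
            return "locked"
        candidate = hash_passphrase(passphrase, self.salt)
        # Constant-time comparison so timing does not reveal matching bytes.
        if hmac.compare_digest(candidate, self.stored_hash):
            self.failed = 0
            self.sessions[key] = now
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.failed = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad"


def demo() -> list:
    """Constructed scenario: three wrong guesses trigger the 30m lockout, the
    correct passphrase is refused while locked and accepted afterwards, and
    the resulting session expires after 4h."""
    salt = b"constructed-fixed-salt"   # real code: os.urandom(16), stored with the hash
    gate = PassphraseGate(salt, hash_passphrase("correct horse", salt))
    key = "telegram:987654321"
    results = [gate.try_passphrase(key, "wrong", t) for t in (0, 1, 2)]
    results.append(gate.try_passphrase(key, "correct horse", 3))
    results.append(gate.try_passphrase(key, "correct horse", 2 + LOCKOUT_SECONDS))
    results.append(gate.is_authenticated(key, 2 + LOCKOUT_SECONDS + 60))
    results.append(gate.is_authenticated(key, 2 + LOCKOUT_SECONDS + SESSION_SECONDS + 1))
    return results
```

The point of `is_allowed` is the `.get(channel, set())` default: a channel that is not in the allowlist at all yields an empty set, so a new connector cannot silently admit everyone. The gate reads the clock from its caller, which is what makes the lockout and expiry behaviour testable without sleeping.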
## Layer 3: Tool Permissions
Control exactly what OpenClaw can and cannot do:
```yaml
# ~/.openclaw/config.yaml
tools:
  command_execution:
    enabled: true
    sandboxed: true
    # Whitelist approach — only allow specific commands
    allowed_commands:
      - "git *"
      - "npm *"
      - "node *"
      - "python3 *"
      - "ls *"
      - "cat *"
      - "grep *"
      - "curl *"
      - "docker ps"
      - "docker logs *"
    # Explicitly block dangerous commands
    blocked_commands:
      - "rm -rf *"
      - "sudo *"
      - "chmod 777 *"
      - "dd *"
      - "mkfs *"
      - "shutdown *"
      - "reboot *"
      - "> /dev/*"
      - "wget * | bash"
      - "curl * | sh"
    # Require user approval for these
    require_approval:
      - "rm *"
      - "mv *"
      - "cp *"
      - "docker run *"
      - "docker exec *"
      - "npm install *"
  file_access:
    enabled: true
    sandboxed: true
    # Only allow access to specific directories
    allowed_paths:
      - "/home/openclaw/workspace"
      - "/home/openclaw/projects"
    # Block access to sensitive locations
    blocked_paths:
      - "/etc/shadow"
      - "/etc/passwd"
      - "~/.ssh/*"
      - "~/.gnupg/*"
      - "~/.openclaw/config.yaml" # Prevent reading its own config
      - "*.env"
      - "*secret*"
      - "*credential*"
      - "*password*"
  browser:
    enabled: true
    blocked_domains:
      - "*.bank.*"
      - "*.gov.*"
      - "mail.google.com"
      - "accounts.google.com"
    require_approval:
      - form_submission
      - file_download
```
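The three command lists and the two path lists above overlap (`rm *` needs approval, `rm -rf *` is blocked, `curl *` is allowed but `curl * | sh` is blocked), so the order in which they are consulted decides the outcome. The following is an added example, not OpenClaw's own policy engine, of the evaluation order a practitioner wants: blocked first, then require-approval, then the allowlist, and deny for anything unmatched. It assumes the entries are shell-style globs matched against the whole command line, and the verdict names, the home directory and the working directory are hypothetical.

```python
import fnmatch
import posixpath

ALLOWED = ["git *", "npm *", "node *", "python3 *", "ls *", "cat *", "grep *",
           "curl *", "docker ps", "docker logs *"]
BLOCKED = ["rm -rf *", "sudo *", "chmod 777 *", "dd *", "mkfs *", "shutdown *",
           "reboot *", "> /dev/*", "wget * | bash", "curl * | sh"]
REQUIRE_APPROVAL = ["rm *", "mv *", "cp *", "docker run *", "docker exec *",
                    "npm install *"]

HOME = "/home/openclaw"   # assumption: the low-privilege user from Layer 1
ALLOWED_PATHS = ["/home/openclaw/workspace", "/home/openclaw/projects"]
BLOCKED_PATHS = ["/etc/shadow", "/etc/passwd", "~/.ssh/*", "~/.gnupg/*",
                 "~/.openclaw/config.yaml", "*.env", "*secret*", "*credential*",
                 "*password*"]


def _matches(command: str, patterns) -> bool:
    # Collapse repeated whitespace so "rm   -rf /tmp" is judged as "rm -rf /tmp".
    normalized = " ".join(command.split())
    return any(fnmatch.fnmatchcase(normalized, p) for p in patterns)


def command_verdict(command: str) -> str:
    """blocked_commands wins over everything; unmatched commands are denied."""
    if _matches(command, BLOCKED):
        return "block"
    if _matches(command, REQUIRE_APPROVAL):
        return "approve"
    if _matches(command, ALLOWED):
        return "allow"
    return "deny"


def _expand(pattern: str) -> str:
    # "~/.ssh/*" in the config refers to the openclaw user's home.
    return pattern.replace("~", HOME, 1) if pattern.startswith("~") else pattern


def path_verdict(path: str, cwd: str = HOME + "/workspace") -> str:
    """Resolve '..' lexically before matching, so a relative path is judged by
    where it actually lands rather than by how it was written. Real code
    should additionally call os.path.realpath so symlinks are followed."""
    resolved = posixpath.normpath(posixpath.join(cwd, path))
    for p in BLOCKED_PATHS:
        # fnmatch's "*" also matches "/", so "*.env" covers any depth.
        if fnmatch.fnmatchcase(resolved, _expand(p)):
            return "block"
    for root in ALLOWED_PATHS:
        if resolved == root or resolved.startswith(root + "/"):
            return "allow"
    return "deny"
```

Two details are worth checking against your own list: entries without a wildcard (`docker ps`) match only that exact command line, so `docker ps -a` falls through to deny, and whatever the matcher is, the deny-by-default branch at the end is what turns a typo in `allowed_commands` into a refusal rather than an open door.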
## Layer 4: Prompt Injection Defense
Prompt injection is the biggest risk with AI assistants. Here’s how to mitigate it:
```yaml
security:
  prompt_injection:
    # Enable the built-in injection detection filter
    detection: true
    # Actions when injection is detected
    on_detection: "block_and_alert" # block_and_alert | warn | log_only
    # Input sanitization
    sanitize_input:
      strip_unicode_control_chars: true
      max_input_length: 10000
      reject_base64_payloads: true
    # System prompt anchoring — makes it harder to override instructions
    system_prompt_position: "both" # before and after user input
  # Tool call validation
  validate_tool_calls:
    enabled: true
    # AI must explain WHY it's using a tool before executing
    require_reasoning: true
    # Human-in-the-loop for dangerous operations
    approval_required_tools:
      - command_execution
      - file_delete
      - browser_form_submit
```
### Additional Defense: Input Filtering
```yaml
security:
  input_filters:
    # Block messages containing common injection patterns
    block_patterns:
      - "ignore previous instructions"
      - "ignore all previous"
      - "disregard your instructions"
      - "pretend you are"
      - "act as if you have no restrictions"
      - "\\[SYSTEM\\]"
      - "\\[ADMIN\\]"
      - "<system>"
    # Log but don't block (for monitoring)
    warn_patterns:
      - "sudo"
      - "as root"
      - "with admin privileges"
```
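The `sanitize_input` options and the two pattern lists above are easiest to reason about as one pipeline: normalize first, then apply the hard limits, then match. Below is an added example of that pipeline (not OpenClaw's built-in filter), run over constructed messages. It assumes the patterns are case-insensitive regular expressions (the escaped `\[SYSTEM\]` entries only make sense that way), that "control chars" means Unicode categories Cc and Cf other than newline and tab, and that a base64 payload is any run of 80 or more base64 characters that decodes cleanly; the threshold and the verdict names are hypothetical.

```python
import base64
import binascii
import re
import unicodedata

MAX_INPUT_LENGTH = 10_000          # max_input_length: 10000
BLOCK_PATTERNS = [r"ignore previous instructions", r"ignore all previous",
                  r"disregard your instructions", r"pretend you are",
                  r"act as if you have no restrictions",
                  r"\[SYSTEM\]", r"\[ADMIN\]", r"<system>"]
WARN_PATTERNS = [r"sudo", r"as root", r"with admin privileges"]

_BLOCK_RE = re.compile("|".join(f"(?:{p})" for p in BLOCK_PATTERNS), re.IGNORECASE)
_WARN_RE = re.compile("|".join(f"(?:{p})" for p in WARN_PATTERNS), re.IGNORECASE)
_B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")   # assumed threshold: 80 chars

# Constructed sample payload: 100 base64 characters that decode to "AAA" * 25.
SAMPLE_B64 = "QUFB" * 25


def strip_control_chars(text: str) -> str:
    """strip_unicode_control_chars: drop Cc/Cf characters (which include
    zero-width and bidi-override code points) but keep newline and tab."""
    return "".join(ch for ch in text
                   if ch in "\n\t" or unicodedata.category(ch) not in ("Cc", "Cf"))


def looks_like_base64_payload(text: str) -> bool:
    """reject_base64_payloads: a long base64 run that really decodes."""
    for m in _B64_RE.finditer(text):
        body = m.group(0).rstrip("=")
        try:
            base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
            return True
        except (binascii.Error, ValueError):
            continue
    return False


def filter_message(raw: str) -> dict:
    """Returns the sanitized text plus a verdict: block, warn or pass.
    Sanitization runs first so patterns are matched against what the model
    would actually see, not against the raw bytes."""
    text = strip_control_chars(raw)
    if len(text) > MAX_INPUT_LENGTH:
        return {"verdict": "block", "reason": "too_long", "text": text[:MAX_INPUT_LENGTH]}
    if looks_like_base64_payload(text):
        return {"verdict": "block", "reason": "base64_payload", "text": text}
    m = _BLOCK_RE.search(text)
    if m:
        return {"verdict": "block", "reason": f"pattern:{m.group(0)}", "text": text}
    m = _WARN_RE.search(text)
    if m:
        return {"verdict": "warn", "reason": f"pattern:{m.group(0)}", "text": text}
    return {"verdict": "pass", "reason": "", "text": text}
```

Treat a list like `block_patterns` as a tripwire rather than a boundary: it only recognizes literal phrasings, and a benign sentence containing "pretend you are" will be blocked too, so route its hits into the audit log and alerts from Layer 5 and rely on the tool-approval settings above as the backstop.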
## Layer 5: Audit Logging
Every action OpenClaw takes should be logged:
```yaml
logging:
  level: "info"
  audit:
    enabled: true
    log_file: "/var/log/openclaw/audit.log"
    # What to log
    events:
      - "message_received"
      - "message_sent"
      - "tool_invoked"
      - "tool_result"
      - "auth_attempt"
      - "auth_failure"
      - "config_change"
      - "skill_execution"
    # Include full context for tool invocations
    verbose_tool_logs: true
    # Rotation
    rotate:
      max_size: "100MB"
      max_files: 30
      compress: true
```
View audit logs:
```bash
# Recent tool invocations
openclaw logs --audit --filter tool_invoked --tail 50
# Failed authentication attempts
openclaw logs --audit --filter auth_failure
# All activity in the last hour
openclaw logs --audit --since "1h"
```
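Logging is only useful if something reads the log. As an added example (not part of OpenClaw), the script below runs two of the checks a defender would schedule over the audit events listed above: a burst of `auth_failure` events from one sender inside a short window, which is what a stranger probing the bot looks like, and a per-sender tally of `tool_invoked` events so that an unexpected sender/tool pair stands out. The page does not show the real format of `audit.log`, so the JSON-lines layout and field names are an assumption, and the sample lines are constructed.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the assumed JSON-lines layout (one event per line).
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:05Z", "event": "auth_attempt", "channel": "telegram", "sender": "987654321", "ok": true}
{"ts": "2024-05-01T10:01:10Z", "event": "tool_invoked", "channel": "telegram", "sender": "987654321", "tool": "command_execution", "args": {"command": "git status"}}
{"ts": "2024-05-01T10:02:00Z", "event": "auth_failure", "channel": "telegram", "sender": "55555", "reason": "not_in_allowed_users"}
{"ts": "2024-05-01T10:02:30Z", "event": "auth_failure", "channel": "telegram", "sender": "55555", "reason": "not_in_allowed_users"}
{"ts": "2024-05-01T10:03:15Z", "event": "auth_failure", "channel": "telegram", "sender": "55555", "reason": "not_in_allowed_users"}
{"ts": "2024-05-01T10:40:00Z", "event": "auth_failure", "channel": "discord", "sender": "777", "reason": "bad_passphrase"}
{"ts": "2024-05-01T10:41:00Z", "event": "tool_invoked", "channel": "telegram", "sender": "987654321", "tool": "file_access", "args": {"path": "projects/app/main.py"}}
"""

BURST_THRESHOLD = 3                    # same as max_attempts in Layer 2
BURST_WINDOW = timedelta(minutes=10)   # assumed detection window


def parse_events(text: str) -> list:
    """Parse JSON lines, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def auth_failure_bursts(events: list) -> dict:
    """{(channel, sender): peak count} for senders with at least
    BURST_THRESHOLD failures inside any BURST_WINDOW (sliding window)."""
    by_sender = defaultdict(list)
    for ev in events:
        if ev["event"] == "auth_failure":
            by_sender[(ev["channel"], ev["sender"])].append(ev["ts"])
    bursts = {}
    for key, times in by_sender.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BURST_THRESHOLD:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


def tool_usage(events: list) -> Counter:
    """Count tool invocations per (sender, tool)."""
    return Counter((ev["sender"], ev["tool"])
                   for ev in events if ev["event"] == "tool_invoked")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (channel, sender), n in auth_failure_bursts(evs).items():
        print(f"ALERT: {n} auth failures from {channel}:{sender} within {BURST_WINDOW}")
    for (sender, tool), n in tool_usage(evs).most_common():
        print(f"{sender} used {tool} {n}x")
```

Because the sliding window is keyed on channel and sender, a single mistyped passphrase from a legitimate user (the `discord` line) does not alert, while three refusals of an unknown Telegram ID within a couple of minutes do. Run it from cron against the rotated files, or feed the same logic from `openclaw logs --audit --filter auth_failure`.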
## Layer 6: Network Security
### Bind to Localhost Only
```yaml
gateway:
  host: "127.0.0.1" # Never use 0.0.0.0 without a reverse proxy
  port: 3377
```
### Firewall Rules (UFW)
```bash
# Block everything by default
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (change port if needed)
sudo ufw allow 22/tcp
# Allow OpenClaw dashboard only from VPN
sudo ufw allow from 10.0.0.0/24 to any port 3377
# Enable
sudo ufw enable
```
### VPN Access (WireGuard)
For remote access, use WireGuard instead of exposing ports:
```bash
# Install WireGuard
sudo apt install wireguard
# Generate keys
wg genkey | tee privatekey | wg pubkey > publickey
```
```ini
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
```
## Layer 7: Secrets Management
Never hardcode API keys or tokens:
```bash
# Use environment variables
export ANTHROPIC_API_KEY="sk-ant-..."
export TELEGRAM_BOT_TOKEN="7123456789:AAH..."
# Or use a .env file (ensure it's in .gitignore)
# Note: typing the key on the command line leaves it in your shell history;
# writing the file with an editor avoids that
echo "ANTHROPIC_API_KEY=sk-ant-..." > ~/.openclaw/.env
chmod 600 ~/.openclaw/.env
```
Reference secrets in config:
```yaml
ai:
  api_key: "${ANTHROPIC_API_KEY}"
channels:
  telegram:
    bot_token: "${TELEGRAM_BOT_TOKEN}"
```
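The `${VAR}` references above only help if the loader fails closed when a variable is unset; an empty token sent to a provider is a confusing error at best and a silent fallback to a hardcoded default at worst. The following is an added example of such a resolver (hypothetical, not OpenClaw's loader): a pre-flight check that lists unresolved references, a resolver that raises rather than substituting an empty string, and a redacted view of the resolved config that is safe to print or log. The config dictionary is the page's own two references; the environment dictionaries are constructed.

```python
import os
import re

_REF = re.compile(r"\$\{([A-Z0-9_]+)\}")
SENSITIVE_KEYS = ("api_key", "bot_token", "hash")   # assumption: keys to redact

# The references from the config above, as the parsed YAML would look.
CONFIG = {
    "ai": {"api_key": "${ANTHROPIC_API_KEY}"},
    "channels": {"telegram": {"bot_token": "${TELEGRAM_BOT_TOKEN}"}},
}


class MissingSecret(RuntimeError):
    """Raised when a ${NAME} reference has no non-empty value."""


def missing_references(value, env) -> list:
    """Names referenced as ${NAME} that are unset or empty in env, in the
    order found, without resolving anything (a startup pre-flight check)."""
    found = []

    def walk(v):
        if isinstance(v, dict):
            for x in v.values():
                walk(x)
        elif isinstance(v, list):
            for x in v:
                walk(x)
        elif isinstance(v, str):
            for name in _REF.findall(v):
                if not env.get(name) and name not in found:
                    found.append(name)

    walk(value)
    return found


def resolve(value, env=None):
    """Substitute every ${NAME} from env (default: os.environ), recursing into
    dicts and lists. Fails closed: an unset or empty name raises."""
    env = os.environ if env is None else env
    if isinstance(value, dict):
        return {k: resolve(v, env) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, env) for v in value]
    if isinstance(value, str):
        def sub(m):
            secret = env.get(m.group(1), "")
            if not secret:
                raise MissingSecret(f"{m.group(1)} is referenced in config but not set")
            return secret
        return _REF.sub(sub, value)
    return value


def redact(value):
    """Copy of a resolved config with sensitive leaf values replaced."""
    if isinstance(value, dict):
        return {k: "***" if k in SENSITIVE_KEYS and isinstance(v, str) else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value
```

Calling `missing_references(CONFIG, os.environ)` before anything connects gives one actionable error listing every missing name, instead of a first failure at the first provider; `redact` exists so that a `config_change` audit event from Layer 5 can include the effective config without the secrets.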
## Security Checklist
Run through this checklist before going live:
```bash
openclaw security audit
```
```text
┌──────────────────────────────────┬──────────┐
│ Check                            │ Status   │
├──────────────────────────────────┼──────────┤
│ Running as non-root user         │ ✅ Pass  │
│ API keys in environment vars     │ ✅ Pass  │
│ Dashboard bound to localhost     │ ✅ Pass  │
│ File access sandboxed            │ ✅ Pass  │
│ Command execution restricted     │ ✅ Pass  │
│ Prompt injection filter enabled  │ ✅ Pass  │
│ Audit logging enabled            │ ✅ Pass  │
│ User authentication configured   │ ✅ Pass  │
│ Messaging accounts are dedicated │ ⚠️ Check │
│ Firewall configured              │ ✅ Pass  │
└──────────────────────────────────┴──────────┘
```
## Conclusion
Security isn’t optional with OpenClaw — it’s foundational. A properly hardened deployment means you get all the power of an AI assistant with the confidence that your data and systems are protected. Layer your defenses, monitor your logs, and stay updated.
Need a security audit for your AI infrastructure? Our team provides security assessments and hardening services for self-hosted AI deployments.