← The Signal
11 min read

How to Lock Down OpenClaw: A Security Hardening Guide

OpenClaw is the most powerful open-source AI agent available — but the defaults will get you burned. Here's how to harden it, run it on local models, vet community skills, and use it without exposing your life to the internet.

OpenClaw is, by almost every metric, the most successful open-source AI project of the year. 247,000 GitHub stars. Over 47,700 forks. MIT licensed, free to use, and growing faster than any autonomous agent before it. It runs locally, connects to your messaging platforms — WhatsApp, Telegram, Signal, Discord, Slack, iMessage — and acts as a personal assistant that can execute shell commands, control your browser, read and write files on your machine, manage your calendar, handle email, and run your smart home.

The pitch is genuinely compelling. The instinct driving adoption — wanting AI capabilities without surrendering your data to corporate platforms — is correct.

But the defaults will get you burned.

Out of the box, OpenClaw sends every prompt to cloud APIs, stores credentials in plaintext, and has a community extension ecosystem where one in five skills is malware. Security firms including Malwarebytes, Kaspersky, Microsoft, and Cisco all published warnings about it in the same quarter. That kind of consensus is rare.

None of that means you shouldn’t use it. It means you need to set it up properly. Here’s how.

Understand What You’re Working With

Before hardening anything, understand the attack surface. OpenClaw has had real, documented security problems — not theoretical risks.

CVE-2026-25253 — a critical remote code execution vulnerability affecting every version before 2026.1.29. WebSocket token theft that allowed one-click RCE on any exposed instance. Hunt.io found 17,500+ vulnerable instances on the public internet. SecurityScorecard mapped 42,900 exposed instances across 82 countries, with over 220,000 unprotected instances total. Many running with zero authentication.

The skill ecosystem — Bitdefender audited ClawHub and found approximately 900 malicious skills out of ~4,500 total. Credential stealers, backdoors, and data exfiltration tools disguised as legitimate utilities. Skills run with the same permissions as the agent itself — full filesystem and network access.

Plaintext credential storage — API keys, messaging tokens, LLM credentials, service passwords — all stored as flat files on the local filesystem. No encryption at rest.

Cloud API dependency — By default, every prompt gets sent to Claude, GPT, or DeepSeek for inference. “Local-first” describes the architecture. It doesn’t describe the default behavior.

These are fixable problems. Let’s fix them.

Step 1: Update and Patch

This is the obvious one, but after CVE-2026-25253, it needs saying: run version 2026.1.29 or later. The RCE vulnerability was patched, but unpatched instances are still being discovered on the internet.

# Check your version
openclaw --version

# Update to latest
pip install --upgrade openclaw

Enable automatic updates if your deployment allows it. Subscribe to the OpenClaw security advisories feed so you know when the next CVE drops — because there will be a next one.

Step 2: Never Expose OpenClaw to the Internet

This is the single most important step. 42,900 instances were found on the public internet, many with zero authentication. If your OpenClaw instance is reachable from outside your local network, you have a problem.

Check if you’re exposed:

# Check what's listening on OpenClaw's default ports
ss -tlnp | grep -E ':(3000|8080|7681)'

Lock it down:

  • Bind to localhost only — configure OpenClaw to listen on 127.0.0.1, not 0.0.0.0
  • If you need remote access, put it behind a VPN (Mullvad, WireGuard, or Tailscale) — never expose the port directly
  • Firewall the port — block inbound connections to OpenClaw’s port from everything except localhost
  • If you’re running it in Docker, do not publish ports to 0.0.0.0 — bind to 127.0.0.1:3000:3000
# Firewall rule (ufw example)
sudo ufw deny in on any to any port 3000
sudo ufw allow in on lo to any port 3000

Enable authentication. OpenClaw supports token-based auth. Use it. Generate a strong random token and set it in your config:

# config.yaml
auth:
  enabled: true
  token: "your-64-char-random-token-here"

Generate one with: openssl rand -hex 32

Step 3: Route Everything Through Local Models

This is the step that makes OpenClaw actually private. By default, it sends every prompt to cloud LLM APIs. You need to replace that with a local model running on your own hardware.

Install Ollama:

curl -fsSL https://ollama.com/install.sh | sh
ollama pull llama3.1:70b   # or a smaller model if your hardware is limited
ollama pull llama3.1:8b    # good fallback for lighter tasks

Configure OpenClaw to use Ollama:

# config.yaml
llm:
  provider: ollama
  model: llama3.1:70b
  base_url: http://localhost:11434

Delete your cloud API keys from the OpenClaw config. If they’re not there, they can’t be used — even if a malicious skill or prompt injection tries to switch providers.

Model recommendations by hardware:

  • 8GB RAM: llama3.1:8b or phi-3:mini — basic tasks, drafting, summarization
  • 16GB RAM: llama3.1:8b or mistral:7b — good all-around performance
  • 32GB RAM: llama3.1:70b (quantized) or qwen2:32b — strong reasoning, complex tasks
  • 64GB+ RAM or dedicated GPU: llama3.1:70b full precision — near cloud-quality output

Once this is configured, zero data leaves your machine. Every prompt, every response, every piece of context stays on your hardware. This is the single biggest privacy improvement you can make.

Step 4: Encrypt Credential Storage

OpenClaw stores credentials in plaintext. This is unacceptable for anything connected to real accounts. You have a few options:

Option A: Use a secrets manager

Move credentials out of OpenClaw’s config files and into an encrypted store:

# Install pass (GPG-based password manager)
sudo apt install pass
pass init your-gpg-key-id

# Store credentials
pass insert openclaw/telegram-token
pass insert openclaw/signal-credentials

# Reference in OpenClaw config via environment variables
export TELEGRAM_TOKEN=$(pass openclaw/telegram-token)

Option B: Encrypt the config directory

If you want to keep things simple, encrypt the entire OpenClaw config directory at rest:

# Create an encrypted volume for OpenClaw data
# Using LUKS on Linux:
sudo cryptsetup luksFormat /dev/sdX1
sudo cryptsetup open /dev/sdX1 openclaw-vault
sudo mkfs.ext4 /dev/mapper/openclaw-vault
sudo mount /dev/mapper/openclaw-vault /opt/openclaw-data

The point is: your messaging tokens, API credentials, and platform passwords should never sit as readable text on an unencrypted filesystem. If your machine is compromised — or if a malicious skill reads your config directory — encrypted credentials are useless to the attacker.

Option C: Environment variables

At minimum, move all credentials to environment variables and load them from a protected file:

# .openclaw-secrets (chmod 600)
export TELEGRAM_TOKEN="your-token"
export SIGNAL_CREDS="your-creds"
export DISCORD_TOKEN="your-token"

# Load before starting OpenClaw
source ~/.openclaw-secrets && openclaw start

Step 5: Vet Every Skill Before Installing

The ClawHub skill ecosystem is 20% malware. Treat every community skill as untrusted code — because it is.

Rules:

  1. Never install skills automatically. Disable OpenClaw’s self-extending behavior. The agent should not discover, download, or activate skills without your explicit approval.
  2. Read the source code before installing any skill. Look for network calls to external endpoints, file reads outside the skill’s scope, and obfuscated code.
  3. Check the author. New accounts with a single skill submission are higher risk. Look for established contributors with multiple skills and community reputation.
  4. Monitor network traffic after installing a new skill. Watch for unexpected outbound connections.
# config.yaml — disable autonomous skill installation
skills:
  auto_install: false
  auto_update: false
  allow_network: false  # skills cannot make network calls unless explicitly allowed

Run skills in a sandbox if your OS supports it:

# Use firejail to sandbox OpenClaw
firejail --net=none --private openclaw start

# Or use Docker with restricted networking
docker run --network=none openclaw/openclaw

If a skill needs network access to function, that’s a red flag. Legitimate skills that process local files, format text, or manage local tasks don’t need outbound connections.

Step 6: Isolate OpenClaw from Your Main System

Microsoft’s Defender team recommended running OpenClaw in isolated environments only. They’re right. Here’s how to do it:

Option A: Dedicated machine

Run OpenClaw on a separate machine — a mini PC, old laptop, or a Raspberry Pi (for lighter models). This machine connects to your messaging platforms and runs the agent. Your primary workstation never touches it. If the agent is compromised, the blast radius is limited to a machine with no access to your main files, browser sessions, or credentials.

Option B: Virtual machine

Run OpenClaw inside a VM (VirtualBox, KVM, or Proxmox). Snapshot before making changes. If something goes wrong, roll back. The VM has no access to your host filesystem.

# Quick KVM setup
virt-install --name openclaw-vm \
  --ram 8192 --vcpus 4 \
  --disk size=50 \
  --os-variant ubuntu24.04 \
  --network network=default

Option C: Docker with strict limits

# docker-compose.yml
services:
  openclaw:
    image: openclaw/openclaw:latest
    network_mode: "none"  # no network access by default
    read_only: true
    tmpfs:
      - /tmp
    volumes:
      - ./config:/app/config:ro
      - ./data:/app/data
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

The key principle: OpenClaw should run in an environment where a full compromise — RCE, malicious skill, prompt injection — cannot reach your primary machine, your browser sessions, your SSH keys, or your files.

Step 7: Using OpenClaw Anonymously

If you want to run OpenClaw without it being traceable to your identity, you need to think about more than just the software.

Network anonymity:

  • Route OpenClaw’s traffic through Tor or a VPN that doesn’t require an email (Mullvad — account is a random number, accepts cash)
  • If running local models, there’s zero network traffic to anonymize — this is the strongest position
  • If you must use a cloud API (you shouldn’t), create the API account with a disposable email (SimpleLogin, AnonAddy) and pay with cryptocurrency

Account separation:

  • Create dedicated messaging accounts for OpenClaw — don’t connect your personal WhatsApp, Telegram, or Signal
  • Use a burner phone number (prepaid SIM, bought with cash) for any messaging platform that requires one
  • For Signal: use a separate Signal account on the OpenClaw machine, not your daily driver

Hardware anonymity:

  • Buy the hardware with cash if you’re serious about it
  • Don’t register the device with any manufacturer account
  • Run a privacy-focused OS (TailsOS from a USB for extreme cases, or a clean Linux install with no personal accounts)

Operational security:

  • Don’t connect OpenClaw to accounts that are tied to your real identity
  • Don’t process documents that contain your real name, address, or identifying information through the agent
  • If using messaging integrations, understand that the people you communicate with can still see you’re using an AI agent (message patterns, response times, formatting)

The anonymous setup is the most paranoid configuration, and most people don’t need it. But if you’re a journalist, researcher, or activist working with sensitive sources, this is how you separate OpenClaw from your identity completely.

Step 8: Enable Logging and Monitoring

OpenClaw has no built-in audit logging. You need to add your own.

Basic approach — log all agent actions:

# Wrap OpenClaw in a script that logs everything
openclaw start 2>&1 | tee -a /var/log/openclaw/agent.log

Monitor network connections:

# Watch for unexpected outbound connections
ss -tnp | grep openclaw
# Or use nethogs for real-time per-process bandwidth
nethogs

File integrity monitoring:

# Use inotifywait to detect file changes in sensitive directories
inotifywait -m -r ~/.openclaw/ -e modify,create,delete

If you’re running OpenClaw in a business environment, you need to know what the agent accessed, when, and why. Without logging, a malicious skill exfiltrating client data produces zero evidence. Set up logging before you connect any real accounts.

The Checklist

Here’s the full hardening checklist in order:

  1. Update to 2026.1.29+ — patch the known RCE
  2. Bind to localhost — never expose to the internet
  3. Enable authentication — strong random token
  4. Switch to local models — Ollama + delete cloud API keys
  5. Encrypt credentials — secrets manager, encrypted volume, or env vars
  6. Disable auto-install of skills — vet everything manually
  7. Sandbox the agent — dedicated machine, VM, or Docker
  8. Set up logging — monitor agent actions and network traffic
  9. Separate accounts — don’t connect personal messaging accounts
  10. Firewall — block all unnecessary outbound connections

If you do all ten, you have an OpenClaw installation that is genuinely private, genuinely local, and significantly harder to compromise than what 99% of users are running.

OpenClaw is a powerful tool built on a legitimate need — AI that you control, running on your hardware. The security problems are real, but they’re fixable. The difference between a dangerous OpenClaw install and a hardened one is about two hours of configuration work and an understanding of what the defaults actually do.

The 247,000 people who installed OpenClaw wanted the right thing. Most of them just didn’t know the defaults were working against them.

If you’d rather have someone do all of this for you — local model setup, security hardening, skill vetting, messaging integration, the works — that’s what our OpenClaw Configuration service is built for. We set it up locked down from day one so you don’t have to audit config files at 2 AM.

But if you want to do it yourself, everything you need is on this page.

AIOpenClawprivacysecurityself-hostinghardening
$199 Starter Kit — Most Popular